A ransomware victim must have a compelling reason to go through the burdensome process of obtaining Bitcoin and paying the ransom. For many victims, the threat of permanently losing access to their files is enough. However, some ransomware authors and criminals seek to push victims harder by raising the stakes even further.
Karo Ransomware, for example, compels a higher rate of ransom payment among victims by combining basic ransom techniques with other forms of social engineering. In addition to threatening to permanently delete affected files, Karo also threatens to:
- Leak personal and financial data online.
- Distribute any nude photos found on the victim’s computer to the victim’s contacts and to pornographic websites.
The risk that private information would be shared publicly and, for some content, to friends and acquaintances, can be a far more compelling reason to pay a ransom than data loss alone. This creates a scenario in which even victims with adequate data backups may be compelled to pay to prevent the leakage of private data.
Figure 1 – A Karo Ransomware payment site provides a compelling three-part threat
However, the ransomware does not provide the threat actors with the ability to exfiltrate information or the ability to gain remote access to the infected computer. It is likely that the threat actors consider the threat of disclosing victims’ private data to be sufficient leverage to compel more victims to pay the ransom.
|Karo ransomware network watch list IOCs||Infrastructure type|
|hxxp://ibvmcu4eayyxjc4j[.]onion/controller[.]php||Command and control|
|uh6r7smsyxtsb25w[.]onion||Ransom payment site|
Figure 2 – Karo Ransomware distribution and payment infrastructure
Karo provides a compelling extortion-plus scheme that would disproportionately impact private individuals rather than enterprises. However, it develops a framework by which threat actors establish a valuable data type or category of information, encrypt files on an endpoint or network, and threaten to disclose information from a designated valuable category. The designated valuable category could include intellectual property, enterprise financial data, executive-suite personnel data, or even internal email information. Coupling a ransomware tool with another malware is relatively common.
Threat actors may turn to more elaborate extortion schemes to increase the effectiveness of their ransomware and the success rate in or compelling ransom payments. Other threat actors have made the news recently by threatening to release protected information to compel a ransom payment. Combining the threat to release protected enterprise data with encryption ransomware ensures that threat actors have multiple pathways for extortion. Even if the enterprise has taken proper steps to stave off the risks of encryption ransomware, the intrusion and prospect for stolen data could compel the target to cooperate with attackers.
Ransomware that uses enhanced extortion techniques may be created to target a specific organization or enterprise, or like Karo, it may be designed to compel individuals to feel they must cooperate to protect their private information. In both cases, the threat actors are using the value and privacy of information against the victim.
The appropriate response is threefold:
- First, enterprise data must be inventoried and backed up, and its value to a potential attacker must be understood. This prevents an organization from making poor decisions based on incorrect assumptions of their ability to overcome an attacker’s threats.
- Second, a full understanding and assessment of the current attacker’s abilities and the resources used to support their endeavors is necessary. This allows an enterprise to understand what risks attackers pose and the infrastructure and resources used to deliver those risks to the enterprise.
- Finally, as the threat landscape evolves, security professionals must enact comprehensive security postures that bolster against the most reliable and flexible attack methodologies like phishing emails.
The last of these three goals is crucial as it allows for an organization to develop a holistic strategy for countering a broad spectrum of risks defined against enterprise data and infrastructure. For example, a comprehensive defense against phishing attacks begins by engaging every employee to identify and report phishing emails. By empowering these users, network defenders gain insight into the latest attempts to attack their organization. This provides valuable intelligence that can then be compared with external intelligence reporting to understand the risks posed by the attack and how to mitigate it.
Learn about emerging trends and evolving threats in phishing malware with the PhishMe® Q1 Malware report, click here to download.