Ransomware: Lucrative Cyber Crime Tactics Rapidly Evolving

TLP: WHITE | The NJCCIC assesses ransomware infections will continue to increase steadily and pose a threat to the public and private sector, as well as home users, as the technical barriers to conducting these cybercrime campaigns continue to drop and the return on investment for cybercriminals remains extremely high. The NJCCIC recommends all organizations and home users familiarize themselves with ransomware tactics and implement the necessary security and backup strategies to mitigate this threat. Ransomware variants are likely to increasingly target mobile devices as users rely more heavily on tablets and smartphones, and to be bundled with additional malware designed to steal login credentials and financial information. Moreover, the tactics used to distribute malware through spam emails or compromised websites are becoming more sophisticated, as are anti-forensic capabilities that enable malware to delete itself after infection in order to avoid detection, extraction, and examination.


Ransomware is a type of malicious software (malware) that attempts to extort money from victims by restricting access to a computer system or files. The most prevalent form of this profit-motivated malware, referred to as crypto-ransomware due to the use of encryption algorithms, is on the rise as many new variants are being developed by hackers and international cybercrime groups. The security firm Symantec reported a 112 percent increase in ransomware attacks in 2014, largely due to a 4,000 percent increase in crypto-ransomware infections. In the first quarter of 2015, ransomware infections rose 165 percent according to McAfee Labs.

  • The steady increase in ransomware is largely driven by more elusive variants of crypto-ransomware that rely on the Tor anonymity network for command and control (C2), as well as the use of online currency, namely Bitcoin, for anonymously accepting ransom payments. Some of the most recent strains posing a threat to US businesses and home users include CryptoWall 3.0, the CTB-Locker ransomware family, two similar strains called TeslaCrypt and Alpha Crypt, and TorrentLocker.
  • Since April 2014, the FBI’s Internet Crime Complaint Center (IC3) has received 992 CryptoWall-related complaints, with victims reporting losses totaling over $18 million. The potential losses for victims go beyond the ransom fee to recover files, and may include network mitigation and other IT services, loss of productivity, legal fees, and credit monitoring for victims.
  • There is an expanding marketplace for off-the-shelf cybercrime tools that allow average users with limited technical ability to distribute malware and conduct for-profit cyber attacks. A ransomware kit named Tox was released in early 2015 that allows any internet user to enter a ransom amount and reason for their campaign, then download a ransomware executable file disguised as a Microsoft screensaver file (.scr) to send to potential victims. The tool provided a user interface to track the number of victims and total profits from paid ransom.


Contact Information
Any agency with comments or questions about this document should contact the NJCCIC at njccic@cyber.nj.gov.

Traffic Light Protocol: WHITE