Categories: Blog

New ransomware distribution model: Infect two “friends”, unlock your files for free

In our previous blogs, we have looked at ways through which ransomware moves from being malware used by cyber criminals to extort money from victims to becoming a service that can be rented by anybody who wants to launch such attacks (read more here). This evolution allows ransomware service providers increase their revenues with least effort by leveraging a network of ransomware operators who launch their own attacks and share the benefits.

Nowadays, new ransomware tries to develop a new distribution model for maximization of profit: using the victim’s social connections to spread exponentially, in exchange for free data decryption. The idea is based on well-known retail promotional methodology: “bring two friends and get a discount” and works in a similar way.

How does it work?

In essence, this ransomware infection behaves exactly like any of the other ransomware families. It will get into the system via well-known vectors, such as email phishing, encrypt the files on the computer and then display a ransom note. Except, in this case, the ransom note contains a new option: the opportunity to decrypt the files for free, if you can infect two more users with the ransomware package, who in turn will pay ransom – or infect other two more users, etc.

Infecting others can be done by passing on a link to the ransomware install package, encoded with the victim’s identification parameter. When going for this option, the primary victim is encouraged to share the link on social media, email, etc. If one or more different users install the package and pay the ransom (or further add to the pool of victims using the “spreading” option), the victim receives a code that would unlock the files for free. Cyber criminals added extra precautions to make sure that this functionality is not abused: the encryption key will get deleted if the wrong code is entered four times. Case in which the files will be forever lost.

Why is it more profitable than common ransomware?

Average ransomware is mainly spread from victim to victim via phishing campaigns or malicious websites. These methods have certain costs, and therefore there is an average price per victim acquired which needs to be covered by the cyber criminals for distributing their software. Such campaigns have a medium to low rate of success, especially in environments that run email or web filtering technology.

The pyramidal scheme featured by this new type of ransomware implies getting a certain number of victims infected, and then motivating them to further distribute the malware. This approach results in a lower cost per acquired victim because, with a relatively small base of victims, their total number may grow exponentially. This distribution model is also much more efficient as victims would spread the malware to their contacts through social media or email, with a much better chance of getting through spam filters, etc.

Hence, with the pyramidal distribution scheme, the costs and efforts decrease as victims help distribution. Only primary victims incur costs, and the malware can spread virally through legitimate channels.

Pyramidal victim acquisition scheme for ransomware

In general, a pyramidal scheme promises to deliver services or benefits to users on enrolling others into the plan. It is unsustainable economically but does guarantee exponential growth of the business model. Since hackers do not promise to pay anything (just give files back for free), the downside of the pyramidal model is eliminated. The hackers benefit from the exponential growth of the pool of victims (potentially paying the ransom) while investing far less in distributing and spreading their ransomware.

Popcorn Time

Without any apparent connection to the Popcorn Time P2P application, it is a new, in-development type of ransomware discovered by the MalwareHunterTeam. It implements the pyramidal scheme distribution approach described in this article. It asks for one bitcoin in exchange for the decryption key, but also provides victims with a link that can be shared. If two or more victims pay the ransom, it promises to decrypt the files for free. Read more technical details here.

How we can help

TEMASOFT develops an advanced anti ransomware software that detects and blocks most present and future ransomware and allows file recovery if successful attacks occur. This technology will soon be available. For more information, follow us on social media and subscribe to our newsletter.

This post was last modified on August 21, 2023 7:27 am

Calin Ghibu

Technical background: over 15 years experience in testing, developing, researching and managing network security solutions. Currently focusing on information security and IT management. Specialties: Network audit, information security, web security, endpoint security, perimeter security SIEM, legal compliance, competitive intelligence.

Share
Published by
Calin Ghibu
Tags: ranstop

Recent Posts

The Role of File Monitoring Solutions in Maintaining File Integrity

In the digital world, information is often stored and transferred through files. From the most…

May 12, 2023

Guide to Conducting an Efficient File Access Permissions Audit for Admins and Technology Managers

Introduction Data security is more important than ever in today's fast-paced digital world. One critical…

April 9, 2023

File Integrity Monitoring: What It Is and Why It Matters

Introduction: Cyber threats are a growing concern for businesses and individuals alike. With the increasing…

March 5, 2023

Monitoring Essential Microsoft IIS Server Configuration Files for Enhanced Security

Microsoft Internet Information Services (IIS) is a popular web server that is widely used to…

February 25, 2023

Tracking file changes helps admins solve server configuration problems

File tracking is an important aspect of server administration, and it can help administrators detect…

February 1, 2023

Three reasons why admins should use file monitoring solutions

File monitoring solutions are essential tools for administrators to manage and protect their organizations' data…

January 6, 2023