It sits in the cloud, waiting to strike when someone least expects it. Its trap is set, and the prey unknowingly invites the predator in, in the form of a digital download. Little did the consumers know that when they downloaded the EnergyRescue app they were letting in a vicious form of malware which would turn their Android phone into an expensive paperweight.
Ransomware is a fearsome beast in the tech world. It moves through servers and networks as it tries to find a weak target. Then, like a lion after its prey, it springs into action and locks a user’s data. Pictures, bank statements, text messages, documents, credit cards, whatever is on the device now is hidden behind a message, telling you to pay up or lose it forever.
On December 30, 2016, Los Angeles Valley College found malicious software had taken control of a campus email and computer network.
The campus’ website, email and even voicemail was unavailable until they paid the ransom of nearly $30,000. An investigation into the incident is ongoing, but it isn’t yet clear which piece of malware is the guilty party.
“It was the assessment of our outside cybersecurity experts that making a payment would offer an extremely high probability of restoring access to the affected systems, while failure to pay would virtually guarantee that data would be lost,” the school said in a statement.
After paying the ransom LAVC received a “key” from the unidentified hackers, which allows the district to open its systems. With hundreds of thousands of files to unlock, the process is still underway.
LAVC is not the only university subject to computer attacks and malware, PLNU’s IT team works to defend the school’s systems from attacks in all forms.
Imagine you’re sitting at your computer when you receive a link from an old friend or even a company that has many products you use. Included is a link, urging you to log-in to view a document or update your account information, maybe it even begins a download. These could all be forms of cyber-attacks, as malicious actors try to obtain personal information or access your computer.
PLNU is often the subject of these types of attacks, most commonly Phishing, where you are urged to enter a password or other personal information to access a webpage.
“PLNU is being targeted with this type of attack daily,” said Ben Nixon via email, PLNU’s IT infrastructure and security architect. “These attacks continually increase in volume and sophistication.”
As the presence of mobile phones continually grows, they become an ever-increasing target for malicious programmers. In the past, Android users were able to download apps from the Google Play store without fear of letting in a piece of malware, but that isn’t the case anymore.[x_pullquote cite=”Dr. Benjamin Mood” type=”right”]“We call it a zero-day attack, because it’s never been seen before.”[/x_pullquote]
EnergyRescue’s hidden malware was exposed by Check Point Software Technologies, the self-described “worldwide leader in securing the Internet.” On January 24, they announced the threat it posed to Android users.
“The infected app steals contacts and SMS messages from the user’s device and asks for admin permissions,” Check Point’s report read. “If granted, the ransomware locks the device and displays a message demanding payment.”
This particular beast is Charger, a program of the ransomware family that highjacks a user’s device by exploiting a weakness in the software.
“Hackers are always finding new problems with applications,” says PLNU professor Dr. Benjamin Mood. “We call it a zero-day attack, because it’s never been seen before. Oftentimes the programs or the malware that hackers will create will use these zero-day attacks to gain access to your machine.”
Mood is a PLNU alumnus and faculty member who received his PhD in the field of Cybersecurity after studying at the University of Oregon and the University of Florida, where his research focused on secure multiparty computation.
Charger can actually do very little to disrupt the phone’s functions, until a user specifically allows it to make changes to the phone’s system.
“If you just installed the application it would do bad things, but if it didn’t have administrative privileges it couldn’t do very much,” says Mood. “But then the application would ask the user for administrative privilege. If the user gave the application those administrative privileges, then the application really does bad things.”
For Charger that involved selling personal information on the Deep Web, the hidden side of the internet where a black market for bank accounts, personal information and other illegal products and activities flourishes.
The number of ransomware attacks is on the rise, as a 2016 study by security firm Malwarebytes shows around two-fifths of all companies have experienced a ransomware attack. The FBI also estimated ransomware was a more than $850 million crime in 2016, a massive increase from the $24 million crime in 2015.
Charger is not alone, and its lookalikes continue to lurk in the cloud until a user clicks on a malicious link, or downloads a corrupt file. Once one latches onto a target it will worm its way through the code until it takes control of a system.
Mood jokes, “the safest computer is the one you don’t turn on.” While it’s an old joke reminiscent of the 1980’s film War Games, it points to a common weakness in computer systems.
Human error is often to blame when malware invades a system. In its 2016 Data Breach Incident Report, Verizon found 30% of all security incidents were caused by accident. These accidents include sending sensitive information to the wrong person, publishing the wrong document and even accidentally restricting a network’s firewall.
[x_pullquote cite=”Charger” type=”left”]“We collect and download all information about your social networks, Bank accounts, Credit Cards. We collect all data about your friends and family.”[/x_pullquote]While programs like antivirus software can help defend a user against malware, common sense can be the best line of defense.
“You don’t normally use your computer with your administrator account, and you don’t go to random links you’re not aware of, in either a private browser or a normal browser,” said Mood. “In order to do that, you’d have to search the Internet in a virtual machine which is basically a computer within a computer.”
Creating a virtual machine is a complex process, but a common tool used by researchers to study malware. However, the creators of malware are programming their malicious software in new ways, hoping to outsmart this computer within a computer.
“Sometimes the analysts studying these viruses, they can’t actually get the virus to work on virtual machines,” says Mood. “The virus makers have gotten smart enough to detect whether they are in a virtual machine and the virus just decides not to do anything, because it realizes it’s in a sandbox.”
As the battle between researchers and malware continues, society also is implementing technology in new ways. In a 2016 survey, the real estate firm Coldwell Banker found around 45% of Americans either own, or have invested in, smart-home technology.
For now, these devices seem to be safe from malicious programs largely because there isn’t a sizeable profit to be made from infecting them. The fastest growing market is ransomware. After all, what are you to do when you receive this note?
“You need to pay for us, otherwise we will sell portion of your personal information on black market every 30 minutes,” the message from Charger reads. “We collect and download all information about your social networks, Bank accounts, Credit Cards. We collect all data about your friends and family.”
While the app containing Charger has been removed from the Google Play store, its relatives continue to lurk in the cloud, waiting for their next unsuspecting victim.