How to protect mobile devices in the golden age of ransomware
The ransomware threat and its impact on critical infrastructure have dominated cybersecurity news since the pandemic began. In 2020 alone, ransomware affected more than one third of global health organizations. These attacks are becoming increasingly sophisticated, making it difficult for the public and private sectors, as well as individuals, to defend themselves.
As these attacks continue to succeed, more threat groups are entering the market. They either run their own campaigns or offer Ransomware as a Service (RaaS) to capitalize on the opportunity. The FBI’s Internet Crime Complaint Center (IC3) has reported an increasing “professionalization” of ransomware as more threat actors adopt the RaaS business model and outsource their campaigns.
The European Union Agency for Cybersecurity (ENISA) has described the last two years as “the golden era of ransomware.” In my work as a threat intelligence researcher focused predominantly on mobile threats, I can attest to the spike. Over the past two years, we’ve seen a significant increase in the number of RaaS offerings sold online and in the sophistication of mobile ransomware families.
Now they are targeting mobile devices
For most of its history, ransomware was considered mainly a threat to desktop computers. Lookout has been tracking mobile ransomware for several years, but many of the early families, such as Android.Locker.38, were crudely designed: they could be removed by restarting the infected device and uninstalling the malicious app.
While some families did encrypt the device’s file system (e.g. Simplocker, discovered by ESET in 2014), most of the ransomware Lookout’s researchers encountered simply displayed a ransom message that the user could not dismiss. These families abused an Android permission called SYSTEM_ALERT_WINDOW, which lets an app draw over other apps and is meant for system-level apps to display important notifications to the user. To stop this abuse by malware authors, Google restricted access to it in 2020 for apps running Android 10 and above.
Around that time, Microsoft released an advisory on MalLocker, a sophisticated Android ransomware family that bypassed the restriction by abusing the notification shown when the user receives a phone call. Because the device gives incoming calls priority, the malware hijacks this mechanism to display its ransom note on top of whatever app is in the foreground. The attackers combined this with an override of the Activity callback onUserLeaveHint(), which the operating system invokes when the user tries to dismiss the app or move it to the background, so that the note is redisplayed every time the user tries to leave it.
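The traits described above (the overlay permission, the full-screen call-style notification, re-raising the lock screen from onUserLeaveHint(), surviving a reboot) are all visible in an APK’s manifest and decompiled source before the sample is ever run. The script below is an added triage example, not tooling from Lookout or Microsoft: it assumes the binary AndroidManifest.xml has already been decoded to text (for example with apktool) and that decompiled Java or smali is available as plain strings. The sample manifest and source snippet are constructed for the example; the permission names, the android XML namespace and the onUserLeaveHint() callback are real Android identifiers.

```python
"""Heuristic triage of a decoded AndroidManifest.xml (plus optional decompiled
source) for the Android screen-locker traits described above.
Added example; the manifest and source snippet below are constructed."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the locker families above rely on. None is malicious on its own;
# an app that asks for several of them together is what makes a sample worth reading.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps (overlay ransom note)",
    "android.permission.USE_FULL_SCREEN_INTENT": "can raise call-style full-screen notifications",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can restart itself after a reboot (persistence)",
}

# Any override of Activity.onUserLeaveHint() deserves a look: a locker uses it to
# re-launch its ransom screen whenever the user presses Home or Back.
USER_LEAVE_HINT_RE = re.compile(r"\bonUserLeaveHint\s*\(")


def manifest_findings(manifest_xml: str) -> List[str]:
    """Return human-readable findings for a decoded (text) manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    findings = [f"{perm}: {why}" for perm, why in RISKY_PERMISSIONS.items() if perm in requested]
    for act in root.iter("activity"):
        # Lockers often hide from the recents screen so the user cannot swipe them away.
        if act.get(ANDROID_NS + "excludeFromRecents") == "true":
            findings.append(f"activity {act.get(ANDROID_NS + 'name')} is excluded from recents")
    return findings


def overrides_user_leave_hint(source: str) -> bool:
    """True if decompiled Java/Kotlin source (or smali) defines onUserLeaveHint."""
    return USER_LEAVE_HINT_RE.search(source) is not None


def triage(manifest_xml: str, sources: Dict[str, str]) -> List[str]:
    """Combine manifest findings with per-file source findings."""
    findings = manifest_findings(manifest_xml)
    for name, src in sources.items():
        if overrides_user_leave_hint(src):
            findings.append(f"{name} overrides onUserLeaveHint (may re-raise the lock screen)")
    return findings


def verdict(findings: List[str]) -> str:
    """Simple threshold: three or more locker traits in one app is worth escalating."""
    return "suspicious: screen-locker traits" if len(findings) >= 3 else "no strong locker traits"


# Constructed sample: what a decoded manifest of a locker might look like.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.locker">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.USE_FULL_SCREEN_INTENT"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Video Player">
    <activity android:name=".LockActivity" android:excludeFromRecents="true"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed decompiled snippet showing the re-raise pattern the advisory describes.
SAMPLE_SOURCES = {
    "LockActivity.java": """
    @Override
    protected void onUserLeaveHint() {
        super.onUserLeaveHint();
        startActivity(new Intent(this, LockActivity.class));  // bring the note back
    }
    """,
}

if __name__ == "__main__":
    found = triage(SAMPLE_MANIFEST, SAMPLE_SOURCES)
    for item in found:
        print("-", item)
    print(verdict(found))
```

On the constructed sample this reports the three permissions, the hidden activity and the onUserLeaveHint() override and returns the “suspicious” verdict; a manifest that asks only for INTERNET produces no findings. The regex will also match legitimate apps that override the callback for benign reasons, so treat a hit as a pointer to the method body, not a verdict on its own.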
Ransomware has become a cheap service
While searching for new campaigns, I came across a staggering number of RaaS offerings for sale online. Many are bundled with installation and maintenance services to attract non-technical customers, and some packages cost only a few hundred US dollars.
At Lookout, we saw a more than 200% increase in mobile ransomware detections between Q1 2020, before the COVID-19 shutdowns began, and Q2 2020. Although detections have decreased in recent quarters, the numbers remain higher than before the pandemic.
How to protect users from ransomware
If there’s any upside to this “golden era” of ransomware, it’s that users are becoming more aware of the risks and of how their mobile devices can be compromised. Here are some tips on dealing with a compromised device and on proactively protecting user devices:
- Always install the latest security patches and operating system updates for devices as soon as they become available.
- If a device becomes compromised, try restarting it to see whether the ransom message still appears and whether files are still accessible. Older mobile ransomware families often neither encrypted the device’s file system nor persisted across reboots.
- If restarting the device does not remove the ransom note or the suspected malware, boot the device in Safe Mode, which disables third-party apps so the malicious one can be uninstalled, or perform a factory reset.
- Consider using a mobile antivirus application to detect known mobile malware families and block their installation from malicious websites.
- Install apps only from official app stores, such as Google Play or the Apple App Store.
- For Android users, prevent apps from installing other apps by revoking access in your device settings under “Install unknown apps”.
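The two Android settings in the tips above, “Display over other apps” and “Install unknown apps”, are per-app grants that a responder can audit and revoke from a workstation over USB debugging rather than by tapping through each app’s settings page. The script below is an added example, not a Lookout tool: it drives `adb shell pm list packages -3` and `adb shell appops get <package>`, both real commands, and the parsing assumes the `OP_NAME: mode; time=...` output format that current devices print (the sample output is constructed). The app-op names behind the two settings, SYSTEM_ALERT_WINDOW and REQUEST_INSTALL_PACKAGES, are real.

```python
"""Audit the third-party apps on an attached Android device for the two grants
the tips above say to revoke, and build the adb command that revokes them.
Added example; the sample adb output below is constructed."""
import subprocess
from typing import Callable, Dict, List

# App-op names behind "Display over other apps" and "Install unknown apps".
RISKY_OPS = {
    "SYSTEM_ALERT_WINDOW": "can draw over other apps",
    "REQUEST_INSTALL_PACKAGES": "can install apps from unknown sources",
}


def parse_package_list(output: str) -> List[str]:
    """Parse `pm list packages -3` output, one 'package:com.foo' per line."""
    return [line.split(":", 1)[1].strip()
            for line in output.splitlines() if line.startswith("package:")]


def parse_appops(output: str) -> Dict[str, str]:
    """Parse `appops get <pkg>` output into {op_name: mode}.

    Assumed line format: 'SYSTEM_ALERT_WINDOW: allow; time=+2d3h ago'.
    A package with nothing recorded prints 'No operations.' (no colon, skipped)."""
    ops: Dict[str, str] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        op, rest = line.split(":", 1)
        ops[op.strip()] = rest.strip().split(";", 1)[0].strip()
    return ops


def risky_grants(ops: Dict[str, str]) -> List[str]:
    """Ops from RISKY_OPS that are currently allowed for the package."""
    return [op for op in RISKY_OPS if ops.get(op) == "allow"]


def audit(packages_output: str, appops_for: Callable[[str], str]) -> Dict[str, List[str]]:
    """Map each third-party package to the risky ops it holds.

    appops_for(pkg) returns the raw `appops get` text, so the same logic runs
    against a live device or against captured output."""
    report: Dict[str, List[str]] = {}
    for pkg in parse_package_list(packages_output):
        grants = risky_grants(parse_appops(appops_for(pkg)))
        if grants:
            report[pkg] = grants
    return report


def revoke_command(pkg: str, op: str) -> List[str]:
    """The adb invocation that flips one grant back to deny."""
    return ["adb", "shell", "appops", "set", pkg, op, "deny"]


def adb_shell(*args: str) -> str:
    """Run a command on the attached device (requires USB debugging enabled)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


def audit_device() -> Dict[str, List[str]]:
    """Live audit of the attached device."""
    return audit(adb_shell("pm", "list", "packages", "-3"),
                 lambda pkg: adb_shell("appops", "get", pkg))


# Constructed sample output, shaped like what a device prints.
SAMPLE_PACKAGES = "package:com.example.player\npackage:com.example.notes\n"
SAMPLE_APPOPS = {
    "com.example.player": ("SYSTEM_ALERT_WINDOW: allow; time=+2d3h12m1s ago\n"
                           "REQUEST_INSTALL_PACKAGES: allow; time=+5h ago\n"),
    "com.example.notes": "No operations.\n",
}

if __name__ == "__main__":
    # Swap SAMPLE_PACKAGES / SAMPLE_APPOPS.get for audit_device() on a real device.
    for pkg, grants in audit(SAMPLE_PACKAGES, SAMPLE_APPOPS.get).items():
        for op in grants:
            print(f"{pkg}: {RISKY_OPS[op]}  ->  {' '.join(revoke_command(pkg, op))}")
```

On the sample, only com.example.player is reported, holding both grants, and the printed `appops set ... deny` commands are what you would run to revoke them. Revoking REQUEST_INSTALL_PACKAGES for an app is the same thing the “Install unknown apps” settings page does; revoking SYSTEM_ALERT_WINDOW removes an overlay locker’s ability to draw over other apps but does not uninstall it, so follow up with the Safe Mode or factory reset steps above.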
While overworked security teams may not yet have dedicated mobile staff, it is high time to take these simple steps and educate employees about mobile security. Before the pandemic, this was a “nice to have”. About two years later, with more mobile devices on corporate networks and work-from-home policies in place, companies can no longer ignore mobile security.
Kristina Balaam, Personal Security Intelligence Engineer, Lookout