Talking ransomware and the rise of exploit kits with AVG Technologies
Tim Compston, Features Editor at Security News Desk, sits down with Tony Anscombe, VP of Product Compliance and the Senior Security Evangelist for AVG Technologies, to discuss his role, the rise of exploit kits and ransomware attacks, and other emerging trends which are causing ripples in the cybersecurity world.
When meeting Tony Anscombe – who has nearly three decades of experience in the IT world – for the first time, our conversation soon turns to what it means to be a ‘Senior Security Evangelist’ for a global cybersecurity vendor like AVG. Anscombe’s enthusiasm for his work is certainly evident from the start: “I believe that I have one of the best jobs in the company. We have a research lab that looks at active malware 24/7 around the globe and I spend a lot of time working with them, looking at trends, and what’s happening in the market,” he says.
Anscombe adds that a second string to his bow is the outreach he undertakes within the industry: “This week I had a couple of meetings out here in the Bay Area, one hosted by Google about security in Chrome and about unwanted software, and Google have just invited me to be on one of their panels for that.” He says that discussion with the industry is not just centred on malware or malicious software but also what, ultimately, is good for the consumer: “With consumer choice it is important to make sure that offers are presented to consumers in the right way and people aren’t ending up with machines full of junk, for want of a better word.”
Asked for his opinion on the cybersecurity issues he is already seeing and, crucially, what is on the horizon for the year ahead, Anscombe reckons ransomware – malicious software designed to block access to a computer system until a sum of money is paid – is high on the agenda: “Well one of our concerns in a piece we wrote recently about ransomware was the shift from it using standard vulnerabilities to moving to exploit kits. Exploit kits, because they are widely used, have a much larger distribution so we might see a lot more people getting ransomware on their machines. That was really our big concern around that.”
According to Anscombe, exploit kits, which are becoming more of a factor with ransomware, are essentially software packages that are available for sale and are then used by unscrupulous operators to readily create malware that can perform a wide variety of malicious functions. Such malware can, for instance, be installed on hacked web servers and then go on to attack the machines of visitors to specific websites without their knowledge.
Illustrating the new dynamics associated with ransomware, the exploit kit Angler, which Anscombe says has been a known Internet threat since 2013, is now being employed as a vehicle to distribute ransomware, with the sole intent of installing ransomware on a victim’s machine. He adds that AVG’s own Web Threats team is now tracking the resulting ransomware attacks by the Angler crime-ware exploit kit and that, in fact, TeslaCrypt is the most common type of ransomware installation currently associated with Angler.
The frustration of those finding themselves in ransomware’s firing line is summed up in the headline of Anscombe’s recently published commentary piece on the subject: ‘Ransomware criminals should be ‘shot at sunrise’’. The provocative title of the piece was in fact a reference to the opinion of a US politician – Michael C. Burgess, a representative for Texas – who used the expression when venting his anger at the cybercriminals who distribute ransomware which victimises consumers and businesses alike.
A criminal business
Returning to our interview, Anscombe is quick to flag up the economics at play behind ransomware. He stresses that the ‘criminal’ businesses creating this type of malware are well funded, resulting in what is essentially an arms race between the attackers and the protectors: “They [the criminals] are earning money from it, they are well resourced because there are many people willing to work on that dark side thanks to the money and, to a certain degree, it is a game of having to keep up with the techniques they use so that we can protect our customers in the right way.”
Anscombe admits that today’s malware writers are ‘really very clever’: “They will obfuscate [the malware], they will continually change it. We are seeing it move to using exploit kits as the delivery mechanism. Now that is really, really, interesting because with exploit kits if you or I were so inclined we could actually go off and purchase one, which just sounds wrong, but not only could we purchase the exploit kit we could actually get a support contract on it. So that when people like us – AVG – start detecting it, what would happen is you would then go back to them and say it is being detected and they would obfuscate it, modify it slightly, and you would have another go.”
Anscombe explains that when a ransomware installation like TeslaCrypt strikes, the usual modus operandi is for the user’s files to be encrypted, including those on writeable network shares, after which the user is presented with messages extorting payment for the recovery of the encrypted data. He cautions that paying the ransom to unlock files does not, typically, result in the recovery of those files.
Anscombe feels that ransomware really fits into a broader picture where, over a number of years, threats have become more targeted and the intention of the threat is monetisation: “That is kind of the interesting part and that is why ransomware is particularly grabbing the attention of both the media and the security industry because, of course, it has a level of direct monetising mechanisms built into it as well.”
He goes on to reflect on another threat that had to be addressed in the mobile field: “If you go back two years in mobile you saw malware that was infecting Android phones and sending premium rate SMS in the background and the user never knew. Obviously ransomware is completely different because you definitely know that you have the infection. That is the difference in the platforms: a mobile device has a direct monetisation mechanism, i.e. through carrier billing, whereas with a PC it is not as easy to actually extract the cash from you so it has to involve you in some way.”
Continuing with his point that there is much more targeting going on with criminal cyber activity today, including with ransomware, Anscombe says: “When we see something on a website today, say somebody comes along and infects website A they will continually move the malware around but, at the same time, they will target people, certainly with ransomware, in countries where there is the propensity to pay. They are not going to go out and try to infect machines in a third world country where even the idea of paying isn’t there. It is geographically targeted and is certainly run as a business in a lot of instances.”
From vulnerability to exploit
So what can be done to address the ransomware problem? Anscombe feels it is important to break things down into two parts, the vulnerability and the exploit: “Obviously making sure and promoting the fact that users need to patch their machines, get rid of vulnerabilities, is a big education piece which obviously we [AVG] actively promote. Then you have got seeing the exploit when something tries to deliver it. A bit of malicious code will look at a vulnerability and then try to deliver an exploit through that vulnerability.” He points out that what is critical here is to actually detect the payload – the exploit – as it happens, as opposed to once it is already running: “If it runs and you detect it as a service the probability is that it has already encrypted some files. So the challenge is to make sure that you actually see it.”
A layered response
To cope with the changing dynamics of the cybercrime wave, Anscombe says that anti-virus software now has to deploy a layered approach rather than just working from signatures: “You have heuristics, you have behavioural analysis, so we don’t just look: ‘Oh there is this file, is this file bad?’, we look at the file and the intent of the file, what the file might do on the machine. We unpick the file in real time. Potentially we may run it in some type of emulation mode.”
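The behavioural layer Anscombe describes looks at what a file or process does rather than whether its bytes match a signature. As an added illustration (not AVG’s code or anything from the interview), the following Python sketch applies one such heuristic to a constructed stream of file-write events: a process that rewrites many distinct files with encrypted-looking (high-entropy) content inside a short window is flagged, while an ordinary editor saving plain-text documents is not. The event tuples, process names and share paths are all made up for the example; a real sensor would feed them from a filesystem filter driver or audit log.

```python
import math
import random
from collections import Counter, defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; encrypted or compressed output sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def flag_ransomware_like(events, window=10.0, min_files=20, entropy_min=7.0):
    """
    events: iterable of (timestamp_seconds, process_name, path, written_bytes).
    A process is flagged when, within any `window` seconds, it writes
    encrypted-looking content to at least `min_files` distinct files.
    Returns the set of flagged process names.
    """
    high_writes = defaultdict(list)   # process -> timestamps of high-entropy writes
    seen_paths = defaultdict(set)     # process -> paths already counted
    for ts, proc, path, data in events:
        if shannon_entropy(data) >= entropy_min and path not in seen_paths[proc]:
            seen_paths[proc].add(path)
            high_writes[proc].append(ts)
    flagged = set()
    for proc, stamps in high_writes.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):        # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= min_files:
                flagged.add(proc)
                break
    return flagged

def sample_events():
    """Constructed event stream: one benign editor, one mass-encrypting process."""
    rng = random.Random(1)  # deterministic stand-in for ciphertext
    events = []
    for i in range(5):      # a word processor saving plain text every 12 seconds
        events.append((i * 12.0, "winword.exe", f"\\\\share\\docs\\memo{i}.docx",
                       b"quarterly report text " * 40))
    for i in range(30):     # 30 spreadsheets on a writeable share overwritten in 3 seconds
        blob = bytes(rng.getrandbits(8) for _ in range(1024))
        events.append((100.0 + i * 0.1, "encryptor.exe", f"\\\\share\\docs\\file{i}.xlsx", blob))
    return events

if __name__ == "__main__":
    print(flag_ransomware_like(sample_events()))   # {'encryptor.exe'}
```

Entropy alone would also trip on legitimate compression or backup tools, which is why a real product combines it with process reputation, the cloud lookups described next, and other behavioural signals before blocking.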
He goes on to explain that the sharing of threat data, as part of a cloud system, is now an indispensable tool in the cybersecurity armoury: “When you install our software it asks if you are happy to share threat data anonymously. If your machine sees something suspicious it will share it back into the cloud anonymously and we will see it. We will actually do further analysis of it in the cloud – which is beyond the resources of your machine – and, if necessary, it will end up on a physical researcher’s desk to analyse it as well. If there is something different then, ultimately, it is shared out to the rest of the community,” concludes Anscombe.