There is no doubt that the new generation of ransomware appearing in the wild is more sophisticated and complex, and uses multiple techniques to avoid detection. Most of the ransomware families we have discussed on this portal use geolocation to customize their payloads and to target organizations and enterprises across the globe. Put simply, geolocation is the approximate physical location of an internet-connected device.
Fundamentally, geolocation estimates where a connection originates by looking up the system's IP address in multiple databases and repositories. These repositories and databases are maintained by Internet Service Providers (ISPs) and Traffic Detection Services (TDS), which record the places where an IP address has been used.
This geolocation data does not give the actual real-time address of a device connected to the internet, but it can usually place the device within 10 – 20 miles of its location. Cyber criminals and extortionists then use this information to direct ransomware at specific regions where they believe they can get the largest return.
Geolocation is also used to customize ransom messages for the intended target regions, and it is used by spear phishing campaigns across sectors and audiences. It helps cyber criminals narrow down regions and countries by multiple factors, in order to identify the potential victims who are most likely to agree to pay the ransom under threat.
Many malware campaigns take advantage of such victims, sometimes even by spoofing a legitimate coupon portal and using IP address geolocation to offer coupons for local stores, which from the victim's perspective looks genuine.
There have also been cases where cyber criminals host portals that mimic coupon organizer sites such as Couponizer – tools that help consumers organize their coupons. The criminals' innovation on these spoofed pages is to add content such as coupons for stores, shopping centers and restaurants close to where the victim lives.
Such geolocation-based content makes the portal look legitimate in the eyes of the victim. To achieve this precision the cyber criminals use IP address geolocation, which determines the location from the victim's IP address.
Once the IP address is received, it is queried against a database and the results are written into the web page. Here the geolocation feature adds appeal and apparent legitimacy for ordinary customers and potential victims: from the victim's point of view, the portal displays local content, which gives them the confidence to keep browsing.
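The lookup described above (an IP address matched against a prefix database, then used to pick "local" content for a page) is easy to see in a few lines. The following is an added example, not code from the original article or from any geolocation vendor; the CIDR table, the location values and the web-server log lines are all constructed for illustration, using documentation address ranges, and the function names are the example's own. It also shows the two caveats from the text: the answer is a prefix-level estimate, not the device's real address, and non-routable (private) addresses never resolve at all.

```python
import ipaddress
import re

# Constructed sample of a geolocation table (CIDR prefix -> approximate region).
# Real databases hold millions of rows; these prefixes are the RFC 5737 / RFC 3849
# documentation ranges and the locations are made up for the example.
GEO_TABLE = [
    ("203.0.113.0/24",   {"country": "US", "region": "California", "city": "San Jose"}),
    ("203.0.113.128/25", {"country": "US", "region": "California", "city": "San Francisco"}),
    ("198.51.100.0/24",  {"country": "DE", "region": "Bavaria", "city": "Munich"}),
    ("2001:db8::/32",    {"country": "FR", "region": "Ile-de-France", "city": "Paris"}),
]

# Addresses that never appear in a public geolocation database because they are
# not routed on the internet (loopback, link-local, RFC 1918, IPv6 ULA).
NON_ROUTABLE = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

def build_index(table):
    """Parse the CIDR strings once and order them most-specific first, so the
    first matching prefix is the longest one (longest-prefix match)."""
    nets = [(ipaddress.ip_network(cidr), info) for cidr, info in table]
    nets.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return nets

INDEX = build_index(GEO_TABLE)

def lookup(ip_str, index=INDEX):
    """Return the approximate location for an IP address, or None when the
    address is non-routable or simply absent from the table. The result is a
    prefix-level estimate, never the device's actual street address."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in NON_ROUTABLE):
        return None
    for net, info in index:
        if ip in net:  # an IPv4/IPv6 version mismatch simply evaluates to False
            return dict(info)
    return None

# Constructed web-server access-log lines; the client IP is the first field.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /coupons HTTP/1.1" 200 612
203.0.113.200 - - [10/Oct/2023:13:55:40 +0000] "GET /coupons HTTP/1.1" 200 612
198.51.100.77 - - [10/Oct/2023:13:56:02 +0000] "GET /coupons HTTP/1.1" 200 612
192.168.1.20 - - [10/Oct/2023:13:56:10 +0000] "GET /coupons HTTP/1.1" 200 612
"""

_LOG_RE = re.compile(r"^(\S+) ")

def annotate_log(text, index=INDEX):
    """Map each log line to (client_ip, city or 'unknown'), which is exactly the
    decision a web application makes when choosing 'local' content for a visitor."""
    rows = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        loc = lookup(m.group(1), index)
        rows.append((m.group(1), loc["city"] if loc else "unknown"))
    return rows

if __name__ == "__main__":
    for ip, city in annotate_log(SAMPLE_LOG):
        print(f"{ip:16} -> {city}")
```

Note that 203.0.113.200 resolves to the more specific /25 entry rather than the enclosing /24; that is why the index is sorted by prefix length. Real databases are far larger and are updated as address blocks are re-assigned, which is one reason the estimate can be off by tens of miles or, for mobile and VPN traffic, by a great deal more.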
Thus ransomware has begun using geolocation to customize language and content, including the ransom message that is displayed to the user. Cyber criminals have observed that it is generally easier to attract victims by writing messages in the language of the victim's region, both to move the victim further into the scheme and to get the ransom paid.
Some ransomware also checks the language settings on the victim's computer, in addition to using geolocation, so that the language of the message matches the victim as closely as possible.
Ransomware generally locks the victim's system until the ransom is paid to the extortionists. Many online ransomware threats include deceitful claims in which the extortionists present themselves with the look and feel of a local law enforcement agency and tell the victim that they have conducted illegal activities such as downloading copyrighted movies, games or music. Such schemes use geolocation to decide which law enforcement agency should appear in the ransom message.
To get infected, a victim usually has to trigger an action that downloads and executes the malware from one of the malicious links. Once infected, the damage can extend as far as the malware family allows: the system may be used to send spam to the contacts stored on it, or to download further malicious scripts that lead to data loss or identity theft.
Protection from such threats
Geolocation-aided ransomware is a new trend that is becoming an essential part of the cyber criminal's toolkit. It also shows that, no matter where you are, the fundamental data protection and privacy principles apply.
The following are some key principles that customers should follow, at a minimum, to avoid being hit by ransomware:
- Only provide details to an application if it gives a notice, at the time the information is collected, describing how personal information is processed and protected. Only provide personal information that is necessary, relevant and not excessive for the purpose it is to be used for. This notice should include:
  - information about the purposes for which it is collected and used, and
  - to whom it may be disclosed.
- Third-party applications and devices should be given only restricted access to personal information, and you should keep the ability to correct, amend or delete any personal information from the system and smart device.
- Take reasonable steps to verify that the information you share will be used only for the purpose for which it was provided.
- Identify the retention period, so that personal information is kept only as long as required to meet the purpose for which it was collected.
The following measures also help to protect against ransomware:
- Phishing Awareness: Phishing is the technique perpetrators use to trick victims into thinking they are dealing with a trusted portal or other entity. Customers face this threat from multiple directions – criminals may impersonate them to take advantage of other unsuspecting customers, or try to steal employees' details and online credentials. Customer awareness is one of the best defenses: never respond to incoming messages requesting private information. Consumers should avoid emails that might lead to bogus sites. Before acting on reminders or invitations to click suspicious links, or on prompts to upgrade applications or browsers, review the request and click only if it is genuinely required.
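"Review before clicking" can be partly automated. The following is an added example, not code from the original article: it parses the anchors in a message body and flags the traits a reader is told to watch for, such as visible link text that names one domain while the link goes to another, an IP-literal host, a punycode (xn--) host or a plain-http link. The HTML sample is constructed from documentation addresses and reserved test domains, and the function names are the example's own; it is a review aid for a mail gateway or a security-awareness tool, not a complete phishing detector.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # collapse whitespace inside the anchor text
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def _split(s):
    # Accept both full URLs and bare domains, as they appear in link text.
    return urlsplit(s if "://" in s else "//" + s)

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def assess_links(html):
    """Return [(href, text, reasons)] for every anchor; an empty reasons list
    means none of the checks fired."""
    collector = _LinkCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        reasons = []
        parts = _split(href)
        host = (parts.hostname or "").lower()
        if _is_ip(host):
            reasons.append("ip-literal host")
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode host")
        if parts.scheme == "http":
            reasons.append("plain http")
        # Visible text that looks like a domain or URL but points somewhere else.
        if "." in text and " " not in text:
            shown = (_split(text).hostname or "").lower()
            if shown and shown != host and not host.endswith("." + shown):
                reasons.append(f"text says {shown} but link goes to {host}")
        results.append((href, text, reasons))
    return results

def flagged_links(html):
    """Only the anchors that deserve a second look before clicking."""
    return [(href, reasons) for href, _, reasons in assess_links(html) if reasons]

# Constructed message body; hosts use reserved documentation/test names only.
SAMPLE_HTML = """
<p>Dear customer, <a href="https://login.example.com/reset">example.com</a> needs you to
<a href="http://203.0.113.9/update">update your browser</a>. See also
<a href="https://example.com.evil-login.test/verify">https://example.com/verify</a> and
<a href="https://xn--exmple-cua.test/">Secure portal</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in flagged_links(SAMPLE_HTML):
        print(href, "->", "; ".join(reasons))
```

The first link passes because `login.example.com` is a subdomain of the domain shown in the text; the third is the classic case where the real domain is `evil-login.test` and `example.com` is only a leading label. A genuine site can legitimately trip the punycode or plain-http checks, which is why the output is a list of reasons to review rather than a verdict.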
- Periodic Backups: Schedule periodic backups of important data and information. Back up critical data sources at least weekly and store the copies either on a separate hard disk or on a secure cloud platform. Backing up your data with a reliable provider is also useful.
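A backup is only useful against ransomware if it can actually be restored, so the copy should be verified, not just written. The following is an added example, not code from the original article or from any backup product: it archives a directory into a timestamped tar.gz, records a SHA-256 manifest beside it, and re-hashes the archive contents to confirm they match. The data directory is constructed inside a temporary folder, and the file names, manifest layout and function names are the example's own assumptions.

```python
import hashlib
import json
import shutil
import tarfile
import tempfile
import time
from pathlib import Path

CHUNK = 65536

def _sha256_stream(fobj):
    """Hash a readable binary stream in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fobj.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()

def create_backup(src_dir, dest_dir):
    """Archive src_dir into dest_dir/<name>-<UTC stamp>.tar.gz and write a JSON
    manifest of per-file SHA-256 hashes next to it. Returns (archive, manifest)."""
    src, dest = Path(src_dir), Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    archive = dest / f"{src.name}-{stamp}.tar.gz"
    hashes = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for path in sorted(src.rglob("*")):
            if path.is_file():
                rel = path.relative_to(src).as_posix()
                with open(path, "rb") as f:
                    hashes[rel] = _sha256_stream(f)
                tar.add(str(path), arcname=rel)
    manifest = archive.with_name(archive.name + ".manifest.json")
    manifest.write_text(json.dumps(hashes, indent=2, sort_keys=True))
    return archive, manifest

def verify_backup(archive, manifest):
    """Re-hash every file inside the archive (streamed, nothing is extracted to
    disk) and compare with the manifest. Returns (ok, sorted problem list)."""
    expected = json.loads(Path(manifest).read_text())
    problems, seen = [], set()
    with tarfile.open(str(archive), "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            seen.add(member.name)
            digest = _sha256_stream(tar.extractfile(member))
            if member.name not in expected:
                problems.append(f"extra: {member.name}")
            elif digest != expected[member.name]:
                problems.append(f"mismatch: {member.name}")
    problems += [f"missing: {name}" for name in expected if name not in seen]
    return (not problems, sorted(problems))

def demo():
    """Build a constructed data directory, back it up, verify it, then show that a
    manifest which no longer matches the archive is reported. Returns a summary."""
    tmp = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    try:
        src = tmp / "data"
        (src / "notes").mkdir(parents=True)
        (src / "a.txt").write_bytes(b"alpha")
        (src / "notes" / "b.txt").write_bytes(b"beta")
        (src / "notes" / "c.bin").write_bytes(bytes(range(256)))
        archive, manifest = create_backup(src, tmp / "backups")
        ok, problems = verify_backup(archive, manifest)
        # Simulate a manifest that disagrees with what the archive holds.
        tampered = json.loads(manifest.read_text())
        tampered["notes/b.txt"] = "0" * 64
        bad_manifest = tmp / "tampered.json"
        bad_manifest.write_text(json.dumps(tampered))
        ok2, problems2 = verify_backup(archive, bad_manifest)
        return {"verified": ok, "problems": problems, "file_count": len(tampered),
                "tampered_verified": ok2, "tampered_problems": problems2}
    finally:
        shutil.rmtree(tmp, ignore_errors=True)

if __name__ == "__main__":
    print(demo())
```

Run `create_backup` from a weekly cron job or scheduled task, then copy the archive and its manifest to the separate disk or cloud bucket, and run `verify_backup` against the copy at the destination rather than the original. Keeping the manifest with the offline copy means a later silent corruption or an encrypted archive is noticed before the backup is needed.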