The design of KeRanger demonstrates how attackers plan to make it even harder for victims of ransomware not to pay up.
Hackers seeking to hold computer users to ransom will increasingly adopt the ruse used by the Mac OS X malware KeRanger: targeting victims' backup files as well as their PCs.
For the past five years malware makers have been creating programs that will encrypt the hard drive of infected computers, rendering many files inaccessible. The attackers then demand payment, usually of around one Bitcoin (about $400), to decrypt the drive so users can get their files back. Where organisations are affected, criminals will often demand that a separate ransom be paid to unlock every encrypted device.
To avoid being held to ransom in this way, users are advised to create regular backups of their drives, which allow the original files to be restored. Backing up data is relatively easy today, thanks to the plethora of cloud-based services.
However, attackers are now crafting trojan software that encrypts not only the files stored on a PC but also local backups, and that in future could target copies stored in the cloud, warned Mikko Hypponen, chief research officer for online security company F-Secure.
One example of a backup-targeting trojan is the recently discovered Mac OS X ransomware called KeRanger. The malware deliberately encrypts files on the machine's drive. However, analysis of KeRanger also revealed work-in-progress code intended to scramble files backed up to attached storage via OS X's Time Machine service.
"The prime way for recovering from a ransomware attack is recovering your backups. If it encrypts backups, you can't retrieve the data. We have a technical term for ransomware trojans that go after backups. This is known as a dick move," Hypponen told the Cloud Security Expo in London yesterday.
This trend of targeting backups located on both local network-attached storage and even cloud backup services will increasingly be a feature of future ransomware, he said.
"We estimate that there will be ransomware like it in the future, that will try to locate your hardware and maybe your cloud storage to prevent you from recovering your data."
Hypponen advises backing up the backup, saying that he backs up to network-attached storage, which in turn is backed up to a removable hard drive.
Timothy Wallach, supervisory special agent with the FBI's cyber task force, also addressed the issue of how to protect against ransomware.
"The best prevention for ransomware is to have thorough backups that are off the network, as well as encrypting your own data. That way if the bad guys encrypt it with their ransomware you still have it," he told the conference.