The 1996 movie Jerry Maguire popularized the catchphrase “Show me the money!” Skip ahead two decades and ransomware authors are shouting a virtual “Show me the Bitcoin!” While I won’t be shouting that, I will be giving a presentation on the topic, “Dealing with Cyberextortion, Ransomware, and Other Bad Stuff,” at InfoSec World 2017 in April.
What is ransomware?
What is this thing called “ransomware”? It’s a type of malware that holds a victim's data hostage until some form of currency—ransom—is paid to the criminal. Ransomware is on the rise, primarily because of the ease with which cybercriminals have found a new and profitable venue, often via RaaS (Ransomware-as-a-Service). RaaS allows ransomware to be conveniently delivered, primarily through phishing attacks, and combined with the fact that it often runs undetected by anti-virus software, it’s an attack type that works.
The effects of ransomware have been devastating to organizations: hospitals locked out of patient data, police departments that have lost years’ worth of evidence, companies that paid the ransom yet never received the key to decrypt their data, and much more.
While ransomware has been around since 2009, it was only in 2015 that it turned into a serious information security issue about which every firm needs to be concerned. One of the forces propelling ransomware into such a menace of late is the rise of cryptocurrencies like Bitcoin. When a perpetrator uses traditional money transfer methods such as PayPal or Western Union, a clear digital trail is left in the wake, providing authorities the information they need to track down and possibly apprehend the criminal. Though common belief is that Bitcoin is a fully anonymizing protocol, this is only partially true; a skilled investigator can use various tactics to determine who conducted a specific transaction. Nonetheless, Bitcoin is a compelling force behind the increase in ransomware attacks—paired with the unfortunate fact that ransomware is effective: It’s easy to deploy, and many organizations are unprepared to deal with the after-effects of an attack.
Why does it work?
Many successful computer attacks take advantage of rampant software vulnerabilities, be they buffer overflows, cross-site scripting, or the like. With ransomware, the main vulnerability exploited is the victim company’s lack of a comprehensive data backup plan.
Before the criminal gets to the sensitive data that will be stolen, encrypted, and leveraged for a monetary payout, though, he or she must first exploit other vulnerabilities. Commonly, an attacker finds his or her way into an organization’s systems either through a drive-by infection (e.g., a user visiting a malicious website) or by tricking a user into opening a malware-infected email. Once that initial foothold is established, the attacker moves on to lock the victim’s data. The victim then has a choice: pay the ransom and hope to receive the key to unlock the data, or refuse to pay, reimage the device, and restore data or systems from backup copies.
Firms that maintain good backup plans and processes can simply isolate the infected device and ignore the infection. Firms that don’t keep good backups, on the other hand, have severely limited options.
Avoidance or mitigation
There’s a lot a firm can do to ensure it doesn’t become a ransomware victim. Two of the most valuable tactics include managing an effective end-user awareness program and ensuring a comprehensive and tested data backup program is in place at all times. Awareness programs are important because, most often, ransomware will enter an organization via an end user’s device—his or her laptop, desktop, or smartphone. If users are aware of the potential for problems and on the lookout for suspicious activity, they can help stop some of the instances of infection from ransomware or any other type of malware aimed at exploiting human nature.
The second tactic—having adequate and up-to-date backups—is arguably more important because doing so allows the company to recover with minimal disruption and cost regardless of outside forces or unintended accidents.
In addition, unbeknownst to some, a new type of software might be able to help stop some ransomware variants and should be explored as a third tactic.
What to expect
The question of whether or not to pay the ransom weighs heavily on organizations’ minds, and we will discuss both sides of the issue during InfoSec World. In short, however, the problem with a decision to pay is that the attackers are not members of the Better Business Bureau or other countries’ equivalents. Just because a criminal receives his ransom, the victim won’t necessarily receive the decryption key to unlock its data. Yet the attacker always wins.
Even if governments create regulations that allow for prosecution of ransomware creators, the combination of an open internet with anonymous currencies means that the threat of ransomware will not be going away anytime soon. The industry needs to face reality head on and understand that every organization needs to put plans and controls in place to ensure they are not victims of such attacks.
About the author: Ben Rothke is a Senior eGRC Consultant at The Nettitude Group. He has over 15 years of industry experience in information systems security and privacy. His areas of expertise are in risk management and mitigation, cloud security, design and implementation of systems security, encryption, cryptography, and security policy development. Rothke is a member of the InfoSec World 2017 Advisory Board, repeat speaker, and will be presenting “Dealing with Cyberextortion, Ransomware, and Other Bad Stuff” on April 5th.