The evolution of ransomware
To understand the impact of ransomware on businesses worldwide, you have to know about its initial development and emergence and its projected evolution.
Ransomware is nothing more than simple extortion. It’s all about obtaining something, usually money, through threats. In the case of ransomware, all your information (files, pictures, data, blueprints, etc.) is encrypted and you cannot access it again unless you pay the ransom.
I will never forget the dread I felt the first time I saw a ransomware infection. In front of me was the simplest and most ingenious threat I had encountered in 20 years of working in IT. This was a perfect crime. The money was to be transferred using non-traceable bitcoins in exchange for the encryption key. It was April 2014, and at the time we had some sophisticated backup systems in place to defend against ordinary virus attacks and equipment failure. We were able to restore the files, negate the ransom attack, and get back in business at minimal cost. It led to a couple of hours of downtime at most. We had dodged a bullet this time.
Basically, your run-of-the-mill mugger has graduated from stalking you at the ATM with a knife. They are now stealing your money by holding your information for ransom while hiding in some far-off country.
Since then, it’s been a never-ending series of attack, countermeasure, and attack. The vectors had become sophisticated, but they were still un-targeted “throw everything at the wall and see what sticks” attacks. You would see the usual tactics like emails with bad attachments or bad websites. We used the defensive strategy: protect as best you can while paying very close attention to your backups.
Eventually, what began as a single hacker trying to monetize their knowledge morphed into a fully fledged ransomware gold rush by organized crime. The returns were too good to ignore. According to MIT, CryptoWall demanded payments up to $1,400 and made over $2 million.
By 2015, we had become pretty good at defending against infections via email and web, and very good at backups. But the criminals were starting to up their game. A small but very successful law firm I worked with was hacked through an undiscovered back door. First the attackers deleted the backups, and only then did they encrypt the data. The unique part of this attack was that the attackers knew who they were targeting and left a personalized message: your data is worth not two bitcoins but 200. Off-site backups were able to save the day, but this time the downtime was days instead of hours.
Around the same time, a hospital hack and $17,000 ransom payment in California was big news. Cybercriminals had discovered how to leverage industry characteristics and an individual company’s information.
Currently, hackers are no longer satisfied with a broad-reach approach. They are now identifying small companies with resources, breaching their systems, destroying their backups, and then extorting them for as much as they think they can get.
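The sequence described above (destroy the backups first, then encrypt) is something a defender can watch for. The following is an added example, not code from the original article: a small detector that reads constructed event-log lines and flags any host where a burst of file renames follows a backup-deletion event within a short window. The log format, field names and event names are assumptions made for the illustration.

```python
"""Added example: flag hosts where backup destruction is followed by a burst
of encryption-like file activity. Log lines are constructed for illustration
and the "timestamp|host|event|detail" format is an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. fs01 shows the backup-then-encrypt pattern;
# ws07 is a normal rename; fs02 is a routine retention deletion with no follow-up.
SAMPLE_LOG = """\
2015-06-01T02:10:00|fs01|backup_deleted|nightly-set-A
2015-06-01T02:11:30|fs01|backup_deleted|nightly-set-B
2015-06-01T02:15:00|fs01|file_renamed|contracts.docx->contracts.docx.locked
2015-06-01T02:15:02|fs01|file_renamed|briefs.pdf->briefs.pdf.locked
2015-06-01T02:15:05|fs01|file_renamed|clients.xlsx->clients.xlsx.locked
2015-06-01T09:00:00|ws07|file_renamed|draft.txt->final.txt
2015-06-01T23:00:00|fs02|backup_deleted|old-set-retention
"""


def parse_events(text):
    """Parse log lines into (timestamp, host, event, detail) tuples."""
    events = []
    for line in text.splitlines():
        ts, host, event, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, event, detail))
    return events


def find_backup_then_encrypt(events, window=timedelta(minutes=30), min_renames=3):
    """Return {host: time of the triggering backup_deleted event} for hosts where
    at least `min_renames` file_renamed events occur within `window` after a
    backup deletion. Mass renames stand in for the encryption burst."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[1]].append(ev)
    flagged = {}
    for host, evs in by_host.items():
        evs.sort()  # chronological order within the host
        for ts, _, event, _ in evs:
            if event != "backup_deleted":
                continue
            renames = [e for e in evs
                       if e[2] == "file_renamed" and ts <= e[0] <= ts + window]
            if len(renames) >= min_renames:
                flagged[host] = ts
                break  # report the earliest triggering deletion only
    return flagged


if __name__ == "__main__":
    for host, when in find_backup_then_encrypt(parse_events(SAMPLE_LOG)).items():
        print(f"{host}: backups deleted at {when.isoformat()} followed by mass renames")
```

Tuning the window and rename threshold to the environment matters: a single routine retention job (fs02 above) should not fire, while the paired deletion-plus-burst on one host should.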
Where does it go from here?
The methods of infection are becoming much more sophisticated. Social engineering attacks in conjunction with targeted hacking attempts are being used to break into individual companies’ systems. Hackers are starting to mix traditional worm malware with ransomware. Remember the “I Love You” virus? Combine that with CryptoLocker and you get the idea.
On the protection side, we’ve had to change how we do backups and how we prevent lateral movement by hackers once they are inside our systems. Quite frankly, we have been able to avoid paying the ransom most of the time. Protecting against the initial breach is much harder. The cost involved is the real problem: protection and mitigation cost a lot of money that no one had really budgeted for before. The loss of productivity must be in the billions of dollars.
The future is going to go one of two ways:
We could keep doing the “protect, breach, hack, protect” dance and, over time, adjust our products and services to reflect the increases in cost. This could mean no longer using the internet the way we have become accustomed to.
Or, we come to a collective realization that this entire issue is at its heart nothing less than terrorism and address it with the same level of intensity. What else would you call players outside the US that spend their time extorting US citizens, damaging business systems and destroying value in the form of downtime and productivity?