Credit where credit is due: Ransomware is kind of brilliant.
From a defender’s perspective, it is perhaps the most difficult threat to deal with in the last five or 10 years. It locks up your data, makes it inaccessible and unrecoverable (without backups), and presents you with, at most, two options: don’t pay the ransom and lose all your stuff, or pay the ransom and potentially still lose all your stuff. It’s the computing equivalent of being forced to choose between Bud Light and Stella Artois. Neither is appealing, but one will cost you a lot more than the other.
Preventing the installation of ransomware is at once a deceptively simple and maddeningly difficult task. Ransomware authors use the same phishing and drive-by download techniques that we’ve been trying to get users to ignore for something on the order of 15 years now. Granted, some of the lures are a bit more advanced than the first or second generation of phishing emails, but not by much. They’re still enticing users with promises of money or free stuff or some variation on the “Hi, your boss wants you to open this shady XLS file” scam. The tactics are old, as are the goals of the attackers, but they are still incredibly effective.
User education has been put forward as the most likely tool for defeating ransomware on a grand scale, and it certainly has a lot of potential benefits. Security teams tend to think of education and awareness as a one-time thing: We have made you aware of these threats, now please avoid them. But threats, like user behavior, evolve over time, and a user who is confronted with an email that looks exactly like one from his CEO is likely to follow the instructions in that email rather than refer back to an online course he clicked through in four minutes when he was hired six months earlier. The fear of being ripped by an executive in front of your colleagues often supersedes the fear of clicking a questionable link or attachment. One is tangible, visceral. The other is abstract and fuzzy.
Defending against fuzzy threats is no fun. Just ask Microsoft.
From the other side of the lens, though, ransomware looks like it may just be the biggest thing since, well, forever. Most malware is pretty dumb, both in its design and its intent. Malware authors traditionally have designed their creations to cause users and security teams problems by disrupting network operations, wrecking endpoints, or some combination of the two. Lately, they’ve added data theft as the top priority in many cases. But none of those outcomes is guaranteed to make the attacker any money. Unless someone is paying an attacker to disrupt or lock down a specific network, or steal data from a specific target, it’s up to the bad guy to monetize his work. It’s like writing a spec script for Game of Thrones and hoping that somehow the producers will take note and send you a ticket to Dubrovnik.
Ransomware presents an elegant solution to this problem. The monetization model is built right into the malware. It requires little, if any, help from outside sources and once an attacker has a working ransomware sample, he can generate cash indefinitely. As long as there are gullible users to target, the money will pour in. And there are no signs of the pool of victims drying up.
Ransomware is the market correction for traditional malware. It is the highest evolutionary stage we have seen thus far, combining malicious intent, broad distribution capabilities, and a native revenue model. We have done a poor job so far responding to this threat and the attackers are evolving and improving their capabilities at a frightening rate. There’s no reason to think they will slow down anytime soon, so it’s up to the security community not just to keep pace but to pull in front and address the problem now.
The problem is a multi-faceted one to be sure, and it requires technical, as well as social, answers. Nearly all of the successful ransomware variants require payment in Bitcoin, making it even more difficult than usual for law enforcement agencies and security researchers to track down the crews writing and deploying the malware. These crews increasingly use money-laundering services that will break the public connection between the victim sending the payment and the criminal receiving it. Solving that portion of the problem would go a long way toward disrupting the ecosystem that these groups have built so carefully.
Until then the refrain will continue to repeat: Hackers hack, users click, and money flows.