Ransomware (or, more accurately, cybercrime) is a well-oiled, well-funded industry. I recently joined Michael Haag and Ben Johnson on a webinar to take a deep dive into the ransomware epidemic, discussing its origins, inner workings, and practical prevention techniques and tools. One of the top questions we received from attendees was “What can organizations expect in the future?” With changes in commoditization and further availability of resources (more programmers, more exploits, and more attack surface), the industry is poised for an explosion. That’s right: I am predicting that we are only seeing the tip of the iceberg.
Watch the on-demand webinar: The Ransomware Epidemic: an End-to-End Look at the #1 Cyber Threat
Crime-as-a-Service: Behind the Business Operations
My prediction isn’t wild speculation or hyperbole from someone in security; it is based on the same research I did to build my own ransomware campaign. To be clear, I built a ransomware operation for research. I wanted to understand exactly what was involved to see if I could get to the deeper question: the “why.” I have worked in and around security my entire life, and throughout my career I’ve never really been that interested in the technical aspects of hacking (the “how”), nor in the target (the “what”). My driving force has always been the “why.”
I wanted to know what caused so many programmers—talented ones—and other computer professionals to continue to innovate and expand this criminal activity. Having a healthy understanding of motivation and method is as important in combating this growing industry as understanding attack vectors or technical details. So I started to dig into the criminal black market online. It quickly became apparent that ransomware is not going away anytime soon. In fact, all signs indicate exponential innovation and infrastructure improvement leading to increased growth.
Get a behind-the-scenes look at Jamison’s research and how he built a ransomware operation from the ground up
When an economic sector begins to grow at exponential rates and show profitability in the triple and quadruple digits, it will attract a large amount of attention from skilled workers, investors, and profiteers. “Crime-as-a-service” is an emerging market valued at a billion dollars plus, and growing. It is a fire attracting the moths of startups, talent, and press. Just a few years ago (2014), this segment of the global economy was in the tens of millions range. However, in 2016 the industry topped one billion in reported paid revenue.
Ransomware is much more than software; it’s a business model. As the industry has grown, the methods have accelerated from broad-net “SPAM ware” to targeted ransoms, where specific data is targeted based on its perceived value, to “vapor ransoms,” where the ransom demand is merely a bluff. The common thread is that regardless of the tactic, the end goal is really extortion. That might actually be a better name for the crime: extortion-ware.
Ransomware: A New Spin on an Old Crime
In the 1990s the global economy faced a similar challenge. It was called kidnapping and ransom: the act of physically seizing businessmen, tourists, and government officials, then holding them for an insurance payment (K&R insurance). At its peak in the mid-1990s, it was more than a 500-million-dollar industry (inflation-adjusted, that’s about one billion today). No country was safe; people were held even in the US. Victims were chosen by their profile and the ransom they could command. So how did we stop it?
The answer is simple: we did not stop it at all. We evaporated the market. Obviously, people didn’t stop traveling or doing business in remote areas. Instead, it started with training for travelers to drive awareness. The State Department used to brief travelers on specific, tangible threats in specific areas: the gangs or other bad actors operating there, their tactics, and their motives. The last line was active defense: bodyguards. All of this reduced potential opportunities for kidnapping and increased the costs for kidnappers. It eventually became too expensive a “business,” and kidnappers moved on to their next criminal endeavor.
Building a Line of Defense Against Ransomware
To bring this abstraction to reality, this is what the information security community must spearhead. We must continue to raise awareness, train users, and improve security controls to limit ransomware’s profitability.
Let’s consider not just end user training in your enterprise but specific training. Not just helping them understand what a phish looks like, but pointing out a specific phish (maybe a monthly “top phish”). You can make it a game, and give out a gift certificate for “biggest phish.”
Then add to your arsenal top line talent that is monitoring your key value players—the ones that you will be forced to pay the ransom for. These are your bodyguards. Not in the form of armed men in suits, but vigilant defenders skilled in the tactics of your foes.
Combating a billion-dollar industry filled with talent, motive, and momentum might seem a really daunting task for any enterprise. I would say to you that part of the issue is our continual obsession with technical details and trivia (things like which strain it is and where it came from) rather than focusing on healthy IT and security controls, training our users, and detecting foes moving or hiding within our networks.
Should You Pay the Ransom?
One of the top questions people ask about ransomware is, “Should we pay the ransom?” I always answer that with another question: “What could an attacker encrypt that would cause you to have to pay?” If you cannot answer that question you have a great deal of homework to do. I would suggest you start with inventorying and prioritizing your assets. Failure to fully inventory and value your assets is what can result in a situation where you have to pay the ransom. Combined with proper backup procedures and prevention techniques, you can get your organization to the point where there is no need to pay. That is how we can evaporate this billion-dollar crime industry.