The New Zealand Herald

Hit ransomware crims where it hurts

Make it illegal to pay them and you snuff out reason they exist

- Juha Saarinen comment

Travelex, Toll Group, Bouygues Construction, Fisher & Paykel Appliances, Lion, Honda – these are familiar names on a growing list of companies and organisations being hit by different types of ransomware.

It really is a hit too: when ransomware strikes, it can be devastating to a company’s operations as their computer systems become unusable, with the data that they need being encrypted and inaccessible.

The ransomware business is getting bigger and nastier by the week. While ransomware criminals used to take a scattergun approach and send out malware to a large number of potential victims, they now reconnoitre select targets carefully, scanning the internet for unpatched and vulnerable peripheral network devices and servers as well as sending out booby-trapped email attachments.

Once an interesting organisation has been found and compromised in some way, the ransomware criminals don’t necessarily strike immediately. Instead, they bide their time, maybe wait for a company’s reporting season or annual general meeting, and then activate their malware to exert even greater pressure to force an organisation to pay them.

While they wait, ransomware criminals persist in the systems and copy over sensitive and confidential data. It can be financials, privacy-sensitive records from healthcare providers, legal documents from law firms, or future product plans from manufacturers. As part of the attack, ransomware tries to delete any data backups, in order to make recovery much more difficult.

If a company struck by ransomware hesitates to pay the extortionists, their data will be published on a website somewhere on the internet. Sometimes the data goes up immediately after the ransomware has encrypted the information on an organisation’s servers, as additional “encouragement” to pay up.

There is even “ransomware as a service” now. This is when malware developers either rent out or sell their code to others who deploy it against victims for extortion.

It would be wrong to blame the ransomware victims for what is happening. They have little or no support from anyone, with no effective local organisation currently offering advice and assistance on how to deal with ransomware attacks. If they can’t find a decryptor via Interpol’s No More Ransom site (nomoreransom.org/en/index.html), that’s pretty much it for victims.

We mustn’t forget that information technology and networks are very much “black box” stuff.

Figuring out that your systems are vulnerable, either because they’re missing updates or there’s a newly discovered flaw that can be exploited to break into organisations’ data troves, is really hard.

There’s a whole industry out there making software that tries to detect and prevent intrusions, and sift through giant log files looking for anomalies that could indicate an attack is under way.

Even when such precautions are taken, ransomware gets through the defences.

Sometimes this happens as companies’ trusted managed service providers, the fancy term for outsourcers, are compromised and used as convenient attack vectors against their customers.

It can take as little as one vulnerability that opens up systems to the first step in an exploit chain, and the criminals get in.

As a related aside, there are good people out there who understand the asymmetric nature of attackers versus defenders. They’re security experts who think like hackers, and do penetration testing.

When the ransomware activity started to spike as the Covid-19 pandemic got worse, I spoke to one security consultant, asking if his company had been run off their feet with clients wanting to check their IT setups were as secure as they could be. To my surprise, that wasn’t the case. Only a couple of organisations had come forward and requested testing.

Maybe there isn’t enough awareness that IT security is a process that needs constant work and updating to remain effective. That is fair enough, as IT is a tool for many organisations, and not their core business or competence. There’s room for a rethink here though.

Then there’s the difficulty in identifying who the ransomware criminals are. They hide behind monikers such as Snake, Maze, Nefilim, and REvil, deliberately using broken English in ransom notes to mislead cyber sleuths as to their nationality.

Some countries such as North Korea are believed by security researchers to actively launch ransomware campaigns to bring in foreign currency, and as low-level sabotage efforts.

Other nations are thought to tolerate the criminals as long as no attacks are launched in their home territories. There is ransomware that’s designed not to activate if it finds computers that are set to the languages of the Commonwealth of Independent States that succeeded the Soviet Union, for example.

Following the money trail is difficult too, as there are services that take the ransom amount paid in cryptocurrency and split it up into multiple small transactions, mix them with others, and send them via different dodgy exchanges. It’s possible to trace the ransom transactions, but it takes time and effort.

There is no such thing as a totally secure IT system, finding the criminals is slow and difficult, and there’s no shortage of others wanting a slice of a billion-dollar cottage industry. So what do we do?

Ransomware criminals are in it for the money, and that’s the key.

Paying ransoms makes the situation worse. It can be a double-bind situation where victims feel they need to pay to ensure their organisations survive, or patient data doesn’t leak out and hurt vulnerable people, or legally privileged information isn’t used to blackmail victims.

Maybe it’s fear of reputational damage. Generally speaking, most ransomware organisations I’ve talked to recently have tried to keep quiet about attacks. One aspect of that is the worry that ransomware criminals will start to publish data if attacks become known, or an organisation says they won’t pay. This seems pointless, as it’s almost guaranteed that ransomware raiders will publish data anyway to force payment.

Instead, make it illegal to pay data ransoms, be it directly or via insurers.

It isn’t currently, but paying ransoms only supports criminals and helps them refine their wares, making them even more effective and devastating. Paying ransoms also makes the business more attractive to newcomers, guaranteeing that a bad situation will become even worse.

It might hurt at first, but halt the flow of money and you stop ransomware.
Photo / NZME: Once a target has been found, ransomware attackers lurk in their IT system, copying sensitive data and waiting for the right time to make their demands.