
Jeremiah Grossman on ransomware: is this the crime of the century?

Jeremiah Grossman is chief trust officer at end-point and server protection specialist SentinelOne — a company he just joined from WhiteHat Security, which he founded 

There’s something more than a little ironic about ransomware.

It’s a crime that relies on encrypting data and demanding payment to decrypt it — and it’s rocketing in popularity among cyber criminals.

That’s at exactly the same time as the debate rages in the US around the need for companies like Apple and WhatsApp to hand over the keys to allow government access to online communications.  

And that’s just as the UK debates the controversial ‘Snoopers’ Charter,’ featuring a watered-down clause around the right for government agencies to demand back-door access to encrypted communications data.

If anyone is in any doubt about its rise, last week’s Infoblox report, which showed a 35-times growth in ransomware domains in the first quarter of 2016 compared to the previous quarter, makes for sobering reading. That total constitutes 60 per cent of all malware that exists today, leaving us in little doubt about the growing severity of the problem.

According to the FBI, ransomware victims paid out $209 million in the first quarter of 2016 — compared to what looks like a meagre $24 million for the whole of 2015.

Low barrier to entry

The rise of ransomware shows no sign of abating as the criminal infrastructure behind it evolves to offer ‘Ransomware as a Service’ in the same way you might buy your next cloud server platform.

This convenient off-the-shelf setup distances those who develop the code from those responsible for transmitting the infections.

There’s also been an explosion in the ways in which ransomware reaches its victims, now including: phishing and spear-phishing attacks, where emails entice victims to click on links that download malicious code that encrypts their PC; botnets, where machines being controlled remotely are infected with malware; and malvertising, where visitors to trusted websites are infected with malicious code as they browse.

Most ransomware that we’ve reverse-engineered in our labs, like the popular Petya and CryptXXX variants, isn’t actually that sophisticated. It’s relatively easy to acquire on the Dark Web and in forums.

In fact, ransomware offers a good return on investment for a relatively modest outlay — around $65 to buy in the case of the recent AlphaLocker variant — making it quick and easy to monetise with low barriers to entry. 

Before the rise of ransomware, attackers relied on more cumbersome cyber campaigns that required the hacker to find and extract sensitive or valuable data like credit card details and health records, or maintain an infrastructure of compromised assets, like a botnet. 

To monetise that, they had to find a means to unload the information within the Dark Web.

Ransomware, however, maximises the return and minimises the effort needed to extract data, simply by encrypting it and demanding a ransom, often in the form of bitcoin – an anonymous currency that almost guarantees criminals cannot be traced.

A recent report from Flashpoint showed that a typical Russian ransomware operator can earn $90,000 a year, 13 times an average local salary, making it an attractive option for people without many other high-earning avenues.

Shapeshifting infection

You might ask why, given that last year Gartner estimated that businesses spent $75.4 billion on cyber security, ransomware is ripping through existing enterprise security defences.

The truth is that many existing defences like antivirus and other first-generation, end-point protection technologies aren’t up to the job.

That’s because they’re based on detecting known threats through previous attack signatures they’ve already gathered and then matching patterns of new malware against those already detected.

The secret of ransomware’s success is its ability to evade detection by cloaking the nastiness in wrappers that are continuously being modified, making it virtually impossible for traditional solutions to keep pace with its constant variations. That’s in spite of the fact that on the inside it’s essentially the same thing.

We’re seeing at least half a dozen new variants emerging every week. The genius of ransomware is in the obfuscation techniques like wrapping, which are becoming ever-more sophisticated.

If the ransomware gets trapped in a sandbox environment — a technique used by a number of security products to quarantine suspicious code — it now waits until it’s released from quarantine before executing its payload. 

Escalating ransoms, better answers?

This inability of traditional cyber security defences to tackle ransomware is spurring on cybercriminals even more.

As the incidence of ransomware moves from the consumer, where initially gamers were targeted, to focus more on the enterprise, some businesses are turning to cyber insurance to offset the cost of the ransom. 

Here too, changes are afoot in the scale and audacity of the attacks, as shown by recent incidents involving hospitals, like the Hollywood Presbyterian Medical Center in Los Angeles, which paid $17,000 to its hijackers. Another, MedStar Health in Washington DC, did not disclose the ransom it paid, yet the evidence indicates escalating stakes.

So what’s the answer? Businesses do have choices. They can pay the ransom and reclaim it on insurance, but that means sacrificing the encrypted device or the data it contains.

They could invest in replacing old, out-of-date antivirus software with next-generation solutions, which should use behaviour-based monitoring and sophisticated algorithms, rather than static signatures to detect, mitigate and stop ransomware.
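The contrast drawn above between static signatures and behaviour-based monitoring, as an added illustration (not code from the author or from SentinelOne): a hash-based signature check fires only on byte-identical copies of samples it already knows, while a behavioural rule flags any process that rewrites many files with ciphertext-like, high-entropy content in a short window, whichever binary is doing it. The signature list, the thresholds and the file-write log are all constructed for the example.

```python
import hashlib
import math
import random
from collections import defaultdict

# Constructed stand-in for a signature database: hashes of samples already seen.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-sample-A").hexdigest()}

def signature_match(sample: bytes) -> bool:
    """Static detection: fires only for byte-identical copies of known samples."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_SHA256

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; encrypted output sits close to 8.0."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def behavioural_alerts(events, window_s=10, min_files=20, min_entropy=7.0):
    """Flag any pid that writes high-entropy content to many distinct files
    within a short window. events: (timestamp, pid, path, written_bytes)."""
    by_pid = defaultdict(list)
    for ts, pid, path, data in events:
        if shannon_entropy(data) >= min_entropy:
            by_pid[pid].append((ts, path))
    alerts = set()
    for pid, writes in by_pid.items():
        writes.sort()
        for i, (t0, _) in enumerate(writes):
            touched = {p for t, p in writes[i:] if t - t0 <= window_s}
            if len(touched) >= min_files:
                alerts.add(pid)
                break
    return alerts

def constructed_events():
    """Constructed log: pid 1001 saves plain text once a second; pid 4242
    overwrites 25 documents with ciphertext-like bytes in five seconds."""
    rng = random.Random(7)
    text = b"invoice line item 42\n" * 40
    events = [(t, 1001, f"/docs/report{t}.txt", text) for t in range(30)]
    for i in range(25):
        blob = bytes(rng.getrandbits(8) for _ in range(2048))
        events.append((100 + i * 0.2, 4242, f"/docs/file{i}.docx", blob))
    return events
```

A sample that differs from the known one by even a single byte passes `signature_match`, whereas `behavioural_alerts` returns `{4242}` for the constructed log because the rule keys on what the process does to files, not on what its binary looks like.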

Today ransomware is a massive problem, which is almost certainly being under-reported, as businesses are not currently obligated to disclose an attack. 

Cyber insurance companies are themselves reviewing their options to minimise their exposure to ransomware attacks.

There is a greater need than ever to re-evaluate the current responses and adopt new technology to counter the threat before it reinvents itself. Without a change, we know this can result in countries and critical infrastructure, like power grids or transportation systems, being held hostage. 

Today, most businesses aren’t prepared to counter the threat of ransomware and some businesses are experiencing many attacks in a reasonably short space of time.

Unless a new approach to thwarting these attacks is taken soon, ransomware could indeed become the crime of the century.

NS Tech’s guest opinions are an opportunity for expert and interesting people to put their views to the test. They do not necessarily represent the views of NS Tech