In the long history of computer crime, the players, goals and tactics have seen a lot of change.
Early computers were fairly isolated systems reserved for niche applications, mainly in academic environments. The first instances of security “attacks” were examples of tinkering that went too far rather than malicious activity.
Today’s world is different. Computers power many aspects of our day-to-day lives. They are faster than ever and highly inter-connected. They are in our pockets, homes and offices, but also in our toothbrushes and refrigerators. They even power our critical infrastructure. This now widespread reliance on computers (and the data they process) attracts new kinds of malfeasants.
Over time, computer-based crime has become organized. What started as low-tech cons and scams, or clever technical feats by small groups, has been gradually replaced by more professionalized, more damaging, and more hurtful collectives, such as state-sponsored groups. There is one sort of attack that illustrates this transition better than most: ransomware.
Senior Security Consultant at Black Duck Software (formerly the Synopsys Software Integrity Group).
The simple effectiveness of ransomware
Ransomware is an extremely lucrative example of computer crime going “corporate”: it is driven by the prospect of making more money with less effort.
Most ransomware attacks follow a simple pattern:
1. They start by running a malicious tool, an encryptor, on the target system. True to its name, the encryptor encrypts the whole disk (or disks) and deletes the local copy of the key. If the perpetrators intend to make the data recoverable, they keep a copy of the key on their own systems, away from the affected machine.
2. Then, they make their presence known, from red screens to timers. Ransomware campaigns go to great lengths to communicate with their victims, because they get their money only if the victims believe that paying is their best chance of recovering the data.
3. After payment, an “honorable” ransomware gang will provide the victim a decryptor tool with the secret key.
There are some instances of ransomware that do not encrypt the data at all. Instead, the attackers threaten to disclose the data publicly, which could cause embarrassment or leak industrial secrets.
Challenging attackers
However, with ransomware attacks, there are two steps that are somewhat challenging for the attackers:
Challenge #1: Getting the encryptor into the target system. Unfortunately, attackers can (still) benefit from a very simple tactic: asking nicely. Phishing is a popular way of distributing ransomware encryptors because many victims eagerly click links in emails without verifying their origin or giving them a second thought. The technical entry points traditionally used to deliver malware remain a useful alternative: if there is an open file share, the attacker can place the file on the target system, then find another vulnerability to execute it. WannaCry, considered by many the most damaging ransomware campaign to date, is an example of this.
Challenge #2: Receiving the ransom payment without betraying the attacker’s identity. Fifteen years ago, this challenge alone would have hindered the expansion of ransomware gangs. They would need to pay in cash, which is hard to scale and would be geographically restricted to the area of influence of the gang, or they would need to rely on digital payments and withdraw the money fast, creating a trail of evidence leading directly to the gang. However, the rise of cryptocurrency presented a solution to this challenge.
While authorities have succeeded in tracking down criminal operations that took ransoms in cryptocurrencies, the international availability of a means of payment that is not linked to a real identity has made it much easier for criminals to receive their payments and much harder for law enforcement to follow the trail.
Preventing disruption using backups
Many of the mechanisms that help to prevent ransomware attacks are general practices that also help to prevent other types of cyber-attack: awareness training that warns employees against clicking suspicious links, hardening at the network and operating-system level, deploying updates quickly, malware scanning, and so on.
There is also great importance in building a sturdy resilience plan, underpinned by a well-defined and tested backup strategy. Of course, backups are a usual control against accidental data loss and conventional disruptive hacking like, say, website defacement. You detect the incident, roll back your data or your environment to a certain previous point in time, and get back to business with (ideally) minimum data loss.
This backup model relies on a few assumptions. To put it simply, it expects backups to work (to contain enough information to allow for a clean rollback) and to be valid (the rollback would clean up any damage made by the attacker). Reality often challenges both assumptions.
Many companies have backup processes in place. Fewer have data recovery plans describing what to do with the backups to return to a working state. Only a small minority of companies regularly test those backups to ensure that they can, in fact, be relied upon. This makes the recovery process clunky and often unsuccessful.
Ransomware attacks also challenge the second assumption. For example: if the backups are hot (that is, constantly connected to the target system), the encryptor can encrypt the backup drives too, rendering the backup unusable. Or the encryptor could be installed at a certain point, stay idle for a few months, then encrypt the data. A backup taken after the initial compromise would recover the system's data, but it would also restore the dormant encryptor, allowing a reinfection to occur.
To summarize: a robust backup strategy needs to rely on both hot and cold backup locations, sufficiently isolated from each other to keep an attack on the main system from spreading undeterred to the backups, and both locations must be regularly and rigorously tested. If the downtime requirements of a given system are particularly stringent, the ability to get back up with minimum data loss must be part of those tests.
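As an added illustration of the two checks this section calls for (the backup is intact, and the backup was not itself reached by the encryptor), the following script is example code written for this page, not a tool from the article's author or from Black Duck: it hashes a backup set into a manifest meant to live on the isolated (cold) side, then re-verifies the set and flags changed files whose contents look encrypted. The sample files, paths and the random bytes standing in for ciphertext are constructed for the demonstration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
# Constructed sample backup set: paths and contents are illustrative only.
SAMPLE_FILES = {
    "finance/ledger.csv": b"date,amount\n2024-01-01,100\n" * 40,
    "docs/readme.txt": b"Quarterly report draft. " * 30,
}

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_manifest(root):
    """Hash every file at backup time; store the manifest on the cold side, not with the data."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def entropy_bits_per_byte(data):
    """Shannon entropy of the bytes; ciphertext sits close to 8.0, plain documents well below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def verify_backup(root, manifest, entropy_threshold=7.5):
    """Report missing files, hash mismatches, and mismatches whose contents look encrypted."""
    report = {"missing": [], "changed": [], "suspect_encrypted": []}
    for rel, expected in manifest.items():
        path = Path(root, rel)
        if not path.exists():
            report["missing"].append(rel)
        elif sha256_file(path) != expected:
            report["changed"].append(rel)
            if entropy_bits_per_byte(path.read_bytes()) > entropy_threshold:
                report["suspect_encrypted"].append(rel)
    return report

def restore_test_demo():
    """Write the sample set, take a manifest, then simulate an encryptor reaching a hot backup."""
    root = Path(tempfile.mkdtemp())
    for rel, content in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    manifest = build_manifest(root)
    clean = verify_backup(root, manifest)  # first pass: backup matches the manifest
    (root / "finance/ledger.csv").write_bytes(os.urandom(4096))  # constructed stand-in for ciphertext
    return clean, verify_backup(root, manifest)  # second pass: the overwritten file is flagged
```

A scheduled restore test would run `verify_backup` against a copy restored from each location rather than against the live backup, so that the test itself exercises the recovery procedure.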
Wrapping up
At a technical level, ransomware is not a terribly novel threat. Its disruptive aspect lies in the economic incentives it introduces, which lead to more organized criminal structures with the freedom to act more ruthlessly and at a larger scale, and to attack sensitive industries in the hope of maximizing their payment. It is a threat worth considering because it is increasingly prevalent and, for companies caught unprepared, could wreak havoc on their infrastructure. Just remember: do not pay the ransom.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro