February 15, 2017
NEWS ANALYSIS: At the RSA Conference, vendors and researchers discuss the state of ransomware, why the threat will only get worse and how to fight back.
SAN FRANCISCO—Ransomware was the cyber-security story of 2016, and it is likely to be a big story again this year, with malicious operators upping the stakes by going after bigger and more lucrative targets like corporations, public infrastructure and industrial control systems.
Those were some of the conclusions from vendors and researchers during a daylong seminar on ransomware here at the RSA Conference 2017.
Throughout the day, experts discussed ways of not only preventing malware but also dealing with it once it hits, including whether to pay or not to pay. But paying or not, there is still a lot of work to be done for a victim as part of the mitigation process.
There must be strategies in place for properly restoring data, patching the holes and training staffers to be on the alert for ransomware possibilities. In other words, ransomware is an ongoing security issue that should involve the entire company.
Ransomware Is Big Business
Ransomware netted cyber-criminals more than $1 billion last year, mostly from individuals and small businesses. The technique of locking or encrypting files and then demanding ransom for the key is an evolution of traditional cyber-crime business models of merely stealing data or taking down networks. Those methods take a lot of effort and don't always deliver a lot of money, if any.
"Bad guys are sick and tired of shoveling PII [personally identifiable information] around," said security researcher Gal Shpantzer. "The market is saturated. It's no longer a seller's market."
Rather than peddle stolen data on the black market, cyber-criminals have opted instead to go direct to the customer, so to speak, which significantly shortens the attack life cycle and overhead and delivers money more quickly, he said.
Ransomware actors also act like business people, for the most part. They are known to negotiate on price. Hollywood Presbyterian Hospital last year paid only $17,000 in Bitcoin after an original demand of more than $3 million.
But the business side of ransomware goes deeper than that because the business needs to operate on a level that commands enough respect that victims pay up. And once they do pay, the hackers must honor the deal and deliver the keys to unlock the data or the entire business proposition goes out the window.
In other words, there must be rules to the game, said Jeremiah Grossman, chief of security strategy at cyber-security firm SentinelOne. Grossman compared today's ransomware criminals with the modern-day kidnapping and ransom market—which includes Somali pirates—in which a cottage industry has evolved that includes security personnel, ransom negotiators and insurance syndicates such as Lloyd's of London.
Likewise, ransomware campaigns are increasingly being "professionalized" and funded, with sophisticated money laundering schemes, Grossman said. Ransomware negotiators are emerging, and cyber-insurers require clients to keep ransomware policies secret.
"Who really is profiting from the kidnapping and ransom business? It's not the pirates," he said. While pirates earned about $150 million in 2010, $1.85 billion was paid out in insurance against the pirates. By 2021, Grossman contends, the ransomware protection market will reach $17 billion.
Critical Infrastructure on the Hit List
Over the past few years at the Black Hat conference, researchers have shown ways hackers have compromised everything from cars to door locks to guns and every internet of things (IoT) device in between. Ransomware changes the dynamics of these hacks significantly, to the point where the nation's critical infrastructure will be held for ransom.
In just the past few months there have been two examples of public systems being compromised by ransomware: the San Francisco MUNI system in November and the closed circuit TV cameras in Washington, D.C., days before the presidential inauguration in January.
Those types of incidents are likely to increase because of the shoddy—or nonexistent—security in industrial control systems and programmable logic controllers, said researcher David Formby of Georgia Tech.
Industrial control systems present inviting targets because lives, or at least the public well-being, are at stake in the continuous operation of public systems such as transportation, the water supply or the electrical grid. With these targets, ransomware criminals can demand more money under tighter deadlines.
Formby demonstrated how easy it would be to compromise off-the-shelf controllers such as Rockwell Automation's MicroLogix and Schneider Electric's Modicons to create an attack that could threaten a community’s water supply.
To date, these manufacturers have only paid lip service to security because they do not see it as part of their core competency, and they pass the buck to security administrators, Formby said. But once these systems get hit more regularly, the manufacturers may start paying more attention to security.
Other than practicing security basics, there's not much that users can do. And if they do get hit, they are resigned to losing data or money or both. A new group, however, is trying to give victims a third option. Nomoreransom.org was formed last year by Kaspersky Lab, Intel Security, the National High Tech Crime Unit of the Netherlands' police and Europol's European Cybercrime Centre.
The project offers free tools to decrypt files. While that is helping ransomware victims, said Raj Samani, CTO of Intel Security's EMEA division, it is also creating enemies. "Someone is not happy about this," he said.
From the day it went online last year, the Nomoreransom.org site has been targeted by millions of attacks, but none has been successful, Samani said. Other than giving the site's host and security provider, Amazon Web Services and Barracuda Security, a great commercial, he said, it proves that the project is hitting ransomware criminals where they live. The next step, he said, is to use the project site as a honeypot to see if it can catch any of the attackers.
Despite the lessons learned, ransomware is here to stay. The costs and the stakes are only getting higher. When critical infrastructure gets hit, the victims are all of us, and we may lose more than money. As Grossman said, "Let's solve these ransomware issues before somebody dies."
Scot Petersen is a technology analyst at Ziff Brothers Investments, a private investment firm. He has an extensive background in the technology field. Prior to joining Ziff Brothers, Scot was the editorial director, Business Applications & Architecture, at TechTarget. Before that, he was the director, Editorial Operations, at Ziff Davis Enterprise. While at Ziff Davis Media, he was a writer and editor at eWEEK. No investment advice is offered in his blog. All duties are disclaimed. Scot works for a private investment firm, which may at any time invest in companies whose products are discussed in this blog, and no disclosure of securities transactions will be made.