APRIL 4, 2018 | Merritt Baer
2018 is the year of ransomware. It’s a sign of the times: threats that were once clearly delineated are blurring. Money-motivated versus state-motivated. Corporate level versus nation-state level.
Ransomware is a particular strain of cyber-attack. Generally, it has been understood to be money-motivated, and therefore usually conducted by cyber criminals. This is to be distinguished from other cyber attackers, like hacktivists seeking policy change, nation-states seeking classified or compromising information, or competitors seeking intellectual property. Once ransomed, the victim’s device, server, database, or entire network may be seized and encrypted. Profits from ransomware in 2016 were $1bn, and losses are even higher, at an estimated $75bn including loss of productivity.
The attack vector (mode of infection) depends, but it is often a result of phishing or spear-phishing – that is, targeted emails with malware embedded in links or attachments. It can also come with any other form of access – such as insertion of a USB drive or clicking on a malicious link on the web. Lately we have seen mobile phone exploits too, locking Androids down after posing as an adobe flash update.
Perhaps counterintuitively, ransomware can occur in the cloud. Since at least 2016, researchers have documented what are termed “families” of cloud ransomware. Ransomware tools are easily available for hire on the black market, so anyone can do it. Cerber, for example, was launched as a ransomware-as-a-service (RaaS) in 2016, with the sellers taking 40% of gains, and Satan Raas takes 30 percent and offers a convenient “customer” (victim) dashboard for bookkeeping purposes.
We are exposed to the risk of ransomware in our own organizations, but also through sharing our data. We have very little visibility of or control over the security practices of organizations we do “business” with-- our employer, our healthcare provider, our tax filing software. In the case of entities like Equifax, we may not have ever consented to a business relationship – and yet, we have to care about their security practices. Not to mention, 29 US Government federal agencies were hit by ransomware in 2017. The last two years have witnessed major ransomware attacks on government services, hospitals and medical centers, public transportation, private transportation, and tax filing software.
Ransomware matters in the ecosystem for three main reasons:
- First, we are seeing it bleed into nation-state level attacks. The two largest ransomware attacks in 2016 and 2017 were NotPetya and WannaCry. NotPetya, which debilitated Ukraine’s version of “TurboTax,” was not money-motivated, but nation-state motivated as part of a hybrid warfare campaign by Russia on the Ukraine – though the malware leaked quickly and replicated into systems far beyond the target. WannaCry was North Korean developed, and while it probably did have money motivation (DPRK is notorious for using computers to wrangle in money, from cryptocurrency heists to casino hacking), it blurs the lines of criminal and nation-state activity.
- Second, data is not just held hostage, it is breached. We see ransomers increasingly threaten or conduct doxxing, or public disclosure of private information. This may be in part because organizations do not always pay the ransom, and is certainly in correlation to the bleed of motivation from theft to nation-state level attack. In a recent incident Uber paid off a “security researcher” $100,000 to delete stolen user data on 57 million people. We have gotten to the point where the fact of outside access might be a violation in itself—and ransomware takes this into account. For example, Jigsaw ransomware automatically threatens to send the hostage data to all of the victim’s contacts if the ransom isn’t paid. So it isn’t even about the ransomed institution regaining access—it’s about preventing further breach.
- Third, and perhaps most dark, ransomware is heartless and indiscriminate. Last year, the WannaCry ransomware hit UK’s National Health Service, and hospitals and surgical centers in England and Scotland were forced to cancel surgeries and medical appointments. “It’s life or death,” patients said to the media. In 2016, we saw hospitals in California and Washington DC hit, as well as the San Francisco public transit system. As of the date of publication, the city of Atlanta is still crippled after a Sam Sam ransomware attack a week ago, and defense contractor Boeing is in the throes of a WannaCry attack. The more crucial the organization is, the more likely it is to pay a ransom. This is also troubling for citizens, who have few defenses against the threat on their data once it is out of their hands. As citizen consumers we don’t know the extent to which our data is owned, distributed, aggregated, bought, and sold. Attacks are scaling to networks and databases, like those in January and September of last year on MongoDB.
So, what can you do for your organization? First, back up its files regularly. Second, use good hygiene – make sure all software is up to date and run all patches. As always, don’t allow unauthenticated media devices like USBs onto your systems. Ensure staff are cautious about clicking on links or opening attachments – estimates are that over 97% of phishing emails contain ransomware. Finally, consider using a commercial cloud backup program like AWS, if you have a budget. They offer security monitoring and backup and recovery services. They also offer secure configuration services to limit exposure in the first place.
Ransomware is an uncomfortable reality. It is both an important case study in itself, and a reflection of our increasingly blurred lines between criminal and nation-state activity. It preys on the new normal where data is not owned in one place but in many and by many organizations. The fact of data ownership splintering is not inherently problematic—it presents a great deal of convenience and interoperability. But as we reassess our definition of “ownership,” perhaps our notion of hostages changes from the idea of a captive, to the idea of one who has the power to share, alter, or power-play that fact.
Image credit: Nicescene/Shutterstock
The views expressed herein are the personal views of the author and do not necessarily represent the views of the FCC or the US Government, for whom the author works.