What the Evolution of Ransomware Means for the Security Industry

by Ricardo Arroyo, Senior Technical Product Manager, WatchGuard Technologies

If you were to talk to a retired police officer or FBI agent about kidnappings, they would tell you not to pay the ransom. Criminals are not bound by any sort of honor requiring them to stick to the deal. Many times, threats to the lives of the kidnapped are still carried out in spite of the ransom being paid. Paying the ransom also emboldens the criminal to kidnap more often. In some countries, kidnappings are so lucrative that they have become a big business. The last 18 months of ransomware incidents have shown an escalation that mirrors that of kidnapping enterprises.

While ransomware is not about kidnapping real people, it is about holding something almost as important for ransom: your information. Today, we spend a majority of our working and recreation time on the internet. We play games online, we video call online, we work online and we shop online. We even bank online. All of this requires us to confirm we are who we say we are, and allowing our personal information or company proprietary data to be held by a criminal means they can pose as you, open credit, and even steal your money. This is why ransomware is so dangerous: it is a prime gateway towards stealing your identity, all while convincing you to pay a ransom to keep it.

Ransomware

When a piece of ransomware lands on your computer and is executed, it starts restricting access to important parts of your computer. Early on, it would simply encrypt documents on your system, restricting access to the data you need to do your job. Eventually, newer types of ransomware restricted access to the computer itself, either by blocking access to your desktop or rebooting your computer into a locked state. More recently, some pieces of ransomware copy your important data off of your computer. In all cases, a message is flashed on the screen instructing you to pay a ransom in some sort of cryptocurrency.

In the first wave of ransomware (2016-2017), the model was to ask for a small ransom, sometimes as low as $100, while infecting as many people as possible. Starting in 2019, ransomware’s second wave shifted its operating model. Instead of widespread infection, newer campaigns started targeting specific companies. Attackers worked for weeks or months to get access to a specific company and would deploy the ransomware on many internal computers once they got access. The ransoms for these attacks grew to thousands of dollars. The increase in ransom became viable because the ransomware scare has increased the demand for cyber insurance. If a ransomware event happens to a victim with cyber insurance, the insurance company will assist in recouping the ransom paid. This means the company is more likely to pay the ransom.

As if all of this weren’t bad enough, in January 2020 the Maze ransomware campaign made a major escalation. In addition to restricting access to the computer and/or documents, this ransomware transmitted some of that data off the computer to some sort of command and control system. This bridges ransomware into the other major business model of cybercrime, selling stolen data. Until 2016 the major source of revenue for cyber criminals was to sell the data they stole to anyone willing to pay. Put it all together and attackers can now turn hacked access to a company into two separate revenue streams.

What’s even more worrisome about these new ransomware campaigns is that victims now must assume the ransomware can and will transmit their confidential data over the internet. These incidents suddenly fall into the realm of mandatory data loss laws in California and Europe. The burden suddenly doubles on the victim, since they were ultimately responsible for safely storing personal data.

With all of this doom and gloom from ransomware, is there anything we can do? Luckily, the security basics still apply. Layered security is still important. Companies should secure their gateways with next-gen antivirus, intrusion prevention, DNS and URL filtering, and deep packet inspection. Credentials should be secured with multifactor authentication, and endpoints should have up-to-date EPP and EDR solutions and be fully patched. To address ransomware directly, EPP or EDR solutions should have capabilities targeted at preventing ransomware, and organizations should also back up their critical files frequently. Lastly, the scare of having your data actually stolen, while nothing new, should be addressed. An old but effective solution, if you have the infrastructure to support it, is Data Loss Protection (DLP). If you have gateway or endpoint security solutions that support DLP, you might consider activating them to prevent your precious PII from being transmitted to the criminals.

About the Author

Ricardo Arroyo, Senior Technical Product Manager

Ricardo Arroyo is the senior technical product manager and ThreatSync guru at WatchGuard Technologies, where he is responsible for guiding the design and implementation of threat detection and response. Following a 15-year career at the NSA, where he worked as an analyst and cyber operator, Ricardo now uses his extensive offensive cyber security experience to solve complex security problems and develop the latest defenses for small and midsized enterprises. Ricardo can be reached online at https://www.linkedin.com/in/arroyoricardo/