Ransomware has grown fouler than ever, but it’s also grown up. The practice of using malware to encrypt files on a victim’s devices and then demanding a ransom payment for unlocking them has advanced far beyond its origins as a nuisance for individual users.
These days, it’s a massively profitable business that has spawned its own ecosystem of partner and affiliate firms. And as a succession of security experts made clear at the RSA Conference last week, we remain nowhere near developing an equivalent of a vaccine for this online plague.
“It’s professionalized more than it’s ever been,” said Raj Samani, chief scientist at McAfee, in an RSA panel.
“Criminals are starting to make more money,” said Jen Miller-Osborn, deputy director of threat intelligence at Palo Alto Networks’ Unit 42, in another session. She added that the average ransomware payout now exceeds $300,000, fueled by such tactics as the “double extortion” method of exfiltrating sensitive data from targeted systems and then threatening to post it.
“It’s such a lucrative business now for the criminals, it is going to take a full court press to change that business model,” agreed Michael Daniel, president and CEO of the Cyber Threat Alliance, in that panel.
(Just five years ago, the $17,000 ransom reportedly paid by a compromised hospital was a newsworthy figure.)
Having this much money sloshing around has given rise to networks of affiliates and brokers. Samani’s colleague John Fokker, head of cyber investigations at McAfee, explained the rise of “ransomware as a service” (“RaaS”), in which you can buy or rent exploit kits or back doors into companies.
He showed one ad from an “access broker” that listed a price of $7,500 for compromised Virtual Private Network accounts at an unspecified Canadian firm. The ad vaguely described this target company as a “Consumer Goods (manufacturing, retailing, food etc…)” enterprise with about 9,000 employees and $3 billion in revenue.
“The commoditization of these capabilities for the criminals makes it so easy,” said Phil Reiner, CEO of the Institute for Security and Technology, during one of the RSA panels.
RSA speakers noted how often ransomware attacks start with exploitations of known, avoidable vulnerabilities.
Samani called Microsoft’s Remote Desktop Protocol “the number-one most common entry vector for corporate networks related to ransomware attacks.” Fokker added that companies that use RDP often make this remote-access tool too easy to compromise, joking that RDP also means “really dumb passwords.”
The pandemic has helped grease the skids further for ransomware attacks—both by requiring companies to rush into remote work and by making people a little more tempted to respond to COVID-themed phishing lures. As Samani put it, phishing is “still there, still works, people still click on links.”
Two other factors make ransomware especially resistant to suppression.
One is cryptocurrency, which enables hard-to-trace online funds transfers. Bitcoin and other digital currencies may not be too useful for everyday transactions, but they suit the business of ransomware well.
“One of the reasons why we’ve seen this scourge emerge in the way we have is the growth of cryptocurrency,” said Daniel in his panel. “You’re going to have to address that part of the ecosystem.”
He did not, however, get into how that might be done.
McAfee’s Fokker noted that some ransomware criminals feel sufficiently brazen to post images of cryptocurrency transaction IDs instead of posing with sports cars or luxury watches. He showed one such image posted by an attacker who reported $300,000 in payments in a weekend.
Much of these proceeds, he added, then get recycled into underground drug markets: “You’re not only paying a criminal, you’re fueling other types of crime.”
The other factor is the location of so many ransomware operators in countries that do not generally cooperate with U.S. law enforcement. That makes it hard to fulfill such calls for action as the U.S. Chamber of Commerce’s demand Friday that the U.S. government “act decisively against these criminal cyber attackers.”
“From a Western perspective, the three most prevalent threats that we see are North Korea, China, and Russia,” said Adam Meyers, senior vice president for intelligence at CrowdStrike, in an RSA talk Wednesday. Among financially motivated attackers, Russia is an especially popular host country.
Geopolitical realities leave few remedies for the U.S. outside of sanctions. As Reiner said in his panel: “You’re not going to solve this by sending Cyber Command after someone who’s sitting in, say, Eastern Europe.”
One thin upside of this professionalization of ransomware: The attackers just aren’t that into you as an individual anymore, because it’s so much more efficient to target large organizations with deeper pockets.
Meyers noted that in the early days of ransomware attacks on random PCs, attackers who had to coach their victims through Bitcoin basics found themselves “effectively running an international help desk.”
But for the companies, government agencies, and other targets now being hit up with increasingly expensive demands, RSA speakers could only suggest such basic cybersecurity measures as scanning corporate networks for known vulnerabilities, implementing multifactor authentication to defeat phishing attempts, promptly installing security patches, and making regular backups—some kept offline.
They concurred that victims should not pay a ransom when one is demanded—Samani and Fokker put in a plug for No More Ransom, a portal for free ransomware decryption tools partially backed by McAfee that they said has saved victims more than $632 million in four years.
Fokker further warned that even paying can still leave you without your data, since you can’t count on an attacker’s decryption tools working as advertised. He closed with this less-than-cheerful tip: “Don’t trust the word of a criminal.”