The concept of hijacking data and holding the owner to extortion to get it back is not a new one. In fact, in computing such attacks go back to the late 1980s.
An individual at a WHO conference on the AIDS virus in 1989 handed out floppy disks to 1000s of fellow attendees containing a Trojan horse called ‘AIDS’ – a computer virus that would, after a number of reboots of the machine, encrypt and hide all the files and directories. The user would have to then purchase ‘a licence’ requiring they make a payment to a post office box in Panama.
The fundamentals of this attack are the same as what we see in modern ransomware, except there are two main differences to this type of attack today.
Ransomware, from anywhere
Firstly, there are a whole host of ways to get infected software into a target organisation’s computer outside of convincing somebody to put a physical disk into a machine. Today, delivery mechanisms for ransomware are usually email, badly configured systems or software vulnerabilities that have gone unresolved long enough for somebody to exploit them.
Whilst the cloak and dagger stories of dropping USB drives in car parks are indeed true, most such attacks happen remotely with very little exposure or risk to the attacker.
The rise of crypto currency
Secondly, we have the notion of crypto currency to facilitate paying the extortion demands – Bitcoin being the first crypto currency. Dating back to 2009, Bitcoin gained early success through black market activities, such as the infamous Silk Road dark web marketplace. Its decentralised nature makes it difficult to regulate and control (this is somewhat the point of its creation of course in the first place), but this in turn makes it an ideal currency to use for extortion or illegal activity.
Contrary to popular belief, Bitcoin is actually very transparent, every transaction on the blockchain is publicly visible and traceable. From this perspective a more transparent financial system does not exist, however, attributing a crypto wallet address to a person or an entity gets a lot more complicated.
There is an extremely complex eco system of decentralised exchange platforms where it can be swapped for other currencies or laundering systems to blur and hide the origins of payments. Tracking this level of activity is expensive, time consuming and prioritised by law and order authorities where limited resources are seen as best spent.
What are our options?
So, what options are proposed to stop or at least slow down the rising cases in ransomware?
Option 1: Ban crypto currency?
There are nearly 10,000 crypto currencies in circulation today. Many have clear use cases such as decentralised finance platforms, now a multibillion-dollar industry or asset tokenisation. Stronger regulation of crypto currency exchanges might help as at some point it must be transferred into Fiat money (or a state backed currency).
However, this is a lot more complicated than it sounds. After all, money laundering was happening long before crypto currency and such regulation has to be unilateral across the world with international collaboration, which is fairly unlikely.
Option 2: Ban paying ransomware?
There are some instances of this already with certain groups on internal sanctions lists, but this leaves victims in a difficult position. Criminals will not stop attacking, so it will force organisations to be less transparent and force them into behind closed-door negotiations and secrecy.
As an enterprise, what do you do given the choice of rescuing the business or, in many cases, simply accepting it is time to close the doors and turn the lights off? The argument eventually is, banning the payment will stop the activity – if the money dries up so do the operators – but this could take quite a long time and cause huge pain in the short term.
Option 3: Stop paying insurance?
This is a difficult balance. Insurance companies are clearly realising that they need to enforce more regulation around reasonable protections a customer should have in place to prevent an attack – but what counts as reasonable?
For example, should an organisation be responsible for flaws in trusted enterprise software, expecting it to be secure only for it to be used to bypass other security controls because of a flaw of bug? We have seen this play out many times in the last few years with the biggest and most trusted enterprise vendors.
Option 4: International cooperation?
It is well known that many attacks originate from states where the local government’s enthusiasm or motivation to clamp down on the activity is low or simply non-existent. Computer crime is borderless and there remain many locations in the world where operations can run with a certain sense of immunity.
In the current geopolitical climate, I find this unlikely to be successful at least in the short term.
So, reliance on new regulation and laws, banning crypto currency usage or expecting all of the world’s governments to come up with a unilateral and enforced clampdown is not a short-term strategy. Organisations must continue to look at their defences, understand how and why they may get attacked and infected, what to do to prevent against it and how to prepare for the worst.
Let’s talk… Disarming hackers
Every business should assume themselves a target for ransomware, and take the appropriate and reasonable measures to protect themselves.
Join Tim in this Let’s Talk Data! UK event on 17 August, as he explores a real-world hack and how you can make actionable decisions to reduce the risk of an attack on your organisation. Register here