Ransomware is big business.
In early May, the UK’s National Health Service (NHS), along with hundreds of other organizations worldwide, was crippled by a massive ransomware attack known as WannaCry. In June, another campaign variously known as NotPetya, or Nyetya, hit companies in the Ukraine and elsewhere who use a popular Ukrainian tax software package.
Before that, there were Cryptowall, CryptXXX, and Cerber, and since then NemucodAES, MacRansom, and EncrypTile have surfaced. And ransomware known as CryptoLocker or Locky has been plaguing users worldwide for a couple of years, spread by spam emails. In each case, infected individuals and organizations were informed that their data had been encrypted, and that their only hope of retrieval was to pay a ransom to receive the key to the encryption. Just last week, ITWorld Canada reported that an unnamed Canadian company had to cough up $425,000 to get its files back, since the cybercrooks had managed to attack its backups as well as its primary files.
Ugly does not begin to describe the situation.
Ransomware has become the latest weapon for cybercriminals and others with malicious intent. It is relatively easy to create (believe it or not, you can buy malware as a service if you don’t feel up to building it yourself), relatively easy for crooks to profit from, and they’re taking advantage of the opportunity. CSO Online reports that a security expert has estimated, based on what he’d seen in Bitcoin wallets (Bitcoin and other cryptocurrencies are the most popular payment methods, since they’re anonymous), that ransomware raked in over $1 billion last year. So far, $850 million in economic loss has been attributed to NotPetya, and $8 billion to WannaCry – no small change.
What is ransomware? Briefly, it is malicious software that renders systems unusable and/or data inaccessible, often by encrypting files. The authors then demand payment of a ransom, usually in Bitcoin or some other cryptocurrency, in exchange for a way to regain access to the systems or data. It’s not new – before Bitcoin, online extortionists took their cash in the form of prepaid credit cards or gift cards, or any other anonymous form of payment. The key was untraceability. Cryptocurrencies just made life easier for the crooks.
To make things more interesting (and not in a good way), some of the extortionists have decided that spreading the infection is even more attractive than money, telling victims that they could also get a decryption key by infecting two friends. That suggests to me that the crooks have something extra tucked into their ransomware that makes access to additional systems more valuable than immediate cash. So far, I haven’t seen any reports of what that might be, but I’m sure it will come back to bite the victims at some point.
Another thing that has already come back to bite victims is the lack of honour among thieves. In one attack, once a system was compromised and its data encrypted, other attackers pounced, changing the ransom note to redirect payment to themselves. That, of course, did not satisfy the original attackers who held the valid encryption key, and some victims ended up paying several ransoms as they attempted to find the group that was really locking up their data.
And it gets worse.
The latest assault, NotPetya (Nyetya), only pretended to be ransomware, according to security researchers. While it used the same leaked NSA attack mechanisms as WannaCry to spread through a network, and the note displayed on infected machines’ screens claimed to be holding data for ransom, the fact was that the information had actually been erased, and the contact email address in the note was invalid. The malware went so far as to wipe out the computer’s boot sector, and then reboot the machine, rendering it unusable.
Researchers at Cisco’s Talos security group believed that the primary initial vector was a malicious update to a Ukrainian tax program called MeDoc. The malware then spread through the network, infecting vulnerable machines. Ukrainian law enforcement officials have since raided the software company’s site and confiscated its servers for forensic examination (the company claimed it had been hacked). Talos believes that the attack was not motivated by a desire for profit, and may have been a political statement, since it hit anyone worldwide who did business with Ukrainian companies, and therefore used the software. Nothing is yet proven, however, and the investigation continues.
Regardless, Nyetya is yet another indication of two things: the US National Security Agency’s leaked cyber-weapons are being put to good use by criminals, and neither companies nor individuals are taking security seriously enough.
Vendors persist in releasing products with known weaknesses; for example, both Nyetya and WannaCry take advantage of an insecure network transport mechanism, SMB1, that should have been already supplanted by the newer, more secure SMB2. Yet there’s a long list of current products that still require SMB1, making it impossible for their users to disable the protocol if they can’t replace the offending products. Microsoft plans to force the issue by removing SMB1 support from Windows.
In addition, individuals and companies are not giving patching, backups, and cyber hygiene enough attention. To be fair, companies do have to test patches before applying them, to make sure they don’t have unexpected consequences, but there’s no excuse for leaving machines unpatched for years – and yes, that happens all too often.
Even a few months can make a difference. Microsoft patched one of the flaws that enabled WannaCry several months before infections started, for example, but victims had not yet applied the fix. Patching is a pain, to be sure, but recovering from a preventable malware attack is even more painful. Failure to secure systems can be a career-limiting move for IT and management alike; regulators, auditors, and insurance companies no longer cut anyone much slack.
The onus isn’t just on vendors and IT, however. Users have to pay attention as well. Many attacks launch when a user opens an attachment or clicks on a link in an email. And that’s not new either – I still remember a sheepish phone call from a contact – ironically, a security guy – who had foolishly opened the attachment to a message and infected his computer with the ILOVEYOU worm that destroyed his files, then began spewing out its affectionate missives to all of his contacts. He warned me not to open his “I Love You” email. That was in May, 2000.
The security industry isn’t sitting on its hands. It has stepped up to help alleviate the growing ransomware threat. The No More Ransom project, founded in mid-2016 by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and two cyber security companies – Kaspersky Lab and Intel Security (now McAfee) – does double duty: it works to help victims recover their files without paying ransom, and it educates users about ransomware and its prevention. From its modest beginning, it has grown to include law enforcement agencies from over 20 countries, and an ever-growing group of security firms.
However, it’s still not enough. Cybercrime is a business, and like any other business, it continues to adapt to changing conditions. Whether we like it or not, we, too, have to adapt our processes, technology, and people if we want to avoid being victimized.