The Business of Ransomware
Introduction
In order to understand “The Business of Ransomware”, we first need to understand what ransomware is. “Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.” (Ransomware Guidance and Resources, Cybersecurity and Infrastructure Security Agency (CISA), n.d.)

Ransomware has evolved over the years and can be divided into two types. The first type locks the host so it can no longer be accessed. The files may be left intact, or they may be encrypted so that a key is needed to access them (Richardson & North, 2017). The second variation targets cellphones rather than laptops and desktops: it changes the PIN on the phone and requires the victim to pay the ransom in order to be given the new PIN. Without the new PIN, after a certain number of guesses the phone is wiped and the victim no longer has access to the data. This is why good backups are necessary.

In the earlier years of ransomware, malicious actors wanted to maintain their anonymity, and they were especially cautious when receiving payments from their victims. Earlier payment methods put the malicious actors at great risk of being discovered, since a determined investigator could track the money and uncover the attacker's true identity. Once Bitcoin emerged in 2008, it allowed payments from ransomware victims to the malicious actors to be anonymized. However, Bitcoin was not the only method of payment: “WebMoney, PayPal, Ukash, Vouchers, Western Union, MoneyGram and other digital payment methods were used” as well (Custers, Oerlemans & Pool, 2020).
Background

The first ransomware virus was created in 1989 by a Harvard-trained biologist named Joseph L. Popp, who is known as the “father of ransomware.” The virus was known as the AIDS Trojan, also called PC Cyborg. Now, let's fast forward to September 2013, when ransomware went professional. The methods of distribution became sophisticated. The primary method of distributing and installing ransomware was social engineering: the user first clicks on a phishing link or opens an attachment, and once this happens, the encryption commences.
The most famous piece of ransomware is CryptoLocker. A hacker known as Slavik developed it. Victims had three days to pay the ransom via Bitcoin.

“According to the research, the average payment following a ransomware attack in 2020 rocketed up 171% to $312,493 compared to $115,123 in 2019.” (Cluley, 2021)

Even if it is possible to restore your data without paying the ransom, the situation is different if the data was exfiltrated and the malicious actors are threatening to sell or publish it.

Significance

With ransomware being so pervasive, it is important to understand the impact it has. Ransomware is one of the most effective ways of bypassing security controls on a device. This leads to economic loss for individuals, companies, and governments that are impacted, usually through no fault of their own (Uandykova et al., 2020).

Ransomware has a cost, and it ends up impacting us all. Businesses incur downtime, loss of business, and increased operating costs. The average cost of remediating a ransomware attack rose from $761,106 in 2020 to $1.85 million in 2021. Also concerning is that the average cost to recover from an attack is now about 10 times the size of the actual ransom payment (Ransomware Recovery Cost Reaches Nearly $2 Million, More Than Doubling in a Year, Sophos Survey Shows, n.d.).

Surprisingly, it is not just criminal organizations or groups of hackers that distribute and attack with ransomware. Nation states also participate, using ransom payments to fill their state coffers (Nation-states in the ransomware business, InGuardians, n.d.). Nation-state attacks are very sophisticated because the attackers have the resources to make them so; they are planned and executed at the highest levels.
?
How favored nation-state attack types work

Nation-state attacks are on the rise. Some nations are very publicly visible regarding their attacks: China, Iran, North Korea, and Russia. These nations have been known to participate in ransomware attacks either directly or indirectly through a proxy or a group. The United States and Israel are believed to be involved in attacks, though not ones related to ransomware.

Discussion

Ransomware is not going away. “As of 2020, it is estimated that 33.28% of unprotected computer systems are infected with malware.” (Uandykova et al., 2020). With organizations being quite vulnerable to malware, including ransomware, and organizations paying the malicious actors to decrypt their files, the attacks will only continue.

The malicious actors treat their software development like a modern streamlined corporation. Their software constantly evolves. They have added functionality to their ransomware that allows data exfiltration and distributed denial of service attacks; one variant even deletes files regardless of whether the ransom is paid. They also improve their tactics and strategy (Ransomware Guidance and Resources, Cybersecurity and Infrastructure Security Agency (CISA), n.d.). Some malicious actors with robust organizations have employed graphic artists to develop polished marketing slicks and FAQ sheets. They have built professional, well-staffed call centers and provided streamlined payment options. Ransomware as a Service even gives others the option of getting into the business themselves.

Businesses will pay large ransoms so as not to further impact their business. Grubman Shire Meiselas & Sacks, a law firm, had its confidential files downloaded and its backups deleted and encrypted by hackers in May 2020. The threat actors demanded $42 million in ransom, or else they would publicly disclose the confidential information.

Phases of an attack

The life cycle of ransomware is an interesting one. It starts with the threat actor targeting an organization. This can occur via spear phishing, which targets a specific employee, or general phishing, which hopes to catch someone within the “net.” One of the most common ways to target someone is via a link within an email. The unsuspecting user clicks the link, which downloads the malware. That malware then downloads a second program, and the encryption of the files begins. A message is then generated on the screen that outlines the consequences of inaction and where to make the payment to obtain the decryption keys.

With the growth of ransomware also comes sophistication in its development; we can even call it a sort of framework. “Two of the more popular ransomware toolkits used by threat actors are Sodinokibi, which encrypts file systems to make them unusable by the targeted organization and Maze, which not only encrypts files on the target system but exfiltrates information in documents and emails to further squeeze the targeted organization to pay.” (Shaw, 2020)

If you pay the ransom, there is no guarantee that the threat actor will provide the decryption keys, so victims are unsure whether or not to pay. Most threat actors make it a point to provide the keys when the victim pays: it is good business and encourages victims to pay the ransom. The other alternative is to file a claim with your insurance company, if you purchased the correct insurance. This does not mean the insurance company will honor the claim. In one case, the business owner had purchased a policy that covered loss and damage to the affected property, but when the company filed the claim, it was denied. The insurer stated that the loss was of data, not equipment, and was therefore not a direct loss (Shaw, 2020).

Implications

We need to protect our infrastructures better, and we need to hold those who attack us accountable. That includes all malicious actors, whether they are nation states, criminal enterprises or hacking groups. If we don't, infrastructures, governments, and corporations, among other entities, will continue to be highly susceptible to cyberattacks. Malicious actors have progressed from simple spam distribution to phishing attacks and organized extortion through cyber means.

The choice of targets has become more brazen. Malicious actors are targeting law enforcement agencies, hospitals and critical infrastructure. They thrive on intimidating the organizations they attack.

What is a cause for incredible concern is that the next major war could be a cyberwar instead of a conventional war. In February 2011, then CIA Director Leon Panetta warned Congress that "the next Pearl Harbor could very well be a cyberattack." (Rid, 2013). As of now, we have not had a cyberwar. With the sophistication of cyberattacks, it is possible to create weaponized code and perform computer-based sabotage to carry out surgical attacks on an adversary.

How do we define cyberwarfare? The definition provided by Carl von Clausewitz, a nineteenth-century Prussian military theorist, provides clarity. First, wars are violent, or at least potentially violent. Second, the act of war is always instrumental: either the actual act of physical violence, or the threat of force against the enemy, is meant to compel the enemy to accept the will of the attacker. The third and final qualification is that the attacker must have some kind of political goal or intention. Taken together, these three criteria mean that an act of war must be attributable to one side of the confrontation (Rid, 2013).

As of now, fortunately, not one cyberattack has matched all three of those criteria. The closest to meeting them was the massive pipeline explosion in June 1982 within the Soviet Union. A book states that the CIA managed to insert malicious code into the software that controlled the pipeline's valves and pumps. However, there is nothing to prove that this really happened other than that one published book.

Nations and hackers will always try to take advantage of weaknesses in other nations and organizations. Ransomware has the capability of starting such a war, because it has real-life implications and can cause harm to life. Careful thought must be exercised before this type of attack is ever used. Real harm comes when electric grids are shut off, nuclear power plants are rendered dangerous, dams are opened up, and other similar situations.
?
Recommendations

Ransomware, cyberattacks, malware and other cyber threats can be prevented in many different ways. Some require legal penalties and some require technology implementations. Some can be proactive: for example, every country associated with the United Nations should enter into a cyberwarfare arms treaty with the other participating countries (Goldsmith, n.d.). In order to motivate countries to enter into this type of agreement, there needs to be mutual gain. A treaty like this should contain penalties, such as tariffs, for those who violate it. Along with tariffs, economic sanctions can be imposed on a country and can hurt terribly. This will motivate a country to remain compliant.

From a technology standpoint, following the NIST Cybersecurity Framework is one of the ways you can help prevent compromises, breaches, ransomware attacks and other cybersecurity events. On the site https://www.nist.gov/cyberframework, you can download the framework, participate in online learning, and get the latest updates ([email protected], 2021).

The following general security best practices are recommended:
1) Patching – Making sure your hosts are patched as recommended by the manufacturer is very important. If they are not patched, threat actors can take advantage of known vulnerabilities.
2) Proxies – Enterprise organizations should use a proxy to prevent users from visiting vulnerable or known malicious sites.
3) Next Generation Firewalls – Just as important as a proxy is a next generation firewall. Next generation firewalls can block attackers coming from known malicious IP addresses. Some next generation firewalls can also detect viruses and other malware and stop them from becoming active.
4) Multifactor Authentication – Relying on just a password to authenticate an account leaves you quite vulnerable to account compromise: if a threat actor gets hold of your credentials, they can authenticate as you. Using multifactor authentication dramatically lowers your chances of being compromised. Multifactor authentication requires your username, your password, and either an application that validates you are the one logging in or a text message with a code that you must enter into the portal to prove you are who you say you are.