The Future of Ransomware
The current state of ransomware is more proof that our adversaries keep getting smarter. It may not be the case for long, but right now ransomware is like baby Einstein. Not because it’s overly sophisticated or stealthy, but because it’s simple and clever. And it’s got lots of room to grow.
Consider this; no longer must a criminal navigate your corporate plumbing, popping boxes, injecting code and passing hashes. All the work these bad actors used to waste time on, you now do for them. Why spend hours (OK minutes) forcing your way into an investment or payroll account when you can have your victim wire the funds for you?
The payoff for these types of attacks is unknown, despite the daily headlines outing compromised hospitals, colleges and restaurants. This is mostly true because it’s so pervasive (we’re working 7 cases from Boston to Dallas as I write this).
This trend has been particularly alarming because for the first time in corporate America, malware has become life or death. At best it’s disruptive, but at it’s worst it has directly affected a victim organization’s ability to conduct business. Including patient care.
Ransomware has also opened up a whole host of new opportunities for cybercriminals. No matter what you do – a dollar is always worth a dollar, assuming the same currency. With ransomware, a dollar can be worth a lot more.
What I mean by this is – if I steal your dollar, it’s pretty much only worth a dollar. No matter how good my negotiating skills, it ain’t never going to be worth more than one dollar.
Now, if on the other hand I steal your priceless Picasso, it’s worth is priceless. The value of that asset is incalculable, or can be better defined as “whatever I can negotiate for it”. Forget about the emotional value, which will generally only increase the multiplier. All this despite the fact that the acrylic paint and wood that the painting is on is worth a couple of bucks.
Compound this with the reality that with ransomware, criminals do less work for the same dollar. This further increases the ROI.
Even more exciting is where this is all going. One of the greatest new opportunities is in confidentiality’s ugly little sister – integrity.
Confidentiality is basically the cybersecurity prom queen – popular, well-known and attractive to the masses. Integrity on the other hand, is less understood even by the most serious of security pros.
As it turns out, integrity may grow up to be the rich sister.
Imagine coming in to work on a Monday morning, grabbing a protein bar and a steaming cup of your favorite joe and heading to your desk. You check the logs from the weekend, scan the monitoring dashboard and the SecureWorks alerts – nothing. A quick check of an IDS report and uptime status and you conclude that it’s been an uneventful weekend. Fantastic, now you can finally get to those Board reports you’ve been putting off.
Here’s what you missed: your data is there, it’s just all wrong. That’s right – all of your data has been changed. In subtle, random ways. No patterns. No canaries. No nothing. All of it.
If you think losing good data is bad – try keeping bad data.
Your doctors amputate the wrong leg. Professors hand out the wrong grades. Exchanges trade stocks at the wrong rate. Airplanes fly the wrong routes. You get the picture.
Now – what’s it worth to get it fixed?
I can’t answer that question, but I can tell you from a response perspective it’s a nightmare. We’re experts at telling when data has been encrypted or exfiltrated, we’re not so good at knowing when it’s off by a tenth of a percent.
The good news is that the intrusion (today at least) would look basically the same. One of the rare cases where prevention might be easier than response.
In my next update I’ll talk more about what you should be doing to fight it.