Ransomware is coming soon to a screen near you

Ransomware is sinking its teeth into business data everywhere, with the threat continuing to evolve in new, more sophisticated variants that encrypt individual files or even entire disks. To learn more about the challenge of defending against one of the fastest growing threats online, both for businesses and consumers, IDM spoke with Dr John Selby, a member of Macquarie University’s Cyber Security Hub, established this year in Sydney in a $10 million joint investment with Optus Business.

IDM: It seems there are reports almost every day of new varieties of ransomware. Has the problem reached epidemic proportions?

JS: It’s an area where we’re seeing rapid evolution of the attacks. US victims of ransomware paid more than $24 million in ransoms in 2015. Cryptolocker had a 41% success rate and earned its operators up to $27M.

The criminal growth has been aided by a combination of technologies including cryptocurrencies such as Bitcoin, the Dark Web, Tor and VPNs.

Over the last five years, it’s evolved from very simple, straightforward ones that ask you to pay by credit card to unlock data stolen from your PC, through to the next generation starting to emerge which is going after Internet of Things (IoT) devices such as your television and your mobile phone.

And the challenge with a lot of Internet of Things devices, particularly for the cheaper ones, is they either have default usernames and passwords that you can’t easily change, or they have a default firmware that you can’t update, so that once a vulnerability is identified within it, then the attacker can keep coming back again and again and again.

You may not be too worried about your TV, but it can open a backdoor for people to go to examine your network and try to move laterally across your network to get into other devices as well. IoT devices are often inadequately secured, and that’s a backdoor that organised crime has been exploiting with ransomware because it’s much more efficient for them, much lower risk. Instead of having to send some 300lb muscle-bound thug to demand money from you, one store at a time, they can attack via ransomware, exploiting small businesses’ lack of sufficient backups.

If you have sufficient backups of your data, a ransomware attack is an annoyance, but you format your computer, you reinstall off your image, and maybe you’ve lost a day’s work.  It’s annoying, it’s a nuisance, but it’s not fatal.  But a lot of small businesses don’t have those adequate backups and they don’t have multiple backups from different days or weeks, and even offline backups every week or every month to protect themselves.

Attackers have gained the advantage with ransomware by exploiting the, I would hesitate to call it “laziness”, but the lack of attention to the issue of backups and encryption in email that most businesses have engaged in.  So, when there’s an exploit and someone identifies it, then it rapidly spreads. And while there’s money in it, then this will be a problem for the businesses in general, because the attackers are motivated by their return on investment. 


IDM: In a recent presentation on ransomware trends in the future you talk about crypto-ransomware as a service.  Could you explain that a bit further? 

JS: Criminals are always looking for new business models and ways to make money. So, ransomware developers have now started to offer for sale, or for rent, their ransomware toolkits. Criminal gangs in Russia, Ukraine, Eastern Europe and China are now renting access to their ransomware toolkits for hundreds of dollars per week. Now if you have a particular entity that you want to attack but you don’t have the skills yourself and you don’t have the ability to craft your own ransomware, you can effectively hire them and they will take a percentage of the ransoms you receive. The danger with this is that it is rapidly expanding the capabilities of the people who want to attack you, so all they need to do is cut a cheque to a “ransomware as a service” provider.

The ransomware providers are even offering customer support so their victims can contact them via an email address or Skype to ask for advice, and they’ll walk the victims through the steps of how to buy Bitcoins and how to send them.  They want to make it as easy as possible for people to pay. 


IDM: Do we need to be that worried about malware on a smartphone?

JS: You will if it’s denying you the use of the device: if it’s locked up and you can’t use it, then that’s a frustration that people will often be willing to pay to unlock, because they need their phone. Now, they could pull the SIM out and put it into another phone if they’ve got one handy. It is always helpful to keep your previous phone when you upgrade if you can, because then you can just keep it in the bottom drawer and have it as a reserve in case of emergency. But for people for whom time is more important than money, then attacks on mobile phones are a way of, again, exploiting that urgency and extracting money from people without their consent.


IDM: You have suggested one strategy for businesses to prepare for a successful ransomware attack is to buy Bitcoins in advance. Isn’t this just waving the white flag?

JS: Having the Bitcoins purchased in advance is just a precautionary measure.  You’re not talking about many Bitcoins, maybe half a Bitcoin or a Bitcoin.  It’s just a convenience factor that for some businesses, if they were particularly concerned and they didn’t want to spend the money on backups, they might find that a cheaper option, just to reduce the time in which their business is interrupted.

People have negotiated with these ransomware providers and there have been substantial discounts. One LA hospital paid a $17,000 ransom to regain access to its computer systems (the original ransom demand was for $3 million). Shortly after they paid up that ransom, two more nearby hospitals were hit by ransomware. Victims usually pay $300-$2000 per computer.

The danger is that if you pay such a ransom, you’re rewarding bad behaviour. You may get put onto a “suckers list” and then just be attacked again the next week, by the same attacker or a different attacker; they know you’ll pay. The more profit that criminals can get out of ransomware, the more they can reinvest a portion of that into developing newer and more sophisticated ransomware to attack more people.


IDM: What is being done internationally to fight these threats?

JS: The EU has put up a website, the nomoreransom.org website, which is designed to help people when they’ve been attacked by a flawed ransomware that has already been defeated by security researchers. Those experts are trying to identify flaws in the ransomware, particularly in the way in which the encryption has been implemented, so that if they can reverse engineer it and identify a weakness, a vulnerability in the ransomware, then it may be possible to remove the encryption on the files without having to pay the ransom.

Flaws have been identified in some earlier generations of ransomware, and the EU website is designed to assist people who can check there first, and you may be able to get help without calling in a consultant. But if you are hit by one of the newer varieties using 2,048-bit encryption and it’s been properly implemented, good luck. Short of having a supercomputer working for months or years to get access to your data, it’s much cheaper and more efficient to have backups.


IDM: Is there a risk of email becoming untenable due to the concentrated attacks appearing every day via your inbox?

JS: There are a number of things that people can do to reduce the threat. The first one is to shift towards encrypted email with, for example, PGP, so that there’s a level of authenticity. So, a person has to use their private key to sign the email that they’re sending to you. Although, that only tells you that it’s come from that person’s machine; it doesn’t tell you whether someone might have got access to that machine and then can get access to the email and use the key as well.

What we’re seeing today, particularly in large companies, in the financial markets and law firms, etc., is a shift towards back-channel or offline-channel confirmation, so people saying, “If I send you a request for data or I’m sending you a big file, I will call you as well, or you call me to confirm it before you respond to send anything through by email.” Particularly for what’s known as the “President’s scam” in the US, or “CEO scam”, where the fake email comes from the President of the company to someone underneath reporting to them, or reporting to someone who reports to the CEO, saying, “Send me this data quickly.” Most people will comply with their boss’s demand, rather than verifying first. Companies must work to set up a culture of, “If you have any suspicions, it’s okay to confirm before you click.” It’s a little bit of an efficiency loss, but that’s a much lower cost than the risk of a data breach or an attack.