Ransomware has brought the point-of-payment to the point-of-attack. That might not sound like much, but it could reshape the threat environment.
If you stop looking at ransomware through a technology lens and look at it through a market lens, you'll begin to see the real innovation, and the real danger, behind it. It's not about the data, the encryption methods, or any of the tactics, techniques, and procedures that ransomware uses. Ransomware's big breakthrough is a fundamental shift in how cyber attackers get paid.
The traditional monetization model involves multiple steps of infiltrating your system, stealing your data, going to the black market, and selling it. The ransomware model makes the process much more efficient. With ransomware, the victim is paying for all those other steps not to happen. It’s not only a faster, much more efficient way to get paid, it’s also more profitable.
Dark web markets act like most markets and eventually normalize prices. Someone comes in cheaper, the market resets at a lower price point, and prices are driven down. Cyber victims, however, do not communicate or collude. What one victim will pay might be very different from what another will. This market ambiguity favors the extortionist, who will get the most they can out of every victim. This is why, in kidnap-for-ransom cases involving actual people, most negotiations run through a single channel, the kidnap and ransom insurance market at Lloyd's of London, which lets Lloyd's control the costs, the governance, and the protocols. No such mechanism exists for the cyber world yet, so we're on our own.
People are paying the ransoms, which means the model is working. According to IBM, 70% of victims pay the ransom. What’s more, less than 25% of victims report the crime. Cybersecurity Ventures predicts that ransomware market damage costs will exceed $5 billion in 2017, up more than 15X from 2015.
Ransomware is a market-proven, highly efficient, emerging business model. As with any market, that means we’re in for a period of investment, growth, competition, and adaptation.
Ransomware’s perfect storm
Ransomware isn't new. It can be traced back to the late eighties, when the first victims had to mail their payments. It has, however, taken off in the last few years. So, why now? Like most market "overnight successes", there has been a long period of obscure development, ignited by a few key innovations and convergences. For ransomware, one of the big breakthroughs has been Bitcoin. A victim anywhere can pay within hours, the payment cannot be reversed, and wallets are pseudonymous, so no bank or card network sits in the path to block or refund the transfer. Bitcoin is not untraceable, every transaction sits on a public ledger, but attributing a wallet to a person is hard enough to make the model work, and that is the critical factor for ransomware's success.
Other drivers include the increase in phishing effectiveness and sophistication, the expanding use of the Internet (e.g., social media, file sharing, application downloads), and the easy availability of strong public-key cryptography, which makes recovering files without the attacker's key infeasible. Together these created a perfect storm of opportunity for attackers to target and exploit ransomware victims. Where they once targeted individuals, they have now migrated to more profitable corporate targets. We're fast approaching a tipping point that will trigger a period of expansion and change.
Ransomware is already adapting
Ransomware will change, but the driving principle of extorting payment directly from victims will remain. Ransomware is rapidly adapting. Attackers are changing their malware and approach to take advantage of their victims' lack of sophistication. They now offer "customer" support lines, payment options, and user-friendly interfaces. Newer ransomware adjusts the ransom it charges based on international exchange rates, so victims are more likely to be hit for the largest amount they can reasonably pay. Attackers are also beginning to specialize by offering Ransomware-as-a-Service (RaaS). Ransomware is even going mobile: ransomware targeting Android users has increased by over 50 percent in just a year.
Attackers are also doing their market research, and refining who they go after, based on who is most likely to pay. Healthcare is a prime target, because of the criticality of their data and their likelihood to pay ransoms. As a result, ransomware accounted for 72% of healthcare malware attacks in 2016.
Ransomware will go kinetic, and that’s a huge threat
Today's ransomware denies us access to our data. Tomorrow's ransomware will hijack our connected devices. The Internet of Things is working its way into our private and professional lives at an exponential rate. From our cars to our medical devices to our industrial controls, we're opening ourselves up to cyber attacks at an alarming rate. For example, researchers recently found more than 80,000 industrial routers exposed on the public Internet in just a two-week scan.
Ransomware might not only lock data on these devices; it might take control of them, causing kinetic effects in the real world. Imagine an attacker cutting the brakes on your car or overloading your pacemaker if you refuse to pay. The more life-threatening the effect, the more they can demand in ransom. Remember, the reason hospitals are such a good target for today's malware is that the data being blocked is critical to emergency care. Eventually, ransomware will evolve past simply blocking data, and the term will refer to any mechanism for extorting money directly from victims.
Today’s ransomware is a warning, and we’re not listening
Ransomware's greatest strength might be our complacency. In essence, ransomware is malware with a novel payment method. Most current ransomware can be prevented or remediated through basic cyber hygiene. If we patch our systems, automatically back up our data (and keep copies the malware cannot reach), teach our people, and have the right monitoring and response mechanisms in place, we can avoid much of the impact of ransomware. The WannaCry worm that infected hundreds of thousands of computers in May 2017 spread through an SMBv1 flaw that Microsoft had patched (MS17-010) two months earlier; hosts that had applied the patch were not exploitable.
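The "monitoring and response" control above is the one most often left vague, so here is an added example, not part of the original article, of the file-system signature a detector can key on: one process rewriting many files across several directories to an unfamiliar extension within seconds, often followed by a dropped ransom note. The event format, the baseline extension list, the note file names, and the thresholds are all assumptions chosen for this example; a real deployment would read Sysmon, auditd or EDR telemetry and tune the numbers to the fleet.

```python
"""Minimal encryption-burst detector over constructed file-system events.

Added example, not code from the original article. Event format,
thresholds, BENIGN_EXTS and RANSOM_NOTE_NAMES are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set
import os

# Extensions a normal user process legitimately produces in bulk (assumed
# baseline for this example; tune per environment).
BENIGN_EXTS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".tmp"}
# Names commonly used for ransom notes dropped beside encrypted files
# (assumed list for this example).
RANSOM_NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt", "restore_files.html"}


@dataclass(frozen=True)
class FileEvent:
    ts: float   # seconds; the sample below uses constructed timestamps
    pid: int
    op: str     # "rename" (encrypted copy replaces original) or "create"
    path: str   # destination path


class EncryptionBurstDetector:
    """Flags a process that renames at least min_files files spread over at
    least min_dirs directories to a non-baseline extension inside window_s
    seconds, or that drops a ransom note while such a run is under way."""

    def __init__(self, window_s: float = 10.0, min_files: int = 20,
                 min_dirs: int = 3) -> None:
        self.window_s = window_s
        self.min_files = min_files
        self.min_dirs = min_dirs
        self._recent: Dict[int, Deque[FileEvent]] = defaultdict(deque)
        self._alerted: Set[int] = set()

    @staticmethod
    def _suspicious(ev: FileEvent) -> bool:
        ext = os.path.splitext(ev.path)[1].lower()
        return ev.op == "rename" and ext not in BENIGN_EXTS

    def feed(self, ev: FileEvent) -> Optional[str]:
        """Consume one event; return an alert string the first time a pid
        crosses a threshold, otherwise None."""
        q = self._recent[ev.pid]
        while q and ev.ts - q[0].ts > self.window_s:   # expire old events
            q.popleft()
        if self._suspicious(ev):
            q.append(ev)
        if ev.pid in self._alerted:                    # alert once per pid
            return None
        dirs = {os.path.dirname(e.path) for e in q}
        burst = len(q) >= self.min_files and len(dirs) >= self.min_dirs
        note = (os.path.basename(ev.path).lower() in RANSOM_NOTE_NAMES
                and len(q) >= self.min_files // 2)
        if burst or note:
            self._alerted.add(ev.pid)
            reason = "ransom note dropped" if note else "rename burst"
            return (f"ALERT pid={ev.pid}: {reason}, {len(q)} files in "
                    f"{len(dirs)} dirs within {self.window_s:.0f}s")
        return None


def sample_events() -> List[FileEvent]:
    """Constructed telemetry (not real data): a user saving documents, a
    small backup job, and a process encrypting a file share."""
    t = 1_000_000.0
    events: List[FileEvent] = []
    for i in range(5):   # pid 100: ordinary document saves over a minute
        events.append(FileEvent(t + 12 * i, 100, "rename",
                                f"/home/alice/docs/report{i}.docx"))
    for i in range(5):   # pid 300: a few .bak files in one directory
        events.append(FileEvent(t + 2 * i, 300, "rename",
                                f"/srv/backup/db{i}.bak"))
    dirs = ["/srv/share/finance", "/srv/share/hr",
            "/srv/share/eng", "/srv/share/legal"]
    for i in range(30):  # pid 200: 30 files re-extensioned in about 5 s
        events.append(FileEvent(t + 60 + 0.15 * i, 200, "rename",
                                f"{dirs[i % 4]}/file{i}.locked"))
    events.append(FileEvent(t + 65, 200, "create",
                            "/srv/share/finance/README.TXT"))
    events.sort(key=lambda e: e.ts)
    return events


def run(events: List[FileEvent]) -> List[str]:
    """Feed events through one detector and collect the alerts raised."""
    det = EncryptionBurstDetector()
    return [a for a in (det.feed(e) for e in events) if a]


if __name__ == "__main__":
    for alert in run(sample_events()):
        print(alert)
```

The two benign processes stay silent for different reasons: the document saves use a baseline extension, and the backup job renames too few files in too few directories. The encrypting process trips the burst rule on its twentieth rename, and the later ransom note does not raise a second alert for the same pid. Response matters as much as detection: the action wired to this alert should be to suspend the process and isolate the host, since by the time a note appears most of the damage is done.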
Yet we often become our own worst enemy. There are lots of reasons for this, but the fact remains that we are in danger of becoming complacent when it comes to ransomware. Companies are already setting aside bitcoin funds to use in case of an attack, rather than taking steps to avoid one.
The danger is that companies start seeing ransomware as simply a cost of doing business. That would be a very short-sighted perspective. Ransomware is being driven by some deep-seated market factors. Regularly paying ransoms marks you as a target and feeds directly into those market forces.
Ransomware is a game changer that has the power to reshape everything from who attacks you, what they target, and how you are attacked. More than technology, it’s driven by market fundamentals.
Your best response is to implement your own cyber security fundamentals.