Computer viruses have been around for almost as long as computers themselves. As with many of the early tinkerers of computing, the motivations of early virus authors ran the gamut from personal research projects gone wrong, to digital pranks, to outright disruption. Unlike previous viruses and malware, ransomware has become big business, with investors, owner/operators and bottom lines. With the emergence of freely available digital encryption and universal payment via bitcoin, ransomware may well be the last iteration of modern viruses, their ultimate (if unfortunate) conclusion.
Privacy begets new problems
As personal computers, malware, and the internet matured, so did cryptography. The rapid growth of digital encryption, originally designed to keep individuals’ files safe from access by nefarious individuals or, in some cases, government agencies, has now made it simple for anyone to encrypt a file. Using the same algorithms developed for the protection of top-secret data, this method of encryption renders any file essentially inaccessible. The FBI refers to this concept as “going dark” – an emerging world in which the average user can render data inaccessible to law enforcement.
Strong encryption is context agnostic, protecting military secrets with the same tenacity as a drug dealer’s balance sheet, or – in the case of ransomware – all of the files on your computer and networked shared drives. Without the correct decryption key, opening the files would take years – even decades – of brute-force attacks.
Ransomware usually arrives on your computer via spam email, masking itself as a bank statement or credit card notification. This technique – called social engineering – is designed to trick people into opening the accompanying attachment.
Cleverly, the attachment is often a .zip file. The archive format is ubiquitous and can conceal the malicious file inside, hiding it from virus scanning software. The file inside the .zip looks just like a normal Microsoft Word doc or PDF, but runs an automated program called a macro that downloads the ransomware to your PC.
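As an added illustration (not part of the original article), here is a sketch of the check a mail filter can run so that a .zip does not hide a macro-carrying document: it opens the archive in memory and flags members that are macro-capable Office files, going slightly beyond the text by also flagging encrypted members it cannot inspect. The function names, the size cap and the sample archive are assumptions constructed for this example.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls container
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # assumed cap; larger members are not read


def classify_member(payload):
    """Return a reason string if the payload is a macro-capable Office file."""
    if payload.startswith(OLE2_MAGIC):
        return "legacy OLE2 Office file (can carry macros)"
    if zipfile.is_zipfile(io.BytesIO(payload)):  # .docx/.docm are zips themselves
        with zipfile.ZipFile(io.BytesIO(payload)) as inner:
            if any(n.lower().endswith("vbaproject.bin") for n in inner.namelist()):
                return "OOXML file with embedded VBA project"
    return None


def scan_zip_attachment(data):
    """Inspect every member of a .zip attachment; return (name, reason) findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as outer:
        for info in outer.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # bit 0 set: member is password-protected
                findings.append((info.filename, "encrypted member, cannot be scanned"))
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((info.filename, "member exceeds size cap, not scanned"))
                continue
            reason = classify_member(outer.read(info))
            if reason:
                findings.append((info.filename, reason))
    return findings


def _make_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample: a macro-enabled document named like an ordinary statement.
macro_doc = _make_zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\x00"})
clean_doc = _make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>"})
SAMPLE = _make_zip({"statement.docx": macro_doc, "terms.docx": clean_doc,
                    "old_invoice.doc": OLE2_MAGIC + b"\x00" * 16})
```

The check keys on file content rather than the extension, so a macro-enabled document renamed to .docx is still flagged.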
After gaining access, ransomware scans and encrypts files on your local machine and network shares. Ransomware authors then sell the decryption keys to their victims for dollar figures high enough to generate some serious revenue, but low enough that most individuals can afford to pay.
The genius of ransomware is that it solves the monetization problem of modern malware. Rather than gathering pennies from hundreds of thousands of infected systems, it demands hundreds, thousands, or tens of thousands of dollars from each infected host, based largely on their capacity to pay.
In this way, ransomware succeeds where no other malware has before – by monetizing information that only you, or your company, care about.
The monetization model
Ransomware authors assume that the data you store on your computer is of value to you. Rather than try to determine what files you value the most and then assign a value to that data, they simply encrypt everything and set a price that is accessible to anyone with the wherewithal to own a personal computer.
Chances are that if you look through your computer, whether at work or at home, you can find data that you’d happily pay considerable sums – between one and three thousand dollars – to get back. And therein lies ransomware’s effectiveness – by monetizing pictures of your children, your QuickBooks database or the business plan for your next big project, malware distributors are laying a bet that your backups are insufficient – and in most cases, that’s a winning wager.
Faced with the choice between paying up and never seeing their data again, many choose to pay and hope the criminals hold up their side of the bargain.
Is your industry next?
A troubling development on the malware front is targeted ransomware that is designed to exploit specific industry verticals with either especially poor security or especially valuable data. Recent targets have included health care, tourism and hospitality, and – ironically – policing and security.
Talos Intelligence, Cisco’s threat intelligence group, paints a stark picture of a future where ransomware is tailored for the target organization, both in delivery and payout amount. By comparing the sophistication of the current generation of ransomware with the techniques used by previous iterations of malware, they conclude that malware authors are currently only targeting the low-hanging fruit with a one-size-fits-all model.
As the upper end of ransomware is refined, barriers to entry are lowering for aspiring criminals. Ransomware-as-a-Service offerings have sprung up in recent months, connecting malware authors with people skilled in distribution. With each party specializing in what it does best and splitting the profits, it has never been easier to get into the game.
This article is excerpted from Liam Somerville and Vince Wolfe's upcoming eBook, Ransomware: Malware's Apex Predator. Subscribe to the Graycon Insights Blog to get your own copy.