By Andrew Paulette
In the previous parts of this series, we explored the concepts underlying ransomware as well as some of the tactics and variations on basic ransom-based malware. Here in part IV, we will explore what makes ransomware an appealing enterprise for cybercriminals; as the title of part III indicates, the ransomware industry is booming.
Just as successful entrepreneurs constantly evaluate emerging markets and untapped profit streams, successful cybercriminals constantly seek out new methods of attack for profit. Although some of the biggest profits to date have come from attacks on customer data in sectors such as healthcare, security professionals should now expect future variants to go after the systems that control critical operations for both businesses and the public at large. As the market for ransoming ordinary customer data saturates, cybercriminals will focus their attacks on critical business infrastructure in order to maximize the impact and the potential payout. These illegal entrepreneurs will seek out poorly defended data and systems with a low maximum acceptable outage (MAO), that is, the longest a system can stay offline before the outage causes severe damage to profits, privacy, or customer service. Patient records in a hospital or the management systems for critical infrastructure are obvious examples.
One recent ransomware attack targeted a luxury hotel's electronic key card system, rendering it unusable and leaving guests locked out of their rooms. The system held none of the confidential or personal data traditionally targeted by ransomware, but it was a critical system, so the hotel paid the ransom of €1,500. Paying, however, does not put the victim in the clear; in fact, it marks the business as a target, not only for the original criminal but for other criminals looking for an easy payout. The hotel in question was attacked three more times and paid a similar ransom each time.
The cybersecurity industry should expect to see an increase in attacks against critical business systems. In the worst case, ransomware will be used against the industrial control systems that run critical infrastructure. In a presentation at the 2017 RSA Conference, researchers from the Georgia Institute of Technology demonstrated ransomware that targets the embedded controllers used in Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) networks. These devices control critical infrastructure such as the power grid, the water supply, and other industrial processes, and denying availability to them could have consequences beyond the business: it could put human lives in danger. That cost would be the ultimate enticement to pay a large ransom quickly and quietly, avoiding both the potential loss of life and the embarrassment of such an attack.
Public shaming through ransomware
Throughout 2016, one of the few silver linings of a ransomware attack (specifically crypto-ransomware) was that the malware only encrypted the data; it did not cause the additional public embarrassment of a data breach. A business or individual with a recovery strategy could reverse the effects of ransomware by wiping the affected systems and restoring the data from maintained backups, provided those backups were kept where the malware could not reach them.
Ransomware authors and cybercriminals will no doubt add the threat of data disclosure to their toolbox to help ensure payment. Under this model, called doxware (a blend of doxxing and ransomware), the attacker copies the data before encrypting it. The victim can still recover the data from backups, but there is little they can do to prevent its disclosure except pay the ransom.
For example, Jigsaw ransomware threatened users by stating not only that their files were encrypted, but that “all logins, contacts, email, passwords, and skype history” had been collected and that a copy would be sent to their contacts if the victim did not pay. Subsequent reporting suggested this was a scare tactic, but the technique is well within the skills of the programmers creating ransomware. The ability to weaponize an individual's or organization's private or confidential data against them is a powerful motivator, and it removes data recovery as a complete defense: backups restore availability, but they cannot undo a disclosure. As companies create more comprehensive data recovery plans, we can expect this form of malware to catch on as the next step in the arms race between cybercrime and defensive security.
Be sure to join us next week as we discuss how organizations and individuals can plan smarter defenses against the increasing ransomware threats. Follow us on Twitter @NetCentricsCorp to hear about the final installment in this series on ransomware.