Tracing the evolution and subsequent revolution of ransomware
This is actually where I came in, nearly 30 years ago. The first malware outbreak for which I provided consultancy was Dr. Popp’s extraordinary AIDS Trojan, which rendered a victim’s data inaccessible until a ‘software lease renewal’ payment was made. And for a long time afterwards, there was not much else that could be called ransomware, unless you count threats made against organizations of persistent DDoS (Distributed Denial of Service) attacks.
While Denial of Service attacks amplified by the use of networks of bot-compromised PCs were becoming a notable problem by the turn of the century, DDoS extortion threats have accelerated in parallel (if less dramatically) with the rise in ransomware in the past few years. However, statistics may be obscured by a reluctance on the part of some victim organizations to speak out, and a concurrent rise in DDoS attacks with a political dimension rather than a simple profit motive. There are other complex interactions between malware types, though: there have been instances of ransomware variants that incorporated a DDoS bot, while more recently the charmers behind the Mirai botnet chose to DDoS the WannaCryptor (a.k.a. WannaCry) “kill switch” in order to allow dormant copies of the malware to reactivate.
The worm turns
Of course, there’s a great deal more to the malware ESET calls Win32/Filecoder.WannaCryptor than the Mirai factor. The combination of ransomware and worm accelerated the spread of the malware, though not as dramatically in terms of sheer volume as some of the worm attacks we saw in the first decade of the millennium, partly because its spread was reliant on a vulnerability that was already widely patched. However, its financial impact on major organizations caught the attention of the media worldwide.
Pay up! and play our game*
One of the quirks of WannaCryptor was that it was never very likely that someone who paid the ransom would get all their data decrypted. That’s not unique, of course: there are all too many examples of ransomware where the criminals were unable to recover some or any data because of incompetent coding, or never intended to enable recovery. Ranscam and Hitler, for example, simply deleted files: no encryption, and no likely way the criminal can help recover them. Fortunately, these don’t seem to have been particularly widespread. Perhaps the most notorious example, though, is the Petya semi-clone ESET detects as DiskCoder.C, which does encrypt data. Given how competently the malware is executed, the absence of a recovery mechanism doesn’t seem accidental. Rather, a case of ‘take the money and run’.
While the DiskCoder.C malware sometimes referred to as NotPetya clearly doesn’t eschew making some profit by passing itself off as ransomware, other ‘wipers’ clearly have a different agenda, such as the (fairly) recently revived Shamoon malware. Malware with wiper functionality aimed at Ukraine include KillDisk (associated with BlackEnergy) and, more recently, one of the payloads deployed by Industroyer.
What can you learn from these trends?
Holding your data to ransom is an easy way for an attacker to make a dishonest profit, and destroying data for other reasons such as a political agenda seems to be on the rise. Rather than speculate about all the possible variations on the theme of data mangling, let’s look at some measures that reduce the risk across the board.
- We understand that people choose to pay in the hope of getting their data back even though they know that this encourages the criminals. Before paying up, though, check with your security software vendor (a) in case recovery may be possible without paying the ransom (b) in case it’s known that paying the ransom won’t or can’t result in recovery for that particular ransomware variant.
- Protecting your data proactively is safer than relying on the competence and good faith of the criminal. Back up everything that matters to you, often, by keeping at least some backups offline – to media that aren’t routinely exposed to corruption by ransomware and other malware – in a physically secure location (preferably more than one location). And, obviously, backups defend against risks to data apart from ransomware and other malware, so should already be part of a disaster recovery plan.
- Many people and organizations nowadays don’t think of backup in terms of physical media like optical disks and flash storage, so much as in terms of some form of cloud storage. Which are very likely to be offsite, of course. Remember, however, where such storage is ‘always on’, its contents may be vulnerable to compromise by ransomware in the same way that local and other network-connected storage is. It’s important that offsite storage:
- Is not routinely and permanently online
- Protects backed-up data from automatic and silent modification or overwriting by malware when the remote facility is online
- Protects earlier generations of backed-up data from compromise so that even if disaster strikes the very latest backups, you can at least retrieve some data, including earlier versions of current data.
- Protects the customer by spelling out the provider’s legal/contractual responsibilities, what happens if the provider goes out of business, and so on.
- Don’t underestimate the usefulness of backup media that aren’t rewriteable/reusable. If you can’t modify what’s been written there, then neither can ransomware. Check every so often that your backup/recovery operation is (still) working properly and that your media (read-only, write-disabled, or write-enabled) are still readable (and that write-enabled media aren’t routinely writeable). And back up your backups.
- I’m certainly not going to say that you should rely on backups instead of using security software, but bear in mind that removing active ransomware with security software that detects ransomware is by no means the same as recovering data: removing the ransomware and then deciding to pay up means that the data may no longer be recoverable even with the cooperation of the criminals, because the decryption mechanism is part of the malware. On the other hand, you certainly don’t want to restore your data to a system on which the ransomware is still active. Fortunately, safe backups can save your data if/when something malicious slips past your security software.
And the future?
“Don’t make predictions about computing that can be checked in your lifetime” – wise words from Daniel Delbert McCracken. Still, we can risk some extrapolation from the recent evolution of ransomware in order to offer some cautious thoughts about its future evolution.
The AIDs Trojan was pretty specific in its targeting. Even then, not many people were interested in the minutiae of AIDS research, distribution of the Trojan by floppy disk was relatively expensive, and the mechanism for paying the ransom didn’t really work to the attacker’s advantage. (Of course, in 1989 Dr. Popp didn’t have the advantage of access to cryptocurrency or the Dark Web, or easy ways to use Western Union (the 419 scammer’s favorite) or to monetize nude photographs.)
The attack itself was ‘classic’ ransomware, in that it deprived the victim of his or her data. Later, DoS and DDoS attacks deprived companies of the ability to benefit from the services they provided: while customers were deprived of those services, it was the provider who was expected to pay. However, as the non-corporate, individual use of the Internet has exploded, the attack surface and the range of potential targets have also widened. Which probably has an influence on the promiscuous distribution of most modern ransomware.
While the media and security product marketers tend to get excited when a highly visible or high-value victim is disclosed – healthcare sites, academic institutions, telephony service providers, ISPs – it’s inappropriate to assume that these institutions are always being specifically targeted. Since we don’t always know what vector of compromise was used by a specific campaign, we can’t say ‘It never happens!’. But it looks as if ransomware gangs are doing quite nicely out of payments made by large institutions compromised via lateral attacks from employees who have been successfully attacked when using their work accounts. The UK’s NHS Digital, for example, denies that healthcare is being specifically targeted – a view I happen to share, in general – while acknowledging that healthcare sites have ‘often fallen victim’.
Could this change?
At the moment, there still seem to be organizations that are prepared to spend relatively large sums in ransom payment. In some cases, this is a reasonable ‘backup strategy’, acknowledging that it’s sensible to keep a (ransom)war(e) chest topped up in case technical defences fail. In other cases, companies may be hoping that paying up will be more cost-effective than building up complex additional defences that cannot always be fully effective. That in itself may attract targeting of companies perceived to be a soft touch or especially able to pay (financial organizations, casinos). The increased volume of wiper attacks and ransomware attacks where payment does not result in recovery may mitigate this unhealthy trend, but companies that are still perceived as unlikely to harden their defences to the best of their abilities might then be more specifically targeted. It is, after all, likely that a successful attack on a large organization will pay better and more promptly than widespread attacks on random computer users and email addresses.
Data versus Devices
Looking at attacks on smartphones and other mobile devices, these tend to be less focused on data and more on denying the use of the device and the services it facilitates. That’s bad enough where the alternative to paying the ransom may be to lose settings and other data, especially as more people use mobile devices in preference to personal computers and even laptops, so that a wider range of data might be threatened. As the Internet of Unnecessarily Networked Things becomes less avoidable, the attack surface increases, with networked devices and sensors embedded into unexpected items and contexts: from routers to fridges to smart meters, from TVs to toys, from power stations to petrol stations and pacemakers. As everything gets ‘smarter’, the number of services that might be disrupted by malware (whether or not a ransom is demanded) becomes greater. In previous years we’ve discussed the possibilities of what my colleague Stephen Cobb calls the Ransomware of Things. There are fewer in-the-wild examples to date of such threats than you might expect, given the attention they attract. That could easily change, though, especially if more conventional ransomware becomes less effective as a means of making a quick buck. Though I’m not sure that’s going to happen for a while…
On the other hand, there’s not much indication that Internet of Things security is keeping pace with IoT growth. We are already seeing plenty of hacker interest in the monetization of IoT insecurity. It’s not as simple as the media sometimes assume to write and distribute malware that will affect a wide range of IoT devices and beyond, so there’s no cause for panic, but we shouldn’t underestimate the digital underworld’s tenacity and ability to come up with surprising twists.
* Apologies to the shade of Henry Newbolt who wrote Vitai Lampada, from which I’ve misquoted: https://en.wikipedia.org/wiki/Henry_Newbolt.