Daily Archives: February 19, 2017

Ransomware has exploded thanks to Bitcoin's anonymity

Ransomware was first detected in 1989.


Ransomware is one of the oldest cyberthreats, but it has made a big comeback in the past couple of years because it has become much easier to perpetrate against consumers, businesses, hospitals, and government agencies.

With ransomware, cyber thieves steal a user’s data and threaten to destroy it unless the user pays them a ransom. One study by Infoblox found that ransomware increased 3,500 percent from the fourth quarter of 2015 to the first quarter of 2016. Ransoms paid also went up 10 times during that time.

Chris Young, CEO of Intel Security, said last week at a private dinner and in his keynote speech at the RSA security conference that ransomware was first detected in 1989, but it didn’t explode until recently. In the past, it was easier for law enforcement to catch the perpetrator as he or she tried to pick up the ransom.

“It wasn’t until the advent of Bitcoin in our society that ransomware was able to take off,” Young said. “Because now, as an attacker, I can anonymously monetize my target.”

Above: Chris Young, CEO of Intel Security, at RSA.

Image Credit: RSA

He added, “The weaponization of data becomes a real threat to all of us. I’d argue it’s quite likely to be our next advanced, persistent threat.”

Bitcoin, the cryptocurrency introduced in 2008, enables two parties to exchange money without knowing who the other one is. During the past year, security firm Kaspersky identified ransomware as the biggest cyber security threat.

At first, cyber criminals used ransomware schemes against unsuspecting consumers. The criminals stole their passwords, locked down their computers with cryptography, and then demanded ransoms in the hundreds of dollars to unlock the computers. Faced with no choice, the victims paid the ransoms in Bitcoin. And that helped the problem grow and become much more lucrative, said Steve Grobman, chief technology officer at Intel Security, during a dinner.

The ransomware threat has been growing. A ransomware app even made it into the Google Play store in January.

Young said that the growing number of attack types has also come with new attack surfaces, as the number of devices that we use in our daily lives is growing well beyond computers and smartphones. Internet of Things devices, such as security cameras or TV webcams, are also vulnerable to viruses and other attacks. And they can be used as stepping stones to larger, more threatening attacks.

But ransomware is moving on to bigger targets. The focus is increasingly on places like hospitals, which have restrictions on what they can do with patient data. The bad guys find out where the computer backups are stored, they penetrate them and encrypt them, and then hold the data for ransom.

Cyber attackers held an Austrian hotel network for ransom. The criminals demanded $1,800 in Bitcoin to unlock the network; the attack prevented guests from checking in and out of the hotel and locked them out of their guest rooms. The hotel paid up.

A crypto ransomware attack also hit San Francisco’s Municipal Transportation Agency, as an infection spread across the Muni system’s networks, taking down ticketing systems. The criminals asked for $73,000 in exchange for restoration of the Muni data.

Above: Ed Skoudis, instructor at the SANS Institute.

Image Credit: RSA

Ed Skoudis, instructor at the SANS Institute, predicts that the crypto ransomware perpetrators will go after small to mid-sized banks next.

“One of the biggest problems in the last couple of years has been the explosion of crypto ransomware,” Skoudis said in an RSA talk. “Crypto ransomware is so much more powerful especially when it uses public key cryptography.”

Cryptography is useful in enabling secure communications and e-commerce, but there are 150 active families of crypto ransomware today, Skoudis said. Companies say this is one of their biggest fears today, he said, and many more increasingly sophisticated attacks against networks are expected.

Young, meanwhile, worries about the attack targets in homes, thanks to the Internet of Things.

“The target is now the weapon,” Young said. “Now we have to turn our attention to data being weaponized against us. What we used to think about protecting — we now have to be protected against. It’s the strangest irony. The target is now the weapon. We’ve given the enemy all of the scale they could possibly want by connecting our homes with smarter, better, faster devices.”

Above: No More Ransom helps ransomware victims.

Image Credit: nomoreransom.org

And yes, I’m still waiting for some good news on this front.

To prevent ransomware attacks, companies and individuals have to make themselves into harder targets. If one workstation gets attacked, it shouldn’t make the whole network and its servers vulnerable.

“If your organization gets hit with ransomware, who is going to decide whether to pay the bad guys?” he said. “Your business principles might get hit by the business reality.”

Young said that the fragmented cyber security industry must work together.

“We’re the most fragmented sector in all of IT,” Young said.

The industry has formed the collaborative Cyber Threat Alliance group, and it has created No More Ransom, a site that helps victims of ransomware recover their data.