Juha Saarinen: How we created the ransomware monster


The information technology systems that we depend on are built like leaky houses which should be cause for alarm.

That’s bad enough, but we continue to make the situation worse by actively funding the ransomware industry. Renowned security researcher Kevin Beaumont recently pointed that out, and it’s difficult to disagree with him.

Estimates by security researchers suggest that the Ryuk ransomware criminals last year pulled in at least US$150 million ($209.9m) alone. Others “earn” less, maybe US$30-40m, but there’s a steady and large flow of untaxed revenue for ransomware criminals.

Some of that money is being put towards developing an already lucrative ransomware industry.

Recent charges laid in the United States against one of the Trickbot malware coders show that the software development houses of evil have proper business structures, wholesale and retail, with product managers, sales people, malware rentals and recruitment of new coders.

New bugs to exploit are traded among the ransomware criminals who, as Beaumont points out, have huge budgets to play with. Those budgets are in fact bigger than what defenders in many organisations, and even the authorities in smaller countries, have to work with.

In comparison, the Government Communications Security Bureau spooks have just over $212.5m to work with.

What can anyone do against such well-funded and superbly resourced foes whose business is to rob your organisation?

A start would be to answer the question “what’s the worst that can happen?” correctly.

Ransomware has answered that question for many organisations, and then some, in a very short space of time.

Because it doesn’t get much worse than ransomware, with your business systems locked up, sensitive data stolen and sometimes resold for further criminal activity.

It goes beyond keeping systems patched and backed up, which everyone should do, since few organisations have practised recovery under severe time pressure, in a disaster scenario where most or all business-critical systems are lost. That often includes backups.

Even if backups are safe in the cloud, restoring from there might take a long time during which a business can’t function. That is if the software tools for restoring haven’t themselves been encrypted too.

Tape backups are apparently staging a serious comeback. Sure, tapes are slow and finicky for backing up and data restoration. If they get an organisation back on its feet within a week or so instead of months after a ransomware attack, you too will worship at the altar of magnetic data storage.
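The point about practising recovery is easy to nod along with and hard to act on. As an added illustration (not part of the original column, and not any vendor's tooling), the script below runs a small, offline restore drill: it records a SHA-256 manifest of a backup set, checks the set against that manifest before restoring, restores it, verifies the restored copy, and measures the elapsed time against a recovery time objective. The sample backup set, the file names and the RTO are constructed for the example; the damaged case simply overwrites the restore tool's own file so that the "restore tooling encrypted too" failure mode shows up as a verification failure rather than a surprise mid-recovery.

```python
import hashlib
import os
import shutil
import tempfile
import time


def sha256_file(path):
    """Hash a file in chunks so large backup archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir):
    """Map each file (relative, '/'-separated) to its SHA-256 at backup time.
    In practice the manifest is stored off the backup host, otherwise it is lost with it."""
    manifest = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, backup_dir).replace(os.sep, "/")
            manifest[rel] = sha256_file(path)
    return manifest


def verify_against_manifest(directory, manifest):
    """Return the relative paths that are missing or whose content no longer matches."""
    bad = []
    for rel, expected in manifest.items():
        path = os.path.join(directory, *rel.split("/"))
        if not os.path.isfile(path) or sha256_file(path) != expected:
            bad.append(rel)
    return sorted(bad)


def restore_drill(backup_dir, restore_dir, manifest, rto_seconds):
    """Verify the backup set, restore it, verify the restored copy, and time the whole thing."""
    start = time.monotonic()
    damaged = verify_against_manifest(backup_dir, manifest)
    if damaged:
        # Stop before touching the restore target: the backup itself is not trustworthy.
        return {"ok": False, "stage": "verify_backup", "bad_files": damaged,
                "elapsed": time.monotonic() - start, "within_rto": None}
    for rel in manifest:
        src = os.path.join(backup_dir, *rel.split("/"))
        dst = os.path.join(restore_dir, *rel.split("/"))
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
    mismatched = verify_against_manifest(restore_dir, manifest)
    elapsed = time.monotonic() - start
    within_rto = elapsed <= rto_seconds
    return {"ok": not mismatched and within_rto, "stage": "restore",
            "bad_files": mismatched, "elapsed": elapsed, "within_rto": within_rto}


def run_demo(rto_seconds=60.0):
    """Constructed scenario: a clean drill, then a drill where the restore tool was overwritten."""
    work = tempfile.mkdtemp(prefix="restore-drill-")
    try:
        backup_dir = os.path.join(work, "backup")
        samples = {  # constructed backup contents; not real data
            "db/customers.sql": b"INSERT INTO customers VALUES (1, 'example');\n",
            "config/app.ini": b"[app]\nmode=production\n",
            "tools/restore.sh": b"#!/bin/sh\n# restore tooling lives inside the backup set here\n",
        }
        for rel, content in samples.items():
            path = os.path.join(backup_dir, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as handle:
                handle.write(content)
        manifest = build_manifest(backup_dir)

        clean = restore_drill(backup_dir, os.path.join(work, "restore1"), manifest, rto_seconds)

        # Simulate the backup store being damaged: the restore tool is replaced with junk bytes.
        with open(os.path.join(backup_dir, "tools", "restore.sh"), "wb") as handle:
            handle.write(os.urandom(64))
        damaged = restore_drill(backup_dir, os.path.join(work, "restore2"), manifest, rto_seconds)
        return {"clean": clean, "damaged": damaged}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for label, report in run_demo().items():
        print(label, report)
```

The useful habit this encodes is that the verification step runs before the restore starts, and that the tooling needed to restore is itself covered by the manifest; a drill that only measures copy speed tells you nothing about whether the copy is worth making.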

If an organisation can’t sustain lengthy downtime while incurring losses, or the damage caused by stolen information being leaked, the least worst option is to negotiate a ransom payment.

In doing so, victims put caviar on ransomware raiders’ tables and new Ferraris in their garages. Again. It’s like an involuntary sharing economy where criminals earn millions through an infrastructure they haven’t contributed anything towards yet can freely access.

Ransoms are paid in crypto currency, but Beaumont doesn’t think there’s much point in outlawing virtual money; he would rather see it made more traceable.

There’s some truth in that. Crypto currency is mobile, but only pseudonymous. Thanks to that, the US authorities were able to recover most of the Bitcoin ransom paid to the DarkSide gang by fuel infrastructure provider Colonial Pipeline.

If crypto is banned, well, see above for big budgets which ransomware criminals can spend on developing alternative payments systems.

All that ransom money has to come from a budget somewhere, ditto the costs of recovering from an attack and the losses inflicted when an organisation couldn’t trade.

Few if any organisations have bottomless coffers. It’s far from certain that once losses are counted, there’s room left for an increased IT security budget.

Despite early warning signs – the first ransomware appeared in 1989 – a multibillion-dollar ransomware industry is now humming along. It has successfully leveraged the internet and the lack of security in the systems that are connected to mankind’s giant general purpose network.

Better cooperation, coordination and information sharing across industry sectors could help make the ransomware business sufficiently unattractive for criminals. We haven’t yet managed to achieve such cooperation in any meaningful way, however. Maybe it’ll happen but don’t hold your breath.

Meanwhile, shares in fax machine manufacturers are looking increasingly attractive, provided companies manage to avoid being ransomware-d themselves.
