The world of cybersecurity is often likened to a cat-and-mouse game. Attackers are constantly coming up with new ways to exploit systems and system developers are finding new ways to defend against them.
One such threat is malware infections. When defenses fail, traditional malwares can cause a lot of harm. They can be used to exfiltrate sensitive data from your machine (such as documents, passwords etc.), used as part of a botnet to attack other systems, or just crash your system (such attacks are broadly called “denial of service” attacks).
The only way to keep them at bay is to ensure that the latest version of softwares are installed in your systems and to use endpoint protection tools (“anti-virus” as they are often called), which work to ensure vulnerable systems aren’t exploited.
Lately, a special kind of malware called ransomware is causing a lot of trouble for users and security professionals world over. While ransomwares are said to be around since the late 1980s, the recent growth of bitcoin has made them a profitable venture for attackers.
Over the last few years, ransomwares have given the cat a huge edge over the mouse in the cybersecurity game.
The modus operandi
So, how do ransomwares work? The idea is simple. The attacker installs a ransomware in the victim’s system, encrypting all the data on the hard disk, hence making it unreadable. A ransom is demanded, which has to be paid in bitcoin. Once the ransom is paid, the attacker sends the victim the decryption key, which is used to retrieve all the encrypted data. The way bitcoin is structured, it is possible to make it very hard to associate an entity (human or organisation) with the recipient of the transaction.
Sample this: A few months ago, the terminals at San Francisco MUNI (their rapid transit system) displayed a strange message. Instead of displaying train information, it said: “You are Hacked!!!. ALL Data Encrypted.”
The message also provided a contact email address to help with the decryption. This meant the rapid transit system could not process ticket collections, and decided to open up all trains for free (which reportedly cost them USD 50,000), until it could restore its system (perhaps from available backup).
In the case of traditional malware attacks, it is hard for attackers to monetise their act. All they can do is sell the sensitive data in the black market for money or use compromised web accounts/credit card details to make purchases. While these methods are used all the time, it is hard to generate a steady income from them. In addition, fraud detection mechanisms these days are well equipped to handle such incidents.
However, attackers using ransomwares easily bypass endpoint protection checks by slightly modifying known ransomwares which create signatures that go undetected. Once the data is encrypted, receiving the ransom is a smooth process. The user has to transfer a predetermined number of bitcoins to the attacker and the decryption key is sent.
Unlike traditional ransoms, the nature of bitcoin makes it very difficult for law enforcement agencies to track the owner of the recipient bitcoin account. This makes profiting from ransomwares a repeatable process. Attackers use all the tricks of seasoned extortionists. This includes inducing a sense of urgency to make payments (for instance a “countdown” to a deadline on a screen) and coercing victims to pay up. They often leave detailed instructions (with screenshots and explainer videos) on how to convert their currency to bitcoin, send the money and decrypt their files. After all, UX is not limited to legitimate operations alone.
While MUNI was able to get away without paying a ransom, others aren’t so lucky. Surveys indicate that most businesses are willing to pay the demanded ransom. An FBI report indicated that over $200 million was paid in ransom in the first quarter of 2016 alone. This is in no way a US-specific problem. A university researcher in Madhya Pradesh reportedly lost over 50GB of data in a ransomware attack that caught the MP Cyber Police unaware.
What’s the fix?
Like all security incidents, the best way to mitigate the threat of ransomwares is to try and ensure that the attack never happens. Having up-to-date softwares, running routine anti-virus checks and showing security awareness while clicking on links and downloading attachments are good preventive measures.
But, like all secure incidents, there will be times when preventive measures fail. How does one deal with them? One way of course, is to pay the ransom (if your moral code and bank balance allow it). The other is to invest in “ransomware decryptors”. These are tools that promise to retrieve the data without receiving the decryption keys. To be honest though, any self-respecting attacker will ensure the ransomware they deploy is resistant to these decryptors. The final option (and often the safest) is to revert to a backup. This will lead to some loss of data, but proper backup hygiene goes a long way in reducing the damage.
While the above approaches work reasonably well for individuals, all of those options make businesses nervous. Paying a “ransom” can send a message that you are weak and attract more attacks.In addition, paying a ransom also adds a lot of uncertainty to your balance sheet; “ransomware decrypters” are rarely reliable and there are as many ways for backups to fail as there are fish in the ocean (There’s an interesting one playing out as this article is written). Such situations are ripe for insurance, assign a dollar value to the risk and find a way to insure the company for that amount in case an attack occurs.
The problem is, while cyber insurance has been around for many years — and is predicted to be a $7.5 billion market by 2020 — only a few companies offer insurance/payouts against ransomware attacks. This is probably because most available protection mechanisms are not effective enough to handle ransomware attacks, which would mean a higher number of insurance payouts.
Unless defence tools catch up quick enough to thwart the risk of ransomwares, the new economy spawned by these attacks will continue to thrive. Until that happens, businesses need to have a combination of preventive and reactive measures to deal with the threat.
Update, 12.36 PM (IST): Some references mentioned at the bottom of this article have been deleted.