Ransomware: Old Racket, New Look
Security Expert Recommends Kidnapping and Ransom Insurance - for Cyber
Cyber extortion: What's old is new again.
Ransomware may be the big-time cyberattack du jour, but at its heart these types of attacks are plain old shakedown attempts. Psychologically speaking, they're designed to compel someone to do an attacker's bidding. In the case of ransomware, that involves goading someone into transferring bitcoins to an attacker-controlled wallet in the minimum possible amount of time, based on the attacker's promise to, in return, give the victim a decryption key for their forcibly encrypted data.
Of course, the practice of holding someone or something to ransom is not a new concept.
In a May 12 keynote presentation at the AppSec Europe 2017 conference in Belfast, Northern Ireland, Jeremiah Grossman, chief of security strategy for endpoint security firm SentinelOne, referenced an example from 75 B.C.
According to an account published by the Greek author Plutarch, a 25-year-old Julius Caesar was kidnapped by the Cilician pirates then terrorizing the Mediterranean Sea. When the kidnappers set a ransom demand, the story goes, Caesar laughed and said he was worth far, far more, and so they raised their demands accordingly. Eventually, Caesar - after ordering his kidnappers around - was freed after his friends paid the ransom. After gaining his freedom, Grossman recounted, Caesar then ordered his kidnappers to be hunted down and crucified.
No doubt many ransomware victims might wish they could also bring some tough justice to bear on their tormenters. Unfortunately, based on just about any measurement standard you can think of, the attackers are winning.
Moscow-based security firm Kaspersky Lab, for example, reports that from January to September 2016, ransomware attacks against businesses increased threefold.
Meanwhile, the FBI says that ransomware victims collectively told the bureau that they had paid $209 million to attackers in the first three months of 2016, up from the $24 million that got paid to attackers in all of 2015. Of course, many victims don't report such payments to the FBI, meaning that cybercriminals' collective haul is likely much higher (see FBI to Ransomware Victims: Please Come Forward).
For proof of the efficacy of these operations, Grossman says he learned in January of a New York law firm - no names were named - that paid a seven-figure ransom after attackers managed to encrypt all of their data.
Tweet from Richard Bejtlich (@taosecurity), January 31, 2017: "@jeremiahg 7 figures already paid."
Ransomware is fascinating in its own right, with various families and strains sometimes being "skinned" with themes ranging from British Prime Minister Theresa May and U.S. President Donald Trump to horror films and Pokémon.
How to Battle Ransomware
But the bigger question is: How do you get rid of it?
Such discussions are germane to the application development space because ransomware is designed to forcibly encrypt data. In effect, our productivity and communication tools are made to work against us.
Solving this problem will require the individuals who code and maintain our applications and operating systems - never mind networking protocols and so on - to find better ways of ensuring that our systems can't be used against us, or at least that they don't leave any flaws in their code that attackers can exploit.
This year's AppSec Europe, for example, had four tracks: application development, hacking, business-level concerns, and DevSecOps, meaning the practice of doing DevOps - think agile-inflected code development and rapid iterations - with security baked in.
But more will be required than just writing better code and then replacing less secure systems and devices with new ones. Despite everyone's best efforts, at least some of these attacks are going to continue to succeed.
Model: K&R Insurance
To address that problem, Grossman told the AppSec Europe conference that the kidnapping and ransom insurance industry - born after Charles Lindbergh's baby was kidnapped in 1932 - offers a useful model. The industry, for example, protects oceanic shipping firms, which face the risk of piracy, especially when operating in the Indian Ocean off the coast of Somalia. In response to that threat, the industry has codified a list of best practices - ranging from having armed guards on ships to ensuring that if the ship gets boarded, everyone surrenders. As a result, kidnapping victims rarely die. At the same time, all of the roughly 20 firms that offer such insurance have their policies underwritten or reinsured by Lloyd's of London, which sets the rates that will be paid out to pirates. By doing so, it helps ensure that ransom payments don't get too high.
The results speak for themselves. In 2010, $148 million was spent on ransoms to pirates, Grossman says. But the same year, firms paid ten times as much - $1.85 billion - in insurance premiums to cover piracy.
Transposing that example to the information security realm, Grossman says that "we know how to make secure enough software." What can be lacking is follow-through, both by vendors, who must commit to writing more secure software, as well as by users, who need to be putting basic anti-ransomware defenses in place.
"The way I hope we'll change this is by changing the incentives model - making vendors accountable for what they say and do," he says.
At the same time, he also believes that the insurance model offers a sustainable path forward, because it will be impossible to successfully block all ransomware attacks. He hopes that ransomware insurers will gather and disseminate minimum best practices, and by doing so force organizations "to listen to our cyber-insurance overlords," thus improving everyone's information security defenses.
These insurers must also band together to present a unified front in the face of ransomware payments. "We're going to need the formation of insurance 'syndicates' for ransomware pricing," he said. "The last thing anyone wants is for seven figures to become the norm."