By Roger Grimes. Ransomware is pretty bad right now. It is taking down nearly any company and industry it can, targeting healthcare, energy infrastructure, and food supplies with equal aplomb. It takes down law enforcement, computer security companies, and entire cities at will. The average ransom paid is over $100K and we routinely see payouts in the many millions of dollars.
So far, the largest I have seen is $40M, but I bet larger ones have been paid that I do not know about. This is to say, it is pretty bad out there. Some companies are estimating overall annual damages from ransomware in the multi-hundreds of billions of dollars …ANNUALLY!
As I covered in my last article, ransomware is no longer about just encrypting data and has not been for quite a while. Today’s ransomware is:
- Encrypting your data
- Exfiltrating your emails, data, confidential information and IP, and posting it publicly or giving it to your competitors if you do not pay
- Stealing company, employee and customer login credentials
- Extorting your employees and customers
- Sending spear phishing attacks to your business partners from your own computers using real email addresses and email subject lines your partners trust
- Conducting DDoS attacks against any services you still have up and running
- Publicly embarrassing your company
With all of these things being done routinely by ransomware, the question is, how could it get worse? What is the future of ransomware?
I think I know.
In general, malicious hackers and malware have been going more and more professional over the last few decades. Yesterday’s funny, “haha”, computer viruses and worms gave way to email worms and spam bots, which gave way to crimeware and ransomware. There is no going back. The traditional idea of a lone, script kiddie attacker, souped up on Jolt Cola, hacking his way around the Internet has given way to professional firms. Hacking has gone pro. Actually, it has been that way for a while.
Today’s cyber criminals are often small- to medium-sized collectives that are organized closer to corporations than to cyberpunk gangs. They have CEOs, lead generation, development and fulfillment departments. Malicious hackers have time clock hours, paychecks and earned vacation time. The malware involved runs on a distributed, fully redundant network and server infrastructure that would be the envy of any corporation. Every ransomware gang has its own set of competitive advantages that it uses to sell its products and services over another’s.
The spokesperson for the DarkSide ransomware group that hit the U.S. Colonial Pipeline a few weeks ago sounded like the CEO of any publicly traded company trying to do damage control after having spoken to a professional PR firm. It would not surprise me if he had tons of senior-level corporate executive experience. Ransomware has not just gone pro, it has gone corporate executive!
Skipping File Encryption
All of the leading ransomware gangs have realized that encrypting data is the least of what they can do. They are having far more success exfiltrating data and threatening to release the data publicly or to the victim’s competitors without having to worry about the victim having good backups. Nope, with the data exfiltration threat, backups do not count. I have even heard early rumors of a few specific ransomware exploits where the ransomware gangs simply skipped encrypting any files. Encrypting files takes a little finesse to do it right, especially in a way that makes for easy recovery after the ransom is paid. Too many complaints. Exfiltrating data takes a little research, followed by a few minutes of copy commands.
In some cases, the ransomware victims actually fear data exfiltration more than encryption. For one, many of the victims actually have good backups. But even beyond that, many victims are fighting and hoping that they do not have to report a malicious hacker compromise as a data leak, because a data leak sets off a whole bunch of increased reporting requirements, whereas an encryption event often does not. Think about how many ransomware victims go out of their way in their initial and follow-up PR statements to say essentially, “Our data was not compromised” or something like that.
I think that most computer security experts have struggled with those sorts of statements, because how can anyone truly verify that the victim’s data was not viewed or compromised when the whole network was pwned for weeks? But those victims want to do anything to have the company assisting them declare that there was no data leak. The entire victim company breathes a sigh of relief when they are able to claim that the data was not leaked (legitimate claim or not). It is clear that many victim organizations fear data exfiltration over data encryption, if only to avoid the reporting requirements and laws that a data leak invites. This is not lost on the ransomware criminals. Ransomware gangs are already starting to concentrate more on data exfiltration as a way to get paid and we can expect that focus to only grow.
It’s also important to understand that the “ransomware industry” isn’t a monolithic thing. It’s composed of different groups interested in different things at different times. Some go in with specific targets and objectives from the start. Others end up with randomly chosen victims and change their wants on the fly as the situation develops and they learn more. Most ransomware groups want to get paid, but even that isn’t always the motivation. Some are in it to steal IP for someone else, and they may or may not get paid for that service. Some are in it to disrupt operations or to send a message. We’ve heard of human-directed ransomware groups doing pure ransom extortion on one day, only stealing data on another, installing a spam bot on another day, and installing a bunch of crypto-mining agents on the next victim organization to finish up the week.
The Future of Ransomware
The key to understanding the future of ransomware, for as long as it is able to stay “successful”, is that the real problem is not ransomware. Ransomware is the outcome of your real problem, which is that malicious hackers used some exploit method to break into your organization and now control it completely. They can do anything they want.
To that end, I think the future of ransomware is that cyber criminals will do anything they want. They will encrypt data when that makes sense. They will steal data when that makes sense. They will go looking for passwords when that makes sense, and so on. But the repertoire of what they will do…their payload actions…will simply increase to expand across the whole genre of hacking. They will become malicious hackers for hire. Some will be paid to go steal someone’s IP. Others will be paid to go disrupt some competitor’s industrial SCADA equipment. Some will get paid to insert secret backdoor trojans on someone’s firmware. If you can imagine a malicious hacker doing it, then ransomware gangs will do it.
Ransomware started as something that attacked mostly people at home. When the gangs realized they could make hundreds of thousands to millions of dollars for nearly the same effort attacking corporations, they started concentrating largely on corporations. I think as some of the big corporations start to fight back more successfully, we will see some of the ransomware gangs go back to attacking people at home, especially with IoT involved. We have already seen ransomware locking up smart televisions, and those types of tactics are sure to rise in the future because of our increasing reliance on Internet-connected devices in our homes. IoT-attacking malware is already one of the hottest and most popular forms of malware and has been for years. Currently, nearly all of it exists to take over the involved device in order to use it as a node in a large botnet, but what is to prevent those tens of millions of Internet-connected devices from being hit by ransomware instead of a bot trojan? Nothing!
Who among us would not pay $100 to unlock our $3000 smart television or $300 to unlock our $40,000 Internet-connected car? There’s probably less personal information you care about related to your television or car, but it will be a decision between paying the ransom and waiting for the vendor to regain control of your device. Have you ever called or contacted the tech support of an IoT vendor? Good luck. I assure you the ransomware criminal will be far more responsive and helpful.
Is paying a hacker $100 to unlock our refrigerator that far of a stretch? The IoT ransomware attackers will be less of a problem and more of a bother than anything else because most of us don’t keep a lot of personal data there, at least right now. But suppose a ransomware gang captures intimate moments from our security cameras and threatens to share them publicly? Who might pay then? I don’t think attacks that take advantage of our growing reliance on IoT devices in our homes are too far of a stretch to imagine as a reality.
But even in the corporate world, I believe that things will get worse. In the future, I think we will long for the days when ransomware only encrypted files, extorted companies over data and stole passwords. Look at how they have expanded their list of services: they started with encryption only. Then they added data exfiltration, solely as a way to threaten compromised victims into paying, and are now doing a handful of new things (e.g., stealing passwords, exploiting employees and customers, etc.). The trend of ransomware is one of expanding services and functionality. It is pretty clear. I don’t think that I have to be a television psychic to predict this. The trend is already happening before our eyes. They will do anything and everything they can do. The sky is the limit.
Again, and I cannot reinforce this enough: Your problem is not ransomware!
Ransomware is an outcome of your real problem. Your real problem is in not being able to successfully stop malicious hackers and malware from breaking into your environment and taking it over. Until you stop the root causes of exploitation, you will never stop the hackers and malware. Or said another way, if ransomware magically went away today, hackers and malware would not go away. They would just do something else. And in this case, the trend strongly indicates that they will be expanding their suite of attacks and targets.
You must focus on preventing hackers and malware from getting a foothold into your environment. A backup is not enough and has not been enough since the beginning. Prevention is the only way to stop this mess.
How do you do that? By concentrating on how hackers and malware most likely break into your organization. And if you do not know, the most likely root causes are social engineering, unpatched software and credential attacks. You need to create a defense-in-depth, layered set of policies, technical defenses and education to mitigate all of the threats. I cannot help you with everything, but I can tell you how to mitigate social engineering and phishing. You can download KnowBe4’s Comprehensive Anti-Phishing Guide, which summarizes every way we know to fight social engineering and phishing. Or if you prefer the same information in a one-hour webinar format, go here.
The future of ransomware is corporate gangs of malicious hackers who will do all the things they can if you allow them into your network. Your primary focus must be on mitigating root exploitation causes because nothing else will work as well. Inasmuch as this may not be good news to hear, everything I have said has been this way for years.
The problem has never been ransomware. Ransomware is just waking us up to what our lack of appropriate preventative controls has wrought. We must do better at prevention. And when we mitigate the root causes of exploitation, we not only get rid of ransomware, but everything else, including what they might be planning on doing in the future.
I do not want to paint a bleak picture, because for most organizations, just doing two or three things (e.g., fighting social engineering, better patching and login credential defenses) is 99% of what you need to do to prevent successful attacks. Instead of focusing on everything you could do, you should focus on these three primary mitigations/threats because they will do more to make your organization safer than anything else you can do.
In my next article, I will discuss what it will take for ransomware to be significantly defeated once and for all.