Ransomware is rapidly shaping up to be the defining online security issue of our era. It’s a brutally simple idea, executed with increasing sophistication by criminal groups. A huge chunk of our lives is now stored digitally, whether that’s photos, videos, business plans or customer databases. But too many of us have been lazy about securing these vital assets. The criminals’ brilliant twist is to realise they don’t have to steal that data to make money: they just have to make it impossible access again — by encrypting it — unless the victims pay up.
Ransomware was once a menace mainly for consumers, but now it’s a significant threat to business. Just last week, there were warnings about a new wave of ransomware attacks against at least 31 large organisations with the aim of demanding millions of dollars in ransom. The attackers had breached the networks of targeted organizations and were in the process of laying the groundwork for their attacks.
The vast majority of targets were household names, including eight Fortune 500 companies, tech security company Symantec said: if the attack (by a group calling itself Evil Corp) hadn’t been disrupted, it could have led to millions in damages and downtime, with the impact felt through the supply chain.
Some of the hyperbole around ransomware is overblown. It’s probably over the top to describe these WastedLocker attacks as part of Evil Corp’s retaliation against the US government after its leaders were indicted by the Justice Department in December — which is how The New York Times interpreted them. (Indeed, others have argued that the gang is actually trying to attract less attention right now, which is why, so far, it has not threatened to publish information stolen from its victims.)
But it’s also true that these groups are smart, sophisticated and, because around half of companies pay the ransoms, very well funded.
For example the group behind it have access to highly skilled exploit and software developers’ capable of bypassing network defences on all different levels, according to researchers.
How skilled? When a version of their malware is spotted by the defences on victim networks, the group is often back with an undetectable version after just a short time.
In one case the group went so far as to pose as a potential customer to request a trial licence for a security product that was not commonly available, says FOX-IT, part of NCC Group.
The targets of the ransomware gangs have evolved, too. It’s not just about PCs anymore; these gangs want to go after the really irreplaceable business assets too, which means file servers, database services, virtual machines and cloud environments. They’ll also search out and encrypt any backups that organisations foolishly leave connected to the network. All of this makes it much harder for victims to recover — unless of course they want to pay that ransom. And the attackers seem willing to take a longer view too; some of these attacks can take weeks or longer to go from the initial minor breach of network security through to complete control of the victim’s corporate network.
Police forces, lacking officers trained in high-tech crime, are loath to investigate knowing that the perpetrators will be far from their jurisdiction and impossible to catch. Many businesses would rather pay up, return to business as usual and forget about the cost and the stress of the whole thing.
It’s quite possible that ransomware will form the core of a new type of a digital attack, used by nation states and others who simply want to destroy networks. Wiper malware is ransomware whose encryption can’t be reversed, so the data is lost forever. There have been a few of these incidents, but the fear is they could become more mainstream.
Another concern is that, as they become more confident and better funded, these criminal groups will raise their sights even higher. One new worrying trend is that gangs will steal the data as well as encrypting the network. They then threaten to leak the data as a means of pressuring the victim into paying up.
These cyber-criminals often spend weeks poking around in a network before they make their attack, which means they have time to understand key digital assets, like the CEO’s emails for example, allowing them to put even more pressure on their victims.
There’s no obvious end to the ransomware nightmare in sight. Indeed, the likelihood is it will get even worse.
ZDNET’S MONDAY MORNING OPENER
The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet’s global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.
PREVIOUSLY ON MONDAY MORNING OPENER: