Ransomware is not new — it has been around since the early 1990s — but what is new is the increasing threat posed by the efficiencies of a cloud-based delivery system known as ransomware as a service.
Longtime readers of this column know that I am a huge fan of all things cloud — until now.
Ransomware is a type of malware that encrypts a target’s files, forcing the victim to pay a “ransom” for their decryption. It’s not new — it has been around since the early 1990s — but what is new is the increasing threat posed by the efficiencies of a cloud-based delivery system known as ransomware as a service. RaaS is a criminal variant of software as a service, or SaaS, whereby cybercriminals provide the platform and related ransomware services (everything from delivery to taking payment to tracking the progress of the extortion) for a fixed fee or a percentage of the ransom payment. Basically, it has become very easy to log in to the portal of a favourite RaaS dark web vendor, pay the fees to get started (sometimes as low as $US39!) and distribute malware to victims without having to write any malicious code. No real technical skills necessary.
There is no doubt that there has been a huge upturn in ransomware attacks over the past year, likely spurred on by RaaS. This year’s Lloyds Emerging Risks Report estimates that cyberattacks cost businesses as much as $450 billion globally in 2016. According to the 2017 Verizon Data Breach Investigations Report, ransomware is the fifth most common form of malware and is expected to grow this year.
Unfortunately, RaaS vendors now run their businesses the same sophisticated way legitimate software companies market and sell their products and services, with videos explaining malware features and customization tips, user-friendly interfaces and free help guides. Customers of some RaaS providers can see an estimate of their earnings before they sign up. “Satan,” a popular RaaS malware, is made available via a user-friendly, intuitive GUI with a simple signup that allows for customizations (of the ransom amount, for example), contains tools for creating the malware and even translates the ransom note into 14 different languages. There is a helpful “metrics dashboard” that makes it simple to track how many machines the ransomware has successfully infected and how many victims have paid the ransom amount. The Satan RaaS platform claims that its clients/users can create their own ransomware “in less than a minute.” Easy peasy.
RaaS service providers typically advertise their products via banner ads and forum postings on the dark web, although Sophos has reported at least one RaaS provider, the Rainmakers Labs, had earlier this year marketed an introductory video for its “Philadelphia” ransomware on legitimate mainstream sites such as YouTube (which has since removed it).
While some RaaS vendors charge an initial usage fee, others prefer to enter into a profit-sharing model with their clients and take a cut of each ransom, which likely incentivizes a larger volume of attacks. So when the target pays the RaaS service provider (usually in Bitcoin) to unlock and retrieve its data, the “client” will obtain a (lucrative) percentage share (50–80 per cent). For example, the default setting on the Satan RaaS site allows 70 per cent of any ransom monies paid out by the targets to go to the client. By contrast, “Fatboy” ransomware, which appeared earlier this year, is smart enough to change the amount of money it charges so that recipients in areas with a higher cost of living will automatically be charged more to have their data decrypted. Other popular examples of ransomware available as RaaS include the “Petya/Mischa”, “Shark/Atom” and “Cerber” families.
What can be done to prevent a RaaS attack? The following suggestions may be helpful.
- Ensure that all security patches are up to date, including any available for open-source software. The use of OSS is ubiquitous in code developed today, although not all organizations that employ it keep meticulous internal records of its usage. While OSS code is often robust (benefiting from global collaboration in development), peer code review/validation does not always catch everything (remember the Heartbleed bug?). As well, security updates may not be pushed out automatically and instead may require developers to proactively seek and install them. Even when OSS security patches are made available, they are not always deployed by OSS users. The Apache Struts2 vulnerability exploited in the recent Equifax breach was disclosed and fixed by the Apache Software Foundation on March 6 when it released an updated version of the software. However, Equifax has publicly acknowledged that attackers entered its systems in mid-May, after the company failed to update its software, even though it knew about the vulnerability.
- Stop using old software. Not all lawyers like to spend their hard-earned money upgrading their software. While it’s easier to stay comfortable and stick with the software features that you know, complacency has its risks. Older systems entice malicious actors to exploit their weaknesses, as was evident in the May WannaCry ransomware cryptoworm attack, which targeted computers running Microsoft Windows operating systems by encrypting client data and demanding Bitcoin ransom payments. Microsoft had moved swiftly to patch those versions of its Windows software that were currently supported at that time, but, eventually, emergency security patches were made available for even unsupported versions. Surprisingly, The Guardian has reported that Windows XP is still the third most popular operating system in the world. According to Netmarketshare.com, the out-of-date and vulnerable Windows XP is still running on 7.04 per cent of the world's computers (approximately 140 million) even though Microsoft formally stopped releasing security updates for XP in April 2014.
- Back up your files regularly. Make sure that you or your firm (or your third-party backup storage specialists) back up files regularly and frequently so that if you are hit with a ransomware demand (and refuse to pay it) you can at least limit some of the damage by being able to restore your data.
- More security training. Many RaaS offerings spread via phishing emails so, as pedestrian as it sounds, it’s really important for everyone, including lawyers, to obtain adequate security training. Eager lawyers should take a moment to actually look at the email received and resist automatically clicking on each and every one, especially those that look suspicious and contain malware-laden attachments.
- Consider cyber-liability insurance. Lastly, you may wish to consider purchasing cyber-liability insurance as a failsafe. This is becoming an increasingly common option for many corporations. Lloyds has estimated that the global cyber-insurance market is worth between $3 billion and $3.5 billion, but, by 2020, it could be worth $7.5 billion. Written premiums for cyber-insurance increased by 35 per cent in 2016 and will no doubt grow in 2017. If you do opt to purchase this kind of insurance, read the fine print carefully to ensure that ransomware is covered and look for any meaningful exclusions.