10/01/2019 Update: a new variant of ransomware has been impacting hospitals around the globe. If you have been infected, please contact us to engage our incident response team.
With the increasing prevalence of ransomware attacks, I needed to address why it was happening. In this five-minute video, I cover the factors that have changed both the nature of the market for ransomware, and the perpetrators behind ransomware attacks. These factors have resulted in more people and businesses falling victim.
Understanding the reasons for its continued success can help people grasp that ransomware is not a "more advanced virus" requiring "more advanced anti-virus" - but a different method for criminals to make money, requiring a different method to deal with it.
Watch the video or read the transcript here:
Mike: Adam, we're here today to discuss ransomware, and I'm wondering if you can tell me why are we seeing more incidents involving ransomware?
Adam: Ransomware in 2019 has seen a tremendous increase in the number of incidents because the malware designers are now decentralized. And as a result, that makes it much cheaper for them to actually buy and sell ransomware on the Internet. Because it's so easy to buy, there's a much lower skill level among the malware designers actually running these attacks. So, you see a lot less organized crime, and less sophisticated individuals just sort of running this opportunistically, and when there are so many different individuals participating in this, it's very hard for law enforcement to basically find and stop them.
Mike: How did hackers used to buy and sell ransomware?
Adam: For many years, probably since, you know, early 2017, the ransomware market was comprised of dark web sites. These were Tor-routed sites that were centrally run to deal in not just, you know, ransomware but drugs, guns, and other illicit products through the transfer of bitcoins between two individuals globally. And that meant that organized crime obviously had a very vested interest in not only running these websites but promoting their products and services on them. And that's where most of the predominant products, whether remote access to systems, ransomware, or credit card info that was stolen through these attacks or other kinds of attacks, came from.
Mike: What was the reason for the change?
Adam: Well, many of the websites that were up on the dark web actually were brought down by law enforcement. So, the FBI famously took down things like Silk Road or Alpha or other, you know, large sites where people could basically trade these wares. And as they brought them down, people started losing money. They started losing bitcoin, and so the crime community started decentralizing to encrypted instant messaging to be able to transfer their wares between each other with bitcoin.
Mike: So you're saying that this shift had an impact on the actual prices of ransomware in this newly distributed market. Why would you say that is?
Adam: Well, you can see the actual costs go down if you are monitoring how much these "products" are being sold for on the market. And we started to see Ransomware-as-a-Service, where people offer lifetime support and break-fix for the ransomware, guaranteeing some of its effectiveness over the life of the product, for as little as $50. And when you look at the prices, originally they were probably six or seven times that; around $350 was the average price for something like the Philadelphia ransomware kit in late 2017.
Mike: So just to reiterate, because the barriers to entry are so low, and the market for ransomware is now distributed, you're attributing the increase that we're seeing to new hackers attacking people and businesses. Why hasn't law enforcement stopped these guys like they did the criminal syndicates before?
Adam: So, law enforcement in terms of agencies tends to segregate, right? They tend to move between, you know, the ATF and, you know, uh, the Drug Enforcement Agency, the Federal Bureau of Investigation in the United States or the RCMP, and local law enforcement here. The cyber crime unit, you know, as a function of these teams, tends to have less interest and see less value in the targets when they are essentially "just a couple of ransomware trades" or smaller attacks by individuals. And so without pairing it with drugs and weapons, there is less value in eliminating a threat to the country, or to a province, or to a state by keeping these kinds of things open. So, because they're decentralized, they're no longer paired with much more malicious crimes. You have a lot more individuals getting away with it, and law enforcement has smaller resources to deal with a much larger, decentralized problem.
Mike: What do we do about all this?
Adam: I think we probably have to have a broader discussion, and maybe a separate topic, as it is fairly wide. This is just one element of it: understanding where it comes from. What to do about it requires a focus, especially from the small to medium market where we're interested in solving the problem. We have basically provided the ability to focus our attention on the detection and response elements of all parts of the attack. So the email campaigns, the botnets, the actual ransomware executables themselves, and the different things that we have to do in detection and response to deal with that. From the customer's perspective we also want to be as efficient as possible in helping them focus on their part, which is mostly prevention: patches, configuration, and the vulnerability analysis that we're doing to make sure that the spread of the campaigns we analyze can be eliminated before they start.
Mike: Thank you very much Adam.
Adam: Thank you Mike.