From recent memory, two security disclosures had fairly dramatic impact in the world of security: 1) the Mandiant APT1 report in February 2012 and 2) the Target network compromise and resulting data breach. While it seems every week brings a headline grabbing security breach, such as the recent HeartBleed vulnerability, these two events in particular both captured the media’s attention and also caused significant changes in the industry.
In the case of the Mandiant APT1 report, corporate Boards and CEOs finally took notice of targeted attacks against their industry by foreign nation states. The evidence presented served as a wake-up call for corporate boards that in turn opened the floodgates to rising budgets for security operations and tools. The Target breach, on the other hand, brought broad media awareness of cyber security threats to the masses. People learned that corporations can and do screw up their network security in a way that impacts them personally. It’s fair to say almost every adult in the US was affected by the Target breach in some way, shape or form. These two events by themselves have significantly altered the security landscape by bringing awareness of what security folks have known for a long time – we are woefully ill-equipped to deal with clear and present security threats.
Having noted this and in spite of endless other security events to focus on, I believe we are about to witness another sea change event in security – a wave of ransomware that will fundamentally change the security market again – this time likely more dramatically than the prior two events.
Most enterprise security folks scoff at ransomware as just a nuisance category of malware: one that is not new by any means and certainly not worthy of their attention, since ransomware by and large is not targeted at companies. Ransomware, after all, is run in broad campaigns by cyber crime gangs, primarily designed to extort people’s hard-earned money rather than corporate assets. It’s really not very sexy for enterprise security professionals to spend much time and effort on — since it’s an individual’s problem — at least perception-wise.
Money and Pain
So what makes ransomware so game changing since it is not particularly new, advanced or targeted? It comes down to two things: money and pain. Let’s talk about pain first. The Mandiant APT1 report cast a light on what a lot of people already knew or at least understood intrinsically – there are ghosts in the network and they may be doing damage to your firm’s long-term competitive future. For some firms that know they have been breached, the pain is acute; but for most, it’s still academic. If you don’t know you are breached you may be blissfully ignorant; that is until a customer, partner, or Government agency informs you of the breach.
However, experience and history show that without the pain factor, you are unlikely to take appropriate counter-measures. Likewise, while the Target breach is estimated to have created more than $44M in fraudulent charges, most consumers did not suffer any personal losses since banks will often make them whole on fraudulent losses. So the pain to consumers from the Target breach was in fact relatively minimal. Ransomware, on the other hand, causes tremendous palpable personal pain to its victims, who often not only lose all their work, but also photos of sentimental value, all while suffering through the victimization of extortion. The personal pain factor for ransomware is off the charts compared to prior major security events that are more abstract at an individual level.
The cyber crime gangs that are conducting ransomware campaigns are making serious money on the back of it. People are willing to spend US $300 to $500 to retrieve a key to decrypt their data. The take from each of these infections is 10x that from selling traditional stolen identities or credit card numbers in carders’ forums. And of course there are now commercial grade toolkits to launch ransomware campaigns available for mere thousands of dollars on the market—which in turn will multiply perpetrators and campaigns. What this means for the multi-billion dollar cyber crime market is they may have the perfect tool now for making bank on the back of everyday users.
So having said all this, a fair question is why hasn’t ransomware exploded already? It is certainly not traditional anti-virus that is holding it back. Rather, it is likely because most existing payment systems leave a trace on every payment, which is likely to expose the perpetrators to law enforcement. The development and widespread adoption of truly anonymous online payment systems is likely to send this type of crime through the roof. Until then the perpetrators of these crimes are relying on Bitcoin and similar pseudo-anonymous online payment systems to cash in on their extortion schemes, and hoping their victims will create Bitcoin accounts to pay.
How to Defend Against Ransomware
The wave of ransomware is also demonstrating a well-worn truth of the industry – traditional anti-virus isn’t working. If you are reading this blog you probably also don’t believe anti-virus will protect you against these threats. So clearly not falling for a ransomware spearphish is one strategy. You might be clever enough to distinguish a malicious link in an email or recognize an executable attachment masquerading as a PDF. However, are you as confident your family will also be as clever? Your co-workers and employees? Cisco announced a wave of ransomware on June 6 that utilized malvertising on popular sites like Disney.com and FaceBook, among others. These ads exploited vulnerabilities in users’ browser plug-ins, including Java, Flash, and SilverLight, when visiting the sites to drop the ransomware. These types of exploits — the so-called drive-by attack — require no user interaction to exploit and launch.
While Federal authorities, working in concert with companies like Cisco and Microsoft, are attempting to roll up cyber crime gangs as they emerge – often in jurisdictions that are not extradition friendly – we can’t depend on law enforcement to protect our own data.
Instead of depending on Federal law enforcement and your broken anti-virus solution to protect your own work and corporate data that may get held hostage, it’s time to upgrade your endpoint security suite with Invincea. If you recently purchased a Dell machine through a commercial account, you already have our software on the desktop – use it to browse safely. If not, use Sandboxie for your personal computer or Invincea FreeSpace for your corporate machines. For a demonstration of how Invincea FreeSpace defends against CryptoWall, see the video below:
To learn more, get moving today!