It seems ransomware is getting traction: I was asked three times last week for my opinion on the topic.
What is going on with ransomware, how do you deal with it, and is it going away? Short answer: no. Here is why.
It is a business thing
First-time founders think that having an awesome product is the most important thing for success. Once they mature a little, they find out that marketing and distribution are the real deal.
10 years ago it was pretty popular to extort ecommerce and content companies with DDoS attacks. I personally had the "pleasure" of dealing with this issue three times. Twice we were able to blackhole the DDoS traffic and implement what we called a hillbilly CDN; once the customer decided to pay.
Let's look at the problem from a business perspective. Using DDoS as a product, you have to act in real time to create pressure, and you have to solve payment infrastructure (anyone remember eGold or payment in vouchers?). Scaling was hard, as your DDoS infrastructure had only a certain capacity, and that capacity changed very fast because your hacked machines were of interest to other groups too. This business didn't scale well and distribution was hard.
Since extortion is a multinational technological industry with agile transformation (like a shady Amazon), the need for transformation was there. Payment infrastructure (part of the distribution problem) was solved by BTC. Side note: BTC is not anonymous, and it seems that is not a problem. The product was there too: encryption malware, and compared to DDoS this product scales very well (e.g. when you have 1000 victims in the pipeline, your cost of service does not grow linearly). Early versions of most ransomware had issues (remember, it is an agile industry) with weak encryption algorithms, keys stored in memory, etc. Probably the normal developer thing: not invented here, I will make my own cipher suite. This was eliminated by using industry-standard encryption algorithms. Once the per-file keys are protected with a public key whose private half never leaves the attacker, the free decryptors that used to be built from those mistakes stop appearing.
Product-market fit was easy: encrypt and extort. There is churn (e.g. 40% will not pay because they have backups, 20% will not pay because they do not have the resources, so you can offer discounts). You get the idea.
I mentioned it is an agile industry, and here is the thing: you need faster distribution (a bigger pipeline for your churn), and for the last two years I have seen offers like this multiple times: introduce our ransomware into your corporate environment and get 30% of the profits (business thing: a commission-based model). Another model: start your own ransomware operation on our platform. We will handle payments and build the ransomware packages; you take care of support and find the victims (a franchise, sometimes MLM, model).
You can see that ransomware is really just a business. You have customer support, development, finance people, etc., and probably even some board meetings. :)
To conclude: there is great product-market fit, the profits are there, and most businesses can't compete with an agile tech industry (see newspapers vs Facebook, local shops vs Amazon).
It is a political problem
If there are countries that support ransomware gangs, provide legal infrastructure (or decide not to enforce the law) and even profit from ransomware (North Korea, Russian intelligence units), the situation is not going to change. It is relatively harmless to profit from ransomware: there is not going to be military action in response to a ransomware attack (so far; in future this will change), and investigations take a long time. Worst-case scenario, you play the diplomacy card. The cost/benefit analysis speaks for ransomware.
It is a technical problem
The technological landscape in the average household and organization gets more complex every year. Just think how many new devices you got in the last two years. For corporations it is worse. Cloud has removed the perimeter, and remote work moved the security boundary into the homes of your employees. Shadow IT is omnipresent; it is not just people bringing their own cell phones. Your data are in various services like dashboards, note-taking apps, etc. All of these things create a super-complex landscape.
And cybersecurity is constantly failing. Why cybersecurity is failing is a topic for another time. Long story short: cybersecurity does not scale well, and the immediate response is always more compliance and rules instead of root cause analysis.
A lot of cybersecurity problems can be solved by proper hygiene, and that is where almost every company is failing: asset management, monitoring and incident response. At least 50% of the organizations I speak with tell me what kind of countermeasures they are taking and what tools they are buying. Rarely do I hear about incident response, resilience, reliability and continuity planning. It is almost like most people do not plan for failure and act surprised when an incident happens.
Why is ransomware getting traction now?
1. Ransomware is a commodity and the requirements for entering the business are low: almost no technical skill is required.
2. The complexity of the landscape (read: more things to attack and more ways to get access) increases every year, which helps fill the extortion pipeline.
3. Little readiness for an incident: no backups, no incident handling plan, zero focus on resilience.
What's next?
More ransomware, of course. The difference is that it is going to be more present in industrial organizations. How many manufacturers are not going to pay the ransom if they must deliver just in time? When ransomware hits targets like Colonial Pipeline or other critical infrastructure, how probable is it that they will not pay? I have heard a few times that things are going to change, that there will be legislation and new regulations. Maybe, but that is what we have been doing for the last 20 years. Are we more secure?
If you are not planning for an incident, buy some BTC; there is a good conversion rate these days.