The Ransomware Cyber Attack
Running ransomware campaigns is a profitable business, estimated at $1 billion in 2016 (1), and is a serious menace to any company or individual. Reading through the news you regularly find articles (2, 3, 4) about companies being attacked and held hostage by cyber criminals until they pay a ransom.
A recent paper published in Denmark by KMD (5) has also concluded that a large portion (43%) of the interviewed companies had suffered from an attack.
By the sound of it, it seems like the majority of companies are under attack and the bad guys are winning the game.
Or are things really as bad as they sound?
Let’s take a look at what defines Ransomware, which is the numero uno on the threat billboard of any vendor in the security industry:
Ransomware is a type of malware that can be covertly installed on a computer without knowledge or intention of the user that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction. The cryptovirology form of the attack has ransomware systematically encrypt files on the system’s hard drive, which becomes intractable to decrypt without paying the ransom for the decryption key. Other attacks may simply lock the system and display messages intended to coax the user into paying. Ransomware typically propagates as a Trojan, whose payload is disguised as a seemingly legitimate file.
By definition it sounds like it’s basically a trojan with an extortion twist. It makes sense when you think about it, relating ransomware to trojans, because often the payload is introduced by luring users to click on a link or open an attachment which seems to be something else.
What if we go back in time a bit? How were the early Ransomware variants defined? One of the early examples of Ransomware was a trojan named GPCoder (8), another was a trojan named Krotten (9), and in 2010 we saw trojans locking users’ computers and forcing them to send an SMS to a premium-rate number to get access to their computer again (6). We can find more great examples digging back in history (7), but this isn’t really the point of this post.
But if we’re dealing with a trojan, why don’t all trojan detections/preventions in corporate environments count as a cyber attack? Because a trojan detection is “just” malware and isn’t something you would normally present to the management as a cyber attack?
Let’s look at some definitions of a cyber attack:
A cyber-attack is any type of offensive maneuver employed by individuals or whole organizations that targets computer information systems, infrastructures, computer networks, and/or personal computer devices by various means of malicious acts usually originating from an anonymous source that either steals, alters, or destroys a specified target by hacking into a susceptible system. These can be labeled as either a cyber campaign, cyberwarfare or cyberterrorism in different context. Cyber-attacks can range from installing spyware on a PC to attempts to destroy the infrastructure of entire nations. Cyber-attacks have become increasingly sophisticated and dangerous as the Stuxnet worm recently demonstrated.
And the definition of a hacker:
In the computer security context, a hacker is someone who seeks and exploits weaknesses in a computer system or computer network. Hackers may be motivated by a multitude of reasons, such as profit, protest, challenge, enjoyment, or to evaluate those weaknesses to assist in removing them. The subculture that has evolved around hackers is often referred to as the computer underground.
Ok, so a cyber-attack is performed by hackers with various motivations. But Ransomware campaigns can be initiated by script kiddies, who in the industry normally aren’t considered hackers or dangerous. An example is the Tox platform (10), which basically enables everyone to launch a ransomware campaign.
So if we are merely dealing with trojan infections and script kiddies/non-hackers, why do the press and companies in the industry continue to relate ransomware to hacking or cyber attacks? Maybe because it is good for business. Maybe because the products that have been sold are struggling, and it just feels better (both in the customer’s mind and for the sales rep of the vendor/partner) if the customer thinks he is under attack. Maybe because it is a kind of attack, but then why not count every spam mail, phishing mail, spyware, trojan, rootkit, etc. detected/prevented?
The problem is, besides being misleading, if we continue calling ransomware an attack and give organizations the feeling that this is what an attack looks like, and this is how you deal with an attack, then they are going to get quite a surprise the day they need to respond to a real attack. Responding to an attack is quite different from restoring files and finding a super noisy machine in the network. Carrying out an attack takes careful planning, reconnaissance of the target infrastructure and using the necessary tactics to stay under the radar. This is difficult to respond to, not to mention detect.
Getting infected with Ransomware is not the same as being attacked or hacked.