Ransomware: Towards An Internet Of Hostages?

“Your documents, photos, databases and other important files have been encrypted . . . nobody can decrypt your files until you pay and obtain the private key . . . You only have 96 hours to submit the payment”.  Not the sort of message that anyone wants to see, but increasingly the very situation that many are facing, followed by the stark realisation that they’ve been hit by ransomware!

While it has come to prominence recently, and gained a media-friendly name, the concept of ransomware is not a new one.  In fact, an early example tracks all the way back to 1989, when Dr Joseph Popp sent out 20,000 diskettes purporting to contain a database about the AIDS virus.  Installing it on a PC ultimately triggered the hiding of files, and presented victims with a demand to send $378 to a post office box in Panama City in order to get instructions for restoring their data.  As it turned out, this was rather unsuccessful; no-one sent any money, and Popp had incurred costs of around £14,000 to purchase and post the disks (plus he was tracked down and arrested by the Metropolitan Police’s Computer Crime Unit, and eventually sentenced to two and a half years in prison).

Unfortunately, more recent ransomware attacks have been significantly more fruitful than Popp’s endeavours, and since the arrival of CryptoLocker in 2013 we have seen a progressive rise in attackers extorting money and managing to evade capture.  Findings from Kaspersky Lab illustrate the growth of the problem during 2016, with 62 new ransomware families appearing, and an 11-fold increase in the number of new ransomware modifications observed between Q1 and Q3 (with over 32,000 by the latter point).   Such developments have led many to herald 2016 as the year of ransomware, but unfortunately that doesn’t mean we will necessarily be looking back and seeing it as the high-water mark.  Indeed, the most appropriate way to summarise the threat would be ‘growing and getting worse’.

It is easy to find reports of organisations having been hit – with my local hospital having been amongst those publicly disclosing the fact. However, as with malware in general, ransomware does not confine itself to a particular set of victims; small businesses and individuals are also fair game and may find themselves more exposed.  Indeed, there have been attacks targeting technologies such as Smart TVs, which are more likely to be found in domestic contexts.  While organisations arguably have a basis to be more prepared, with detection technologies and formalised backup strategies, individuals may find themselves less protected.

What has also changed since the days of Dr Popp is the accessibility of victims and their even greater dependency upon devices and data. Attackers naturally realise this, and will basically target anything that victims value highly enough to be willing to pay to get back.  Whether they should pay or not is, of course, a matter for debate. Many do pay, but equally, the wisdom of not doing so is reinforced by further findings from the Kaspersky study, suggesting that 20% of small and medium businesses who paid the ransom still didn’t get their data back as a result. Cyber criminals, it seems, just can’t be trusted!

Being prepared and protected is better than having to pay, but it’s challenging to tick those boxes when the market is full of exploitable tech that can only be used in a vulnerable mode until the manufacturers fix the problems.  Having said that, it’s also true that many are more exposed than they need to be – for example, the suggestion that 36% of businesses don’t make appropriate use of backups leaves them more exposed to the impact of ransomware as a result.   Unfortunately, even then the principle of “if you want it back, back it up” potentially fails at the point where the ransomware has knackered your NAS and corrupted your cloud, or indeed where organisations have got the data backed up but have never tested how to recover from it.

So, what of the future?  It’s often easy to make doom and gloom predictions in relation to security threats, but with ransomware they could be entirely realistic.  We’ve already seen it across desktop and mobile contexts, and the obvious new frontier is ransomware in the Internet of Things. So, what might IoT ransomware be able to do? Unfortunately, the possibilities are quite varied.  Imagine your house cutting off the heating, your car demanding money before it will start, or (possibly worst of all) your coffee machine refusing you a morning caffeine fix!  Moreover, it’s quite easy to imagine how these threats could be tailored to pick their moments for best effect.  For example, the activation of ransomware in your car would be particularly opportune when you’ve driven it to somewhere remote and so need it to work in order get you back again.  Meanwhile, taking your home heating hostage would be particularly likely to garner a payment during a winter cold snap (“Yep, he’ll be cold enough to care now – kill the heating and switch the aircon to cooling mode!”).  And the predictions can easily get scarier – imagine for the example the hijack of healthcare IoT devices and medical implants; effectively holding the person hostage without any need for physical contact.

Of course, there would be a good reason to argue against such predictions if the technology concerned was being released without the routes for malware (ransomware or otherwise) to exploit it.  However, we are not at that point yet, and the experience with the Mirai botnet showed just how vulnerable the current IoT devices can be.  With devices having exploitable vulnerabilities and lacking natural safeguards, we effectively become victims-in-waiting across many of our platforms.

While it may sound like hype and scaremongering, it is safe to say this stuff will happen. A generation ago, the predictions surrounded malware on mobile devices, but the absence of incidents at the time caused many to dismiss it as security spin. Nonetheless, here we are today, and mobile malware is a clear and present danger.  Similarly, we already know that ransomware has proven itself to be effective, so why wouldn’t attackers want to target other things that we would pay to recover?  If it’s obvious enough for security folks to predict it, the attackers will certainly have thought of it too.

The unfortunate fact is that ransomware is not going away; we must view it as another permanent resident in the malware community and ensure that we take the necessary steps to safeguard against it wherever possible.

[su_box title=”About Professor Steve Furnell” style=”noise” box_color=”#336588″][short_info id=’101404′ desc=”true” all=”false”][/su_box]