Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

Declaring War on Ransomware

It’s time for everyone, from the industry and developers to governments, to declare war on ransomware and make it as hard as possible for the criminals behind it to ply their insidious trade. There have been false starts and baby steps, diligent fighters without enough resources, and vendors that have only given a nod to the issue. It’s time to use every tool reasonably available to stop this scourge.

For so many in the industry who have dedicated so much of their time and effort to this fight, this statement may seem to diminish their efforts, but that is not my intent. The point is that for too long, this issue hasn’t been taken seriously by too many, and it’s time for that to change.

Today’s Ransomware Landscape #

To understand where we are today, it’s important to look at how ransomware has evolved over the years.

Ransomware has been around for many years, starting no later than 1989 with the AIDS Trojan, which targeted the healthcare industry and charged $189 per infected machine (via a P.O. Box in Panama). If we fast forward to the mid-2000s, ransomware was becoming more popular, and the fee being extorted was up to $300 per machine — a decent payday for not much work. Then, jumping ahead to 2013, we see the introduction of CryptoLocker, which charged $400 per device. But CryptoLocker was different from others in a significant way; it provided proof that there was serious money to be made — estimated to be up to $27 million. This changed the game.

As the years have gone by, the ransom demanded has increased quite significantly, with payments in the millions now being so common as to barely warrant notice. Of the major players, DarkSide is reported to have pulled in $90 million, Ryuk is estimated to have made $150 million, REvil has made $100 million, and Maze comes in at $75 million.

The profit these attackers make is simply extraordinary, and this has changed tactics and created a dangerous business model.

In the past, ransomware attacks were largely untargeted, going after anything that stumbled across them. The operators didn’t concern themselves with who they hit or how much money they had. Now, it’s very much about finding companies with weak security and taking them for as much money as possible. Ransomware moved from opportunistic to targeted, and the profits have soared.

Another significant change is the move to Ransomware as a Service (RaaS): professional teams develop the ransomware and provide it to attackers who find vulnerable targets and deploy it. While one may talk about a group such as REvil conducting an attack, the reality is more complex: REvil provides the software and a service to the actual attackers, and the profit is split between them. This has allowed a division of labor and the development of better ransomware, and it lets attackers focus on finding vulnerabilities instead of having to write the ransomware themselves first. All in all, this is a logical evolution from a business perspective.

A final note to set the stage for what’s going on today is that many of these RaaS operators treat their enterprises as genuine businesses; legality isn’t part of the equation for them.

Paying Ransom Hurts Everyone #

When a ransom is paid, everyone suffers. Funneling money to criminals allows them to expand, finance new attacks, recruit more people, and continue their crusade to make the world a little more dangerous.

While some may find themselves in a position where, due to their organization’s failures, they have no option but to pay the ransom and hope the criminals actually help them, they do so at a cost to everyone. Funding criminal enterprises is, without question, morally wrong; it’s also self-defeating, as it diverts funds away from better investments and provides additional resources that will be used for future attacks. Just because an organization has paid the ransom doesn’t mean that the gang will leave it alone forever.

Each dollar that these gangs receive makes the world a little worse, and a little more dangerous for everyone. Each dollar they receive enables them to do more damage. Each dollar they receive motivates them to do it again.

Disrupting their business model must be a key goal of everyone involved, and that means making sure they receive as little money as possible.

Fighting on Multiple Fronts #

There is no silver bullet that will suddenly bring this problem to a halt; it needs to be addressed on a number of fronts simultaneously. This requires actions on the part of all stakeholders, and requires this action to be taken quickly and effectively. While ransomware will never be eliminated, the growing profits and increasing impact of attacks make it clear that not enough is being done.

Technical #

The industry, the entire technology sector, has largely failed to address this issue adequately. While some progress has been made, it’s still far too easy to successfully execute these attacks.

Platforms #

O.S. vendors should be investing far more heavily in sandboxing applications, limiting their ability to quietly access all of the data on a system. Something akin to AppArmor on all platforms would go a long way to limiting what these destructive tools can do.

Vendors should also reevaluate the traditional tiered approach to permissions, where system management functions also permit access to files and information that is unlikely to be needed. The principle of least privilege isn’t appropriately applied in O.S. permission models; instead of giving administrative users only the necessary access to perform the specific tasks needed, administrative users are often able to access things they have no real need to, greatly increasing the attack surface. Instead of tiers of administrative users, each level gaining more access, there should be a greater focus on types of administrative users, with each being limited to the least privileges possible. The concept of all-powerful user accounts is, and always has been, a mistake.

Platform vendors have a responsibility to address this issue and implement reasonable controls that limit what malicious software can do; while there are commercial tools that address these concerns, it’s the platform itself that should provide more robust protection and give organizations a safe-by-default environment.

MSPs, Services, MDM, & Integrations #

Too often, the keys to the kingdom are passed out freely, creating massive new attack vectors. The Kaseya attack is an excellent example of this: the attackers compromised the Kaseya VSA servers run by MSPs, then used the privileged access VSA has over the endpoints it manages to push ransomware to those MSPs’ clients. This type of excessively privileged scenario creates such a large attack surface that an organization’s security becomes entirely dependent on a third party.

As above, there should be a greater focus on properly adhering to the principle of least privilege and minimizing the risks and attack surfaces created. Too often, such integrations require levels of access and privilege that genuinely aren’t needed; this needs to change.

When a third party takes on privileged access to a client, they accept a substantial responsibility, one that not enough take as seriously as they should.

IT & Infrastructure Management #

I.T. is a mess. It’s that simple. In the decades that the field has had to evolve, many of the same problems persist from year to year, decade to decade.

The tools to manage systems in a secure way are often inadequate or introduce their own issues (here’s a fun example). Corners are often cut, taking the easier approach over the more secure approach; it’s easier, it’s faster, and often results in fewer complaints. In penetration tests, it’s common that the tester gains a substantial degree of access due to countless errors and missing controls. The list of issues goes on and on.

To gain the upper hand, organizations need to invest in making resilient networks that are both resistant to attacks and able to recover quickly.

Where’s the Backup? #

An absolutely critical change that needs to occur is that backups should be protected, readily available, and tested. The fastest way to recover from a ransomware attack is restoring the encrypted data from backup; it doesn’t require approvals, payments, or supporting international criminal gangs.

Every organization should implement a robust backup strategy to recover effectively and efficiently if they are victimized. Too often, backups are nonexistent or untested and fail when needed — if there’s one thing that organizations take from these attacks, it should be how important it is to get backups right.

There’s no legitimate excuse to get this one wrong.
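To make “protected, readily available, and tested” concrete, here is an added example of my own; it is not code from the original post. A backup job writes a manifest of file hashes next to the archive and signs it with HMAC, and a verifier performs a real test restore into a scratch directory and compares the result against that signed manifest. The assumption (not stated in the post) is that the signing key, called KEY here, lives somewhere the backup host cannot reach, such as a vault, an HSM, or an offline file, so an intruder who can overwrite or encrypt the archive cannot also forge a manifest that matches the damaged copy. The file names, tree layout, and scenario in demo() are constructed for illustration.

```python
"""Added example (not code from the original post): a backup job that writes
a signed manifest alongside the archive, and a verifier that performs a real
test restore and compares the result against that manifest.

Assumption: the key passed as `key` stands in for a manifest-signing key
kept somewhere the backup host cannot reach (a vault, an HSM, an offline
file). An intruder who can overwrite or encrypt the archive then cannot
also forge a manifest that matches the damaged copy."""
import hashlib
import hmac
import json
import os
import tarfile
import tempfile
from pathlib import Path


def file_digests(root):
    """Map every regular file under root (POSIX relative path) to its SHA-256."""
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def sign_manifest(digests, key):
    """Canonical JSON of the digest map, authenticated with HMAC-SHA256."""
    body = json.dumps(digests, sort_keys=True).encode()
    return {"files": digests, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def make_backup(src, archive, key):
    """Archive the source tree and return the signed manifest for it."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return sign_manifest(file_digests(src), key)


def verify_backup(archive, manifest, key):
    """Restore the archive into a scratch directory and compare it with the
    signed manifest. Returns (ok, reason) so a scheduler can alert on reason."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return False, "manifest signature invalid"
    # Newer Pythons can reject absolute paths and '..' members during extraction.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, **extract_opts)
        except Exception as exc:  # any read failure means this copy cannot be trusted
            return False, "archive unreadable: %s" % exc
        restored = file_digests(Path(scratch))
    if restored != manifest["files"]:
        missing = sorted(set(manifest["files"]) - set(restored))
        changed = sorted(k for k in manifest["files"] if k in restored and restored[k] != manifest["files"][k])
        return False, "restore mismatch: missing=%s changed=%s" % (missing, changed)
    return True, "test restore matches manifest"


def demo():
    """Constructed scenario: back up a tiny tree, verify it, then simulate
    (1) ransomware encrypting the archive and (2) a forged manifest."""
    key = os.urandom(32)  # stand-in for the offline manifest-signing key
    results = {}
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "sub").mkdir(parents=True)
        (src / "a.txt").write_text("quarterly report\n")
        (src / "sub" / "b.txt").write_text("customer list\n")
        archive = Path(work) / "data.tar.gz"
        manifest = make_backup(src, archive, key)
        results["fresh"] = verify_backup(archive, manifest, key)
        # (1) archive "encrypted" in place; random bytes stand in for ciphertext
        archive.write_bytes(os.urandom(archive.stat().st_size))
        results["encrypted_archive"] = verify_backup(archive, manifest, key)
        # (2) intruder rewrites the manifest but has no key to re-sign it
        forged = {"files": {}, "hmac": manifest["hmac"]}
        results["forged_manifest"] = verify_backup(archive, forged, key)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("%-18s %s  %s" % (name, "OK  " if ok else "FAIL", reason))
```

Two caveats worth keeping in mind. The manifest only proves that the archive still matches what was on disk when the backup ran; if the source was already encrypted at that point, the manifest will match an encrypted backup, and only retention depth (keeping enough older copies) saves you. And a scratch-directory restore is not a full recovery rehearsal at production scale, but it is cheap enough to run after every backup, which is exactly what catches the “the backups were silently broken for months” failure that so many victims discover too late.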

Endpoint Security Vendors #

Slow, invasive, error-prone, ineffective, expensive, productivity inhibitors, privacy nightmares, security threats — these are just some of the ways I’ve heard endpoint security products described over the years. Unfortunately, this isn’t just a perception issue; it’s a real problem that professionals see every day.

It’s fairly uncommon to hear genuinely good things about an endpoint security product from those who work with them regularly. For all the marketing hype and bluster, they often fail to do the one thing they are meant for, and too often have a huge attack surface and excessive privileges that enable attacks that wouldn’t otherwise be possible.

These vendors need to look at their products and listen to the feedback that those in the field have been shouting at them for years. Then, stop spending so much of their budgets on impressing the C-suite and focus on building something that really does make the world a safer place. This is a field with substantial potential, but has failed to live up to it.

Legal #

While there are substantial consequences to these crimes, prosecutions are still too rare. Greater international cooperation is needed, and there need to be more significant penalties for the gangs and all of those who support them — especially those that touch their money.

Cryptocurrency exchanges that handle money that came from an attack (and that have a reasonable way of learning this) should be targeted aggressively, making these ransomware gangs too toxic to work with. Making it harder for them to launder their money effectively will reduce their profits and thus their motivation and ability to finance future attacks.

The entire support infrastructure for these gangs should be targeted with all available tools.

Financial #

Governments have a strong interest in stopping these attacks, from protecting national security and critical infrastructure to economic stability. Governments also have powerful tools at their disposal that can aid in this fight. I will focus on the U.S. government here, but there are typically equivalents for other countries.

Disrupting the business model that these criminal enterprises are based on should be a key goal for governments; by attacking the ability to easily profit from attacks, it’s possible to reduce the motivation and increase the risk for those involved. While there are many ways to fight this scourge, this is one that can be enacted quickly and is likely to have a notable impact.

In 2020, the Office of Foreign Assets Control (OFAC) issued an advisory pointing out the risk to companies that pay ransoms, as they may be violating sanctions that the government has implemented. This advisory followed the 2019 decision to sanction Evil Corp for its attacks; since then, this tool has been underutilized.

To stem the flow of easy profits, the government needs to take quick and decisive action against these gangs — reducing their profits and making companies less attractive targets.

  • Implementing sweeping sanctions against known gangs, their members, and those known to support them. Targeting their support infrastructure, be it cryptocurrency exchanges, infrastructure providers, or even nation-states, will make these groups too dangerous to work with safely. While they may go further underground, anything that makes it more challenging to collect profits is a win for all.
  • OFAC should only grant licenses to allow payment when there is a demonstrated need and substantial impact. This shouldn’t be a rubber stamp process, but instead, one that demands proof that it’s vital that the victim works with the attacker to recover.
  • The IRS has proposed a reporting requirement that would demand that companies treat cryptocurrency transactions like cash transactions; thus, a transaction worth over $10,000 would have to be reported. This would help to identify these crimes, and support the sanction effort.

There are a variety of other tools the government could leverage, but these have precedent and allow enough flexibility to minimize the risk of unintended harm to victims.

Prohibition vs. Regulation #

There are some that wish to implement a blanket ban on ransom payments, or even cryptocurrency itself, as a way of addressing this problem — this would be a mistake.

If these payments were made illegal with no opportunity to seek approval when there’s no other practical option, victims would be left in an impossible position. Face the loss of critical systems and perhaps face complete collapse, or violate the law. If they chose the latter, they would expose themselves and their organization to criminal penalties, and would open the door to ongoing blackmail to keep the payment secret. This would be an absurd outcome.

Proper regulation can achieve the goal of making targets less attractive without the risk of turning victims into criminals. Of course, it will require striking a careful balance, but it’s a safer route than an outright ban.

In Summary #

The war on ransomware will never truly be won, and the fight will go on forever. However, the rate of successful attacks demonstrates how urgent it is that more be done, and that we all take steps to fight them.

As I said above, there’s no silver bullet, but there is a lot we can do.
