Adam Caudill

Security Engineer, Researcher, & Developer

Declaring War on Ransomware

It’s time for everyone from the industry, developers, and the government to declare war on ransomware and make it as hard as possible for the criminals behind it to ply their insidious trade. There have been false starts and baby steps, diligent fighters without enough resources, and vendors that have only given a nod to the issue. It’s time to use every tool reasonably available to stop this scourge.

For so many in the industry that have dedicated so much of their time and effort to this fight, this statement may seem to diminish their efforts, but that is not my intent. The story here is that for too long, this issue hasn’t been addressed seriously by too many, and it’s time for that to change.

Today’s Ransomware Landscape #

To understand where we are today, it’s important to look at how ransomware has evolved over the years.

Ransomware has been around for many years, starting no later than 1989 with the AIDS Trojan, which targeted the healthcare industry and charged $189 per infected machine (via a P.O. Box in Panama). If we fast forward to the mid-2000s, ransomware was becoming more popular, and the fee being extorted was up to $300 per machine — a decent payday for not much work. Then, jumping ahead to 2013, we see the introduction of CryptoLocker, which charged $400 per device. But CryptoLocker was different from others in a significant way; it provided proof that there was serious money to be made — estimated to be up to $27 million. This changed the game.

As the years have gone by, the ransom demanded has increased quite significantly, with payments in the millions now being so common as to barely warrant notice. Of the major players, DarkSide is reported to have pulled in $90 million, Ryuk is estimated to have made $150 million, REvil has made $100 million, and Maze comes in at $75 million.

The profit these attackers make is simply extraordinary, and this has changed tactics and created a dangerous business model.

In the past, ransomware attacks were largely untargeted, going after anything that stumbled across them. The operators didn’t concern themselves with who they hit or how much money they had. Now, it’s very much about finding companies with weak security and taking them for as much money as possible. Ransomware moved from opportunistic to targeted, and the profits have soared.

Another significant change is the move to Ransomware as a Service (RaaS): professional teams develop the ransomware and provide it to attackers that find vulnerable targets and deploy it. While one may talk about a group such as REvil conducting an attack, the reality is more complex. REvil provides software and a service to the actual attackers, and then the profit is split between them. This has allowed a division of work, the development of better ransomware, and allowed attackers to focus on finding vulnerabilities (instead of needing to write code for the ransomware first). All in all, this is a logical evolution from a business perspective.

A final note to set the stage for what’s going on today is that many of these RaaS operators treat their enterprises as genuine businesses; legality isn’t part of the equation for them.

Paying Ransom Hurts Everyone #

When a ransom is paid, everyone suffers. Funneling money to criminals allows them to expand, finance new attacks, recruit more people, and continue their crusade to make the world a little more dangerous.

While some may find themselves in a position where, due to their organization’s failures, they have no hope but to pay the ransom and hope the criminals actually help them, they do so at a cost to everyone. Funding criminal enterprises is, without question, morally wrong — it’s also self-defeating, as it diverts funds away from better investments and provides additional resources that will be used for future attacks. Just because an organization has paid the ransom doesn’t mean that the gang will leave them alone forever.

Each dollar that these gangs receive makes the world a little worse, and a little more dangerous for everyone. Each dollar they receive enables them to do more damage. Each dollar they receive motivates them to do it again.

Disrupting their business model must be a key goal of everyone involved, and that means making sure they receive as little money as possible.

Fighting on Multiple Fronts #

There is no silver bullet that will suddenly bring this problem to a halt; it needs to be addressed on a number of fronts simultaneously. This requires actions on the part of all stakeholders, and requires this action to be taken quickly and effectively. While ransomware will never be eliminated, the growing profits and increasing impact of attacks make it clear that not enough is being done.

Technical #

The industry, the entire technology sector, has largely failed to address this issue adequately. While some progress has been made, it’s still far too easy to successfully execute these attacks.

Platforms #

O.S. vendors should be investing far more heavily in sandboxing applications, limiting their ability to quietly access all of the data on a system. Something akin to AppArmor on all platforms would go a long way to limiting what these destructive tools can do.

Vendors should also reevaluate the traditional tiered approach to permissions, where system management functions also permit access to files and information that is unlikely to be needed. The principle of least privilege isn’t appropriately applied in O.S. permission models; instead of giving administrative users only the necessary access to perform the specific tasks needed, administrative users are often able to access things they have no real need to, greatly increasing the attack surface. Instead of tiers of administrative users, each level gaining more access, there should be a greater focus on types of administrative users, with each being limited to the least privileges possible. The concept of all-powerful user accounts is, and always has been, a mistake.

Platform vendors have a responsibility to address this issue and implement reasonable controls that limit what malicious software can do; while there are commercial tools that address these concerns, it’s the platform itself that should be providing more robust protection and providing organizations with a safe by default environment.

MSPs, Services, MDM, & Integrations #

Too often, the keys to the kingdom are passed out freely, creating massive new attack vectors. The Kaseya attack is an excellent example of this; the attackers leveraged the privileged access that the Kaseya VSA product has to attack MSPs, and then used their access to attack their clients. This type of excessively privileged scenario creates such a large attack surface that an organization’s security becomes entirely dependent on a third party.

As above, there should be a greater focus on properly adhering to the principle of least privilege and minimizing the risks and attack surfaces created. Too often, such integrations require levels of access and privilege that genuinely aren’t needed; this needs to change.

When a third party takes on privileged access to a client, they accept a substantial responsibility, one that not enough take as seriously as they should.

IT & Infrastructure Management #

I.T. is a mess. It’s that simple. In the decades that the field has had to evolve, many of the same problems persist from year to year, decade to decade.

The tools to manage systems in a secure way are often inadequate or introduce their own issues (here’s a fun example). Corners are often cut, taking the easier approach over the more secure approach; it’s easier, it’s faster, and often results in fewer complaints. In penetration tests, it’s common that the tester gains a substantial degree of access due to countless errors and missing controls. The list of issues goes on and on.

To gain the upper hand, organizations need to invest in making resilient networks that are both resistant to attacks and able to recover quickly.

Where’s the Backup? #

An absolutely critical change that needs to occur is that backups should be protected, readily available, and tested. The fastest way to recover from a ransomware attack is restoring the encrypted data from backup; it doesn’t require approvals, payments, or supporting international criminal gangs.

Every organization should implement a robust backup strategy to recover effectively and efficiently if they are victimized. Too often, backups are nonexistent or untested and fail when needed — if there’s one thing that organizations take from these attacks, it should be how important it is to get backups right.

There’s no legitimate excuse to get this one wrong.
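The two properties the post insists on, backups that are protected and backups that are tested, are easy to state and easy to skip. The script below is an added example, not code from the original post: it takes a backup, records a hash manifest from the live data, marks the archive read-only, and then proves the archive restores by extracting it into a scratch directory and checking every file against the manifest. It assumes a Linux host with POSIX sh, GNU tar and GNU coreutils (`sha256sum`); the directory names and sample files in `demo` are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post): back up a directory, then prove the
# backup restores. Assumes POSIX sh, GNU tar and GNU coreutils on Linux.
set -eu

# make_backup SRC_DIR DEST_DIR
#   Writes DEST_DIR/backup-<utc stamp>.tar plus a sha256 manifest taken from the
#   live data (not from the archive), makes both read-only, prints the archive path.
make_backup() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/backup-$stamp.tar"
    # -C so the archive stores paths relative to the source root
    tar -cf "$archive" -C "$src" .
    # hash every regular file in the source tree; paths come out as ./relative
    (cd "$src" && find . -type f -exec sha256sum {} +) > "$archive.manifest"
    # read-only once written: a compromised account on this host cannot quietly edit it
    chmod 0440 "$archive" "$archive.manifest"
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE
#   Restores ARCHIVE into a scratch directory and checks every restored file
#   against the manifest. Returns 0 only if extraction and every hash succeed.
verify_backup() {
    archive="$1"
    scratch=$(mktemp -d)
    rc=0
    # a truncated or corrupted archive fails here
    tar -xf "$archive" -C "$scratch" 2>/dev/null || rc=1
    # compare restored content with the hashes recorded at backup time;
    # the redirect sits outside the subshell so a relative ARCHIVE path still works
    if [ "$rc" -eq 0 ]; then
        (cd "$scratch" && sha256sum --status -c -) < "$archive.manifest" || rc=1
    fi
    rm -rf "$scratch"
    return "$rc"
}

# demo: constructed sample data; returns 0 only if a fresh backup restores and verifies
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/data/reports"
    printf 'q3 figures\n' > "$work/data/reports/q3.txt"    # constructed sample file
    printf 'customer list\n' > "$work/data/customers.csv"  # constructed sample file
    archive=$(make_backup "$work/data" "$work/backups")
    verify_backup "$archive"
}

demo
```

The point of restoring into a scratch directory rather than diffing the archive listing is that it exercises the same path a real recovery would take; a backup that has never been restored is an assumption, not a backup. In production the archive and manifest would be copied to storage the production credentials cannot write to, and `verify_backup` would run from that copy on a schedule.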

Endpoint Security Vendors #

Slow, invasive, error-prone, ineffective, expensive, productivity inhibitors, privacy nightmares, security threats — these are just some of the ways I’ve heard endpoint security products described over the years. Unfortunately, this field has a real problem. This isn’t just a perception issue; it’s a real problem that professionals see every day.

It’s fairly uncommon to hear genuinely good things about an endpoint security product from those that work with them regularly. For all the marketing hype and bluster, they often fail to do the one thing they are meant for, and too often have a huge attack surface and excessive privileges that can lead to attacks that wouldn’t otherwise be possible.

These vendors need to look at their products and listen to the feedback that those in the field have been shouting at them for years. Then, stop spending so much of their budgets on impressing the C-suite and focus on building something that really does make the world a safer place. This is a field with substantial potential, but has failed to live up to it.

While there are substantial consequences to these crimes, prosecutions are still too rare. Greater international cooperation is needed, and there need to be more significant penalties for the gangs and all of those that support them — especially those that touch their money.

Cryptocurrency exchanges that handle money that came from an attack (and that have a reasonable way of learning this) should be targeted aggressively, making these ransomware gangs too toxic to work with. Making it harder for them to launder their money effectively will reduce their profits and thus their motivation and ability to finance future attacks.

The entire support infrastructure for these gangs should be targeted with all available tools.

Financial #

Governments have a strong interest in stopping these attacks, from protecting national security and critical infrastructure to economic stability. Governments also have powerful tools at their disposal that can aid in this fight. I will focus on the U.S. government here, but there are typically equivalents for other countries.

Disrupting the business model that these criminal enterprises are based on should be a key goal for governments; by attacking the ability to easily profit from attacks, it’s possible to reduce the motivation and increase the risk for those involved. While there are many ways to fight this scourge, this is one that can be enacted quickly and is likely to have a notable impact.

In 2020, the Office of Foreign Assets Control (OFAC) issued guidance pointing out the risk to companies that pay ransoms, as they may be violating sanctions that the government has implemented. This guidance was released following the 2019 decision to sanction Evil Corp for their attacks; since then, though, this tool has been underutilized.

To stem the flow of easy profits, the government needs to take quick and decisive action against these gangs — reducing their profits and making companies less attractive targets.

  • Implementing sweeping sanctions against known gangs, their members, and those known to support them. Targeting their support infrastructure, be it cryptocurrency exchanges, infrastructure providers, or even nation-states, will make these groups too dangerous to work with safely. While they may go further underground, anything that makes it more challenging to collect profits is a win for all.
  • OFAC should only grant licenses to allow payment when there is a demonstrated need and substantial impact. This shouldn’t be a rubber stamp process, but instead, one that demands proof that it’s vital that the victim works with the attacker to recover.
  • The IRS has proposed a reporting requirement that would demand that companies treat cryptocurrency transactions like cash transactions; thus, a transaction worth over $10,000 would have to be reported. This would help to identify these crimes, and support the sanction effort.

There are a variety of other tools the government could leverage, but these have precedent and allow enough flexibility to minimize the risk of unintended harm to victims.

Prohibition vs. Regulation #

There are some that wish to implement a blanket ban on ransom payments, or even cryptocurrency itself, as a way of addressing this problem — this would be a mistake.

If these payments were made illegal with no opportunity to seek approval when there’s no other practical option, victims would be left in an impossible position. Face the loss of critical systems and perhaps face complete collapse, or violate the law. If they chose the latter, they would expose themselves and their organization to criminal penalties, and would open the door to ongoing blackmail to keep the payment secret. This would be an absurd outcome.

Proper regulation can achieve the goal of making targets less attractive without the risk of turning victims into criminals. Of course, it will require striking a careful balance, but it’s a safer route than an outright ban.

In Summary #

The war on ransomware will never truly be won, and the fight will go on forever. However, the rate of successful attacks demonstrates how urgent it is that more be done, and that we all take steps to fight them.

As I said above, there’s no silver bullet, but there is a lot we can do.
