SAN FRANCISCO—Ransomware was the cyber-security story of 2016, and it is likely to be a big story again this year, with malicious operators upping the stakes by going after bigger and more lucrative targets like corporations, public infrastructure and industrial control systems.
Those were some of the conclusions from vendors and researchers during a daylong seminar on ransomware here at the RSA Conference 2017.
Throughout the day, experts discussed ways of not only preventing malware but also dealing with it once it hits, including whether to pay or not to pay. But whether or not a victim pays, there is still a lot of work to be done as part of the mitigation process.
There must be strategies in place for properly restoring data, patching the holes and training staffers to be on the alert for ransomware possibilities. In other words, ransomware is an ongoing security issue that should involve the entire company.
Ransomware Is Big Business
Ransomware netted cyber-criminals more than $1 billion last year, mostly from individuals and small businesses. The technique of locking or encrypting files and then demanding ransom for the key is an evolution of traditional cyber-crime business models of merely stealing data or taking down networks. Those methods take a lot of effort and don't always deliver a lot of money, if any.
"Bad guys are sick and tired shoveling PII [personally identifiable information] around," said security researcher Gal Shpantzer. "The market is saturated. It's no longer a seller's market."
Rather than peddle stolen data on the black market, cyber-criminals have opted instead to go direct to the customer, so to speak, which significantly shortens the attack life cycle, reduces overhead and delivers money more quickly, he said.
Ransomware actors also act like business people, for the most part. They are known to negotiate on price. Hollywood Presbyterian Hospital last year paid only $17,000 in Bitcoin after an original demand of more than $3 million.
But the business side of ransomware goes deeper than that because the business needs to operate on a level that commands enough respect that victims pay up. And once they do pay, the hackers must honor the deal and deliver the keys to unlock the data or the entire business proposition goes out the window.
In other words, there must be rules to the game, said Jeremiah Grossman, chief of security strategy at cyber-security firm SentinelOne. Grossman compared today's ransomware criminals with the modern-day kidnapping and ransom market—which includes Somali pirates—in which a cottage industry has evolved that includes security personnel, ransom negotiators and insurance syndicates such as Lloyd's of London.
Likewise, ransomware campaigns are increasingly being "professionalized" and funded, with sophisticated money laundering schemes, Grossman said. Ransomware negotiators are emerging, and cyber-insurers require clients to keep ransomware policies secret.
"Who really is profiting from the kidnapping and ransom business? It's not the pirates," he said. While pirates earned about $150 million in 2010, $1.85 billion was paid out in insurance against the pirates. By 2021, Grossman contends, the ransomware protection market will reach $17 billion.
Critical Infrastructure on the Hit List
Over the past few years at the Black Hat conference, researchers have shown ways hackers have compromised everything from cars to door locks to guns and every internet of things (IoT) device in between. Ransomware changes the dynamics of these hacks significantly, to the point where the nation's critical infrastructure will be held for ransom.
In just the past few months there have been two examples of public systems being compromised by ransomware: the San Francisco MUNI system in November and the closed-circuit TV cameras in Washington, D.C., days before the presidential inauguration in January.