Ransomware is about denying you access to your data via encryption. But that denial has to be of a great enough magnitude to create sufficient motivation for the victim to pay. The magnitude of the denial is a function of:
- The value of the encrypted copy of the data, which is in turn a function of
  - The intrinsic value of the data (irrespective of how many copies exist)
  - The number of copies of the data and their availability
- The extent of operations interrupted
If the motivation-to-pay is about the value of the data, remember that the data doesn’t need to be private. It just needs to be valuable. The intrinsic value of the data (irrespective of copies) is only the first factor in determining the value of the criminally encrypted copy. The number of copies of the data and their level of availability exert upward or downward pressure on the value of the encrypted copy. If the victim has a copy of the data online and immediately accessible, the ransomware-encrypted copy has little to no value. On the other hand, if there are no backups of the data, the value of the encrypted copy skyrockets.
But ransomware criminals frequently succeed in getting paid even if the value of the encrypted copy of the data is very low, and that’s because of the operations interruption. An organization may be hit by ransomware that doesn’t encrypt a single file containing data that is intrinsically valuable. For instance, the bytes in msword.exe or outlook.exe are not valuable. You can find those bytes on billions of PCs and download them at any time from the Internet.
But if a criminal encrypts those files you suddenly can’t work with documents or process emails. That user is out of business. Do that to all the users and the business is out of business.
Sure, you can just re-install Office, but how long will that take? And surely the criminal didn’t stop with those two programs.
Criminals are already figuring this out. In an ironic twist, criminals have co-opted a white-hat encryption program for malicious scrambling of entire volumes. Such system-level ransomware accomplishes complete denial of service for the entire system and all business operations that depend on it.
Do that to enough end-user PCs or some critical servers and you are into serious dollar losses no matter how well prepared the organization is.
So we are certainly going to see more system-level ransomware.
But encrypting large amounts of data is a very noisy operation that you can detect if you are watching security logs and other file I/O patterns, which just can’t be hidden.
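As an added illustration of that detection point (example code written for this edit, not part of the original article or any EventTracker product): the script below runs over a constructed file-access audit trail and flags any process that reads and then rewrites many distinct files inside a short window, the bulk read/write pattern the paragraph describes. Read-only sweeps such as a backup job are deliberately not counted. The record layout, process names and thresholds are assumptions.

```python
"""Flag processes whose file activity looks like bulk in-place encryption.

Example code added for this article; the audit record layout, process
names and thresholds are assumptions, not a real product's format.
"""
from collections import defaultdict, deque

# Constructed audit trail: (timestamp_seconds, pid, process, operation, path).
# For rename events the path is the file's name before the rename.
SAMPLE_EVENTS = []
for i in range(40):                                  # ransomware-like burst
    base = 100.0 + i * 0.1
    doc = f"C:/Users/alice/Docs/file{i}.docx"
    SAMPLE_EVENTS.append((base, 4242, "updater.exe", "read", doc))
    SAMPLE_EVENTS.append((base + 0.02, 4242, "updater.exe", "write", doc))
    SAMPLE_EVENTS.append((base + 0.04, 4242, "updater.exe", "rename", doc))
for i in range(200):                                 # read-only backup sweep
    SAMPLE_EVENTS.append((50.0 + i * 0.5, 900, "backup.exe", "read",
                          f"C:/Users/alice/Docs/file{i}.docx"))
for i in range(5):                                   # a user saving one document
    SAMPLE_EVENTS.append((300.0 + i * 10, 1200, "winword.exe", "write",
                          "C:/Users/alice/Docs/report.docx"))

WINDOW_SECONDS = 30.0       # sliding window length
MIN_REWRITTEN_FILES = 20    # distinct files read-then-written inside one window


def find_bulk_rewriters(events, window=WINDOW_SECONDS, threshold=MIN_REWRITTEN_FILES):
    """Return {pid: (process, peak)} for processes that read and then wrote
    (or renamed) at least `threshold` distinct files within `window` seconds.

    A read followed by a write of the same path is the in-place rewrite an
    encryptor performs; pure reads (backups, indexers) are never counted.
    """
    reads_seen = defaultdict(set)     # pid -> paths the process has read
    rewrites = defaultdict(list)      # pid -> [(ts, path)] read-then-write events
    names = {}
    for ts, pid, proc, op, path in sorted(events):
        names[pid] = proc
        if op == "read":
            reads_seen[pid].add(path)
        elif op in ("write", "rename") and path in reads_seen[pid]:
            rewrites[pid].append((ts, path))

    flagged = {}
    for pid, items in rewrites.items():
        window_events = deque()       # events inside the current window
        live = defaultdict(int)       # path -> occurrences inside the window
        peak = 0
        for ts, path in items:        # items are already time-ordered
            window_events.append((ts, path))
            live[path] += 1
            while ts - window_events[0][0] > window:
                _old_ts, old_path = window_events.popleft()
                live[old_path] -= 1
                if live[old_path] == 0:
                    del live[old_path]
            peak = max(peak, len(live))
        if peak >= threshold:
            flagged[pid] = (names[pid], peak)
    return flagged


if __name__ == "__main__":
    for pid, (proc, peak) in find_bulk_rewriters(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} {proc}: rewrote {peak} distinct files "
              f"within {WINDOW_SECONDS:.0f}s")
```

On the constructed input only pid 4242 is flagged: the backup process reads 200 files but never writes, and the word processor rewrites a single file. Keying on read-then-write of the same path rather than on write volume alone is what keeps those two benign cases quiet.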
So why bother with encrypting data in the first place? Here are two alternatives that criminals will increasingly turn to:
- Storage device level ransomware
- Threat of release
Storage device level ransomware
I use the broader term storage device because of course mechanical hard drives are on the way out. Also, although I still use the term ransomware, storage device level ransomware may or may not include encryption. The fact is that storage devices have various security features built into them that can be “turned” against their owner. As a non-encryption but effective example, take disk drive passwords. Some drives support optional passwords that must be entered at the keyboard before the operating system boots. Sure, the data isn’t encrypted and you could recover it, but at what cost in terms of interrupted operations?
But many drives, flash or magnetic, also support hardware-level encryption. Turning on either of these options will require some privilege or exploitation of low-integrity systems, but storage level ransomware will be much quieter, almost silent, in comparison to the application or driver level encryption of present-day malware.
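An added defender-side check, not from the original article: the script below parses the ATA security state that `hdparm -I` reports for a drive and says whether a privileged process on the running OS could set a drive password at all. The sample output is constructed and modelled on the layout of hdparm’s “Security:” section. The flag that matters is “frozen”: firmware that issues SECURITY FREEZE LOCK at boot leaves the drive unable to accept a new password until the next power cycle, which is the cheap mitigation for this class of attack. Self-encrypting-drive (OPAL) state is outside what this parser reads.

```python
"""Report whether a drive's ATA security feature set is exposed to the OS.

Example code added for this article. SAMPLE_HDPARM_OUTPUT is constructed and
modelled on the Security section of `hdparm -I`; it is not a real capture.
"""

SAMPLE_HDPARM_OUTPUT = """\
/dev/sda:

ATA device, with non-removable media
\tModel Number:       EXAMPLE SSD (constructed)
Security: 
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
"""

FLAGS = ("enabled", "locked", "frozen")   # lines read "<flag>" or "not <flag>"


def parse_security_state(output):
    """Return {'supported': bool, 'enabled': bool, 'locked': bool, 'frozen': bool}
    from the Security section; flags missing from the output are simply absent."""
    state = {"supported": False}
    in_section = False
    for line in output.splitlines():
        if line.startswith("Security:"):
            in_section = True
            continue
        if not in_section:
            continue
        if line and not line[0].isspace():      # next top-level section begins
            break
        tokens = line.split()
        if tokens == ["supported"]:             # bare "supported" = feature set present
            state["supported"] = True
        elif tokens and tokens[-1] in FLAGS and tokens[0] in ("not", tokens[-1]):
            state[tokens[-1]] = tokens[0] != "not"
    return state


def assess(state):
    """Classify exposure to a process that can issue ATA commands from the OS."""
    if not state.get("supported"):
        return "no ATA security feature set: password lockout not possible on this drive"
    if state.get("enabled") or state.get("locked"):
        return "ATA password already set: confirm this was done by the owner"
    if state.get("frozen"):
        return "frozen: SECURITY FREEZE LOCK issued, no password can be set until power cycle"
    return "EXPOSED: security supported, not enabled, not frozen; a privileged process could set a password"


if __name__ == "__main__":
    # In use, feed the real text: subprocess.run(["hdparm", "-I", "/dev/sda"], ...)
    print(assess(parse_security_state(SAMPLE_HDPARM_OUTPUT)))
```

The useful inventory question is therefore not just “does the drive support a password” but “is it frozen on this host”, and an unexpected transition from not enabled to enabled between two inventory runs is worth an alert in its own right.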
Threat of release
I’m surprised we haven’t heard of this more already. Forget about encrypting data or denying service to it. Instead, exfiltrate a copy of any kind of information that would be damaging if it were released publicly or to another interested party. That’s a lot of information. Not just trade secrets. HR information. Consumer private data. Data about customers. The list goes on and on and on.
There’s already a burgeoning trade in information that can be sold, like credit card information, but why bother with data that is only valuable if you can sell it to someone else and/or overcome all the fraud detection and loss-limiting technology that credit card companies are constantly improving?
The data doesn’t need to be intrinsically valuable. It only needs to be toxic in the wrong hands.
Time will tell how successful this will be, but it will happen. The combination of high read/write I/O on the same files is what makes ransomware stand out right now. And unless you are doing transparent encryption at the driver level, you have to accomplish it in bulk as quickly as possible. But threat-of-release attacks won’t cause any file system output. Threat-of-release also doesn’t need to process bulk amounts of information as fast as possible. Criminals can take their time and let it dribble out of the victim’s network to their command and control systems. On the other hand, the volume of outbound bandwidth with threat of release is orders of magnitude higher than with encryption-based ransomware, where all the criminal needs to send is encryption keys.
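An added example (not from the original article) of the two egress signals this paragraph implies, run over constructed daily flow summaries: a per-host outbound volume spike measured against that host’s own baseline for the bulk case, and a low-and-slow check for the dribble case, where no single day looks unusual but the same external destination keeps recurring. Hosts, destinations, record layout and thresholds are assumptions; the allowlist of known bulk destinations stands in for what a real deployment would baseline per destination.

```python
"""Two egress checks for threat-of-release style exfiltration.

Example code added for this article; the flow record layout, hosts,
destinations and thresholds are assumptions.
"""
from collections import defaultdict
from statistics import median

# Constructed daily flow summaries: (day, src_host, dst, bytes_out).
SAMPLE_FLOWS = []
for day in range(8):
    SAMPLE_FLOWS.append((day, "ws-01", "mail.example.net", 40_000_000))       # routine mail
    SAMPLE_FLOWS.append((day, "ws-02", "mail.example.net", 35_000_000))
    SAMPLE_FLOWS.append((day, "fs-01", "backup.example.net", 2_000_000_000))  # nightly backup
    SAMPLE_FLOWS.append((day, "ws-01", "198.51.100.7", 60_000_000))            # low-and-slow dribble
SAMPLE_FLOWS.append((7, "ws-02", "203.0.113.10", 6_000_000_000))               # one-day bulk upload

# Destinations known to carry large legitimate transfers (assumed allowlist).
KNOWN_DESTINATIONS = frozenset({"mail.example.net", "backup.example.net"})


def egress_spikes(flows, eval_day, ratio=5.0, floor_bytes=500_000_000):
    """Hosts whose outbound bytes on `eval_day` exceed `ratio` times their
    median daily volume over earlier days, and an absolute floor so that a
    quiet host sending its first few megabytes is not flagged.
    Returns {host: (today_bytes, baseline_median)}."""
    per_day = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes
    for day, host, _dst, nbytes in flows:
        per_day[host][day] += nbytes
    flagged = {}
    for host, days in per_day.items():
        baseline = [b for d, b in days.items() if d < eval_day]
        today = days.get(eval_day, 0)
        if not baseline:
            continue
        base = median(baseline)
        if today >= floor_bytes and today > ratio * base:
            flagged[host] = (today, base)
    return flagged


def slow_dribble(flows, min_days=5, min_total=200_000_000, exclude=frozenset()):
    """(host, dst) pairs that stay under any daily spike threshold but recur
    on many days and add up: the 'take their time' pattern.
    Returns {(host, dst): (days_seen, total_bytes)}."""
    seen = defaultdict(lambda: [set(), 0])            # (host, dst) -> [days, bytes]
    for day, host, dst, nbytes in flows:
        if dst in exclude:
            continue
        rec = seen[(host, dst)]
        rec[0].add(day)
        rec[1] += nbytes
    return {pair: (len(days), total) for pair, (days, total) in seen.items()
            if len(days) >= min_days and total >= min_total}


if __name__ == "__main__":
    for host, (today, base) in egress_spikes(SAMPLE_FLOWS, eval_day=7).items():
        print(f"SPIKE {host}: {today / 1e9:.2f} GB out today vs median {base / 1e9:.3f} GB")
    for (host, dst), (days, total) in slow_dribble(SAMPLE_FLOWS, exclude=KNOWN_DESTINATIONS).items():
        print(f"DRIBBLE {host} -> {dst}: {total / 1e6:.0f} MB over {days} days")
```

Against the constructed data the spike check catches ws-02’s one-day upload and stays silent on the file server whose 2 GB nightly backup is its own normal, while the dribble check catches ws-01’s 60 MB a day to a single external address, which never trips a per-day threshold. Both checks need the per-host baseline: a fleet-wide byte threshold would either miss the workstation or page on every backup run.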
As with all endpoint based attacks (all attacks for that matter?) time is of the essence. Time-to-detection will continue to determine the magnitude of losses for victims and profits for criminals.
“This article by Randy Smith was originally published by EventTracker” https://www.eventtracker.com/newsletters/ransomware-is-only-getting-started/