Ransomware is only getting started

By Randy Franklin Smith

Ransomware is about denying you access to your data via encryption. But that denial has to be of a great enough magnitude to create sufficient motivation for the victim to pay. The magnitude of the denial depends on:

  • Value of the encrypted copy of the data, which is a function of:
    • Intrinsic value of the data (irrespective of how many copies exist)
    • The number of copies of the data and their availability
  • Extent of operations interrupted

If the motivation-to-pay is about the value of the data, remember that the data doesn’t need to be private. It just needs to be valuable. The intrinsic value of data (irrespective of copies) is only the first factor in determining the value of the criminally encrypted copy of the data. The number of copies of the data and their level of availability exert upward or downward pressure on the value of the encrypted data. If the victim has a copy of the data online and immediately accessible, the ransomware-encrypted copies have little to no value. On the other hand, if there are no backups of the data, the value of the encrypted copy skyrockets.

But ransomware criminals frequently succeed in getting paid even if the value of the encrypted copy of data is very low. And that’s because of the operations interruption. An organization may be hit by ransomware that doesn’t encrypt a single file containing data that is intrinsically valuable. For instance, the bytes in msword.exe or outlook.exe are not valuable. You can find those bytes on billions of PCs and download them at any time from the Internet.

But if a criminal encrypts those files, you suddenly can’t work with documents or process emails. That user is out of business. Do that to all the users and the business is out of business.

Sure, you can just re-install Office, but how long will that take? And surely the criminal didn’t stop with those two programs.

Criminals are already figuring this out. In an ironic twist, criminals have co-opted a white-hat encryption program for malicious scrambling of entire volumes. Such system-level ransomware accomplishes complete denial of service for the entire system and all business operations that depend on it.

Do that to enough end-user PCs or some critical servers and you are into serious dollar losses no matter how well prepared the organization is.

So we are certainly going to see more system-level ransomware.

But encrypting large amounts of data is a very noisy operation that you can detect if you are watching security logs and file I/O patterns, which just can’t be hidden.

So why bother with encrypting data in the first place? Here are two alternatives that criminals will increasingly turn to:

  • Storage device level ransomware
  • Threat of release

Storage device level ransomware

I use the broader term storage device because of course mechanical hard drives are on the way out. Also, although I still use the term ransomware, storage device level ransomware may or may not include encryption. The fact is that storage devices have various security features built into them that can be “turned.” As a non-encryption but effective example, take disk drive passwords. Some drives support optional passwords that must be entered at the keyboard before the operating system boots. Sure, the data isn’t encrypted and you could recover it, but at what cost in terms of interrupted operations?

But many drives, flash or magnetic, also support hardware-level encryption. Turning on either of these options will require some privilege or exploitation of low-integrity systems, but storage-level ransomware will be much quieter, almost silent, in comparison to the application- or driver-level encryption of present-day malware.
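The drive-password case has a defensive counterpart: verifying that each drive’s ATA security is in the “frozen” state, which firmware normally sets at boot and which makes the drive refuse security commands (such as setting a password) until the next power cycle. The checker below is an added example, not the author’s code or a tool the post mentions. It parses the Security section that `hdparm -I` prints on Linux and is run here against a constructed sample modelled on that output format (device and model names are placeholders); the verdict labels are my own.

```python
import subprocess

# Constructed sample, modelled on the "Security:" section of `hdparm -I`
# output for an ATA drive.  Device path and model are placeholders.
SAMPLE_HDPARM_OUTPUT = """\
/dev/sdX:

ATA device, with non-removable media
        Model Number:       EXAMPLE-DRIVE-PLACEHOLDER
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
Checksum: correct
"""

SECURITY_FLAGS = {"supported", "enabled", "locked", "frozen"}


def parse_ata_security(text):
    """Return {'supported','enabled','locked','frozen'} -> bool from
    hdparm -I style output.  Flags not present default to False."""
    status = {flag: False for flag in SECURITY_FLAGS}
    in_section = False
    for line in text.splitlines():
        if line.startswith("Security:"):
            in_section = True
            continue
        if in_section and line and not line[0].isspace():
            break                      # next top-level section begins
        if not in_section:
            continue
        tokens = line.split()
        if not tokens:
            continue
        negated = tokens[0] == "not"   # hdparm prints "not <flag>" when off
        flag = tokens[1] if negated and len(tokens) > 1 else tokens[0]
        if flag in SECURITY_FLAGS:
            status[flag] = not negated
    return status


def assess_ata_security(status):
    """Map parsed flags to a verdict a defender can act on (labels are mine)."""
    if not status["supported"]:
        return "no-ata-security"
    if status["locked"]:
        return "locked"          # password set and drive currently locked
    if status["enabled"]:
        return "password-set"    # a password exists; confirm it is yours
    if not status["frozen"]:
        return "unfrozen"        # drive still accepts security commands
    return "frozen"              # desired state: firmware froze it at boot


def check_drive(device):
    """Run hdparm against a real device (requires root and hdparm installed)."""
    out = subprocess.run(["hdparm", "-I", device], capture_output=True,
                         text=True, check=True).stdout
    return assess_ata_security(parse_ata_security(out))


if __name__ == "__main__":
    verdict = assess_ata_security(parse_ata_security(SAMPLE_HDPARM_OUTPUT))
    print("sample drive:", verdict)   # "unfrozen" for the constructed sample
```

A drive reporting “unfrozen” while the OS is running is the condition to alert on: it means software with enough privilege could set a drive password without any encryption activity to notice. Whether the BIOS/UEFI freezes drives at boot is a firmware setting, so the check is worth running from a fleet inventory job rather than once.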

Threat of release

I’m surprised we haven’t heard of this more already. Forget about encrypting data or denying service to it. Instead exfiltrate a copy of any kind of information that would be damaging if it were released publicly or to another interested party. That’s a lot of information — not just trade secrets. HR information. Consumer private data. Data about customers. The list goes on and on and on.

There’s already a burgeoning trade in information that can be sold – like credit card information. But why bother with data that is only valuable if you can sell it to someone else and/or overcome all the fraud detection and loss-limiting technology that credit card companies are constantly improving?

The data doesn’t need to be intrinsically valuable. It only needs to be toxic in the wrong hands.

Time will tell how successful this will be, but it will happen. The combination of high read/write I/O on the same files is what makes ransomware stand out right now. And unless you are doing transparent encryption at the driver level, you have to accomplish it in bulk as quickly as possible. But threat-of-release attacks won’t cause any file system output. Threat-of-release also doesn’t need to process bulk amounts of information as fast as possible. Criminals can take their time and let it dribble out of the victim’s network to their command and control systems. On the other hand, the volume of outbound bandwidth with threat of release is orders of magnitude higher than with encryption-based ransomware, where all the criminal needs to send is encryption keys.
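The two signals contrasted here (and the earlier point that bulk encryption is noisy in file I/O) are worked through below as an added example: one detector looks for a single process that both reads and rewrites many distinct files within a short window, the other for a host whose outbound volume jumps far above its own baseline. This is not the author’s code. The audit events and daily byte counts are constructed samples modelled on what object-access auditing and flow records provide; the process names, paths, window and thresholds are assumptions to tune against your own environment.

```python
import statistics
from collections import Counter, defaultdict

WRITE_OPS = {"write", "rename", "create"}


def _build_sample_events():
    """Constructed file-audit events: (timestamp_s, process, op, path)."""
    events = []
    # ransom.exe: reads each document then overwrites it, 25 files in ~10 s
    for i in range(25):
        path = f"C:/Users/alice/Documents/report_{i}.docx"
        events.append((100.0 + i * 0.4, "ransom.exe", "read", path))
        events.append((100.2 + i * 0.4, "ransom.exe", "write", path))
    # winword.exe: a user saving the same file over and over all afternoon
    memo = "C:/Users/alice/Documents/memo.docx"
    for i in range(40):
        events.append((100.0 + i * 30, "winword.exe", "read", memo))
        events.append((101.0 + i * 30, "winword.exe", "write", memo))
    # backup.exe: reads hundreds of files quickly but never writes them back
    for i in range(300):
        events.append((100.0 + i * 0.05, "backup.exe", "read", f"C:/Data/file_{i}.bin"))
    return events


SAMPLE_EVENTS = _build_sample_events()


def _update(ev, reads, writes, delta):
    """Apply +1/-1 to the per-path counter for this event and return the
    change in the number of paths that have BOTH reads and writes in window."""
    _, _, op, path = ev
    counter = reads if op == "read" else writes if op in WRITE_OPS else None
    if counter is None:
        return 0
    other = writes if counter is reads else reads
    before = counter[path]
    counter[path] = before + delta
    if other[path] == 0:
        return 0                       # path never had the other op type
    if delta > 0 and before == 0:
        return 1                       # path just became read-and-written
    if delta < 0 and counter[path] == 0:
        return -1                      # path dropped out of the window
    return 0


def find_bulk_rewriters(events, window=60.0, min_files=20):
    """Return {process: peak} for processes that read AND wrote at least
    min_files distinct paths within any `window`-second span."""
    by_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_proc[ev[1]].append(ev)
    peaks = {}
    for proc, evs in by_proc.items():
        reads, writes = Counter(), Counter()
        both, left, peak = 0, 0, 0
        for ev in evs:                           # sliding window per process
            both += _update(ev, reads, writes, +1)
            while evs[left][0] < ev[0] - window:
                both += _update(evs[left], reads, writes, -1)
                left += 1
            peak = max(peak, both)
        if peak >= min_files:
            peaks[proc] = peak
    return peaks


# Constructed per-host daily outbound bytes, oldest first and today last,
# as aggregated from firewall or NetFlow records.
SAMPLE_EGRESS = {
    "ws-017": [52_000_000, 61_000_000, 55_000_000, 49_000_000, 2_100_000_000],
    "ws-002": [900_000_000, 1_100_000_000, 950_000_000, 1_000_000_000, 1_200_000_000],
    "ws-044": [0, 0, 0, 0, 5_000_000],
}


def find_egress_outliers(daily_bytes_out, factor=10.0, min_bytes=100_000_000):
    """Return {host: ratio} where today's outbound volume is both above
    min_bytes and more than `factor` times the host's own prior median."""
    outliers = {}
    for host, series in daily_bytes_out.items():
        *history, today = series
        if not history:
            continue
        baseline = max(statistics.median(history), 1)
        if today >= min_bytes and today > factor * baseline:
            outliers[host] = today / baseline
    return outliers


if __name__ == "__main__":
    print("bulk rewriters:", find_bulk_rewriters(SAMPLE_EVENTS))
    print("egress outliers:", find_egress_outliers(SAMPLE_EGRESS))
```

The rewrite detector deliberately requires both a read and a write of the same path, so a backup agent or indexer that only reads many files does not trip it; restore jobs, compilers and some sync clients do read and rewrite many files and need an allow-list or a higher threshold. The egress check compares each host only against its own history, which is what catches a slow dribble that never looks large in absolute terms, and the `min_bytes` floor keeps a host that normally sends nothing from alerting on a few megabytes.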

As with all endpoint-based attacks (all attacks for that matter?) time is of the essence. The time-to-detection will continue to determine the magnitude of losses for victims and profits for criminals.