Russia’s war on Ukraine is not only being fought on the ground; the war has now manifested itself into the cyber world. Everything from critical infrastructure to the economy is being attacked by infecting computer systems with various forms of malware intended to wreak havoc. I have long predicted that a cyber-terrorism attack could cause more devastation than many physical acts of terror seen throughout history. Unfortunately, that prediction is quickly becoming a reality as cyber war tactics continue to evolve.
Ransomware, a form of malware, has gained much attention recently. In a ransomware attack, the victim’s data is accessed and then encrypted preventing the owner from being able to use the data. A ransom payment is then requested in exchange for a key to unlock the data and make it useful again.
Ransomware has evolved at light speed since the first known attack was launched by Joseph Popp, a Harvard-educated biologist, over 30 years ago. Popp’s distribution method was mailing floppy disks claiming to be AIDS Medical Research to 20,000 fellow researchers. Once the floppy disk was inserted into a computer, it would lock the data and demand payment of $189 in cash to be mailed in an envelope to a PO Box in Panama. Once the cash was received, the attacker claimed a key would be provided to unlock the data.
Today ransomware is instantly distributed over the internet to millions of victims and demands ransom payment through untraceable and immediately transferable cryptocurrencies. The speed of attack has grown exponentially, and the ability to pay the attacker in crypto leaves little trace evidence for an investigator.
Two relatively new ransomware strains request dramatically different ransom payments. AlumniLocker, which is built on a variant of Thanos ransomware, immediately demands 10 Bitcoins, about $450,000 as of this writing. In contrast, another new variant called Humble only asks for 0.0002 Bitcoins, about $10. It is likely that Humble will target individuals, and their competitive differentiator is the low price point to remove the angst in deciding to pay the ransom to the cyber-terrorist.
The choice to pay or not pay the ransom is further complicated by double extortion attacks. This new trend not only renders the data useless but also sends a copy of the data to the cyber-attacker. If the ransom is not paid in a timely manner, the attacker threatens to publish the stolen data on the dark web. Not only is this double extortion attempt embarrassing for the victim, but it will likely trigger a very costly disclosure requirement, compliance fines, reputational damage, and a host of other problems. Even worse, the attacker may analyze the stolen data to identify vendors, customers, employees, etc., and threaten to attack them directly if the original victim decides not to pay the ransom. Or, to use the data to harm a 3rd party doing business with the victim.
Such was the case in 2021 when the cyber-terrorist group ReVil announced it had stolen data pertaining to unreleased Apple products from Quanta Computer, an Apple vendor. While Apple was not directly attacked, the group demanded $50M from the Cupertino-based company or threatened it would publish design details on unannounced MacBook Pros and iMacs.
Paying the ransom may seem to be a smart business decision given regulations around personally identifiable information (“PII”) such as the EU’s GDPR. Giving the terrorist $1M may seem like a smart business decision over trying to recover from the attack and disclosing the breach at a cost of, perhaps, $2M. Unfortunately, these decisions are being made at the Board of Directors level in many companies while you are reading this article, and many are deciding to pay the terrorists.
As technology continues to advance, cyber-terrorists are finding new ways to distribute and execute ransomware, and are now targeting a gigantic addressable market, from individuals to governments, and everything in between. Make no mistake, ransomware is a very large business.
In my opinion, it is not possible to outsmart the bad guys. This is big business, funded by foreign state governments such as Russia, China, India, Pakistan, North Korea, and many others. It employs some of the brightest technical talent on the planet. Some attacks are for-profit while others are simply to steal trade secrets and others to inflict damage to the economy. Cyber warfare is now very real, and I argue that it is not possible to keep malware and ransomware out of your network.
In order to solve the problem, we need to start with the premise that the bad actor has already reached your data. This is a major shift in mindset and something most cybersecurity experts are very uncomfortable with.
If we start with the knowledge that all cybersecurity defenses have been breached, and the attacker is now in a position to encrypt or steal the data, we can begin to think about innovative strategies to minimize or eliminate downstream damage.
One concept that is gaining traction is to make the data valueless to the cyber-terrorist. This change in mindset assumes the attacker WILL penetrate your environment and WILL exfiltrate the data that resides there. But if the stolen data is incomplete and does not contain any actual useable information, there is nothing for the attacker to use to create harm.
This innovative data-protection strategy changes the game for cybersecurity and puts control squarely back into the hands of the data owner. This change in mindset is required to finally defeat the adversary.
Joseph Pott created an entire industry around ransomware when he launched the first attack in 1989. Decades later, we are finally focused on truly finding a solution to this global problem.
About Paul Lewis
Paul is a serial cybersecurity entrepreneur with more than 30 years in the industry. Formerly the Founder and CEO of PG Lewis LLC, a cyber security and data forensics company that was strategically acquired by Robert Half International (NYSE:RHI), and the Founder and CEO of MC2, a data security company that was strategically acquired by Volt Information Sciences (NYSE:VOL), Paul’s been granted numerous patents to advance data privacy and protection and is a court-appointed expert in data security and incident response.