On a Sunday in 2012, while serving as the Director of Current Operations of Army Cyber Command, I was leaving church in northern Virginia when the pastor stopped me in the procession line. He whispered to me: “Jeff, I hear you’re in cyber security – we have a problem. Someone has locked up our laptops and file shares, and we’re being extorted. Have you ever heard of ransomware?”
At the time, I was more focused on trying to get ahead of the Chinese and other nation-state actors who were interested in stealing government secrets and intellectual property, so, needless to say, ransomware wasn’t on my radar.
Later that year, I transitioned from the Army to operating a global incident response team for SecureWorks. By then, ransomware was becoming more commonplace as a plague for small businesses and individuals who were unfortunate enough to fall for a poorly crafted phishing email. Between 2012 and 2015, the end target didn’t seem to change; ransomware actors were still pursuing workstations and file share services.
However, the phishing emails began to improve (e.g., resembling legitimate FedEx or UPS tracking emails), making the campaigns even more successful. For the most part, the payoff was small, anywhere from $100-$1000 per victim. I used to advise victims to consider paying if they didn’t have reliable backups. We used to joke, and it was true, that the ransomware actors actually had pretty good customer service and informative FAQ sites because they really wanted repeat customers.
Going big time
In early 2015, we began seeing the first indications that ransomware actors were pivoting to the cloud. They did not start out at scale. Criminals would go after open source content management system web servers, which are normally not well-patched. They locked out administrators and blocked user access, then sent a ransom demand. This evolution raised return on investment tenfold. Later, and through the spring of 2016, we saw specific threat groups going after industry verticals such as healthcare, using shared scanning tools and looking for vulnerable systems running JBoss, a Java-based application server.
Now, organized criminal gangs could identify thousands of potential victims to compromise at will. Again, a potentially exponential ROI.
And, just when we thought we’d seen it all, the summer of 2016 saw the debut of a threat actor known as The Dark Overlord (TDO), who offered for sale source code that appeared to come from a healthcare SaaS. With this, TDO claimed that this popular SaaS (never named in reports) and its thousands of customers could be held for ransom.
Another progression of ransomware is the Mirai code, which builds an IoT botnet capable of generating 1 TB/sec of DDoS power. This means DDoS attacks for ransom are back in the game and a real threat. The code is very simple to operate, which lowers the skill needed for less sophisticated actors to use it.
The next evolution
The ultimate question is, where is the hockey puck going next?
My theory: Ransomware actors are going to try to take down business systems, such as payment processors or eCommerce sites, whose output CFOs measure in hundreds of thousands of dollars of revenue per minute. The business calculus of paying a few hundred thousand dollars to get a system that generates millions of dollars back online becomes quite linear and easy to solve.
In fact, I strongly believe that an incident like this has already happened; we just haven’t heard about it publicly. But, with lucrative payoffs, volume inevitably increases. And, we will.
The fact is, ransomware and ransom campaigns are in their infancy. Organizations must take steps to educate employees, protect websites and lock down vulnerable databases or expect to fall prey. It’s everyone’s responsibility to remain diligent to avoid catastrophe.