Decrypting Ransomware’s Era

Jonathan Peyster
Published in Tales From Decrypt
Mar 10, 2023

In 1989, a British evolutionary biologist named Dr. Joseph Popp distributed a floppy disk through a mailing list with the title “AIDS Information Introductory Diskette”. When recipients loaded the disk, the files on their hard drives became hidden and their file names were encrypted, which effectively disabled their computers. What made this piece of malware, now known as the AIDS Trojan, particularly notable, however, is what it instructed victims to do next: send a $189 check to a post office box in Panama to “renew their license” and recover their files.

Popp may have been a pioneer of sorts, but his scheme was short-lived and it isn’t hard to see why — the technology of his time forced him to use the mail both to distribute his ransomware and to accept payments, which severely compromised his anonymity. Popp’s contemporary successors in the ransomware business are fortunate to enjoy a far more conducive environment for their criminal activities:

  • The world wide web — another 1989 invention — has become a global phenomenon that moves data across the globe at near light speed
  • Cryptocurrencies have emerged to solve the problem of accepting ransom payments anonymously
  • The scope, scale, and value of data have risen rapidly across both the public and private sectors as computing has become more pervasive
  • Cybersecurity investment hasn’t kept pace with the rise of IT, because regulation has been lacking and security spending does not directly contribute to revenue generation
  • Some governments are willing to shelter ransomware groups in exchange for their targeting foreign adversaries rather than the homeland

These conditions have combined to make ransomware the perfect crime for the times we now live in. Data is often an organization’s most valuable and confidential asset — losing access to it even temporarily can disrupt operations, and data exposure can cause loss of intellectual property, reputational damage, and threats to employee or customer safety if personal data is leaked. Organizations may not be equally attractive targets for ransomware, but they all have valuable data that they would pay to get back, to keep from being sold to the highest bidder, or to keep from being released publicly for free download.

While to many observers the current ransomware scourge may seem to have come out of nowhere, don’t expect it to go away anytime soon. As its technology and operational models become more sophisticated and automated, the cost and difficulty of initiating an attack will decline, which will expand the pool of economically worthwhile targets. The total quantity and value of data being produced will continue to increase, and this will inevitably attract more attention from malicious actors intent on exploiting weaknesses in how it is secured. Perhaps most concerning of all, ransomware groups are earning hundreds of millions of dollars per year, which can be reinvested into their enterprises and used to attract skilled threat actors to improve their technology. Ransomware groups are the hottest startups in the cybercriminal underworld — keeping their total addressable market in check is a collective responsibility that will require everything from threat intelligence to attack surface management, and I’ll be discussing it all here at Tales From Decrypt.

I am a China SME by training and cybersecurity obsessive by calling who led development of Dataminr's cyber capabilities for over 5 years in my last role.