Has ransomware become the Chicken Little of the security industry?
That ransomware is a problem cannot be doubted. Whether the current level of media coverage, fuelled by vendor press releases, is doing more harm than good is more open to debate.
Just today SCMagazineUK.com reported how Avecto research had revealed that 30 percent of UK councils suffered at least one ransomware attack in 2015. That is big news. That Smart TVs have been infected by the Flocker ransomware may be less so. Unless it's your TV that is asking for cash to start working properly again, of course.
Ian Trump, Global Security Lead at LOGICnow, thinks that "ransomware on Smart TVs is a natural evolution for cyber criminals, with an increase in poorly secured IoT devices connecting to the internet." Although, as Cesare Garlati, chief security strategist for the prpl Foundation, points out, "if we're getting technical, I think the term ransomware is improperly used in this case. Users can always reset the TV to factory defaults and get rid of the problem."
But how do we get rid of the problem of overplaying the ransomware threat, if indeed it is being overplayed?
After all, we know that properly backed up data is usually restorable, that sometimes keys will be available through security vendors, that all is not inevitably lost. So is the level of hype/hysteria surrounding ransomware doing more harm than good?
Sean Sullivan, Security Advisor at F-Secure Labs, strongly rejected the Chicken Little metaphor when SCMagUK.com spoke to him. "I've been expressing serious (not panicked!) concerns about crypto-ransomware since late 2014," Sullivan said, continuing, "the right message is that backups are very important, backups that aren't routinely tested aren't really backups and being compromised by crypto-ransomware doesn't need to result in data loss but it will result in business disruption."
What about the FBI chap who advised people to pay ransoms: was that the right message as well? Erka Koivunen, cyber security advisor at F-Secure, suggests that the levels of 'customer care' being provided by the criminals involved make it ever harder to promote a 'do not deal with bad guys' message. "Combined with the technical efficiency of modern ransomware and the persistence with which they seek to bypass security controls on all levels," Koivunen concludes, "I would not subscribe to the claim that the threat is overrated."
And Koivunen is not alone. Ilia Kolochenko, CEO of High-Tech Bridge, told us that "unlike other exaggerated trends, such as APT or IoT, ransomware is a fundamental economic problem. Cybercriminals understand that they can easily and safely make quick money on extortion." A position backed up (no pun intended) by Ziv Mador, VP of Security Research at Trustwave, who says "we conducted an ROI analysis in the 2015 Trustwave Global Security Report which revealed that even novice cybercriminals can generate monthly revenues of $90,000 by spreading ransomware, with monthly expenses of around $6,000."
Adam Kujawa, Head of Malware Intelligence at Malwarebytes, insists "the amount of attention that ransomware has been getting from the media is the most accurate danger vs exposure that we have ever experienced." Based on Malwarebytes' own statistical analysis of ransomware drops through malvertising attacks, Kujawa says "the bad guys are giving up other malware types and adopting ransomware."
And Jeremiah Grossman, Chief of Security Strategy at SentinelOne, goes even further, telling SC that "if anything ransomware is not getting the attention it deserves by the media or the industry. We'll probably witness a new billion dollar plus cyber-crime industry within the next 2 years. Ransomware needs more attention before things get really out of hand."
Not that everyone is singing from the same hymn sheet. Mark James, Security Specialist at ESET, told us that "scare-mongering is always a concern when we talk about malware, whether it's the latest breakthroughs or a new “super strain” of an old forgotten Trojan," continuing, "the hardest part is getting the information over without it sounding like it's the end of the world." The truth being, James insisted, that malware ransomware can be recovered from. "It may be restoring from backup or just hard work and experience," he concludes, "but with the right help there is often a way out."
Steve Hultquist, Chief Technical Evangelist at RedSeal, agrees and says that there's a risk that "continuing to hammer on about the ransomware threat which, at its root in virtually every case, is caused by a human error in opening a file that shouldn't be opened, will redirect efforts better spent elsewhere." By which he means that it's more important to protect infrastructure, find ways of building resilience into systems and networks, and protect weaknesses that would allow much greater damage.
Ryan O'Leary, VP of the Threat Research Centre at WhiteHat Security, warns that the bad guys aren't dumb and the huge spike in ransomware threats that has stirred up a media reporting frenzy has caught their attention. "They realise that there is this paranoia and fear," O'Leary says, "so it's really easy to send an email saying 'Send me 10 bitcoins or else', and inevitably a few will actually cough up." Even if there is no actual encryption. As David Kennerley, director of threat research at Webroot, confirms, "we have already seen cases where file extensions are changed but no encryption takes place."
Meanwhile, Charl van der Walt, who is head of security strategy at SecureData, blames the "growing trends of celebrity researchers, branded vulnerabilities and stunt hacking in the news" as serving to spread panic and confusion. "These do little to inform a balanced and strategic information security program," van der Walt insists, "a situation that's often compounded by media outlets sensationalising dramatic but relatively unimportant issues like Internet TV hacks..."
Asking the Chicken Little question of the security industry has certainly proved to be an emotive issue, with plenty of informed opinion on both sides of the 'how much hyperbole is healthy' fence. We will leave the final word with Prof. Steven Furnell, a senior member of the IEEE and professor of IT Security at Plymouth University.
"The problem we face more generally is that it's always the threats that are headline-grabbing. By contrast, the advice on protecting against them seems rather more mundane - especially when it often comes down to highlighting the same principles and good practices again and again (Data can be safeguarded by backups? Well, who knew?!). Framing the reporting around the lack of protection rather than the existence of the threat would often be a good way to direct attention towards the actionable parts of the problem."