We're all guilty of being wowed by the details of sophisticated nation-state spying campaigns and daring cyber-crime heists. Yet at a broad level, the techniques used to effect these attacks haven't evolved a huge amount over the past few years. Cyber-crime, on the other hand – and the ecosystem in which it operates – most certainly has. To combat the current scourge of ransomware we therefore need to shift our focus away from the technology itself, to understand the economics and drivers behind it: the “why” rather than the “how”.
As security professionals, we have a vital role to play in leading education efforts. To speak meaningfully, and to be taken seriously, about issues like ransomware at a systemic level will require us to learn not just the language of the boardroom but the language of society at large, and of government. That's when what we say will truly begin to hit home with the people that matter: the policy makers.
One of the vulnerabilities used to spread the Stuxnet virus from 2010 was apparently the most popular CVE exploited in cyber-attacks last year. In many ways, this is indicative of the fact that the tools and techniques used by cyber-criminals haven't actually changed all that much. In ransomware, cyber-criminals have found a new way to make the old vulnerability-exploit dynamic work to devastating effect. It has hit epic proportions: some of the latest estimates put related losses at US$5 billion (£3.7 billion) for 2017, up from just US$325 million (£243 million) two years ago. Some vendors claim to have blocked as many as 82 million ransomware threats in the first half of 2017 alone.
WannaCry and NotPetya took things up a notch, adding worm-like elements and nation state-developed tools which enabled them to spread far and wide with massive effect. Scores of NHS Trusts were forced to cancel operations, global shipping routes were disrupted, and some companies – like FedEx, Maersk and UK giant Reckitt Benckiser – have admitted that outages will cost them hundreds of millions in losses.
The ransomware ecosystem
As an industry it can be tempting to focus myopically on the bits and bytes behind each new strain of malware, and on developing and applying technology solutions to keep us safe. Yet if we want to effect a serious and lasting response, we must first view ransomware as a business like any other, albeit a criminal one. Its meteoric rise in popularity on the cyber-crime underground sprang from two separate events: the decline of business models like spam and carding as money-making strategies, and the rise of crypto-currency. Over the years ransomware has been refined as a business. Cyber-criminals tweak their prices according to their victim – consumers are charged less than vulnerable organisations with bigger coffers – and have added in customer support, countdowns, and other innovations over the years to boost their chances of success.
We must be clear about this: when victims pay up they effectively become co-conspirators with the criminals; cyber-insurance companies and security vendors profit as long as ransomware persists. Even though past research has shown that as many as one in five UK firms who paid ransoms never received a decryption key, many businesses still believe that it's easier to pay up than fight an inevitable compromise. As long as they continue to pay, ransomware will continue to flourish.
Our continued battle against all kinds of malware suggests that no amount of cutting-edge technology will truly eradicate this threat. Yes, there's an important place for threat protection products, but as an industry we need to look beyond the sticking plaster solution of anti-ransomware tools. The starting point is to thoroughly understand the drivers and mechanisms for money flow, including the role played by crypto-currencies, the incentives for the victim, the role of law enforcement and the IT security industry. Cyber-crime spreads like a virus – rather than vaccinating each individual who shows symptoms of an illness, you need to understand the conditions in which the virus flourishes, grows and infects the human body. The same can be said for ransomware and, indeed, any cyber-threat. How can you disrupt infection? How can you cut off the head, rather than the arms?
Time to grow up
Ransomware – along with other ever more frequent attacks – contributes to a menacing evolution in cyber-crime threatening national security and even the delicate fabric that holds our societies together. When governments and their citizens see campaigns like WannaCry causing global chaos in a matter of hours, they become afraid. It's not even a case of whether these threats are particularly sophisticated from a technical point of view; it's the impression that they are sophisticated that makes people and governments afraid. And a fearful society reacts irrationally, often with very negative consequences.
This is where we as security professionals need to step up, as one. We need to stop focusing solely on those bits and bytes and think about outreach, engagement and education. We need to collaborate more broadly with other domains and reframe our role in society as teachers, diplomats, philosophers and – most importantly – policy influencers. This is the only way we can create the conditions to snuff out cyber-crime like ransomware – just as society successfully combated infectious diseases like cholera and typhoid many years ago – but without offending principles like freedom and privacy that the Internet still promises.
From CISOs down, we need to show rational and reasonable leadership to ensure that governments and society do the right thing – but crucially not at the cost of those internet freedoms we all now take for granted, that have done so much to advance society.
Taking on this challenge won't be easy: there are no silver bullets in cyber-space. But if we grasp this opportunity, we could achieve great things and transform how others view our industry for good.
- Contributed by Charl van der Walt, chief security strategy officer, SecureData

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.