Ransomware is a relatively new type of cybersecurity threat. It amounts to an attacker taking and encrypting your valuable data, and then charging you to decrypt it. The idea came about 10 years ago, as a theoretical concept called “cryptovirology”. Although the idea is not new, it has only become a real threat in recent years. The economics of ransomware are different from those of the threats we have seen before it, and these new economics give hope to cyber-defenders hoping to combat it successfully.
First, there is money in trafficking ransomware. The criminal usually demands to be paid in bitcoin to decrypt. Bitcoin fits this need perfectly; it is hard to trace and easy to launder. In terms of US dollars, the amounts demanded were in the low hundreds, but are steadily climbing higher; some estimate that $1 billion USD will be paid in 2016. Compare that to spam botnets, where criminals make pennies per bot, and where the actual income from spam email click-throughs has plunged to almost nothing. If there’s money to be made, criminals will focus on the most effective method with the highest payout. Today that happens to be ransomware.
Second, the business of ransomware is scalable. When a new tool becomes available in the hacker market, criminal organizations mount campaigns, just like sales and marketing departments all around the world advertising their product. Much like a successful commercial, each of these campaigns continues as long as it makes money. If a threat is widespread and therefore scalable, then the defense against it becomes scalable, too. There are enough artifacts to study the campaigns effectively and build defenses that are based on the behavior of the campaign, not the specific signatures used. This behavioral defense is more sustainable and can limit the life of ransomware campaigns.
Third, ransomware, surprisingly, relies on open source. Ransomware has started to appear in GitHub repositories, where it is modified by other hackers to create new variants. While this may sound scary, compare it with another threat of past years: zero-day exploits that were secretly developed and may have been possessed by only a few actors around the world. If hackers have access to open source, then security product developers have access to it as well. For those who are active members of the open source community, this puts the cyber-defender on a more even footing.
Ransomware represents a new combination of economic factors in a cybersecurity threat. The revenue stream is more direct: from the consumer to the criminal, with no middlemen. It operates on a larger scale and it does not rely as much on inputs that are in limited supply. This attracts a lot of attention and innovation from the malware community, but it also gives security products a chance for strong innovation.
As Chief Data Scientist at JASK, I study the network behavior and tools of ransomware to better defend companies against a dominant threat in cybersecurity today.