Why the Colonial Pipeline ransomware attack is a sign of things to come
Ransomware has grown fouler than ever, but it’s also grown up. The practice of using malware to encrypt files on a victim’s devices and then demanding a ransom payment for unlocking them has advanced far beyond its origins as a nuisance for individual users. These days, it’s a massively profitable business that has spawned its own ecosystem of partner and affiliate firms. And as a succession of security experts made clear at the RSA Conference last week, we remain nowhere near developing an equivalent of a vaccine for this online plague. “It’s professionalized more than it’s ever been,” said Raj Samani, chief scientist at McAfee, in an RSA panel . “Criminals are starting to make more money,” said Jen Miller-Osborn, deputy director of threat intelligence at Palo Alto Networks’ Unit 42, in another session . She added that the average ransomware payout now exceeds $300,000, fueled by such tactics as the “double extortion” method of exfiltrating sensitive data from targeted systems and then threatening to post it. That method figured in recent ransomware attacks against Colonial Pipeline and Washington, D.C.’s Metropolitan Police Department . “It’s such a lucrative business now for the criminals, it is going to take a full court press to change that business model,” agreed Michael Daniel, president and CEO of the Cyber Threat Alliance, in that panel. (Just five years ago, the $17,000 ransom reportedly paid by a compromised hospital was a newsworthy figure.) Having this much money sloshing around has given rise to networks of affiliates and brokers. Samani’s colleague John Fokker, head of cyber investigations at McAfee, explained the rise of “ransomware as a service” (“RaaS”), in which you can buy or rent exploit kits or back doors into companies. He showed one ad from an “access broker” that listed a price of $7,500 for compromised Virtual Private Network accounts at an unspecified Canadian firm. The ad vaguely described this target company as a “Consumer Goods (manufacturing, retailing, food etc…)” enterprise with about 9,000 employees and $3 billion in revenue. “The commoditization of these capabilities for the criminals makes it so easy,” said Phil Reiner, CEO of the Institute for Security and Technology, during one of the RSA panels. RSA speakers noted how often ransomware attacks start with exploitations of known, avoidable vulnerabilities. Samani called Microsoft’s Remote Desktop Protocol “the number-one most common entry vector for corporate networks related to ransomware attacks.” Fokker added that companies that use RDP often make this remote-access tool too easy to compromise, joking that RDP also means “really dumb passwords.” The pandemic has helped grease the skids further for ransomware attacks—both by requiring companies to rush into remote work and by making people a little more tempted to respond to COVID-themed phishing lures. As Samani put it, phishing is “still there, still works, people still click on links.” Two other factors make ransomware especially resistant to any suppression attempts. One is cryptocurrency enabling hard-to-trace online funds transfers. Bitcoin and other digital currencies may not be too useful for everyday transactions , but they suit the business of ransomware well Read More …