Mikko Hypponen has had a front-row seat to the evolution of cybercrime during his 30-year career with F-Secure and now WithSecure, starting with email viruses and worms, to the development of phishing and banking malware, all the way to today’s relentless corporate ransomware attacks, which began in force a decade ago.
Ransomware is arguably the biggest threat facing enterprises, including those in critical infrastructure sectors such as manufacturing, utilities, and healthcare. Even within ransomware as a threat, there’s been a rapid progression of capabilities during the past 10 years. The earliest samples locked down computers and there were nominal demands for ransoms to be delivered via prepaid credit cards and the like. This was before Cryptolocker in 2013, which was distributed by the Zeus botnet and demanded payments in Bitcoin.
“It’s almost impossible to remember anymore how different the ransomware problem was back then,” Hypponen said during his appearance on the Claroty Nexus podcast, recorded during the RSA Conference. “All of the early Bitcoin-enabled ransomware cases were all targeting home users. This was a consumer problem; none of those were hitting companies.”
Rather than encrypting corporate documents and critical servers and endpoints, Cryptolocker and other early ransomware families harassed home users, encrypting their personal photos and locally stored documents in exchange for nominal ransom demands.
That quickly changed, Hypponen said, once criminal elements saw the potential profits in infecting corporations in 2014 and beyond. Using cryptocurrency such as Monero and others for remittance gave criminals a measure of anonymity, and cybercrime was off to the races. Before long, ransomware-as-a-service surfaced, turning malware development and distribution into a multi-million dollar business for some gangs and their affiliates.
Eventually, extortion was added to the equation as threat actors combined data theft with ransomware, enabling them to demand exorbitant ransoms from victims in targeted industries where uptime and availability are paramount. Victims faced with the stressful decision of whether to pay or recover from backups often decided that the quickest route to preventing costly and embarrassing data leaks, and to recovering their data, was to meet the ransom demand.
There is some light. Ransomware has forced organizations to improve security hygiene, in particular by keeping regular, available, encrypted backups so they can recover quickly from a known good state. Organizations are also sharpening risk management and incident response, and are learning from attacks across the industry in which weak authentication or lax exposure management served as the initial entry point for ransomware.
In the end, however, victims are going to have to weigh paying a ransom demand to recover systems and data against the advice of law enforcement and security experts who are adamant that paying ransoms only funds these criminal gangs to continue spreading and developing this threat.
“I always tell (victims) ‘Don’t pay the ransom, it’s only going to make the problem worse for everybody.’ But of course, entities I’ve given this advice to haven’t followed it and have paid the ransom. And I understand that,” Hypponen said. “I don’t recommend it, but I understand it.”
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.