by John Bandler
Ransomware is an innovative scheme within the cybercrime-for-profit economy that has caused vast destruction to governments, organizations, and individuals. Let’s explore what ransomware is, how it fits within that criminal economy, the role of virtual currency, and how to prevent and investigate it.
Ransomware - a criminal mixture
Ransomware is a mix of malware, ransom, and encryption. Malware is malicious software, an application programmed to do something harmful. Ransomware is a specific type of malware designed to induce the victim to pay a ransom in return for a code to unlock encrypted data.
Encryption is an important and powerful tool that has been around for thousands of years, starting with the Caesar cipher. Encryption is a process that scrambles data so that it cannot be read unless it is decoded with a secret key. In today’s information age, encryption is essential for many purposes, including keeping our information confidential, and some laws and regulations even require encryption of certain data to protect it from cybercriminals. With ransomware, criminals weaponize encryption: they lock up the victim’s data and demand a ransom in exchange for the key to decrypt it. In sum, ransomware infects the victim’s computer, encrypts the victim’s data, and then demands payment of the ransom in exchange for the decryption key. It has disabled local governments, hospitals, and all types of organizations.
Ransomware and the cybercrime economy
Ransomware should be understood in the context of the cybercrime economy, a capitalistic system of thieves and criminals seeking to profit from theft and fraud. Like any capitalistic system, it has many participants, each with different abilities and skills, all attempting to profit at the expense of victims. Ransomware generates profit by exploiting the value of the data to the victim: the victim might be willing to pay money to regain access to their own data. Under this scheme, the cybercriminal’s workload is streamlined: distribute the malware, receive payments, and distribute the decryption keys. Even within the ransomware ecosystem, this work can be divided among different criminals.
In contrast, much of the cybercrime economy initially developed around the theft of data and its subsequent exploitation for follow-on crimes such as identity theft. Stolen data has value because criminals can later use it to commit theft. The data can therefore generate profit for the cybercriminal, but only after the cybercriminal expends further effort to realize that value.
As a further comparison, consider a third value proposition for criminals: blackmail. Some victims might be willing to pay to prevent the release of confidential information, as seen in certain sextortion-type schemes.
All of the above ties in with the fact that most cybercrime is for profit. Understanding value and its transfer is essential for comprehending cybercrime activity and how to investigate and reduce it.
Ransomware has been around for a while, but only recently has it become scalable and profitable for cybercriminals. Malware delivery can be automated, and criminals only need a small success rate. The ransom can be collected with relative ease and anonymity thanks to virtual currency such as bitcoin, plus sophisticated money laundering techniques.
Prevention of ransomware
An ounce of ransomware prevention is worth pounds of cure. Prevention includes:
- Back up data
- Ensure the backup can be recovered (test it)
- Protect the backup
- Prevent malware infections
- Improve cybersecurity
Organizations need a comprehensive cybersecurity program, which could start with Bandler's Four Pillars of Cybersecurity. They need a broad plan to attain and exceed "reasonable security", and that plan of course includes backing up data and preventing malware.
For everyone, the key is preparation, avoiding malware in the first instance, and being prepared to recover and restore data if infected. My first book Cybersecurity for the Home and Office outlines my four pillars of cybersecurity, including knowledge and awareness, securing devices, securing data, and securing networks and internet access. We try to prevent malware by keeping devices malware free, running periodic scans, and being safe with email and web surfing. We must make periodic backups of data, store those backups securely, and be sure we can restore those backups if ransomware (or other disaster) should strike. Where backups cannot be restored, the decision to pay the ransom is a difficult one. Paying ransom makes the crime lucrative and successful for thieves, and ensures it will be repeated.
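The three backup items above (make the backup, test that it restores, protect it) are easy to state and easy to skip. The following Python script is an added illustration, not code from the article or its author: it backs up a directory into a compressed tar archive, records a SHA-256 manifest of every file, marks the archive and manifest read-only as a token protection step, and then proves the backup is usable by restoring it into a scratch directory and re-hashing every file against the manifest. It also shows the failure mode the "test it" step exists for: a truncated copy of the archive is reported as unrestorable rather than discovered to be useless after an incident. All paths, sample files and function names are constructed for the example.

```python
"""Back up a directory, record a SHA-256 manifest, protect the archive, and
prove the backup restores. Added illustration; every path and sample file
below is constructed, not taken from the article."""
from __future__ import annotations

import hashlib
import json
import shutil
import stat
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under `root` (relative POSIX-style path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_for(archive: Path) -> Path:
    """The manifest lives beside the archive, e.g. docs.tar.gz.manifest.json."""
    return Path(str(archive) + ".manifest.json")


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Write a gzip tar of `source` plus a manifest, then mark both read-only.
    The chmod is only a token 'protect the backup' step; the real goal is
    storage the production system cannot overwrite (offline or immutable)."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            tar.add(p, arcname=p.relative_to(source).as_posix(), recursive=False)
    manifest_for(archive).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    for p in (archive, manifest_for(archive)):
        p.chmod(stat.S_IRUSR | stat.S_IRGRP)
    return manifest


def verify_restore(archive: Path) -> tuple[bool, list[str]]:
    """Restore into a scratch directory and compare every file with the manifest.
    Returns (ok, problems); any failure to extract counts as an unusable backup."""
    problems: list[str] = []
    try:
        expected = json.loads(manifest_for(archive).read_text())
    except (OSError, ValueError) as exc:
        return False, [f"manifest unreadable: {exc}"]
    with tempfile.TemporaryDirectory() as scratch:
        scratch_path = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(scratch_path, filter="data")
                except TypeError:  # Python without the `filter` argument
                    tar.extractall(scratch_path)
        except Exception as exc:  # truncated/corrupt archives raise several types
            return False, [f"archive unreadable: {exc}"]
        actual = build_manifest(scratch_path)
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing after restore: {rel}")
        elif actual[rel] != digest:
            problems.append(f"hash mismatch after restore: {rel}")
    for rel in sorted(actual.keys() - expected.keys()):
        problems.append(f"unexpected file in restore: {rel}")
    return not problems, problems


def demo() -> tuple[bool, bool]:
    """Constructed end-to-end run: (good backup verifies, damaged backup verifies)."""
    with tempfile.TemporaryDirectory() as work:
        work_path = Path(work)
        source = work_path / "documents"  # constructed sample data
        (source / "finance").mkdir(parents=True)
        (source / "notes.txt").write_text("quarterly planning notes\n")
        (source / "finance" / "ledger.csv").write_text("date,amount\n2022-04-01,100\n")

        archive = work_path / "documents.tar.gz"
        create_backup(source, archive)
        good_ok, _ = verify_restore(archive)

        # Simulate a damaged backup: a truncated copy of the archive.
        bad = work_path / "documents-damaged.tar.gz"
        shutil.copyfile(archive, bad)
        shutil.copyfile(manifest_for(archive), manifest_for(bad))
        with bad.open("r+b") as f:
            f.truncate(bad.stat().st_size // 2)
        bad_ok, _ = verify_restore(bad)

        # Hand the write bit back so the scratch directory cleans up on any OS.
        for p in work_path.rglob("*"):
            if p.is_file():
                p.chmod(stat.S_IRUSR | stat.S_IWUSR)
        return good_ok, bad_ok
```

Calling demo() returns (True, False): the intact backup restores with every hash matching, and the truncated copy fails verification. The restore test is the part most organizations skip; a backup that has never been restored is an assumption, not a safeguard. The read-only bits are a reminder, not a protection: a backup reachable and writable from the system that gets infected can be encrypted along with everything else, which is why the "protect the backup" item means offline or otherwise isolated storage.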
We need government to investigate and prosecute
Every organization and individual needs to consider the risks they face from cybercrime and make informed decisions about improving their cybersecurity and complying with laws and regulations. That said, we should remember that building higher and thicker walls alone will not stop attackers; it induces them to innovate further. Crime for profit requires a risk analysis by the criminal: what are the chances of getting caught, and with what potential consequences?
Unfortunately, cybercrime prosecutions are still too few and far between, allowing many of these cybercriminals to act with relative impunity. All sectors need to improve their response, and that’s why I co-authored Cybercrime Investigations. Law enforcement is the only sector with the ability to apprehend criminals and bring the criminal justice system to bear, so law enforcement investigation of ransomware is essential. That means investigating the delivery mechanisms for ransomware, following the money, and developing intelligence on the criminals perpetrating these frauds.
Following the money is essential for all profit-motivated crimes, but especially for cybercrime, where attribution of cyber conduct is especially challenging. We need appropriate attention from all levels of government to investigate and apprehend cybercriminals. We also need our federal government to use its wide range of powers and options to encourage and pressure other nations to do their part to prevent and address cybercrime.
Summing up my main thoughts
To protect against ransomware, prepare and plan with a cybersecurity program and an incident response plan. Make backups, store them securely, and improve individual and organizational cybersecurity.
More broadly (I will move this to another article on addressing cybercrime someday), cyber threats come from two main places:
- Cybercrime for profit – many independent actors and groups
- Nation states – for a variety of motives and reasons
(Of course, cyber threats also come from sources other than these two.)
There are three things we need to better address cybercrime:
- Better cybersecurity, for all organizations and individuals
- Improved cybercrime investigation
  - By our governments at all levels, but with emphasis on improving the capacity of state and local cybercrime investigation
  - By the private sector too
- Reliable deterrence and consequences for all cyber attackers. This job falls to federal, state, and local government (not the private sector).
This is a brief summary with some simplifications, attempting to bring complex subject matter to all readers in an understandable and accessible manner. It is not legal advice nor consulting advice, and is not tailored to your circumstances.
If your organization needs help with improving cybersecurity, creating or improving your policies, complying with cybersecurity related laws and regulations, contact me. Good policies are an important part of cybersecurity, along with Bandler's Four Pillars of Cybersecurity.
References
- Ransomware and your business, by John Bandler, Westchester & Fairfield County Business Journals, November 18, 2021, https://westfaironline.com/142669/ransomware-and-your-business/
- FinCEN Advisory FIN-2020-A006, Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments (October 1, 2020), https://www.fincen.gov/sites/default/files/advisory/2020-10-01/Advisory%20Ransomware%20FINAL%20508.pdf (FinCEN is the U.S. Financial Crimes Enforcement Network, part of the Department of the Treasury, and is a financial intelligence agency)
- OFAC Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (September 21, 2021), https://home.treasury.gov/system/files/126/ofac_ransomware_advisory.pdf (OFAC is the Office of Foreign Assets Control, part of the Department of the Treasury, and administers trade sanctions)
This article is hosted at https://johnbandler.com/ransomware and is about a priority cybercrime threat. Copyright John Bandler, all rights reserved.
This article is also available on Medium.com at https://johnbandler.medium.com/ransomware-4799508bc678 (though not updated as frequently and without the references).
Originally posted 1/22/2020. Last updated 04/09/2022.