Ransomware by John Bandler
Ransomware is an innovative scheme within the cybercrime-for-profit economy that has caused vast destruction to governments, organizations, and individuals. Let’s explore what ransomware is, how it fits within that criminal economy, the role of virtual currency, and how to prevent and investigate it.
Ransomware is a mix of malware, ransom, and encryption. Malware is malicious software, an application programmed to do something harmful. Ransomware is a specific type of malware designed to induce the victim to pay a ransom in return for a code to unlock encrypted data.
Encryption is an important and powerful tool which has been around for thousands of years, starting with the Caesar Cipher. Encryption is a process that encodes data, scrambling it so that it is not readable unless it is decoded with a special key. In today’s information age, encryption is essential for a variety of purposes, including keeping our information confidential. Some laws and regulations even require encryption for certain data to protect it from cybercriminals. With ransomware, criminals weaponize encryption to lock up the victim’s data and demand a ransom in exchange for the code to decrypt the data. In sum, ransomware infects the victim’s computer, encrypts the victim’s data, and then demands payment of the ransom in exchange for the code. It has disabled local governments, hospitals, and all types of organizations.
Ransomware should be understood in the context of the cybercrime economy, a capitalistic system of thieves and criminals seeking to profit from theft and fraud. Like any capitalistic system, there are many participants, each with different abilities and skills, and all attempting to profit at the expense of victims. Ransomware exploits the value of the data to the victim to generate profit. The victim might be willing to pay money to regain access to their own data. Under this scheme, the cybercriminal’s workload is streamlined: distribute the malware, receive payments, and distribute the decryption keys. Even within the ransomware ecosystem, workloads can be divided.
In contrast, much of the cybercrime economy initially developed around the theft of data and its subsequent exploitation for follow-on crimes such as identity theft. Stolen data has value because it can later be used by criminals for crimes of theft. Thus, the data has value for use by the cybercriminal, it can generate profit, though the cybercriminal must expend effort to fully obtain this value.
As a further comparison, consider a third value proposition for criminals — blackmail. Some victims might be willing to pay to prevent the release of confidential information, as seen in the prevalent sextortion-type schemes.
All of the above ties in with the fact that most cybercrime is for profit. Understanding value and its transfer is essential for comprehending cybercrime activity and how to investigate and reduce it.
Ransomware has been around for a while, but only recently has it become scalable and profitable for cybercriminals. Malware delivery can be automated, and criminals only need a small success rate. The ransom can be collected with relative ease and anonymity thanks to virtual currency such as bitcoin, plus sophisticated money laundering techniques.
Prevention of ransomware is worth pounds of cure. For organizations, this starts with a comprehensive cybersecurity program. For everyone, the key is preparation, avoiding malware in the first instance, and being prepared to recover and restore data if infected. My first book Cybersecurity for the Home and Office outlines my four pillars of cybersecurity, including knowledge and awareness, securing devices, securing data, and securing networks and internet access. We try to prevent malware by keeping devices malware free, running periodic scans, and being safe with email and web surfing. We must make periodic backups of data, store those backups securely, and be sure we can restore those backups if ransomware (or other disaster) should strike. Where backups cannot be restored, the decision to pay the ransom is a difficult one. Paying ransom makes the crime lucrative and successful for thieves, and ensures it will be repeated.
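The backup advice above only works if the restore is actually checked. The following is an added illustration, not code from the article or its author: it records a hash manifest of the data at backup time and later verifies a restored copy against it, flagging files that are missing or whose contents no longer match (which is exactly what a ransomware encryption pass leaves behind). The directory layout and file contents are constructed for the demo.

```python
"""Verify that a restored backup matches what was backed up (constructed demo)."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every file under root at backup time. Store the manifest with the
    offline backup, not on the live system, so an attacker cannot alter both."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest; report missing and altered files."""
    missing, altered = [], []
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_of(p) != digest:
            altered.append(rel)
    return {"ok": not missing and not altered, "missing": missing, "altered": altered}


def demo() -> dict:
    # Constructed sample data: a small "live" directory with two files.
    with tempfile.TemporaryDirectory() as d:
        live = Path(d) / "live"
        live.mkdir()
        (live / "ledger.csv").write_text("id,amount\n1,100\n")
        (live / "notes.txt").write_text("quarterly notes\n")
        manifest = build_manifest(live)
        good = verify_restore(live, manifest)          # untouched copy passes
        # Simulate damage: one file overwritten with unreadable bytes, one deleted.
        (live / "ledger.csv").write_bytes(os.urandom(32))
        (live / "notes.txt").unlink()
        bad = verify_restore(live, manifest)           # damaged copy is flagged
        return {"good": good, "bad": bad}
```

Run the same check against a real test restore on a schedule; a backup that has never been restored is an assumption, not a plan.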
Every organization and individual needs to consider the risks they face from cybercrime, and make informed decisions about improving their cybersecurity and complying with laws and regulations. That said, we should remember that building higher and thicker walls will not stop the attackers, but merely induce them to innovate further. Crime-for-profit requires risk analysis by the criminal—what are the chances they will get caught, and with what potential consequences? Unfortunately, cybercrime prosecutions are still too few and far between, allowing many of these cybercriminals to act with relative impunity. We need improved cybercrime investigations by all sectors, and that’s why I co-authored a book on the topic. Law enforcement is the only sector with the ability to apprehend criminals and bring the criminal justice system to bear, so its investigation of ransomware is required. This means investigating the delivery mechanisms for ransomware, following the money, and developing intelligence on the criminals perpetrating these frauds. Following the money is essential for all profit-motivated crimes, but especially for cybercrime, where attribution of cyber conduct is especially challenging. We need appropriate attention from all levels of government to investigate and apprehend the cybercriminals. We also need our federal government to use its wide range of powers and options to encourage and pressure other nations to do their part to prevent and address cybercrime.
How does an organization protect against ransomware? Backups are essential. Backing up data is part of a broader plan to attain and exceed "reasonable security". I recommend following Bandler's Four Pillars of Cybersecurity (my own framework), having a cybersecurity policy and an incident response plan, following them, and looking for continual improvement.
Summing up my main thoughts:
Cyber threats come from two main places:
- Cybercrime for profit – many independent actors and groups
- Nation states – for a variety of motives and reasons
Three things we need:
- Better cybersecurity, for all organizations and individuals
- Improved cybercrime investigation (especially by our governments at the federal, state, and local levels, but also by the private sector)
- Reliable deterrence and consequences for all cyberattackers. This job falls to federal, state, and local government (not the private sector)
This is a brief summary with some simplifications, attempting to bring complex subject matter to all readers in an understandable and accessible manner. This article is for myself, students, clients, potential clients, and anyone else in need of information. It is not legal advice nor consulting advice, and is not tailored to your circumstances.
If your organization needs help with improving cybersecurity, creating or improving your policies, complying with cybersecurity related laws and regulations, contact me. Good policies are an important part of cybersecurity, along with Bandler's Four Pillars of Cybersecurity. Sometimes individuals need help with cybersecurity and investigations too.
This article is hosted at https://johnbandler.com/ransomware and is about a priority cybercrime threat.
This article is also available on Medium.com at https://medium.com/@johnbandler/ransomware-4799508bc678 (though perhaps not updated as frequently).
Originally posted 1/22/2020. Last updated 7/16/2021.