No More Ransom? Activism Won’t Prevent Ransomware.


The European Cybercrime Centre (EC3) of Europol, the European law enforcement agency, is driving a new public/private initiative that, according to the Washington Post, “may offer a glimmer of hope for victims” of ransomware.

No More Ransom is the campaign’s motto. As nice as that would be, I think the slogan and the site promote a false sense of security.

I’d call it feel-good activism. Here’s why:

***

In its Midyear Cybersecurity Report, Cisco warns that ransomware is now “the most profitable malware type in history.” Widespread ransomware attacks against individuals, businesses and critical infrastructure providers have reached record levels in the first half of this year.

The new initiative’s goal is to help victims of ransomware retrieve their encrypted data without having to pay the criminals. For that purpose, the No More Ransom site offers a selection of decryption tools developed by IT security professionals to unlock the files that have been taken hostage by the extortionists.

Sure, raising the level of threat awareness about this scourge cannot hurt. And the tools offered on the No More Ransom website may even help a few users regain access to their encrypted data without paying a ransom to criminals.

A “few” users being the watchword here. This is not a serious approach to combatting ransomware. It amounts to a capitulation, in my view.

NoMoreRansom.org (screenshot) - a "glimmer of hope" for victims of ransomware?

To me, this looks like putting on your helmet after you’ve had the crash. The “helmet” here is a secure browser, which would protect the user against all web-borne threats - including, but not limited to, ransomware - from the get-go.

Here’s what I’m getting at: Regular (non-secure) browsers have become the primary attack vector for ransomware attacks because they fetch code from the web and process it on the local computer. This opens the door for ransomware to infiltrate individual computers, spread through enterprise networks, and start encrypting data. To the user, it’s just a simple click on a link. To the browser, it’s a command to execute a payload.

The local browser’s security weakness, made worse over the years by exploits of Flash, Java and other add-ons, is as old as the web (and ransomware, btw).

What’s new is that sophisticated “Ransomware-as-a-Service” distribution tools now enable criminals to exploit this vulnerability of the local browser on an industrial scale - as outlined in the Cisco report. And that’s just the beginning:

“On the horizon: faster and more effective propagation methods that maximize the impact of ransomware campaigns and increase the probability that adversaries will generate significant revenue.”

- Cisco 2016 Midyear Cybersecurity Report

With a grim outlook like this, the “solutions” suggested on the No More Ransom site seem even more questionable to me.

Three reasons why No More Ransom remains an empty promise

  • The extortionists already have a steady and widening stream of ransomware profits to reinvest. It won’t take long before they move on to encrypting files with methods for which the No More Ransom decryption tools are no match.
  • The resulting encryption / decryption arms race doesn’t address or solve the underlying issue. Instead, just like traditional antivirus software, the No More Ransom model will perpetuate the scheme, with the bad guys always a step ahead.
  • Speaking of AV tools - they rank 2nd (after “Back up! Back up! Back up!”) on the campaign’s “Prevention Advice” list, as in: “Use robust antivirus software.” What’s robust, you ask? Good question.

Here’s one answer: A study presented at this year’s Network and Distributed System Security Symposium found that all AV products examined by the researchers make accessing the web less secure.

On its website, the No More Ransom campaign concedes that “it is much easier to avoid the threat than to fight against it once the system is affected.”

So why rely on a historically disproven remedy?

Instead, let’s remove the primary attack vector - the browser - from the local computer. Only a secure browser that insulates the local computing device and network from the web, by processing all content in a secure container in the cloud, will protect users against ransomware web exploits - including (future) ones not covered by the No More Ransom website.

I suggest checking out Silo, the secure browser developed by Authentic8. Silo is used by a rapidly growing number of leading financial institutions, law firms, healthcare providers and federal agencies.

Secure browser helps users prevent ransomware infections

Silo provides a perfect shield from ransomware-infected websites and booby-trapped web or email links. When users access the internet, all content - web pages, audio, video, downloadable files - stays in a secure remote container.

Through an encrypted connection, only the display of the web session gets through to the user - essentially, pixels instead of code. At the same time, Silo provides the same rich web and webmail experience as local browsers, but with perfect insulation from the bad stuff.

So even if users click the wrong link when accessing the internet: with Silo, no more ransomware worries.

Illustration: The five phases of a ransomware attack (source: LogRhythm)

Instead of empty activism and hoping for the best after the fact, let’s aim for prevention. “No More Ransom” sounds good, but it does little to console the (future) victims who won’t be helped by the decryption keys offered on the site.

Let’s aim higher than "no more ransom." Let’s go for “no more ransomware” instead.

Check out Silo here.


About the author: Gerd Meissner writes, produces, edits, and manages content at Authentic8. Before that, he covered information technology and data security as a journalist and book author in the US and in Europe.