The European Cybercrime Centre (EC3) of Europol, the European law enforcement agency, is driving a new public/private initiative that, according to the Washington Post, “may offer a glimmer of hope for victims” of ransomware.
No More Ransom is the campaign’s motto. As nice as that would be, I think the slogan and the site promote a false sense of security.
I’d call it feel-good activism. Here’s why:
In its Midyear Cybersecurity Report, Cisco warns that ransomware is now “the most profitable malware type in history.” Widespread ransomware attacks against individuals, businesses and critical infrastructure providers have reached record levels in the first half of this year.
The new initiative’s goal is to help victims of ransomware retrieve their encrypted data without having to pay the criminals. For that purpose, the No More Ransom site offers a selection of decryption tools developed by IT security professionals to unlock the files that have been taken hostage by the extortionists.
Sure, raising the level of threat awareness about this scourge certainly cannot hurt. And the tools offered on the No More Ransom website may even help a few users regain access to their encrypted data, without paying a ransom to criminals.
A “few” users being the watchword here. This is not a serious approach to combatting ransomware. It amounts to a capitulation, in my view.
To me, this looks like putting on your helmet after you’ve had the crash. The “helmet” here being a secure browser, which would protect the user against all web-borne threats - including, but not limited to, ransomware - from the get-go.
Here’s what I’m getting at: Regular (non-secure) browsers have become the primary attack vector for ransomware attacks because they fetch code from the web and process it on the local computer. This opens the door for ransomware to infiltrate individual computers, spread through enterprise networks, and start encrypting data. To the user, it’s just a simple click on a link. To the browser, it’s a command to execute a payload.
The local browser’s security weakness, made worse over the years by exploits of Flash, Java and other add-ons, is as old as the web (and ransomware, btw).
What’s new is that sophisticated “Ransomware-as-a-Service” distribution tools now enable criminals to exploit this vulnerability of the local browser on an industrial scale - as outlined in the Cisco report. And that’s just the beginning:
“On the horizon: faster and more effective propagation methods that maximize the impact of ransomware campaigns and increase the probability that adversaries will generate significant revenue.”
With a grim outlook like this, the “solutions” suggested on the No More Ransom site seem even more questionable to me.
Three reasons why No More Ransom remains an empty promise
- The extortionists already have a steady and widening stream of ransomware profits to reinvest. It won’t take long before they move on to encrypting files with methods for which the No More Ransom decryption tools are no match.
- The resulting encryption / decryption arms race doesn’t address or solve the underlying issue. Instead, just like traditional antivirus software, the No More Ransom model will perpetuate the scheme, with the bad guys always a step ahead.
- Speaking of AV tools - they rank 2nd (after “Back up! Back up! Back up!”) on the campaign’s “Prevention Advice” list, as in: “Use robust antivirus software.” What’s robust, you ask? Good question.
Here’s one answer: A study presented at this year’s Network and Distributed System Security Symposium found that all AV products examined by the researchers make accessing the web less secure.
On its website, the No More Ransom campaign concedes that “it is much easier to avoid the threat than to fight against it once the system is affected.”
So why rely on a historically disproven remedy?
Instead, let’s remove the primary attack vector - the browser - from the local computer. Only a secure browser that insulates the local computing device and network from the web, by processing all content in a secure container in the cloud, will protect users against ransomware web exploits - including (future) ones not covered by the No More Ransom website.
Secure browser helps users prevent ransomware infections
Silo provides a perfect shield from ransomware-infected websites and booby-trapped web or email links. When users access the internet, all content - web pages, audio, video, downloadable files - stays in a secure remote container.
Through an encrypted connection, only the display of the web session gets through to the user - essentially, pixels instead of code. At the same time, Silo provides the same rich web and webmail experience as local browsers, but with perfect insulation from the bad stuff.
So even if users click the wrong link while browsing the internet: with Silo, there are no more ransomware worries.
Instead of empty activism and hoping for the best after the fact, let’s aim for prevention. “No More Ransom” sounds good, but does little to console the (future) victims who won’t be helped by the decryption keys offered on the site.
Let’s aim higher than “no more ransom.” Let’s go for “no more ransomware” instead.
About the author: Gerd Meissner writes, edits, and manages content at Authentic8.