What’s your prediction, and why?
Yes, predicting the future of cyber crime may be a bit of a “fool’s errand” (Richard Caplan). But ransomware is not a new phenomenon; it’s been around since 1989, as Jake Olcott points out below.
In spite of such a long history of mayhem, ransomware is more prevalent than ever. So we asked information security industry thought leaders, analysts and observers to extrapolate, and received a wide range of responses for this installment of our "InfoSec Luminary Lineup" series of blog posts.
27 years after ransomware made its first appearance, the internet weaknesses and vulnerabilities that allowed it to flourish are now exploited on an industrial scale by criminals. As an industry, could we look more foolish?
Granted, as Dave Strom writes below: “human nature is always exploitable.” But let’s at least learn from the past (or we will be condemned to repeat it). That seems to be what Pete Kofod has in mind when he advocates more “intuitive solutions”.
Judging from our experts’ responses, virtualization and containment in the cloud will play an important role in eradicating or at least reducing the ransomware threat by 2020. Or, to sum it up in Tom Pageler’s words:
“Ransomware will continue to be a threat in 2020; however those who move to cloud based storage and SaaS applications will likely see less of an impact.”
“More insidious and more difficult to detect” (Dave Strom)
Yes. As long as there is an economic incentive to penetrate networks, it will still be around, only more insidious and more difficult to detect and remove.
The problem is not the networks, but the people who use them, and they will remain our biggest vulnerability. Human nature is always exploitable!
David Strom (Twitter: @dstrom) is one of the leading experts on network and Internet technologies and has written and spoken extensively on topics such as VOIP, convergence, email, cloud computing, network management, Internet applications, wireless and Web services for more than 25 years.
“Important to develop intuitive solutions” (Pete Kofod)
Ransomware is very much here to stay. First and foremost, ransomware should not be considered a technology threat; rather it is a criminal tactic that exploits any set of endpoint vulnerabilities.
The age-old crimes of theft, fraud and extortion have merely found new homes in cyberspace. It is important to note that criminal enterprises require the ability to anonymize and subsequently launder their ill-gotten gains.
This involves operating in cash, making online analogies to traditional property crimes difficult. Certainly credit card fraud has been a key factor, but often those losses are borne by financial institutions. The real game changer has been the advent of crypto-currencies, in particular Bitcoin.
With Bitcoin, cyber criminals are now in a position to engage in traditional extortion schemes against end users. Unlike banks, which team with highly motivated law enforcement agencies to discourage financial crimes, end users often have little recourse in recovering lost data. Pay up or else.
Ransomware will continue to plague consumers and businesses relying on most endpoint computing platforms for the foreseeable future and it is important that industry develops intuitive solutions.
These solutions include disaster recovery solutions, data and computing isolation solutions such as Authentic8 Silo, compelling training and awareness for the broader population, as well as continuous technical and law enforcement prosecution of malfeasance.
Pete Kofod (LinkedIn: https://www.linkedin.com/company/the-sixth-flag) is the co-founder and CEO of The Sixth Flag, Inc. Pete has served in the Information Technology field in various leadership positions for over twenty years, including as President of Datasages Consulting Group. Prior to entering the commercial IT sector, Pete served as a United States Army officer, serving as a platoon leader and Detachment Commander as well as a staff officer.
“Malware authors will continue to develop their techniques” (David Mirza)
Ransomware is an endpoint security problem that disproportionately affects individual users and small-to-medium sized organizations, and I believe it will be a nuisance for years to come.
Distinguishing malicious software from non-malicious software running on an end-user computer system is a fundamentally difficult problem. Anti-virus and host-based security solutions will always be reactive and one step behind the malware authors for as long as users run programs and store files on their computers.
Larger organizations can manage the data loss risk ransomware poses through backup infrastructure, and offer support staff to identify, stop, and recover from workstation or laptop infections.
Individuals and small-to-medium sized organizations may not have these resources, or they may be ad-hoc, increasing their risk of having to face the choice of paying the ransom or suffering unrecoverable data loss if there is an infection.
Cloud-based storage is improving the back-up situation for individuals and small organizations, but malware authors will continue to develop their techniques correspondingly to target user credentials to get at stored data.
Encrypted backups and user lock-outs could be the future of this type of malware, and it remains to be seen how cloud storage vendors can help produce mechanisms to help affected users in a way that scales to the massive consumer user base.
In any case, it's fundamentally important to help secure the endpoint to make sure that the malware doesn't run in the first place.
One way to do this is to isolate the applications that most often expose the user to infection: web browsing and email.
David Mirza (Twitter: @attractr) is the founder of Subgraph, an open source security company working on an adversary resistant computing platform called Subgraph OS. David also moderated the Bugtraq mailing list, a historically important forum for discussion of security vulnerabilities, for over four years. He has spoken at Black Hat, CanSecWest, AusCERT and numerous other security conferences, as well as made contributions to books, magazines and other publications.
“Users who migrate to cloud based solutions would be harder to attack” (Tom Pageler)
Ransomware will continue to be a threat in 2020; however those who move to cloud based storage and SaaS applications will likely see less of an impact.
Ransomware works by infecting local systems and encrypting the user’s content and holding the keys to the encrypted data hostage. Users who migrate to cloud based solutions would be harder to attack with ransomware, as the fraudster would have to encrypt all versions of documents and storage backups in order to be effective.
If a fraudster encrypted my hard drive, I have everything locked up. Going to my multiple online storage and software applications would be more cumbersome and difficult. If one version did get encrypted, I likely could retrieve an early saved version, thus the impact would not be as great.
2020 may see a shift by fraudsters toward targeting SaaS and cloud providers. We may see large scale attacks where all servers for a SaaS or cloud provider are encrypted and impact multiple users.
This likely would be a productivity impact as server backups would exist; however, some data could potentially be lost.
These larger providers may pay the ransom in order to not deal with the costly and time-consuming backup restore.
Tom Pageler (LinkedIn: https://www.linkedin.com/in/tom-pageler-5ab3251) is Chief Risk Officer and Chief Information Security Officer, Neustar, where he leverages more than 15 years of security and risk management. Prior to Neustar, Pageler served as CRO and CISO at DocuSign, where he designed, implemented and managed its successful enterprise risk and security departments. Prior to DocuSign, Pageler served as Deputy CISO, JPMorgan Chase, and before that as Head of Risk Assessments and Director of Emerging Risk and Fraud Control, Visa.
“SMBs will bear the brunt” (Mike Baukes)
As long as we don't have appropriate detective controls in place that are easy enough to use and fast enough to respond to, the nature of these threats will continue to escalate.
The really unfortunate side effect is that more often than not the small to medium businesses will be the ones to bear the brunt.
Technologies like disposable browsers (Authentic8 is a great example) will go a very long way to protecting the majority of businesses like this.
As these threats escalate, it's only a matter of time before the ransomware capabilities extend deeply into the enterprise. Expect larger companies to fall prey to increasingly sophisticated threats in the future.
“On pace to be a $1 billion crime” (Richard Caplan)
Asking for tech predictions about what will be happening four years from now is something of a fool’s errand. Asking people, in June 2005, what the value of Myspace would be in four years would likely not have yielded the best insights.
But ransomware is based on a simple concept: taking something of value away from someone, and keeping it until they give something (usually money) in return.
Society hasn’t been able to stop that type of behavior in all sorts of criminal contexts having nothing to do with the computer. That being the case, as the question is whether ransomware will “still [be] a threat” in 2020, it’s hard to see how it can’t.
Especially in light of the fact that it’s on such an upswing at the moment, on pace, according to FBI data, to be a nearly $1 billion crime this year.
Have we hit peak ransomware? That’s a harder question. The answer: not likely.
Richard B. Caplan (LinkedIn: https://www.linkedin.com/in/richard-caplan-bb4966b1) is a litigation associate with LeClairRyan in the firm’s Atlanta office. Richard practiced law in New York City for five years and clerked in Washington, D.C. for Judge Robert L. Wilkins on the United States District Court for the District of Columbia and then in Atlanta for Judge Beverly B. Martin on the United States Court of Appeals for the Eleventh Circuit.
“May be an even greater threat in 2020” (Jake Olcott)
Though ransomware has evolved in complexity and scale in recent years, infecting large and small organizations alike, it is not necessarily new. In 1989, the “AIDS Trojan” - circulated on old-fashioned floppy disks - hid file directories and encrypted the names of all files on a hard drive.
Today’s ransomware attacks are relatively “quick-wins” for attackers: once they successfully lock an organization’s files, they typically demand a modest ransom and move on and repeat the process. As organizations harden their defenses, encrypt their files, and deploy advanced backup systems, the successful ransomware attacks we see today should decrease in frequency.
However, hackers always adapt, and new forms of ransomware may be an even greater threat in 2020 than it is today.
It is easy to imagine a more sophisticated ransomware attack that pinpoints the most critical data for organizations, leading to even greater catastrophic data loss and business disruption than we have seen in the last few years. Ransomware will still be a threat in 2020: it may be less pervasive, but it may also be more costly for organizations.
Jacob Olcott is the Vice President of Business Development at BitSight Technologies, a security ratings organization. He served as legal advisor to the Senate Commerce Committee and also served as counsel to the House of Representatives Homeland Security Committee.