Words: Charl van der Walt, Head of Security Research – Orange Cyberdefense
Ransomware is modern piracy. Where it comes from, why we should care, and what we should do
The by-line from an eWeek article in 2012[1] read: “Rather than encrypt the entire hard drive, criminals are using fairly unsophisticated ransomware to lock a victim’s PC and then demand cash for the keys.” It was one of few early observations of the emerging new threat that was ransomware – one of the myriads of business models that cybercrime was experimenting with at the time. But the journalist ends the article with a quote: “I think it is just a temporary trend until someone finds a better idea to make money easier”.
The quote turned out to be an ironic but eerily insightful prediction. The crime, as it turns out, was anything but ‘temporary’. This form of cyber extortion has come to dominate the current security discourse, impacting thousands of businesses and costing the economy millions of dollars each month.
Ransomware is “a subset of malware in which the data on a victim’s computer is locked – typically by encryption – and payment is demanded before the ransomed data is decrypted and access is returned to the victim.”. The first malware that meets this definition was the AIDS Trojan, which targeted all delegates at the 1989 World Health Organization AIDS conference in Stockholm.
When the Bitcoin boom took hold in the mid 2010’s it signaled a surge in ransomware attacks and a shift in focus for the attackers. Cryptocurrency provided cyber criminals an easy way of being paid, and laundering that money, with very little risk.
Ransomware was put firmly in the public eye in 2017 when the WannaCry ransomware attack had a global impact. The UK’s NHS was one of the highest profile victims of WannaCry with thousands of NHS hospitals and surgeries affected and costs running to £92 million. In total computer systems in 150 countries were impacted and the total losses caused globally was estimated at $4 billion.
Fast forward to 2020 and ransomware is a well-established and highly lucrative part of the cybercrime ecosystem. In recent times several attacker groups have shifted to so-called ‘double extortion’ attacks, using ‘public’ websites that list their victims with samples of stolen data as a way of coaxing them to cave into demands.
This bold new strategy has proven to be very successful for the criminal but has also give us an opportunity to methodically track this subset of the cybercrime ecosystem. Our data shows a startling trend.
In this presentation we will tell the story of ransomware – a fascinating take of Somali pirates and East European crime lords. We will examine the current form and impact of the crime and discover why the GÉANT community should be seriously concerned about this insidious threat. Finally, we will discuss what we need to avoid being a victim, and how we should prepare if the worst unfortunately happens.
Charl van der Walt,Head of Security Research – Orange Cyberdefense
Charl van der Walt is Head of Security Research for Orange Cyberdefense, where he now leads a specialist security research unit that identifies, tracks, analyses & communicates significant developments in the security landscape that may impact customers. Previously Charl was a co-founder of SensePost – a penetration testing company that has made a mark on the industry globally for two decades. Charl and his team are globally recognised and frequently showcased at international security events such as Black Hat, RSA & BSides.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behaviour or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
