Ransomware Is the Bootleg Liquor of the 21st Century

Criminals are swarming to the ransomware business — and targeting you — because it’s highly profitable.

Last week, we offered a high-level overview of the malware menace known as ransomware: what it’s like to be victimized by a ransomware attack (it’s no fun to discover that your hard drive has been encrypted by a malicious program), how the criminals extort money from businesses and consumers (if you don’t pay an online ransom, you never get your files back), and how big this illegal business has become (ransomware criminals will extort $1B from victims in 2016, says the FBI).

So, how did ransomware suddenly become the biggest IT security threat of the 21st century, and why isn’t your anti-virus (AV) software able to stop it? The short answer is, “Follow the money:” Ransomware has become so widespread and tough to defeat because it’s an extremely profitable illicit business, much as bootlegging of illegal alcohol was during America’s Prohibition era. Here are a few reasons why this high-tech racket is exploding, and why you need to shore up your defenses against it:

• Malware (any software designed to disrupt, damage or steal sensitive information from computer systems) in general has evolved from its roots as a cottage industry into a much more industrialized enterprise, with production and distribution methods similar to the legitimate software industry. Writing effective malware still requires arcane programming skills and vast knowledge of hardware, operating systems, applications, networks and their defenses. But even dumb criminals can make money at the game simply by purchasing kits on the Dark Web, snapping together new viruses and distributing them with very little technical know-how. Malware in general, and ransomware in particular, has gone pre-fab. It’s like an aspiring burglar, who instead of spending years learning the fine art of lock-picking, now simply goes to a seedy flea market and buys a set of skeleton keys. Ransomware is the perfect tool for anyone who want to get into online extortion but isn’t skilled enough to write their own code.

• Today’s most popular ransomware distribution method is getting unwary users to click on malicious attachments or links in phishing emails. Other methods include embedding malware in pirated software or entertainment downloaded from BitTorrent sites; performing a drive-by download when a user visits an adult-content site or clicks on a fake online ad; exploiting unpatched vulnerabilities in server software; and distributing USB drives that bear a malware payload. You can be sure the bad guys are dreaming up new ways to infect your machines at this very minute.

• Profits from the lucrative ransomware trade – one ransomware author and distributor raked in $121M in the first nine months of 2016, according to McAfee — are being re-invested into developing new variants that are smarter at defeating IT security measures. Techniques like dormancy — going to sleep for a few days after a successful infection before firing up and running — can lull behavioral detection systems into ignoring some infections. Many species of ransomware delete “zone identifiers” that AV software uses to label the origin of a downloaded file and so decide if a new executable is safe to run. Still others will kill critical system processes to prevent AV scans, embed themselves by creating Windows registry keys and infiltrating startup files to ensure they are always executed and maintain control of the system after a reboot.

• The ransomware ecosystem includes criminals selling add-ons to other criminals to make their malware more effective. For instance, it’s now easy to buy cheap “wrapping” services on the Dark Web: for a few bucks, a black-market service provider will take your ransomware, enclose it in an obfuscating envelope that makes it appear harmless to signature-based AV scanners, and even demonstrate how it fools the dozen most popular AV programs.

• Anonymous online crypto-currencies like BitCoin have made it much easier for high-tech miscreants to collect their ill-gotten gains without fear of being tracked down through the payment system by law enforcement.

In short, ransomware has become a highly sophisticated billion-dollar software industry, full of shady entrepreneurs employing armies of skilled coders on the back end and not-so-smart breaking-and-entering artists up front. Some ransomware gangs even offer tech support via email or chat to help you figure out how to pay your BitCoin ransom online.

During Prohibition, organized criminal mobs in the US grew rapidly and got rich selling illegal liquor, despite the efforts of the FBI’s Elliot Ness and his Untouchables. The pursuit of staggering profits made the crooks much better organized, innovative and effective; despite a few high-profile successes, law enforcement simply couldn’t keep up. Similarly, ransomware developers and distributors are maintaining their lead in this new arms race against the IT security industry. Every time your security vendor builds a new wall, ransomware makers find a way to tunnel underneath it. You may not get hit by a ransomware attack next week or next month, but it is increasingly inevitable that you will get hit. There’s just too much easy money in the business, and too many online thieves eager to scoop it up.

As dire as that sounds, you can build a solid defense against the ransomware crime wave, starting with the foundation of a rigorous data protection  regimen with both local and cloud-based backups. For a look at how a Toronto-area car dealership managed to successfully evade a ransomware attack, download this case study, “Ready Honda Recovers from Ransomware with Acronis .” In future editions of this series, we’ll look in more detail at the ransomware distribution model, describe how some managed service providers  are successfully defending their customers against ransomware attacks, and show how you can build your own defense-in-depth approach to defeating ransomware. Stay tuned!