
Ransomware has become the attack du jour for cyber criminals, with successful attacks and reported payments all over the news (Brian Krebs being one of my all-time favorite resources on the topic). However, a question I have not seen answered is WHY are we seeing such an explosion? Running the Honeynet Project for ten years taught me that to defend against a threat, you have to know your threat. Understand the cyber criminal and you will understand the WHY of Ransomware.

Ransomware is nothing more than another type of malware, a tool used by cyber criminals to make money. It encrypts your files or your entire system, denying you access to your or your organization's information. The attacker then demands that you or your organization pay a ransom for the key to decrypt the files and regain access to them. The only way you can recover the files without paying the ransom is from backups. Based on what we are reading in the news, it appears a lot of organizations are not doing good backups.

So let's get back to the why: why are we seeing such an explosion of growth in the past two years? Cyber criminals, especially organized crime, are really nothing more than businesses. They deal in the world of revenue, growth and profit margins; for them it's ultimately about the bottom line. Credit card fraud has proven very profitable, but there are costs. First, there is the cost of compromising Point of Sale (POS) systems and gaining access to credit card data. Organizations are getting smarter about how to securely deploy POS networks, so it takes more work now to infiltrate those networks. Then there are the additional costs of converting the cardholder data to cash in the bank. Those steps can include printing counterfeit copies of the credit cards, organizing and hiring mules to purchase items with those counterfeit credit cards, then selling those items and converting them back to cash (a common favorite is gift cards). Another option for converting cardholder data to money is purchasing items online with the credit card data. Or, for debit cards, there is the cost of organizing and paying mules to withdraw money from ATMs. The problem with all this infrastructure is cost. Each stage and each middleman involved has a cost, and that hurts profit margins. No businessman, cyber criminals included, likes diminishing profit margins.

Now, think about Ransomware. There are no intermediary stages and there are no middlemen. The cyber criminal gets all the money directly from the victim (usually via Bitcoin). The cyber criminal infects you, you pay the cyber criminal directly, and the cyber criminal has money waiting in the bank. No middleman, no converting money - that is pure, 100% profit, and that's good business. Whenever trying to answer the question WHY, take a step back and think like the threat. In this case, cyber criminals want to make the most money in the fastest, easiest way possible, and Ransomware is proving to be both very easy and very profitable. As long as it continues to stay that way, we will continue to see it grow. Now that you understand your enemy (the cyber criminal) and the motive (easy money), you understand the explosion in Ransomware. To help the community better understand and defend against this threat, the August edition of the OUCH! Security Awareness Newsletter will be on this very topic.

To learn more about building mature awareness programs to manage these types of risks, consider the SANS MGT433 two-day course or attend the Security Awareness Summit on 03/04 August in San Francisco.