What You Need to Know About Cyberattacks — Part 2
Cyber Security 101, Terminology, Actors, Solutions: Ransomware and Cryptolockers

In the first part of this series, we saw how the different stages of a cyberattack are linked in a kill chain that — if executed correctly — will lead to an attacker breaching the defenses and setting up shop in the victim’s infrastructure.
Every day there are new reports about companies struggling with massive outages due to these breaches, and sometimes we’re affected directly.
The recent Colonial Pipeline hack is a prime example of the carnage we’ll see if we don’t shore up the defenses around our critical infrastructure.
The situation is so dire that the EU has announced the creation of a rapid response cybersecurity force to push back against the deluge.
We’re in the middle of a full-blown intelligence war, waged between people trying to make money from sabotage on one side and underfunded, overworked security specialists desperately trying to keep our systems alive on the other.
Hackers are targeting our water supplies, our hospitals, our universities, and our pipelines, knowing that if they breach and control these systems there’s little room for negotiation: money will be paid to get them back.
The daily onslaught that SOC (Security Operations Center) teams face is relentless but mostly invisible from the outside. The only time we get a glimpse is when it goes wrong, and the other side wins.
These hackers aren’t idealistic activists who battle with sinister corporate or government actors. This is a mundane war. There’s no ideology. It's simply about money, lots of money.
Cybercrime is a massive business.
What is ransomware?
In part one, we learned how hackers craft weapons (malicious software) to breach organizations.
Their current weapon of choice is ransomware. It has mostly replaced the DDoS-for-bitcoin attacks that were popular a few years ago.
The term ransom in the name indicates what they’re up to. They’ll gain control of your assets to extort money — usually in the form of bitcoins.
There’s ransomware that causes limited damage. Some types will pretend there’s unlicensed software on your computer and ask for a license fee to be transferred.
Other strains steal data and send it to the hackers who threaten to publish it on the internet if you don’t pay them.
And there is malware that claims to have found illegal content such as child pornography, ripped music, videos, or cracked software and threatens the user with law enforcement or public shaming.
But, the ransomware we see in the crippling attacks that make the headlines is another kind:
Crypto ransomware will make your data unreadable and blackmail you into paying money to get it back.
A brief history of ransomware
Extorting money from computer users has a surprisingly long tradition.
In 1989 we saw the first-ever malware extortion attack, with the “AIDS Trojan” aka “PC Cyborg” written by Joseph Popp.
Compared to today’s malware, it was benign. It didn’t destroy data or make it unreadable. Instead, it played a game of “hide and seek” and only made the file names unreadable (encryption).
The ransom requested was 189 USD, not cheap but affordable. Yet it wasn’t very successful, because the key needed to unlock the data (the decryption key) could be recovered from the malware itself.
Unfortunately, things quickly went downhill from there. The mid-2000s brought the first genuinely dangerous encryption malware: it didn’t contain clues on how to get your data back without paying.
In September 2013, CryptoLocker appeared on the scene. Its name is often used synonymously with cryptographic malware.
It worked like most ransomware we see today. It was distributed through email. When activated, it scrambled (encrypted) files. It then asked the user to pay a ransom to make them readable (decrypt) again.
To increase pressure, it threatened to destroy the information needed for this (the decryption key) if the ransom wasn’t paid by a specific date. This meant that after that date, the files would be unrecoverable.
What is encryption?
Historically encryption was developed to protect data from unauthorized eyes and to enable secret communication.
Encryption works by scrambling your data to make it look like gibberish. This is done with the help of an encryption key.
To return the data to its original state, we need that key. The longer the key used for scrambling, the less likely it is that the correct key can be guessed.
I once forgot the combination for my suitcase lock. It had only 3 numbers. Trying out all possible sequences until I found the right one was boring but doable.
Imagine your suitcase has a lock with a 2048-bit combination (key), and you’ve forgotten it. With a standard computer, it would take around 300 trillion years to guess the right combination. We can’t wait around for that.
Modern crypto-ransomware like WannaCry, BadRabbit, or Petya uses 2048-bit keys, which are uncrackable with today's tools. So if your data is scrambled with one of these, you are left with few options.
What happens when you fall victim to a ransomware attack?
Decrypting your data without the decryption key is impossible. Likewise, finding the correct key in a reasonable time frame is unlikely.
Once your data is encrypted, you have two options:
- pay the ransom and get the decryption key from the attackers
- or refuse to pay, and hope your recovery plan works and you’ll be able to restore your data from your backups.
I don’t want to weigh in on the ethics of paying a ransom. This is between you and your conscience.
The reality is that it’s a numbers game. Once your systems are down, you start bleeding money. The loss of productivity can be calculated and weighed against the cost of paying the hackers.
Every day offline costs money. Employees aren’t working; production is halted, your products can’t be shipped, income is lost.
Finding the malware and scouring the systems to ensure it's no longer hiding in some dark corner, ready to strike again, costs time, expertise, and money. Likewise, recovering your data from backup systems costs time and money.
The longer this takes, the more the balance shifts in favor of paying the ransom.
Some people say you can’t be sure you’ll receive the key after payment. But, as mentioned, this is a business. So even though there is no absolute certainty, you can expect the hackers to give you the key and move on.
If they didn’t help you restore your system, the next victim wouldn’t pay them. It’s not something they would risk. They’re professionals looking for a payday.
Whose fault is this?
Whenever there is a high-profile incident, some wise guys pop up boasting how this could never have happened to them. How the victim should have had better backups etc.
I think they’re deluded amateurs. Granted, some victims might have neglected some obvious precautions. Still, most have spent a lot of money and energy on their security plan.
Experts know there is no absolute security against cyberattacks. And, a backup will not necessarily save you.
Statistics show that, on average, ransomware has been hiding in your infrastructure for 43 days before it’s detected. During this “dwell time,” it can easily encrypt your backups before targeting current data.
If there are no clean backups, you might still recover something, but you’ll lose weeks of work. To restore everything, there is sometimes no avenue left except paying.
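A quick sanity check on a backup set, as an added example that is not part of the original post: during the dwell time described above, ransomware can overwrite backup files with ciphertext while their names stay the same. Encrypted data has byte entropy close to the maximum of 8 bits per byte, whereas text, CSV, SQL dumps and logs sit far lower, so a file that should be readable but scores near 8 deserves a look. The extension list, the threshold and the sample backup are assumptions constructed for illustration; the "encrypted" file is a deterministic stand-in (every byte value equally often) rather than real ciphertext.

```python
"""Added example: flag backup files that should be readable but look scrambled."""
import math
import os
from collections import Counter

# Extensions whose content should be structured or readable text; near-maximal
# entropy in these is suspicious. Archives and media are excluded on purpose,
# since they are compressed and legitimately score high.
PLAIN_EXTENSIONS = {".txt", ".csv", ".sql", ".log", ".json", ".xml"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; plain text is typically well under 6


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(name: str, data: bytes) -> bool:
    # Only judge files whose extension promises readable content.
    ext = os.path.splitext(name)[1].lower()
    return ext in PLAIN_EXTENSIONS and shannon_entropy(data) > ENTROPY_THRESHOLD


def check_backup(files: dict) -> list:
    """Return the sorted names of files that should be readable but look scrambled.

    `files` maps file name to file content; a real run would read these from
    the backup volume instead."""
    return sorted(name for name, data in files.items() if looks_encrypted(name, data))


# Constructed sample backup: two normal files and one whose content has been
# replaced by a stand-in for ciphertext (all 256 byte values, equally frequent).
SAMPLE_BACKUP = {
    "customers.csv": b"id,name,city\n1,Alice,Berlin\n2,Bob,Paris\n" * 20,
    "orders.sql": b"INSERT INTO orders VALUES (1, 'widget', 3);\n" * 20,
    "ledger.csv": bytes(range(256)) * 4,
    "photos.zip": bytes(range(256)) * 4,  # compressed archive: high entropy is normal
}

if __name__ == "__main__":
    for name, data in SAMPLE_BACKUP.items():
        print("%-14s entropy=%.2f" % (name, shannon_entropy(data)))
    print("suspicious:", check_backup(SAMPLE_BACKUP))
```

This is a heuristic, not proof: a legitimately compressed or already-encrypted file scores high too, and malware can keep extensions consistent with its own output. It pairs best with a hash manifest taken when the backup was made and, above all, with backups the compromised network cannot write to and a restore that is actually rehearsed.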
How big is the business?
Organizations are paying exorbitant sums because their continued existence depends on it. Some are upfront about it; some do it under the table.
We know Colonial paid the hackers 4.5 million USD to get their pipeline back.
Since last August, the hackers responsible, DarkSide, have made at least $90m in ransom payments from about 47 victims.
Given the immense amount of money that can be made with these attacks, we can’t expect them to stop any time soon.
If it were measured as a country, then cybercrime — which is predicted to inflict damages totaling $6 trillion USD globally in 2021 — would be the world’s third-largest economy after the U.S. and China.
In part 3 of the series, I’ll look at the actors running the business behind these attacks: hacker groups like DarkSide, the Deep Web, the Dark Net, and the role of Bitcoin.
The first part of the series, showing how the hackers get into the systems in the first place, can be found here: