With the rapid expansion of the ransomware threat landscape, defenders are scrambling to find ways to fight back. RSAC 2017 dedicated a full day for a ransomware seminar.
The ransomware threat is not strictly new, but the expansion of the threat over the past year is enough to get a full-day seminar at RSA Conference 2017, with over a dozen experts scheduled to examine the latest malicious-attack phenomenon.
Andrew Hay, CISO of DataGravity Inc., in Nashua, N.H., and host of the ransomware summit, opened the first panel of the seminar by asking for a show of hands of those who had been affected by ransomware; hands shot up throughout the large hall. Hay asked the two questions likely on everyone’s mind: “Just how big is ransomware, and should victims pay the ransom?”
Panelist Michael Duff, CISO at Stanford University, said “ransomware is nothing more than monetized malware,” adding that while money is behind the vast majority of cyberincidents, ransomware is not actually entirely bad when compared with other types of attack. “It’s very loud — you know almost immediately when you’re attacked, and you know what you need to do to recover.”
And panelist Gal Shpantzer, CEO at Security Outliers Inc., in Arlington, Va., said ransomware is much easier to monetize than any other type of malware. Ransomware shortens the attack lifecycle, Shpantzer said, adding that it’s a way to “lob a grenade into your LAN, and now you owe me some money.”
Ransomware threat is a business
When considering the moral question — whether or not victims should pay — virtually all speakers during the day echoed the same sentiment: Victims should do all they can to avoid paying ransoms, while at the same time being pragmatic about paying to get access to critical systems.
Panelist Neil Jenkins, director of the Enterprise Performance Management Office at the Department of Homeland Security, pointed out that “paying a ransom encourages the business model,” adding that every time a victim pays, “it’s a good thing for the criminals.”
“I will not moralize to you,” Shpantzer said about paying if there’s no other option, but at the same time, he pointed out that it’s not always so cut and dried. If there are backups available, but it will take some time to determine whether they are recoverable, Shpantzer suggested taking a two-pronged approach of testing the backups, while also opening a line of negotiation. “You can test them. And parallel to testing them, you can negotiate with your new ‘friends.'”
“You can actually negotiate; it’s like kidnapping,” Shpantzer said. “It cost them nothing” to attack, and “you can and should negotiate” to extend the payment deadline and to get the attacker to accept less. That way, if the backups are good, you don’t need to pay the attackers anything. And if the backups aren’t usable, at least you can get a better price.
Dmitri Alperovitch, CTO at CrowdStrike, based in Irvine, Calif., told SearchSecurity that the increased volume in ransomware threat attacks “is a proxy for the fact that there’s been a merging on the botnet underground marketplace.”
For many years, it’s been possible for hackers with a new piece of malware to go to botnet owners and do a “pay per install” to distribute their ransomware. Now, ransomware authors are able to deploy their own botnets and get immediate payoffs. “No need to get clicks — it’s just a guaranteed success.”
In a session titled, “What the Kidnapping & Ransom Economy Teaches Us About Ransomware,” Jeremiah Grossman, chief of security strategy at SentinelOne Inc., based in Palo Alto, Calif., explained how the rapid rise in ransomware attacks is fueling a parallel growth in cyberinsurance offerings — and that has the potential to protect everyone.
Grossman said “seven-figure” payments for ransomware threats have already been paid, though he had to withhold details for obvious reasons. “There’s going to be professional ransomware negotiators,” a new job description for the people who will help cyberinsurers deal with attacks in the future.
The insurers will soon be able to tell everyone what to do to avoid ransomware, and they “will soon have the best data in the world” about ransomware threats and defenses. “They have all the actuarial data,” Grossman said.