Security Insights - Cybersecurity for Real-World Workplaces
Welcome to Security Insights, where best-practice cybersecurity meets the real-world risks facing workplaces every day. Ivanti's VP of Product Management, Chris Goettl, brings in a rotating cast of guests to discuss the strategies and tactics that truly matter to the security teams protecting organizations, agencies and businesses like yours.
The History of Ransomware: From Malware-Ridden Floppy Disks to "Trusted" Cyber Gang Tycoons
Chief Security Officer Phil Richards rejoins Chris Goettl, Head of Endpoint Security Product Management, for a history lesson of ransomware attacks: starting with its origins on malware-riddled floppy disks and ending with predictions of where ransomware gangs will go after several recent -- and highly publicized -- ransoms.
Today's talk covers:
- The start of ransomware as malware hidden in floppy disks containing AIDS education materials that required victim users to mail paper checks as ransom to Panama
- The recent explosion in value of ransomware extortions from a few thousand USD and four days of downtime... to $4.1 million USD ransoms of the Colonial Pipeline and weeks or months of time to restoration.
- Why the ransomware business model requires users to trust the criminal actors (as odd as that seems!)
- How ransomware gangs are expected to adapt to modern cybersecurity defenses, requiring security teams to implement multiple tactics to prevent successful ransom attempts and interruption to business operations
- Join the conversation online on LinkedIn (linkedin.com/company/Ivanti)
Adrian: Hi, everyone, and welcome to another edition of the Ivanti Insights podcast. This is episode 10. I'm your host, Adrian Vernon, and I'm joined by our usual cast of characters: Phil Richards, Chief Security Officer here at Ivanti, and Chris Goettl, one of our senior directors of product management.
Today, we're talking about ransomware. Now, before we dive into the present-day state with ransomware, let's do a little history lesson. Do you guys remember floppy disks back in the day?
Chris: Oh yeah.
Phil: Adrian, you're really pushing the boundary there with floppy disks. I barely remember. Unfortunately, I do remember, though. I'm old.
Adrian: If we go back just over 30 years to 1989, this, I understand, is the first documented ransomware event and it was called the AIDS Trojan. Do you guys remember this around that 1989 timeframe?
Thousands of floppy disks were sent out and it was disguised as this AIDS education software. People put it in and I think they had to boot up like 90 times. And when they reached that 90th count, suddenly, they were asked to pay $189 to unlock their files. And they had to send that payment to a P.O. box in Panama.
I don't know how much you guys remember of that. I didn't remember much about it, but doing a little research got me up to speed. Now, let's fast forward to today, and ransomware events look nothing like that 1989 event at all.
Chris: No, they've definitely increased in sophistication significantly. Floppy disks as a delivery system and mailing a check to Panama as the payment system: definitely very difficult, because then he had to send you the disk to decrypt to be able to do that. It was not a very workable model.
Now, the world being much more connected, Bitcoin and other mechanisms being in place, definitely a lot more sophistication in the hands of threat actors today.
Adrian: Absolutely. Obviously, it is much more sophisticated as we fast forward 32 years. The threat of ransomware obviously is not going away. What do we need to know today?
Chris: Well, I think starting off we've seen a massive uptick. If you go back to early 2018 and before, ransomware was an opportunistic attack. It was spread by malware, hit a machine here, hit a machine there; hopefully, it hits and spreads across many machines in one organization because people are sending the same email or something like that.
What they were hoping for at that point was a two to three-digit payout. Somewhere around $50 to a couple of hundred dollars per machine that they encrypted. It didn't scale significantly. If you look at data from back in like Q3 2018, this is where the average ransomware payment got up to around $5,000. And the average downtime from a ransomware attack was about four days.
Right after that, they started to really focus on and scale-out their business. And as we talk about this today, ransomware isn't just an attack. It absolutely is a business. We're going to talk about it from that perspective in several ways.
When you fast forward to this last quarter, Q1 2021, we're now up to an average of 23 days as the downtime relating to an enterprise-grade ransomware attack. And the average ransom being paid is definitely up above $200,000. It fluctuated a little bit in the last couple of quarters, but quarter million, definitely not unheard of for the average ransom being paid.
Phil: Chris, this is absolutely mind-blowing to me because when I think about the fact that ransoms were literally hundreds to low thousands of dollars just two and a half years ago, it's absolutely mind-blowing. You're talking about quarter-million-dollar ransoms.
Just so everybody is aware, we are aware of much bigger ransoms. Obviously, the Colonial Pipeline ransom was a $4.4 million ransom, and that's even small by some estimates. I'm aware of $10 and $20 and $40 million ransoms that have been paid to the threat actors.
So there are absolutely some very big-ticket ransoms and ransom attacks that have occurred. The fact that this has just escalated the way it has in the past two and a half years is mind-blowing.
Adrian: Phil, let's stick with you for this next part. Chris mentioned that ransomware is not just an attack. It truly is a business. Phil, let's start with you and we'll have Chris chime in. How has this business of ransomware evolved in the last two and a half years?
Phil: Well, it's really interesting. One thing you've got to keep in mind is that for the threat actors, the bad guys, the ransomware is their product. And Chris mentioned this in a blog he's recently published. The key to their making money is the actual decryption key. That's the thing that actually matters.
One of the things that we've recently talked about is the fact that the threat actors are starting to realize that they need to be extremely trustworthy when it comes to being able to provide a decryption capability. If I'm going to charge a million bucks plus, the customer needs to have some assurance that they're actually going to get their data back if that decryption key is purchased.
Another component of this is one of the things that threat actors have discovered is that just having a ransom, oftentimes, isn't enough. The reputation impact of knowing that they have been attacked by a ransomware attacker, for a lot of companies, is worth more money than unlocking the files. That's why we're seeing ransom attacks frequently, if not most of the time, include exfiltration of data as well.
And the reason for that is because brand reputation matters to these customers and not having been attacked by a threat actor is worth the payment price.
Adrian: Chris, maybe you could expand upon this because Phil used the word trustworthy; that these threat actors need to be trustworthy. So, a trustworthy criminal; that just doesn't sound right to me. Expand upon that, please.
Chris: It definitely feels awkward when you first say it, but as Phil mentioned, I wrote a paper about the evolution of ransomware recently. One of the things that I was researching is a company called Coveware. Their business is built around helping companies to respond to and recover from ransomware attacks.
They have a lot of really interesting insights and information about this. One of the things that they keep is dossiers on each of these different groups. They can tell you the reputation of the threat actor you're up against. They can help you with negotiations and other things like that.
One of the interesting things that I wrote about there is that 93% of victims who paid the ransom received a decryption key. Well, if the reputation of the attacker that I'm interacting with is that they're not going to give me the decryption key if I pay up, there's a lot less likelihood that I'm going to do that.
Some of us like to go to Vegas and gamble on something, some of us don't. Do I want to gamble on whether I'm going to get these keys or not? Once I get the key, how credible is this technology that they're using? Again, like Phil said, that is the product right there.
The problem is that, yes, they created and they threw on you the whole encrypting of your environment, but the product they're selling you is that decryption. Now, 95% of people who paid the ransom and got that decryption key were able to successfully recover their data. That's important.
If they don't have a high level of success in doing that, why would any of us continue to pay those ransoms? Sure. It's disruptive to our business and everything, but we're not going to get the data back. There is no reason to pay. So credibility becomes the heart and soul of this entire business model.
There are a lot of interesting things when you start to look at ransomware in that way. I'm a product guy. I have to build a product that can solve a problem. If I can't solve a real-world problem, nobody's going to buy my product. I have to be able to have a good experience around that.
Whether it's payment; they've got very sophisticated means of having you pay them. They've got sophisticated means of delivering you the decryption keys and the success rate of those decryption keys has to be up to a high degree of success or their entire business model starts to fail.
So a lot of what we've seen in the past couple of years in how this has ramped up significantly is the emphasis that these threat actors have put on the payment systems behind their business. The model in which they're delivering and decrypting that data for you has had to be very expertly executed or their reputation falls apart and their product fails.
Phil: One of the things that we should really cover is how to stop or arrest ransomware. And we do that by attacking the actual business model of the ransomware threat actors. Clearly, one of the things that would help with that is simply refusing to pay.
That's becoming increasingly difficult. The threat actors are making it more and more challenging and more difficult to avoid paying ransoms. They're doing that through a number of techniques. They're making sure that your environment stays down for days and weeks if you don't pay the ransom.
All of a sudden, the amount of ransom that you're paying is very small in comparison to the business loss that you will take on by not paying the ransom. Additionally, we talked a little bit about the reputation angle that the threat actors are using. They're going to publicly disclose that you've been attacked by ransomware and that's worth money to make sure that that doesn't happen to a lot of companies.
When it comes to not paying, we have help from other entities. There are a lot of insurance companies that are refusing to provide insurance for ransoms. That means that the business is less likely to have access to that cash. We're finding that in the United States anyway, the federal government is actually not allowing ransoms to be paid through certain cryptocurrency venues. If you pay, then your company is going to be criminally charged.
One of the things that we're seeing is that threat actors and the companies are negotiating about how they're going to pay the ransom. If the US federal government is saying, "Nope, we're not going to allow you to pay via that particular vehicle," or something like that, it's making changes to the business model for the threat actors.
Law enforcement, as we saw with the Colonial Pipeline, is in the process of recapturing some of those funds, or they're going to try to make sure that they can do that. Again, disrupting the business model for the criminals. All those things make a change to that business model and make it less likely for the threat actors to get paid.
Adrian: In cases like that, where there is an impact to your business, Phil, if you have certain systems that are down that are being held captive and you're in a situation where maybe you're not dealing with someone who's credible, or maybe you've got some governmental restrictions and are unable to pay in a certain currency. Now your systems continue to be held captive.
What are other options there? How feasible is it that the enterprise or with help from something like nomoreransom.org can try to help decrypt the ransomware attacks? How feasible is it that you could do that without paying a ransom?
Phil: A few years ago, that was a lot more feasible than it is today. The threat actors have improved in the computer science around cryptography and have made it excruciatingly difficult to have any chance of being able to recover.
If you're talking about a brute force recovery of those systems, that becomes increasingly difficult. What typically ends up happening is that you've got backups, some of which have been preserved, some of which have been corrupted by the threat actors. Those systems where backups have been preserved are able to recover relatively quickly.
And then you spend an excruciatingly long time restoring systems from memory, your own memory of what they used to do, rather than being able to recover from backup. And that's really how it goes. Businesses are oftentimes coming up slowly. Some of their systems are up relatively soon and then other systems take a longer time to recover.
Adrian: So it's not an enviable situation to be in, obviously. Chris, with that said, what does an effective strategy to combat ransomware look like?
Chris: Yeah, that's always the hard part. Unfortunately, there's no silver bullet. Threat actors are sophisticated. Their means of attack are very diverse. In fact, it was interesting looking at Coveware. They have this quarterly report they put out, and one of the things they have in there is a breakdown of common attack vectors amongst the different top threat actors and also the size of companies that they're targeting.
The most common are going to be things like phishing as the initial attack vector or RDP as the initial compromise that got them in, software vulnerability, or a category called "other" where there are some other things like potential insider cases where somebody has let them in the door through extortion or other things like that, too.
In Q4, this was heavily shifted towards RDP and phishing. In Q1 2021, there was a massive shift over to software vulnerabilities for that entire quarter as being the top attack vector that was letting threat actors in. They can adapt to the circumstances of the day. They can shift rapidly to a tactic that's working more effectively.
If you look at what happened in Q1, we had a lot of attacks on Exchange zero-days that happened there. We had zero-days in Chrome. We had zero-days in the Microsoft stack. There's a lot of different ways that they suddenly just shifted over to and targeted software vulnerabilities because that was the easy way that they could get in right now.
And once that was done, they can shift back to, "Hey, we don't have any software vulnerabilities to play around with right now. Let's go back to our age-old credential theft through phishing or walk-in through RDP, through credentials that we just bought off the dark web."
So we need to worry about a variety of different things. Especially in this everywhere workplace that we now operate in, we have to be able to adopt a zero-trust strategy. Not just zero-trust the technology, but a true zero-trust strategy. That means we need to focus on securing the user, securing the device, and securing the access. Those three elements make up an effective zero-trust strategy.
Around securing the user, you've got things like security awareness training, implementing SSO, MFA technologies. In fact, shifting towards passwordless authentication is even better, because of that credential. There's one critical weakness in our environment that we can't remove. And that's us, the end-user.
We can't remove the user from the environment, but we can take the weakness out of that user, which is that credential. That's the most effective way they're getting in today. Once they're in, they start to shift and look at a variety of other things. So anti-phishing, passwordless authentication, remove RDP from public-facing altogether. That's not a good idea, pretty much ever. But then we shift over to the devices.
We've got to secure the devices. That means mobile threat defense on our mobile devices. It means good cyber hygiene on our desktops, laptops, and servers. That's things like patch, app control, privilege management, endpoint protection.
You also need to balance that with detection and response capabilities. You need a good EDR solution and a group that's trained to be able to go and do that threat hunting. One of the key pieces, though: there have been massive shifts like, "Hey, everybody, go get EDR. Go and adopt detect and respond." But if you haven't done those basic cyber hygiene steps, the volume of incidents that are going to happen is going to be overwhelming; your EDR solution, your trained staff of professionals will never be able to keep up.
So if we don't strike this balance and have these layers working together, we'll never be effective. Now, the last part is about that access request. We've massively shifted from on network to services and data being stored in public cloud, private cloud, a bunch of different sources. How many different systems is a user able to access? Can they do it from their phone? Can they do it from their laptop? Can they do it from unmanaged or managed devices?
We need to put better controls around the access and tighten up what they're allowed to get to. And that's where zero-trust technology comes into play. Now, those three elements working together. And in each of those elements, there are multiple layers. There's segmentation, there's access, there are software gateways, there are software-defined firewalls, all sorts of things on the access side.
We talked about many of the user and device levels as well in each of those stacks, multiple layers working together as a security mesh. You'll hear this term coming up more and more from the analysts. A security mesh is what we're designing and that's really what zero-trust strategies are focusing on.
Adrian: One final question, Phil, we're going to start with you. As we look at things today, the big question is, is ransomware winning?
Phil: Well, that's a great question. And I think by every measure that you can think of, ransomware is definitely winning. We've talked about it for over the last two and a half years. The average ransom has gone from hundreds of dollars to a quarter-million dollars. We've seen ransoms that are much larger than that.
Obviously, the amount of time that a ransom attack will decimate a company has expanded from less than a week to an average of over three weeks for a company to be completely down during a ransom attack.
Unfortunately, until we can change and alter that business model that the threat actors are operating under, we're going to see ransomware continuing to win. They're winning right now and we have to, as a society, change the dynamics so that that particular crime does not have the payoff that it has today.
Adrian: Chris, is ransomware winning?
Chris: Yeah, I'd have to agree with Phil. Right now, it is kicking our collective butts out there. It's not an unwinnable situation for the defenders of the world. The technologies are there. The strategies are there. What I think is the game changer is getting to more effective, layered approaches and shifting towards this security mesh mentality, the zero-trust strategy mindset. Assume that you're already compromised.
Microsoft started shifting that mentality a few years back. Other vendors have followed suit. It's very important that if we want to change that statement "is ransomware winning" from a yes to a no, we start to adopt these more modern counters to a very sophisticated and effective form of business that threat actors are using today.
Adrian: Okay. Well, we've just about run out of time. Phil, Chris, thanks so much for a great topic. I know that we could talk about this for considerably longer, so I'm sure we'll have some follow-up there. Just hope you both have a great weekend.
I'll tell you a couple of key takeaway phrases for me. I know that my wife was in the next room. She's probably wondering if she heard trustworthy threat actors, credible criminals. She was going to ask me afterwards, what on earth were you talking about? I'm going to have to say, "Hey honey, it's ransomware. What else?"
It certainly is front and center for anyone in the security business. I'm sure that we'll be having further conversations on that. We look forward to syncing up again a couple of weeks from now, and we don't know yet what that topic will be.
Folks, until then stay safe. Be secure. Keep smiling.