The Ransomware Social Contract

I had been anticipating this for a while: there has finally been a publicly known case where the social contract between ransomware extortionists and their victims has been broken. The contract? That after paying the ransom, the victims would be given access to their files.

What is ransomware? Extortionist criminals are now using this tactic to make money. They break into their victims' computer systems and encrypt their data. The victims are then told to pay a ransom in order to get the key to decrypt the data. Imagine the situation where all the photos and work on your computer are inaccessible, despite still being on your computer. If you could pay a small amount to make this problem go away, odds are that you would.

Now multiply the volume of data a million-fold. A business is hit. Its daily operations require this data to be accessible. Every second that it does not have it is money lost. What if it is a hospital? Hospitals have been hit and left unable to provide effective care to their most vulnerable patients for short periods. Most would rather just pay the small amount in ransom than put their work in jeopardy.

Low ransoms and the fact that the extortionists have kept their promise of providing the decryption key have made ransomware a viable business model. This may finally be over. One hospital paid the ransom only to have the extortionists ask for more. The ‘social contract’ is broken. It was always a possibility that the attackers would go back on their word. It has happened.

Ransomware is not a new phenomenon. It has been around for almost three decades. For some reason, it only took off as something big in the last three years. Perhaps the existence of commercial software such as exploit kits, which package various methods of attack without requiring much technical skill on the part of the attacker, helped its rise.

What now? Ransomware is not about to go away. We should practise some IT security 101 to protect the data that is precious to us (yes, really). Backing up data is the old-fashioned and effective method that protects against the loss of data (to ransomware or otherwise). Knowing not to click on unknown links or open dubious email attachments helps too. Keeping your operating system and software updated and having an anti-virus enabled is another. These things are all IT security 101, and knowing and practising them will protect you against more than ransomware.

What if you have been hit and do not have a backup? You could pay, but be aware that you are depending upon the mercy of criminals.

Also read:
http://www.essaysonsecurity.com/blog/shit-just-got-real
https://nakedsecurity.sophos.com/2015/10/28/did-the-fbi-really-say-pay-up-for-ransomware-heres-what-to-do/

Shit just got real

Over the past few years, we have had plenty of time to read about the exploits of malicious hackers. These have appeared on the news so many times that we have had the (mis) fortune to get desensitised to them. Why does it matter? Why should anyone care about who got hacked? And then, what can one (the layman) do about it?

It matters because it can affect us, and affect us badly. Our personal details are stored by many companies and governments. Not all of them put effort into securing this information that they have been entrusted to keep safe. Details such as our birth date and our address may be used by our bank or our email provider to verify our identity over the phone. Imagine if someone were able to access our email just because they knew our birthday and our address. This happened to the director of the CIA, James Brennan. It has happened to ordinary people as well.

What about the companies that got hacked? Sometimes the hacking is (relatively minor) reputational damage in the form of website defacement. It is a serious matter when personal information, email contents and proprietary data are stolen – things that can directly affect a company’s bottom line and harm its customers. Theft of money or something like money (such as credit card information) also happens. How do we avoid becoming habituated to ignoring these things when they show up in the news?

Last week presented something that I found to be quite scary: the “shit just got real” moment. A hospital in Hollywood had great difficulty doing the job of caring for its patients because of an attack on its IT infrastructure. The hospital’s files were affected by a type of malware called ‘ransomware’, which encrypts the data until it is decrypted with a key obtained after paying the ransom. Staff used pen and paper to record new patient details, and some patients were transferred out to other places. Patients’ records are stored in computers. Their details are digitised so that a doctor or nurse can easily pull them up on a monitor when getting to work. What happens when something as basic as a hospital is unable to function because its IT is hit? This is why security is important, and why we have to demand that our various service providers take it very seriously.

What can we do about this?

  1. Educate yourself about personal information security.
  2. Vote with your feet against companies that do a bad job; especially against companies that are unrepentant and against companies that claim that they were hacked by “sophisticated” attackers (don’t take their word for it).

If you happen to work in IT, operations, or risk management, make the effort to understand how information security risks may affect your organisation and your clients and take steps to reduce the risks.