Ransomware has evolved to take on bigger targets, and has become more dangerous along the way.
Ransomware was already becoming a higher priority before the WannaCry epidemic of last week, but it’s clear that it has now made the shift from nuisance to serious threat.
Ransomware has been an irritation for more than a decade, but only in the last few years has it become a real problem. In the early days the victims were mostly home users, who had unwisely clicked on an a bogus attachment in an email and found their PC locked and their files and family photos encrypted. In the last couple of years, however, the focus has turned to businesses, who have more PCs and more data to compromise — and deeper pockets to pay the ransom
But now the UK’s National Cyber Security Centre has described WannaCry as a “global coordinated ransomware attack” on thousands of private and public sector organizations across dozens of countries, showing how ransomware has taken another big step — becoming a threat to nations and not just businesses.
What makes ransomware so effective is that it targets what’s really important: data, be it a family’s wedding photos or a company’s invoices. It might lack finesse — the malware simply encrypts anything it can find — but it’s brutally effective.
This evolution has not gone unnoticed: both the head of the US Cyber Command Admiral Michael Rogers and US Director of National Intelligence Dan Coats mentioned the risks of ransomware in recent testimony to US senate committees. But neither will have expected such immediate confirmation as the WannaCry epidemic, which went global last week.
Rogers warned that over the last year the US has seen increased use of ransomware against individuals and businesses. While this is usually seen as a standard police issue, or for the FBI to deal with, Rogers said ransomware was something that could become a military concern.
“Criminal actors become a military concern when malicious state cyber actors pose as cyber criminals, or when cyber criminals support state efforts in cyberspace. This means that we take notice when cybercriminals employ tactics, techniques and procedures used by state adversaries,” he said (PDF).
The WannaCry ransomware was so potent largely because of a software exploit stolen from the NSA — also, ironically, headed by Rogers. This also reflects the complicated set of factors underlying WannaCry’s effectiveness.
The US Intelligence worldwide threat assessment (PDF) presented by Coats to the US senate select committee on intelligence also highlighted that ransomware had become a particularly popular tool of extortion, noting that criminals employing ransomware had turned their focus to the medical sector, “disrupting patient care and undermining public confidence in some medical institutions”.
There are over 50 different ransomware variants in circulation and — as the rise of WannaCry shows — it’s relatively easy to bolt on additional features that can make the malware more powerful. In this case, what made it so effective was the ability for the malware to spread from PC to PC without user intervention.
Some police forces and cybersecurity firms have done a good job of making it easier to foil ransomware — for example, the No More Ransom initiative hosts a number of tools that can free encrypted data without having to pay a ransom.
But the difficulty of finding and prosecuting those behind ransomware attacks, plus the ease with which they can be assembled, mean that this threat is likely to be with us for the foreseeable future.