The new crime model: why criminals are now holding our data for ransom rather than stealing or selling it
Ransomware has changed the economic model of cybercrime, argues Paul Farrington
2016 was dubbed "the year of ransomware" - and for good reason. Infoblox identified a 3,500 per cent increase in the creation of ransomware domains in the first quarter of the year. This ultimately led to unprecedented activity.
Ransomware is most commonly spread through phishing emails, but we've seen recent examples of criminals exploiting vulnerabilities to access and encrypt servers and databases. The recent WannaCry attack exploited a common vulnerability found in the Microsoft Windows operating system, while the Cerber ransomware campaign took advantage of the Apache Struts2 vulnerability found in web applications.
Now halfway through 2017, it's clear that the popularity of ransomware hasn't subsided. In fact, these new cases show how cybercriminals are adopting a new economic model for cybercrime: ransom rather than theft and/or resale of data.
Holding data hostage
The asking price for personally identifiable information (PII) on the dark web shows illicit resale of data is not as lucrative as it once was. New data from Equifax shows that stolen Visa or MasterCard details typically cost just £11, so it's clear that your data is worth much more to you than to a criminal.
Ransomware, however, can provide far greater returns, and this new trend is changing how cybercriminals approach vulnerabilities. Rather than merely exploiting web vulnerabilities to steal data, they are increasingly more interested in holding data hostage.
Hospitals, in particular, have proved particularly vulnerable and willing to pay - the Hollywood Presbyterian Medical Center reportedly paid $17,000 in ransom to the hacker who seized control of its computer systems in February 2016.
Everything for a price
Some cybercriminals are taking this one step further, offering to "help" their victims for a fee. This happened with the San Francisco Muni ransomware attack, where, in addition to demanding 100 bitcoins to unlock the computer systems and ticketing machines on the city's public transport system, the hacker also offered to "help" his victims protect themselves against future attacks for a few extra bitcoins.
Another ransom trend is also emerging: cybercriminals identify a vulnerability in a piece of software and, instead of exploiting it, demand money to explain what it is and how to fix it.
While not explicitly "ransomware", it's the same principle - holding information hostage unless the victim pays. Similarly, we saw this approach taken by WikiLeaks when it offered to share technical details about the CIA's Vault 7 hacking tools with a number of tech companies - including Microsoft, Google, Apple and Samsung - if the companies complied with its demands.
Defending against the new crime model
Organisations need to be proactive rather than reactive to combat this new cybercrime model. Firewalls aren't enough - it's essential that businesses prevent software vulnerabilities in the first place.
One of the most common sources of vulnerabilities is the use of open source components in software, as in the case of the Struts 2 component. But open source components play a crucial role in software development, especially with the rise of DevOps, so simply avoiding them is an unreasonable request when developers are often measured on enabling a swift time-to-market.
The typical challenge organisations face is that they do not know where vulnerable open source components reside in their applications, because components that were secure when an application was first built may since have been found to contain actively exploited vulnerabilities.
To protect vulnerable applications, development and security teams should take these steps as part of a comprehensive application security strategy.
- Set a policy: Focusing a policy around an organisation's compliance goals can help raise the priority of upgrading vulnerable software components for developers. By explicitly laying out which vulnerabilities require action, businesses can better understand and manage any trade-offs with time-to-market.
- Identify and remediate vulnerable components: It's hard to know the magnitude of the threat if you don't know which open source components existing applications already use. Building an inventory is key and can be achieved by looking at source control or component repositories. Once identified, vulnerable components can be remediated to significantly reduce the attack surface.
- Keep it up to date: Keeping the inventory current is crucial to maintaining the security of software as development teams make changes to their applications. Only when it is known which open source components have previously been used can software and applications be properly maintained.
- Educate development teams: Developers are trained to be functionality focused, and some may not be aware that they should be monitoring the open source components they use for security patches, or that their preferred components may not be secure. Whether through lunch & learns, one-on-one training sessions, or just reading relevant blogs and forums, the first essential step is understanding the threat.
- Scan the web perimeter: Conducting regular discovery scans of web applications across the organisation's entire domain is key to reducing risk. Web sites can easily be forgotten, such as outdated marketing sites or those obtained via mergers or acquisitions, and Veracode often finds up to 40 per cent more web sites than a customer initially provides as the input range. Identifying these sites is crucial so they can either be patched or shut down entirely.
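The policy, inventory and remediation steps above, as an added Python example that is not the article's or Veracode's code: it builds a component inventory from a requirements-style manifest, matches it against an advisory list, and applies a severity policy to decide which findings block a release. The manifest, advisory entries, version numbers and policy are constructed sample data, not real advisories.

```python
# Constructed manifest in pip requirements.txt style; names and
# versions are sample values, not a statement about real releases.
MANIFEST = """\
requests==2.18.0
# build tooling pinned separately
flask==0.12.1
pyyaml==3.11
"""

# Constructed advisory feed: component, first fixed version, severity.
# In practice this comes from a vulnerability database or an SCA tool.
ADVISORIES = [
    {"name": "pyyaml", "fixed_in": "3.12", "severity": "HIGH"},
    {"name": "flask", "fixed_in": "0.12.2", "severity": "MEDIUM"},
    {"name": "django", "fixed_in": "1.11.0", "severity": "HIGH"},
]

# Step 1, the policy: severities that must be fixed before release.
POLICY_BLOCKING = {"HIGH", "CRITICAL"}


def parse_version(version):
    """Turn '0.12.1' into (0, 12, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def build_inventory(manifest_text):
    """Step 2: inventory every pinned component (name -> version)."""
    inventory = {}
    for line in manifest_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments/blank lines
        if "==" not in line:
            continue
        name, version = line.split("==", 1)
        inventory[name.strip().lower()] = version.strip()
    return inventory


def find_vulnerable(inventory, advisories):
    """Match the inventory against advisories; a component is affected
    when its installed version is older than the first fixed version."""
    findings = []
    for advisory in advisories:
        installed = inventory.get(advisory["name"])
        if installed is None:
            continue
        if parse_version(installed) < parse_version(advisory["fixed_in"]):
            findings.append({**advisory, "installed": installed})
    return findings


def apply_policy(findings, blocking=POLICY_BLOCKING):
    """Split findings into release blockers and items to schedule."""
    block = [f for f in findings if f["severity"] in blocking]
    schedule = [f for f in findings if f["severity"] not in blocking]
    return block, schedule
```

Re-running the same check whenever the manifest changes is the "keep it up to date" step; the inventory is only useful while it reflects what is actually deployed.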
As this new cybercrime model emerges, it's essential that companies prepare for hackers prioritising ransom over resale. Vulnerabilities in operating systems and application software are leaving the back door open into millions of organisations, putting at risk not just their data but their ability to operate.
Organisations need to heed the warning of Cerber ransomware and WannaCry. It has never been more important to invest in a comprehensive AppSec programme to prevent vulnerabilities in the first place.
Paul Farrington is manager EMEA solution architects at Veracode