Ransomware—From Humble Beginnings to Monster of Masses

Webinar

After you have watched this Webinar, please feel free to contact us with any questions you may have at general@anomali.com.

BRANDON MCKAVANAGH: I guess I'll start with a bit of myself.

My name's Brandon McKavanagh.

I'm a security researcher in the Belfast office.

Today, as this says, I'm going to be giving a talk on ransomware, from its so-called humble beginnings and how it transitioned over the years to, as it says, the monster of the masses.

Like, how it became a nightmare reality for everyone.

Well, first of all, I'll be going-- these are the topics I'll be going over.

So what will be discussed?

Obviously, what is ransomware.

I'll be giving a periodic tale on the past, present, and future of it.

The topics will be what ransomware is, how it came about, how it developed, massive influences and changes, its impact on society, and where it could go.

Now, a pretty obvious first question when it came to ransomware is, well, what is ransomware [INAUDIBLE], plain and simple?

Well, for those who wouldn't know it, I'd call it a huge inconvenience, but maybe using a bit more colorful language.

Well, here's a bit more of a formal definition of it.

It's a type of malware which blocks/encrypts a user's data or blocks normal access unless a ransom is paid.

And the two main types are blockers and encryptors: one blocks access, and the other one encrypts files.

This is all fine, but everyone kind of gets the point of that.

But another question that came to my mind about this was, yeah, fair enough.

We understand that.

But where did ransomware actually come from?

So if we kind of just accept the idea of it, well, initially, when I came to this question-- and I naively know this because I watch a lot of crime and espionage-- I thought it was some new method used by the Russians in the Cold War, maybe to gain advantage over the Western powers.

And so, well, it turns out I was a bit off with this guess.

In fact, the earliest tracked case of ransomware, and the potential firestarter of it all, wasn't developed in some secret Russian Cold War base.

It was, in fact, developed by Dr. Joseph L. Popp, an evolutionary biology PhD student from Harvard.

Now, Popp developed the AIDS Trojan in 1989.

And he distributed it by sending 20,000 floppy disks to attendees at the World Health Organization's annual AIDS conference-- talk about snail mail.

Now, each disk, in the snail mail, purported to be a questionnaire on the likelihood, depending on their answers, of a candidate contracting AIDS.

Fair enough, it did actually have a questionnaire that said this.

But what it didn't say is that it also encrypted all the file names using symmetric encryption and requested a ransom of $189, which is equivalent to around $395 today.

And this money was to be sent to a Panamanian PO box in order to get the decryption software.

Now, it was taken down quite quickly because of its use of symmetric encryption.

Yes, symmetric encryption is quite fast.

It can encrypt large pieces of data.

But using the same key to encrypt and decrypt is probably not the most secure.

And-- so far.

But the gossip generated from it did not go down gently into that good night.

Well, with this, you're kind of curious, why would a PhD student from Harvard do something this crazy?

Well, it's like, why would he do it?

Well, the actual intentions, well, as I say, were quite humble, I guess.

He intended to use the money generated from it to fund AIDS education programs, so a very Robin Hood kind of thing, which I'll get onto-- ransom-based on the [INAUDIBLE].

Now, after these events of Popp getting arrested, then getting extradited to New York and all of that, the '90s were quite a quiet period for ransomware development.

And it was mainly used for pranks or vandalism, which was very reflective of the time period.

Now, let's fast-forward a bit to 2006.

It's the first step forward for ransomware, being asymmetric encryption, which went one step beyond symmetric, where it became the public-private key kind of concept: everyone has the public key, which can be used to encrypt, and very few people, or a select individual, have the private key to decrypt the files.

Well, the first two notable cases were those of the GPCode Trojan and the Archiveus Trojan.

One thing to clear up first is that the initial concept of the GPCode Trojan actually only used 660-bit RSA, but I couldn't find an earlier case, because apparently there aren't a lot of photos of ransomware from 2006.

Well, beyond this, GPCode worked by being spread via email attachments pretending to be job applications, which actually encrypted the files on your drives, and it expected a ransom of $120 initially.

The Archiveus Trojan, on the other hand, was a bit different.

It encrypted your My Documents directory completely, and the victims had to buy items from a pharmacy for some reason.

And then you would receive a 30-digit password to decrypt everything.

This seems a bit weird.

But maybe it's an independent pharmacist trying to make ends meet, I guess.

From 2006 we shall go to 2008, which saw an updated version of the GPCode Trojan, GPcode.AK.

Now, as you can see, the main difference is that it used an RSA key of 1024 bits.

And there's a previous photo of that.

But I couldn't get an earlier case of it.

Now, up to this point in the mid-noughties, ransomware had one particular fault that brought about the downfall of a lot of attackers or groups.

It was the fact that the money could be easily traced to the attacker or group, and that's not including how difficult it was for attackers to even get the money.

In the case of Popp, he had to go to the PO box itself or get it transferred.

And the likelihood of getting all that money-- that took a lot of time.

However, a development in 2009 would become one of the biggest developments-- if not the biggest one of all-- for ransomware's current identity: the creation of Bitcoin, the first cryptocurrency.

So it was developed by a person or group using the alias Satoshi Nakamoto, with the intention of just being an alternative payment system that operates anonymously and is decentralized from any third party wishing to control it.

Well, Bitcoin didn't initially get valued until mid-2010.

And even at that, its value was quite minimal.

At most, around 2010, it was like $0.08.

And I don't think you want to ask for a ransom of 10,000 bitcoin.

It's not really worth it.

By 2011, Bitcoin's value became a lot more usable in ransomware, which is why 2011 was one of the earliest known years for anonymous payments and services for ransomware.

Obviously, the benefit for attackers was that it made it easier for them to collect the ransoms and not have to worry as much about being traced.

And from this, it would appear that cryptocurrency affects the number of ransomware attacks just a little bit.

Now, this is a source I got from McAfee on the state of ransomware at this point in time.

One curious thing, I would say, is that from Q1 2010 to Q2 2011, I'd say it's fairly gradual.

Then it just spikes.

I would make the fair guess and estimate that cryptocurrency transactions started around the summer of 2011, just from the sheer jump.

And it continuously rose and then jumped again.

This jump I'm quite curious about, because that's a trend there, and that's not.

With that, it just jumped again.

And I would say that the increase in numbers was down to the creation of the Citadel Trojan toolkit.

The toolkit was bought by criminals to make it easier for them to spread their infection.

They did this through the use of [INAUDIBLE] botnets from Citadel's C2, the command and control.

It made it easier to spread the infection, as long as you paid a minimal fee for the toolkit and a small cut of the money made from the ransom.

It's fair to say the success of the toolkit was pretty minor by Q1 and Q2 of 2012.

Obviously that rose pretty high.

But then, I'd say, more people became aware of the toolkit, and it just rose, and rose, and rose, and kept rising.

Now, a particularly effective one was the result of the Reveton worm.

It attempts to extort money in the form of fraudulent emails about fraudulent criminal fines.

The use of the Citadel toolkit for spread of the infection was such a success that ransomware detections increased by more than 200,000 samples by July of 2012-- research found from [INAUDIBLE].

We're getting to 2013, and there's only one particular ransomware that was on everyone's mind.

When I was googling 2013, this is the only thing that anyone was really caring about.

And this was CryptoLocker.

CryptoLocker was one of the first ransomware to be spread by downloads from compromised websites and sent in the form of email attachments pretending to be customer complaints.

Once executed, the files on the computer are encrypted and the original versions are deleted.

And then an image like this will be shown on screen, and the victim would have to pay a ransom in the appropriate currency.

If payment wasn't met in the time frame, the private key would be deleted.

And what did this all mean?

The numbers of ransomware were increasing, but not many were consistent in staying around.

They would fizzle out quite quickly because there were faults.

They weren't very technical.

Some people were still using asymmetric.

Whereas CryptoLocker had no intention of stopping.

To put its success-- no, not its success, its impact-- in perspective, the first iteration was released in September of 2013, and by late December of the same year, it had infected over 250,000 PCs, as shown in this article from the BBC.

From CryptoLocker, we are learning that ransomware is becoming a lot more aggressive with its attacks.

This is down to them wanting to ensure that victims do not get any chance of recovering their files.

They don't want victims to go to some security researcher to reverse engineer the malware, or to find any way of getting their files decrypted other than by paying.

Now, due to CryptoLocker's success, as shown, it was pretty obvious that people were trying to piggyback off it and create copycats, the first notable one being CryptoDefense.

It used the Tor network and Bitcoin for its anonymity, as well as 2048-bit encryption.

This didn't last long though, because for some reason, during the cryptography, the attackers let the private key be seen in plain text on the victim's machine.

So that didn't last long.

You would think that with this, maybe they would just fizzle out and go back to normal jobs.

Nope.

They didn't let this roadblock stop them.

In April of 2014, the attackers released CryptoWall.

CryptoWall took a step forward from CryptoDefense.

It did use 2048-bit encryption, but it didn't make the mistake of leaving the decryption key in plain text.

It worked by using spam emails, exploit [INAUDIBLE] for malicious ads, or compromised sites, where victims were infected with it.

It then encrypts all the drives on your device.

It's pretty easy.

To get the decryptor, the user must pay the ransom within the time frame or the price will increase.

With all this going on, CryptoLocker copycats did not have all the fun in 2014.

Android became a target.

Now, the biggest cases include Sypeng, aka ColdBrother, and SimpleLocker.

Now, Sypeng became noted for being the first ransomware to actually lock phones and accused the users of watching pornography.

SimpleLocker went a bit further than this.

Yes, it did actually lock phones.

But it also encrypted all the files on the user's phone and accused the user of various perversions.

Once 2015 came around, CryptoWall didn't let researchers slow it down.

It just got smarter and faster.

Here you can see the developers behind it were making a lot of improvements, because they wanted to make sure it prevailed in making them a lot of money.

In version 2, they incorporated direct C2 communications to the Tor network, instead of proxying into it.

Version 3 experimented with new C2 communications, but ultimately returned to the old model, with an extra proxy layer added.

It's pretty clear that they were pretty committed to making this work.

And by October of 2015, they were pretty much seeing the fruits of their labor.

This is an article taken from KnowBe4 on CryptoWall's damage.

To say the least, they made a lot of money, and they caused a lot of damage in society.

And I don't know if everyone at the back can see, but it was $325 million.

There's a bit of a funny coincidence once this report was released from the Cyber Threat Alliance.

Just after it was released, they released CryptoWall version 4.

So someone's been reading KnowBe4.

It was a bit improved.

It had a streamlined C2 control channel, modified ransom messages, and encrypted filenames as well as the files themselves.

So you got even more confused and frustrated.

CryptoWall wasn't the only significant ransomware in 2015 causing havoc.

There was the introduction of the TeslaCrypt Trojan, which was actually also a copycat of the CryptoLocker ransomware.

And it's fair to say that gamers got hit the most, losing their precious loot.

Once a user was infected, the ransomware would specifically target and encrypt gaming files.

This includes game saves, game recordings, and user profiles.

Obviously, the gamers would have to pay the ransom to get their precious gaming files back.

An interesting fact in all of this is that TeslaCrypt was such a success in the 2015-2016 period that it made up 48.81% of all encryption ransomware.

Now, why?

I would say this is down to an attacker's change of tactics to a more targeted approach.

They knew who they were targeting, and they knew that the victims would likely pay.

And it's fair to say gamers love their files.

They're grinding all that loot.

Whilst all of this is going on, 2015 had another big development, and it was massive beyond realization.

Ransomware became open source.

The Hidden Tear Trojan was released on GitHub in August 2015, and its impact was beyond significant.

While it was intended for educational purposes-- they wanted people to become more aware of ransomware.

But the reality-- do you really think the public actually listened?

Attackers took the base code, modified it, and released it as their own.

The number of attacks spiked a lot due to the number of variants.

As you can see in the number of ransomware, it just kept going.

It's quite erratic.

I don't get what the spike [INAUDIBLE], but it kept going up.

So I'd say that the Hidden Tear variants caused a massive spike.

And also from this article-- and I don't know if everyone can see at the back-- nearly 50% of all businesses in 2015 were infected with ransomware.

Now, as 2016 came around, the number of ransomware didn't just spike, it broke through the roof, and it was going for the Stairway to Heaven kind of thing.

This is an article I took from Forbes on the state of ransomware in the 2016 period and the realization of how massive it became.

In it, it referenced SonicWall, which is another cybersecurity firm.

And in it, their report said that in the 2014 period there was around 3.2 million ransomware attacks, which is fair to say that But in 2015, you would expect a bit of a rise.

And yes, it did.

There was a recorded That's a rise of 19%.

We would expect this.

There's more variants.

There's more resources for people to release.

And you would expect this trend to increase and be consistent.

Well, apparently 2016 didn't get the memo.

Because in 2016 there was a reported 638 million ransomware attacks.

That's an increase of And I was like, what?

I was like, how?

What?

How?

So here's a couple of variables that could have increased it.

There is the concept of open source ransomware.

Yes, we talked about Hidden Tear, where people were taking [INAUDIBLE] of the Hidden Tear ransomware and building upon it.

And obviously, this increased the number of ransomware attacks due to the number of variants of it.

Now, when I'm talking about attackers changing their attack methods, I'm referencing back to what I said about TeslaCrypt.

Attackers are changing their attack methods just to ensure more money's made.

Up to this point, I'd say a fair amount of ransomware was going with the spray-and-pray approach.

They were [INAUDIBLE] infection near and far, commonly through email phishing, in the hope of catching victims.

This generally worked well, though it was quite inconsistent, because not everyone can get access to Bitcoin, and not everyone can afford it.

And how many people do you even think know what cryptocurrency is?

So what attackers did to improve their chances of making money was to target victims who were definitely more likely to be able to pay the ransom.

And this could be gamers, like with TeslaCrypt, banks, cities, hospitals, just to name a few.

By changing their focus, the attackers are able to make more progress with their attacks and make more money.

And more ransomware will appear, because people know that they're having more success with it.

Ransomware as a service is an interesting one, because with ransomware, what if it was like Amazon, where you could just purchase, click and collect a ransomware, have it distributed for you, and you just make the money from it, and you have to do nothing?

Well, that became a lot more apparent with this, and people were just distributing toolkits for other people to make money off them.

They'd say to the distributor-- hey, you send this, and I'll give you a 30% cut, and I'll make all this money.

It was crazy, because this massively increased the number of ransomware attacks.

And not just that, the demographic of ransomware just varied completely.

Previously, you'd have to have a pretty good knowledge of computers, and ransomware, and software, and servers to be able to manage all this.

But now everyone of different ages, from a little kid to an old granny, could distribute and make money from ransomware with very little technical capability.

Because of 2016's significance in ransomware, I'm going to go over a couple of instances that were pretty notable.

I'm going to go with SamSam, Locky, and Petya.

I'm going to go briefly over them.

So SamSam was observed in 2016 making targeted attacks mostly towards hospitals.

This was done by targeting vulnerable JBoss host servers.

JBoss was used for making Java-based applications.

They have developed since then, mainly using Remote Desktop Protocol, RDP, and the File Transfer Protocol, FTP.

Locky was ransomware that appears as an attachment in an email, and it encrypts the files on your fixed drives, removable drives, network drives, and RAM disk drives.

Petya was a bit different, in the sense it didn't specifically encrypt files on your computer.

What it did, it overwrote the Master Boot Record.

And the Master Boot Record itself is the first sector of any hard disk, used to locate and identify the operating system, which can be booted or loaded into main storage, or RAM.

Petya is a good example of attackers not following the trend of, oh, I'm just going to encrypt and hopefully make money.

They're getting a lot smarter, and they're trying to make as much money as they can with their ransomware.

And they're progressing their development in different areas to make sure that it's very unlikely for victims to get their files back without paying for the decryption.

Now, we will look into 2017.

And it's fair to say that 2017 itself was no fairytale bedtime story.

Before I continue, I must clarify one thing: I do have NotPetya on here, and NotPetya is technically not ransomware.

It's technically a cyberattack pretending to be one.

But its significance cannot be ignored, just for the amount of damage it caused.

When I refer to ransomware as the Boogeyman, I mean that in every sense.

Because in 2017 the reality of ransomware is that it was horrifying.

Everyone was afraid of it.

Most people who didn't know what ransomware was [INAUDIBLE] became very aware of it because of cases like WannaCry and NotPetya, which I'll get into.

The first one being WannaCry-- everyone's pretty much heard of WannaCry.

I'm not going to make this a WannaCry lecture, because I'm pretty sure that that's a dead story.

Now, I'll give a brief overview.

WannaCry was a ransomware worm which spread through networks to increase its numbers.

It encrypted many files and used a .wcry file extension, the WannaCry file extension.

What made it so successful was the use of the worm-like EternalBlue exploit, which was a zero-day exploit found in Microsoft's version of the Server Message Block protocol, SMB, used for transferring shared resources.

Now, it was discovered by the NSA.

But instead of reporting it, they decided to make tools from it.

From this, they did make tools.

But eventually, it got stolen by the Shadow Brokers group, another hacker group that got its name from the Mass Effect game series.

And what they did is released it online.

But the annoying thing is, with this exploit-- the EternalBlue one-- Microsoft released a patch for this specific exploit before it was even released to the public.

Which was crazy, and that was just because of poor patch management.

Within a couple of days of WannaCry being released, over 230,000 computers were infected in over 150 countries.

Now, WannaCry's success was pretty worldwide, as shown by this screen of the world.

It has been said that the likely attacker behind this, who took advantage of the exploit, was North Korea.

The reality of the attack is that it's not just ransomware for financial gain, but it is being used as a weapon of war.

Yes, North Korea would probably like to make a lot of money, but it's probably not the only reason why.

Because North Korea pretty much hates everyone.

And so it would be fair to say that ransomware as a whole has influenced not just money-making schemes but nation-state methods of attack.

We'll get into the not-ransomware NotPetya.

It would appear pointless to talk about this, but it's pretty significant because of the amount of damage it caused.

The malware itself used the same payload as Petya.

But it had a couple of tweaks.

It did use the EternalBlue exploit to spread its infection.

But here's the caveat, Petya, if you paid the ransom, did give you the decryption software to get your files back.

NotPetya didn't do that.

It just destroyed everything.

It just had no intention of paying anything out.

So NotPetya is technically a wiper that takes your money.

Now, the infection started out as a rogue update of the MeDoc software, which was used by anyone who filed taxes or did business.

And it was heavily and most likely created in Ukraine.

Cyberattackers were able to get a backdoor into any computer that used the MeDoc software and implant NotPetya.

Now, the reason it was so effective is the position of Ukraine, and that a lot of countries did business with Ukraine.

It was kind of in the middle.

And the group behind it was likely Russia trying to attack Ukraine and cause as much colossal damage as they could.

An interesting article that goes into the attack itself is one from Wired, told from the perspective of employees from Maersk, which is one of the largest shipping companies in the world, based in, I believe, the Netherlands or Denmark.

[INAUDIBLE] It's quite an interesting article for multiple reasons.

It talked about the impact it had on families and businesses, and it goes into a lot of detail on how they actually recovered from it.

A couple of reasons I love this article: the cost was like $870 million for an American pharmaceutical company.

The most popular, well-known one was probably-- oh, it's Denmark-- Maersk, which was $300 million.

And the total, apparently, was around $10 billion.

Now, companies would probably reduce this number so as not to scare everyone.

I'm presuming it's a lot more than $10 billion.

The other thing I love that's interesting about this is that it's probably not just a money-making machine; it's a nation-state attack.

It's changed into a weapon of war.

Because you don't have to be concerned with national borders.

You couldn't do this with physical weapons.

And effectively, in a way, war is becoming more digital.

It's crazy.

Now, as 2018 came around, the trends of attackers changed quite significantly.

Now, this may surprise a few, but in 2018, resource exploitation for cryptojacking-- or cryptomining or cryptojacking-- took over from ransomware as the main cyberthreat of the time.

What it does is it allows attackers to install cryptocurrency mining software onto a victim's machine.

It is more than likely not malware; it just uses the computer's processing power and the victim's electricity to mine cryptocurrency.

The attackers were able to gain access to a user's computer, mainly by the user clicking on a malicious link in an email, or by infecting a website, commonly using JavaScript which auto-executes once loaded in the victim's browser.

Now, the [INAUDIBLE] itself was quite curious, because why would there be a breakout, and why would cryptojacking overtake ransomware?

When you think about it, it's quite obvious-- money.

With ransomware, attackers didn't have complete assurance that they were going to make money from their attacks.

Yes, you could maybe get a bit of money, but there wasn't complete assurance that everyone was going to pay out.

You would put in all this work, and you didn't know if you were going to make money.

Well, cryptomining is a bit different.

You have a bit more surety with it.

A particularly good case of ransomware failing after a large attack was the SamSam attack on Atlanta.

Now, the attackers mainly focused on preventing people from using applications for paying bills and taxes, or viewing official documents.

The city of Atlanta did not pay, because if you pay out a ransom, that gives more temptation for more attacks.

And the ransom itself was $55,000.

And the thing is, the attackers got nothing from it.

But eventually, they were rewarded with prison.

So much effort went in on their behalf to get something from this, and they got nothing for it except a prison meal.

For reasons like this, attackers want to ensure, with their efforts, they're going to make money.

That's fair enough.

You want to make sure that with anything, legal or illegal, you have money made from it.

Now, cryptomining gave you a bit more assurance of this.

And from the way I am describing it, it would appear that ransomware was just a trend that kind of fizzled out in 2018.

Well, this couldn't be more wrong, because crypto ransomware didn't die in 2018, it just evolved into something a lot worse.

Numbers increased continuously, as you can see.

The blue is 2017.

And you can see, the numbers have increased a lot.

And the samples compared to that of 2017 are up as well.

There was the release of the GandCrab service, an extremely successful RaaS, ransomware as a service.

And that gives you the idea-- click, collect, make money from ransomware while having to do nothing.

GandCrab was a particularly interesting one, because it was such a success that the guys behind it actually shut it down.

They said, in mid-2019, and I quote, "We have earned more than $150 million per year, and we are leaving for a well-deserved earned retirement."

Now, the scary thing is that RaaS didn't disappear.

GandCrab wasn't the only King Kong of ransomware as a service.

There was a lot of others.

There was Philadelphia, Stampado, [INAUDIBLE], Satan.

Raspberry-- I think I'm saying that right.

So it's fair to say that RaaS is pretty much here to stay indefinitely now.

I'm going into a bit more of a targeted approach in 2018.

And I'm referencing-- I don't know if anyone was here for Christopher Ellison's talk yesterday, Navigating the Shift from Opportunistic to Targeted Ransomware Attacks.

It relates how there is a larger transition to extremely selective targets with higher ransoms.

Two good examples of that are LockerGoga and RobbinHood.

In the case of LockerGoga, it affected Norsk Hydro, a Norwegian aluminum producer.

The attack caused a halt in automotive production, in smelting plants, factories, and offices, which forced workers to resort to more manual pen-and-paper tactics.

Now, Norsk Hydro didn't pay the ransom, and it resulted in damages in excess of $40 million in just one week.

This is quite small in comparison to other companies like Maersk, the pharmaceutical company, after the NotPetya attack.

Their damage bill was up to around $870 million.

Yeah.

Now, the RobbinHood ransomware was behind the attack on the city of Baltimore, which I'm pretty sure is about an hour's drive from here.

This recent attack on the city of Baltimore doesn't come long after another attack on Baltimore which targeted the 911 and 311 emergency systems.

The RobbinHood attack specifically targeted email systems for city workers, phone lines, and online bill payments for water, electricity, et cetera.

The attackers demanded a ransom of 13 bitcoin, which was, apparently, at the time, around $76,000.

The city of Baltimore did not pay the ransom, and the result was damages of over $18 million.

Even though cities like Baltimore and Atlanta and companies like Norsk Hydro didn't pay the ransom, there are cases where cities did pay the ransom.

There was a recent attack in Del Rio, near Texas, that actually paid its ransom.

I can't remember how much.

But a couple of other interesting ones are a couple of cities in Florida, like in the case of Lake City.

They paid a sum of around 42 bitcoin, which is around $500,000.

And another one is that of Riviera Beach.

They paid a ransom of 65 bitcoin, which is around $600,000.

So in some extreme cases, attackers do actually make a lot of money.

This takes us on to 2019 and what could be in store for us in the future.

Emails-- I'm talking about this because it's the main platform for a lot of spam, and a lot of ransomware is distributed through clicking on links, attachments, and downloads.

This form of social engineering has been the main platform for years, and it's probably going to be consistent for a long time.

Backups beware-- I'm talking about this in the sense that a lot of people here who are not the most knowledgeable about ransomware are probably feeling a bit more secure.

Oh, I've got a hard disk, and I've got this NAS for my drives.

I'm safe, right?

Wrong.

What this is: attackers are becoming a lot more aggressive, and they want to make sure that you're going to pay the ransom.

You're not getting your files back.

I don't care.

You can hide the hard drive under your mattress; we will get it.

But this is-- ransom prices are-- and because of this, backups are being attacked a lot more aggressively.

So destroying backups is being used as a new platform for attack.

Ransoms rise-- it's pretty obvious.

More attackers, more money made, and ransoms rising.

More targeted attacks that spike the prices, like with the case of the Florida cities, $500,000-600,000 for the price of ransoms.

It's just going to get bigger and bigger and bigger.

Now, for anyone who gets my hydra reference, what I'm talking about there is, cut off one head, and many more will take its place.

I am saying that if we stop one variant of ransomware, this isn't going to kill ransomware.

There are just going to be thousands and thousands of variants based on it.

And researchers-- I'm pretty sure most of you are aware of this-- we can't keep up with ransomware.

It's pretty difficult, just because of the number of variants and [INAUDIBLE].

It's just crazy.

Cyber insurance is something that is quite common today, but it's still somewhat questionable.

Because we have house insurance, car insurance, life insurance-- those are all things that we can kind of quantify and we know.

But with cyber insurance-- I was talking to Christopher Ellison yesterday-- that's based on a certain level of security you have, and you can't really be secure against a zero-day exploit kind of thing, because you can't really know too much about it.

Now, cyber insurance [INAUDIBLE], it would allow companies to get more money back for damages from ransomware.

But this can be called into question, because why not go to a security research company-- like I'm presuming a lot of you are from-- and get researchers to help get the decryption software?

Because [INAUDIBLE] sharing, nobody really likes insurance companies, and they're just not going to give back the amount of money you actually need.

IoT is a bit of an interesting one, because as IoT becomes bigger news and is developed, it gives a lot more devices that are smart, like smart cars, smart houses, and even smart toilets.

This raises the question of why attackers aren't going after this.

Why aren't ransoms being paid?

So we're not giving you your car.

It won't stop or start.

We will open all the doors and windows in your house.

We will flood your house unless you pay a ransom.

And it's fair to say smart doesn't actually mean safe or secure.

And I'm expecting there to be a lot more IoT, which is why I'm never getting into a driverless car.

So in conclusion, ransomware's intentions have transitioned a bit from 1989, trying to fund AIDS programs, to being used as a weapon of war to destroy people and their lives.

Now, that's a bit of a transition.

Tactics have changed, from starting with [INAUDIBLE] snail-mailing a floppy disk to a conference, to email phishing platforms.

It's just getting-- a lot more tactics have changed.

Money motivates maliciousness.

Many of the developments in ransomware have come down to the value of currency.

Be it anonymity or its value, attackers are changing their payloads in whatever way necessary to make as much money as possible.

Be it that they drop Bitcoin, because as Bitcoin became more popular, attackers were moving away to something like Monero.

And cryptomining is a case-- they want to make sure there is money.

Oh, we didn't realize ransomware wasn't making me money, so I'll just go to cryptomining.

And it's fair to say, wherever money goes, attackers will follow.

Now, on a final note, ransomware cannot be ignored.

It's in news articles, games, movies, books.

It's not just some dark fairy tale we tell ourselves that doesn't exist.

It's a monster let loose on the masses, and it only gets bigger, badder, scarier, and smarter.

Thank you.
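The talk contrasts the AIDS Trojan's symmetric-only design (the key travels inside the sample, so it can be pulled out and the files recovered) with the GPCode-era asymmetric design (a per-victim key wrapped with the attacker's RSA public key, so only the holder of the private key can unwrap it), and notes that CryptoDefense failed precisely because the private key ended up in plain text on the victim's machine. The following is an added example illustrating that key-management difference; it is not code from the webinar or from Anomali. It deliberately uses toy primitives (a SHA-256 counter keystream instead of a real block cipher, and a small textbook-RSA modulus built from two known Mersenne primes), a constructed stand-in for a "sample binary", and invented helper names; none of this is taken from any real malware.

```python
"""Toy model of symmetric-only vs. public-key-wrapped ransomware key handling.

Added example, not from the talk.  Primitives are deliberately toy:
a SHA-256 counter keystream stands in for a block cipher and the RSA
modulus (~150 bits, two known Mersenne primes) is far too small for
real use.  All data below is constructed for the demonstration.
"""
import hashlib
import secrets


# --- toy symmetric cipher: XOR with SHA-256(key || counter) keystream ------
def xor_stream(key: bytes, data: bytes) -> bytes:
    """Symmetric: the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, keystream))
    return bytes(out)


# --- toy RSA: public (N, E) is embedded in the sample, D stays with attacker
P = 2**61 - 1                      # known Mersenne prime (assumption: toy size)
Q = 2**89 - 1                      # known Mersenne prime
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, never shipped to victims


def wrap_key(sym_key: bytes, n: int = N, e: int = E) -> int:
    """Textbook RSA encryption of a 16-byte symmetric key with the public key."""
    m = int.from_bytes(sym_key, "big")
    if m >= n:
        raise ValueError("key must be smaller than the modulus")
    return pow(m, e, n)


def unwrap_key(wrapped: int, d: int = D, n: int = N) -> bytes:
    """Only possible with the private exponent d."""
    return pow(wrapped, d, n).to_bytes(16, "big")


# --- design 1: AIDS Trojan style, one fixed key baked into the sample -------
EMBEDDED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
SAMPLE_MARKER = b"TOYSAMPLE"


def build_symmetric_sample() -> bytes:
    """Constructed stand-in for a binary that carries its own key."""
    return SAMPLE_MARKER + EMBEDDED_KEY + b"\x00" * 32


def recover_key_from_sample(sample: bytes) -> bytes:
    """What an analyst does: read the key straight out of the sample."""
    off = sample.index(SAMPLE_MARKER) + len(SAMPLE_MARKER)
    return sample[off:off + 16]


def encrypt_symmetric_only(files: dict) -> dict:
    return {name: xor_stream(EMBEDDED_KEY, data) for name, data in files.items()}


# --- design 2: GPCode style, fresh key per victim, wrapped with RSA ---------
def encrypt_hybrid(files: dict) -> tuple:
    """Returns (encrypted files, wrapped key).  The plaintext key is discarded;
    only the wrapped value is left on the victim's machine."""
    sym_key = secrets.token_bytes(16)
    enc = {name: xor_stream(sym_key, data) for name, data in files.items()}
    return enc, wrap_key(sym_key)


def recover_hybrid(enc: dict, wrapped: int, d: int) -> dict:
    """Recovery needs d.  Leaving d on disk (CryptoDefense's mistake) makes it
    as recoverable as the symmetric-only design."""
    sym_key = unwrap_key(wrapped, d)
    return {name: xor_stream(sym_key, data) for name, data in enc.items()}


if __name__ == "__main__":
    victim = {"notes.txt": b"quarterly numbers", "photo.jpg": b"\xff\xd8" * 40}
    enc1 = encrypt_symmetric_only(victim)
    key = recover_key_from_sample(build_symmetric_sample())
    print("symmetric-only, key from sample:",
          {n: xor_stream(key, d) for n, d in enc1.items()} == victim)
    enc2, wrapped = encrypt_hybrid(victim)
    print("hybrid, with private exponent:", recover_hybrid(enc2, wrapped, D) == victim)
    print("hybrid, artefacts on victim disk: wrapped key only, N=%d bits" % N.bit_length())
```

Under the symmetric-only design the analyst's job is a string search in the sample; under the hybrid design the victim's disk holds only the wrapped key and the public modulus, and recovery reduces to obtaining d (from a seizure, a leak, or a bug like CryptoDefense's) or breaking the modulus, which at real key sizes is not practical.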
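The Petya section above describes the Master Boot Record as the first sector of the disk, used to find and load the operating system, and explains that Petya overwrote it rather than encrypting individual files. As an added example (not code from the webinar or from Anomali), here is a small Python parser for a 512-byte MBR that checks the 0x55AA boot signature, decodes the four partition-table entries and hashes the boot-code region, which is the kind of quick triage check an analyst runs on a disk image to tell whether the first sector still looks like a normal MBR. The two sample sectors are constructed inline and the helper names are my own.

```python
"""Parse and sanity-check a 512-byte Master Boot Record (MBR).

Added example, not from the talk.  Layout: 446 bytes of boot code, a
64-byte partition table (four 16-byte entries) and the boot signature
0x55 0xAA at offset 510.  Sample sectors below are constructed; nothing
here reads a real disk.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"
ENTRY_FORMAT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sectors

# A few common partition type IDs, enough for a readable report.
PARTITION_TYPES = {
    0x00: "empty",
    0x07: "NTFS/exFAT",
    0x0B: "FAT32",
    0x0C: "FAT32 (LBA)",
    0x83: "Linux",
    0xEE: "GPT protective",
}


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def type_name(self) -> str:
        return PARTITION_TYPES.get(self.type_id, f"unknown (0x{self.type_id:02x})")


@dataclass
class MbrReport:
    signature_ok: bool
    partitions: List[PartitionEntry]
    boot_code_sha256: str  # compare against a known-good image to spot an overwrite

    @property
    def looks_valid(self) -> bool:
        """Signature present and the partition table is internally sane."""
        if not self.signature_ok:
            return False
        used = [p for p in self.partitions if p.type_id != 0x00]
        if sum(p.bootable for p in used) > 1:  # at most one active partition
            return False
        return all(p.lba_start > 0 and p.sector_count > 0 for p in used)


def parse_mbr(sector: bytes) -> MbrReport:
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    signature_ok = sector[510:512] == BOOT_SIGNATURE
    partitions = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            ENTRY_FORMAT, sector, PARTITION_TABLE_OFFSET + 16 * i
        )
        partitions.append(PartitionEntry(i, status == 0x80, ptype, lba, count))
    boot_code_hash = hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest()
    return MbrReport(signature_ok, partitions, boot_code_hash)


def build_sample_mbr() -> bytes:
    """Constructed sample: one bootable NTFS partition starting at LBA 2048."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xfa\x33\xc0"  # placeholder boot-code bytes (cli; xor ax,ax)
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def build_overwritten_mbr() -> bytes:
    """Constructed sample: the same sector after a blanket overwrite."""
    return bytes([0x37]) * SECTOR_SIZE


if __name__ == "__main__":
    for label, sec in (("sample", build_sample_mbr()), ("overwritten", build_overwritten_mbr())):
        rep = parse_mbr(sec)
        print(f"{label}: signature_ok={rep.signature_ok} looks_valid={rep.looks_valid}")
        for p in rep.partitions:
            if p.type_id:
                print(f"  #{p.index} boot={p.bootable} {p.type_name} lba={p.lba_start} n={p.sector_count}")
```

A missing signature or a partition table full of implausible entries is a strong hint that sector 0 has been replaced; the boot-code hash lets you compare the sector against a golden image or a pre-incident backup rather than eyeballing bytes.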

About Detect LIVE

We believe that threat intelligence holds the promise of allowing organizations to better manage risk and develop resilience. Detect LIVE, brought to you by Anomali, is a virtual event series that provides a platform for security executives, practitioners, and researchers to share insights and experiences related to threat visibility, detection, and response.