CryptoWall ransomware campaigns are carried out by a small set of attackers; pattern mirrors that of traditional organized crime
What do you do when someone holds hostage something very precious to you and demands a ransom? Do you pay or consider the precious item lost forever? Most likely you would call law enforcement, and they would take action. Now, if the most valuable data on your personal computer is under the siege of ransomware and you call the FBI, the FBI will most likely respond with “pay the ransom.” Is the average citizen savvy enough to protect themselves from ransomware? What is the impact of FBI’s current strategy towards ransomware?
Ransomware is a type of malware that encrypts all the data of an unsuspecting victim when s/he downloads it onto their computer, making the data inaccessible by applying strong encryption. A message appears on the screen telling the victim that their data has been encrypted, and refusal to pay a ransom — often in Bitcoin — within a short period of time, will lead to the destruction of the data.
Ransomware is getting a free pass. Organized crime rings running the campaigns are netting millions of dollars by exploiting anonymous networks, Bitcoin wallets, and strong encryption. Ransomware gets more sophisticated every year and can bypass most endpoint security measures. While attribution is extremely challenging in cybercrime, there is a strong suspicion that FBI can uncloak users behind the Tor network.
Contrary to common belief, Bitcoin transactions and addresses can be tracked down. Imperva recently published this report which analyzes Bitcoin wallets and shows conclusive evidence that a small, organized cyber-crime ring is profiting from CryptoWall ransomware. A small number of backend wallets are responsible for collecting more than $330,607 in ransom from the samples under analysis.
CryptoWall 3.0 alone is estimated to have resulted in $325 million in damages. It is safe to assume that proceeds from the ransomware are funding other nefarious activities. “We don’t negotiate with terrorists, but we will let anyone rob you as long as they use ransomware” pretty much sums up the FBI’s current stance. How long before some major threat/attack gets linked to gains from ransomware? Maybe then action will be prompted.
The UK has been consistent in their “never endorse the payment of a ransom to criminals” stance. Authorities can surely go further by peeling back more layers and bringing these organized cyber criminals to justice as a step toward controlling the unfettered growth of ransomware. The lack of a consistent cyber crime policy is playing into the hands of bad actors.
Enterprises are not immune from the menace of ransomware as seen here. Even with backups, it can take days to restore all of the data, and there can be a significant impact on normal operations when the main data store is locked out.
Here are some recommendations we can make:
Enterprises should deploy File Monitoring
While it may be difficult to stop the rapidly evolving ransomware from encrypting data on endpoints, it is much easier to discover it early and prevent your file share from being locked out. A few simple monitoring rules on a file share can prevent this malware from encrypting your data.
The best way to protect yourself is to regularly backup of all your important data. Barring minimal data loss and some inconvenience, this is by far the best way to recover.
For more information, please read this report.