Why the rise of ransomware attacks should worry you

Sean Gallagher does an excellent job of running down the economics and technology behind the rise and rise of ransomware attacks: ransomware has become a surefire way to turn a buck on virtually any network intrusion, and network intrusions themselves are trivial if you don't especially care whose networks you break into.

Before ransomware, the options for a crook who broke into a network were limited: they could turn the machines they captured into a botnet, or go looking for blackmailable or sellable secrets. Crooks who break into networks today can still do all that, but if there's nothing juicy to steal, the crooks can simply encrypt your data and demand a ransom for it. If your organization relies on data, in other words, it is a potential target.

Worse: there's a massive talent shortage in IT. Top IT people can find lucrative work in the commercial sector, or in startups that can offer options against a potential (if unlikely) huge payout. Thankfully, there are many public-spirited IT people who want to work for hospitals, nonprofits, family businesses, etc., but not nearly enough, leaving critical gaps in the IT infrastructure of even large organizations (like the DC-area hospital network that lost ten hospitals to a ransomware attack).

In short: this is probably going to get a lot worse. Ransomware crooks are unlikely to ever get caught, and can reap easy money with minimal work. The slightly smarter ones that do a little homework once they break into the network can seriously increase their gains with targeted attacks. For crooks who are engaged in more ambitious acts (blackmail, theft of trade secrets, denial of service), a ransomware attack is an easy distraction.

The worst part of this new development is that there are likely already compromised systems in these networks or out-of-date or misconfigured software that can easily be compromised to help spread ransomware. As demonstrated by a number of documented attacks by the group spreading Samsam, the ransomware operators behind an attack today likely have access to the targeted network for weeks or months. These crypto-crooks can bide their time before springing an attack.

Part of that may be because attackers are waiting to see if their presence gets detected, judging whether the target is actively monitoring systems. It's also likely that attackers simply have a long list of other networks to attack already in queue. In the current network climate, the operators of Samsam have a target-rich environment to go after.

Carvey emphasized that while the Samsam attacks have been associated so far with exploits of JBoss, future attacks could use any of the other well-known vulnerabilities already in circulation. "I'm waiting for the next one to come in where they didn't have a JBoss server," he said. "Somebody's going to say, 'We don't use JBoss—we use IIS so we're safe.'"

That thought was echoed by Craig Williams of Cisco's Talos Research. He told Ars that the way ransomware was evolving, the next attacker could easily use a common content management system vulnerability to get in to launch their attack. One misconfigured Drupal server or an improper file permission setting on a file upload utility could easily lead to a backdoor into many organizations' networks.
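The "improper file permission setting on a file upload utility" that Williams describes is a mistake a defender can look for directly. The script below is an added example, not code from the Ars article or from Boing Boing: it audits an upload directory for the three conditions that let an upload feature become a drop point (a world-writable directory, server-side script files sitting in the upload tree, and uploaded files carrying an execute bit), then strips the permission problems it is safe to fix automatically and leaves the script files for a human to review. The sample directory it builds, the extension list and the function names are all constructed for this illustration.

```python
"""Audit and harden an upload directory (added example; constructed sample data)."""
import os
import stat
import tempfile
from pathlib import Path
from typing import List

# Extensions a web server should never execute from an upload directory.
# Assumption: a PHP/Java/ASP-style stack; extend for your own platform.
SCRIPT_EXTENSIONS = {
    ".php", ".php5", ".phtml", ".jsp", ".jspx",
    ".asp", ".aspx", ".cgi", ".pl", ".sh",
}
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def audit_upload_dir(root: Path) -> List[str]:
    """Return one finding per problem; an empty list means nothing obvious is wrong."""
    findings = []
    if root.stat().st_mode & stat.S_IWOTH:
        findings.append(f"world-writable directory: {root}")
    for path in root.rglob("*"):
        mode = path.stat().st_mode
        if path.is_dir():
            if mode & stat.S_IWOTH:
                findings.append(f"world-writable directory: {path}")
            continue
        # Check every suffix, so double extensions such as shell.php.jpg are caught
        # on servers that map a handler to any segment of the name.
        if any(s.lower() in SCRIPT_EXTENSIONS for s in path.suffixes):
            findings.append(f"server-side script in upload tree: {path}")
        if mode & EXEC_BITS:
            findings.append(f"executable bit set on uploaded file: {path}")
    return findings


def harden_upload_dir(root: Path) -> int:
    """Clear world-write on directories and execute/world-write bits on files.

    Only permission bits are touched; script files are reported, not deleted,
    because deciding whether they are legitimate needs a person.
    Returns the number of paths whose mode was changed.
    """
    changed = 0
    for path in [root, *root.rglob("*")]:
        mode = stat.S_IMODE(path.stat().st_mode)
        if path.is_dir():
            new_mode = mode & ~stat.S_IWOTH
        else:
            new_mode = mode & ~(EXEC_BITS | stat.S_IWOTH)
        if new_mode != mode:
            os.chmod(path, new_mode)
            changed += 1
    return changed


def build_sample_tree() -> Path:
    """Construct a throwaway upload directory: two clean files, three mistakes."""
    root = Path(tempfile.mkdtemp(prefix="uploads_"))
    (root / "avatar.png").write_bytes(b"\x89PNG\r\n\x1a\n")           # fine
    (root / "invoice.pdf").write_bytes(b"%PDF-1.4")                     # fine
    (root / "photo.jpg.php").write_text("<?php /* constructed */ ?>")   # script upload
    (root / "report.sh").write_text("#!/bin/sh\n")                      # script + exec bit
    os.chmod(root / "report.sh", 0o755)
    os.chmod(root, 0o777)                                               # world-writable
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for line in audit_upload_dir(sample):
        print("BEFORE:", line)
    print("paths fixed:", harden_upload_dir(sample))
    for line in audit_upload_dir(sample):
        print("AFTER: ", line)
```

Run against a real upload directory by passing its `Path` to `audit_upload_dir`; the sample tree yields four findings before hardening and two afterwards (the two script files, which still need a human decision). Pair this with the web-server side of the fix, that is, a rule that refuses to execute anything under the upload path regardless of extension, since a permission audit alone does not stop a server that is configured to run scripts from that directory.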

OK, panic—newly evolved ransomware is bad news for everyone
[Sean Gallagher/Ars Technica]

(Image: Cryptolocker ransomware, Christiaan Colen, CC-BY-SA)