Ransomware’s Perfect Storm

In the literature and in conversations about it, ransomware appears as a curious oddity on the canvass of cybercrime, a menace for which a healthy dose of cyber hygiene will serve as a satisfactory antidote. The standard advice is: “Watch for shady Web sites and phishy emails, and you will be OK.”

Nonsense. Ransomware is software that achieves intimate access to its victim’s database, then exploits this access to encrypt the data. The hacker then offers the attacked organization a pricey recovery tool that is still cheaper than the cost of losing the data. Those of us who battle hackers every day are more than alarmed.

The rise of ransomware is not hard to understand when you consider the economics of hacking. The majority of hackers are motivated by greed, not by malice and not by ideology. Lately, their mainstay revenue from stolen identities has dwindled. There are so many stolen identities for sale, and prices have come down.

Enter Bitcoin, a means to get paid and keep law enforcement in the dark. It affords payments between strangers, who remain so. That includes thieves, who have found their mask in Bitcoin and its imitators.

Why peddle stolen identities at reduced prices if you can shake down a merchant flush with cash and driven by a simple business rationale: It’s much more sensible to pay a limited sum to make a problem go away than it is to be pulled into an uncertain war that does not help the business anyway. After all, companies settle frivolous lawsuits by the same logic.

Every merchant has a price he would be willing to pay to get his data back and move on. The hackers simply try to guess that ceiling, above which, instead of being paid they are being hunted by the FBI.

Take the hacker’s point of view. He has the tools to crack the typical cyberwall with which merchants surround themselves. Now, once inside, he can steal some identities, with low returns. Or he can destroy the data, with no return. Or he can use a small key that hides deep inside a tiny piece of malware. With that key, he can encrypt all the data he has access to (backups included).

The moral footprint of this crime is minimal. Nobody dies. No elderly person loses her life savings. There’s no pain of stolen identity. Once the victim recovers his or her data, the net result is simply some money changing hands. From here on, it is simply business. The hacker merely names a price to invoke in his victim the expedient rationale of “Let me pay, get the recovery key, and move on,”

It is this flexibility of the ransomware criminal in gauging his price that undermines all the high-minded attempts to cajole victims not to surrender, report to the FBI, and attract bad publicity. So more and more hackers come around to realizing this criminal route is the most profitable.

The textbook advice to avoid suspicious emails and be careful with cyber strangers is good and solid, and it indeed saves many would-be victims. But all these cyberfences, by their nature, have many gates and entrances (after all, merchants wish to engage the public), and cracks are to be found. It can’t be helped. Backups, if done right, do work. but what a burden they are! Also, even if 99% of the encrypted data is recoverable, the most recent 1% has a price the merchant would rather pay than lose his data.

It’s a perfect storm in the making. We will be talking about it more and more very soon and for a long time. It will take time (these things always take a long time) for the community to understand that the root of this crime is the newfound cryptographically enabled financial anonymity so naively celebrated by privacy proponents.

BitMint “BreadCrumbs” technology and similar tools can ensure law-abiding privacy along with law-enforcement accountability. Digital money can be stealthily marked to trace its history, unbeknownst to its traders. Activating these marks requires exposure, thereby preventing abuse against innocent payors. Such tools hark back to the old police strategy, “follow the money,” insuring it will be used to hunt malicious and greedy criminals, not to hurt privacy-seeking innocents. No sooner would it be reasonably likely for the ransom collector to be caught than this crime would dry out.

Until then—brace yourself!

—Gideon Samid • Gideon@BitMint.com