Understanding the Evolving Threat

Ryan Olson
Director of Threat Intelligence, Palo Alto Networks

Ransomware is a relatively new type of threat, and like most malware it is constantly changing. Ryan Olson is the director of the threat intelligence team at Palo Alto Networks, and he spoke with the Cipher Brief about the threat posed by ransomware. He suggests making sure you keep your backups up to date, since ransomware is likely to only get more effective. 

The Cipher Brief: How has the threat represented by ransomware and similar types of malware changed over the last five years? How do you expect it to change moving forward?

Ryan Olson: Earlier forms of ransomware would attempt to extort victims by claiming they had broken a law, typically related to piracy or pornography, and that they owed a fine to their local law enforcement agency. These attacks were common but don’t appear to have been very effective at generating income for attackers.

The “crypto” ransomware families, which encrypt victims’ files and demand a ransom for their return, have been much more effective at generating income. The early versions relied on prepaid cards to transfer money, which help the attacker remain anonymous, but the attackers’ success didn’t really take off until they embraced Bitcoin. Bitcoin allowed them to retain their anonymity and made it easier for victims to obtain the currency required for payment.

In the future, I expect ransomware to grow more specialized. The current attacks primarily charge victims the same amounts no matter what types of files are encrypted. If attackers can capitalize on the fact that a business will pay more for its high-value intellectual property than an individual will to retrieve personal photos, they may begin to more specifically target businesses, even certain types of businesses.

TCB: What types of bad actors use ransomware? What types of businesses do they target?

RO: Ransomware is deployed by actors who we classify as “Cyber Criminals.” A cyber criminal’s primary goal in perpetrating a ransomware attack is monetary gain by extorting a payment from victims who want to retrieve their files. Those who have been most successful, like the group behind CryptoWall, have built significant amounts of infrastructure to ensure their victims can pay them and retrieve their files. Last year, along with the Cyber Threat Alliance, we published a report identifying over 800 CryptoWall command and control servers that impacted hundreds of thousands of victims and resulted in over $325 million in damages worldwide.

Many of the perpetrators of these attacks likely conducted other types of cybercrime in the past. Stealing banking account credentials and credit card numbers can be quite lucrative, but it also results in a lengthy paper trail that the attacker has to side step. Ransomware attacks, relying on Bitcoin or other hard-to-trace forms of payment, are very profitable and appear less likely to result in an arrest.

TCB: Does ransomware pose a threat to government systems? Are there any defense implications or applications for this type of malware?

RO: Any system can be impacted by ransomware as long as it stores data that people value. The actors responsible for these attacks target systems indiscriminately. For the attackers’ approach, the more systems they infect, the more money they can make.

However, critical defense systems are typically operated on secure networks that aren’t connected to the Internet. Without an Internet connection, most ransomware will not be able to generate the cryptographic keys it needs to encrypt the system’s files, and so it will leave them untouched.

TCB: How can organizations and individuals most effectively protect themselves and their devices from ransomware?

RO: The most effective way to defend yourself from ransomware is through maintaining up-to-date back-ups and testing your restoration process regularly.  In many ways, the impact of a ransomware infection is the same as a failed hard drive or a lost laptop, except ransomware might actually be cheaper to recover from. Ensure that your back-up process stores your files on a drive or service that isn’t directly connected to your computer (where the ransomware could access it) and regularly confirm that you can restore from your back-ups.

Ransomware infections occur in the same way as other malware infections, so best practices will also help keep your system clean. For example, make sure your software is kept up-to-date, and don’t click on links or download files from unknown sources.

The Author is Ryan Olson

Ryan Olson is the director of Palo Alto Networks' threat intelligence team; responsible for collection, analysis and production of intelligence on adversaries targeting organizations around the world. Prior to joining Palo Alto Networks, Olson served as Senior Manager in Verisign's iDefense Threat Intelligence service. His area of expertise is detecting and identifying actors and groups conducting cyber-crime and cyber-espionage operations. He was a contributing author to the book,... Read More

Learn more about The Cipher's Network here