Cybercrime is market-driven, with criminals gravitating toward models that maximize their return on investment. Criminals will divest from or scale back efforts that have lower returns in favor of campaigns that improve profitability. Regrettably, we’re seeing this happen with ransomware, which is an extremely efficient crime and is growing both in popularity and in the types of victims it targets.
The recent, widespread ransomware attacks known as WannaCry, which began in Britain, targeting its national health services, are an unfortunate example. The criminals made use of software vulnerabilities as a mechanism to accelerate the spread of ransomware to impact a larger number of victims. The attack was designed to work well in business organizations, which is an increasing trend. The sophistication of the attacks is a good indicator of the value of improving models of this type of cybercrime and the fact that cybercriminals are going after a broader set of targets. Ransomware is moving from soft to hard targets, and this trend will continue. It makes sense to consider policy implications of a major ransomware attack, particularly in light of the wave of attacks that occurred last Friday.
Ransomware is an extremely efficient method of cybercrime where the victim directly pays the criminal. The criminal does not need an intermediary as there is no need to turn the data into cash, launder the cash once the criminal receives it, or worry about data becoming devalued, as often occurs with credit card or other data theft.
A typical ransomware scenario occurs when a cybercriminal gains access to a victim’s system and encrypts data that has value to the victim. The victim is then informed that their data is being held hostage cryptographically, and if they want to regain access to their data, they must pay a ransom. The payment is often in cryptocurrency based on blockchain, such as bitcoin, as it is easy to move the funds multiple times and difficult to map the underlying holder of a bitcoin wallet to an actual individual.
Contrast this with other methods of cybercrime, where the data has to be digitally fenced before it yields a pay-off. This involves a third party, who also takes a cut of the profit. Then there’s the worry of data becoming devalued or useless as it ages, as happens with credit card numbers that could easily be cancelled by the issuing bank before they’re useful to the criminal. The cybercriminal wants not only to steal data but to monetize it very quickly, making ransomware appealing. A ransomware attack results in direct monetization – an immediate pay-off – and the criminal doesn’t have to share the profit with anyone else in the supply chain. From a market efficiency perspective, ransomware is very effective.
As with all markets, when a criminal market is attractive, multiple parties enter and saturate it. When the original market is no longer profitable, criminals look for adjacent markets. This is the pattern we’ve seen with ransomware. It began with consumers, who were targeted to pay hundreds of dollars to retrieve the keys for their data. This was a profitable business model for a while. Then, in early 2016, some cybercriminals found there was a higher return on investment in going after soft target organizations, which could pay a higher ransom. Initially the organizations were small- to medium-sized enterprises that didn’t have advanced IT infrastructures or much ability to recover from the attacks.
Now cybercriminals have turned to healthcare organizations – many of which have aging IT infrastructure. Part of the challenge for hospitals and other healthcare organizations is that they haven’t made the investments in cybersecurity technology or personnel that some other large enterprises have – often because they didn’t think they’d need it and prioritized patient care investment over cyber defense. They didn’t consider themselves cybercrime targets. Ransomware, however, has created an incentive for criminals to go after soft target organizations such as hospitals, universities, and municipal police departments, because these organizations lacked the cyber hygiene and defense capabilities to protect themselves from even unsophisticated targeted attacks.
The trend hasn’t stopped with soft targets. We’ve heard from organizations we consider hard targets that they’ve also been victims of ransomware. Criminals can not only hold data for ransom but also disable systems and hold them hostage. Don’t expect to see or hear much – or anything – about these events, however. One of the challenges in tracking ransomware attacks on large organizations is that if there is no data loss and the systems are restored (i.e., they’ve paid the ransom), then there is no technical loss or “data breach” – nor any obligation to report the event. While some states have data breach notification statutes, if the data is never exfiltrated – just encrypted and held hostage – the event is not considered reportable.
Because it is such an efficient crime resulting in direct payment from the victim to the cybercriminal, we can see ransomware expanding to harder targets, including, perhaps, government organizations and critical infrastructure. What would happen if a cybercriminal were to hold a dam or power plant’s system hostage? Whereas a nation state actor would have to consider the political repercussions of such an attack, cybercriminals using ransomware do not. They do not have to be concerned about being targeted for a reciprocal response or counterattack, making the stakes for them relatively low.
As a nation, we need to do a better job defending these environments from not only nation state and terrorist actors but also criminal actors. It’s critical we invest in both modernizing our critical infrastructure systems and implementing high-quality cyber defense architecture to enhance resiliency. We also need to consider what our response would be were a critical infrastructure or government asset to be held hostage via ransomware. Who would decide what the response would be, and would the United States pay ransom to a cyber thief? These are policy questions we should discuss sooner rather than later as the crime of ransomware moves into new areas where efficiency and profitability are the principal drivers.