Michael Bird: Hello and welcome to Explain IT, brought to you by Softcat, this is a show for IT professionals that aims to simplify the complex and often overcomplicated bits of enterprise IT without compromising on detail. I’m Michael Bird and over the next 20 or so minutes I’ll be challenging our panel of experts to take a different area of the IT ecosystem and, of course, Explain IT. This week we are going to be talking about ransomware, what it is, why you should care about it and how an organisation might protect themselves against it. With me to help demystify this is Matt Helling, Softcat’s head of security sales, hello Matt.
Matthew Helling: Hi Mike.
Michael Bird: And Adam Louca, who is Softcat’s Chief Technologist for security, hello Adam.
Adam Louca: Hello Michael.
Michael Bird: Ransomware hit the news and public consciousness in May 2017 after users from organisations across the world started reporting a strange looking red window popping up, demanding hundreds of dollars to get their files back. So Adam, Matt, what exactly is ransomware and how long has it been about for?
Adam Louca: So ransomware is a type of malicious software, it’s a piece of malware that essentially locks people's machines and data so it locks you out of access to your data and then extorts you so it charges you to get the access back. It’s really a form of digital extortion.
Michael Bird: So what’s the first instance of ransomware?
Adam Louca: Ok so let’s have a guess, let’s see, what do you think Michael? When do you think the first instance of crypto malware was?
Michael Bird: ‘96?
Adam Louca: ’96, ok what about you Matt?
Matthew Helling: I’m not sure, I think it’s been marketed very well over the past few years, people know the name of ransomware but it’s probably been around for a bit longer. I’m going to guess early ‘90’s, late ‘80’s.
Michael Bird: Surely you need the internet for that, no?
Adam Louca: Yeah well I kind of thought the same thing if I’m honest, as part of preparing for this we did some research and had a look around and actually the first instance of crypto malware went by the name of the AIDS Trojan, written by a gentleman called Joseph Popp in 1989 so this is pre-internet and it was delivered to people. I bet you can’t guess how?
Michael Bird: By Morse code?
Adam Louca: Morse code? To be fair, carrier pigeon feels like it could be an option. It was delivered by floppy drive, so actually they would post a floppy drive pretending to contain a piece of free software, it came onto the PC and overrode something called the autoexec backfile. It then started to count how many times the machine was booted and after a certain number of times it would hide all your directories and encrypt your files and essentially render your whole computer useless.
Matthew Helling: So did they do this to make money or did they do this to be a pain?
Adam Louca: Interestingly they did it to make money, although, as you can imagine making money was a little bit more difficult back in the day.
Matthew Helling: Yeah, limited right?
Michael Bird: So how did they get the money from this attack?
Adam Louca: Ok, so they didn’t have Visa, there was no PayPal, unfortunately they had to do it very old school, so this is something I don’t think I have ever actually done in my life but you had to write a cheque and you would send it to a PO box in Panama. But think about it Panama, Panama canal, Panama, think about it you would have to airmail a cheque out.
Michael Bird: So you would have your files locked for about a month or so?
Adam Louca: Oh yeah 100%. Very interestingly one of the things that we saw within that piece of malware, well we didn’t see but what happened within it was that it didn’t actually start immediately, so it would wait for 90 reboots before it started, so it’s quite a clever distancing technique. If something happened to you 90 days ago and your car broke today, would you be able to trace it back to that thing that happened 90 days ago that you thought was totally normal?
Michael Bird: So for that technically, how did it work?
Adam Louca: So interestingly they used a symmetric encryption cypher which is a bit different to the way the crypto malware works today, we see more use of public cryptography today. That was really one of the key pieces of limitations for this malware, if you can call it that, was what it did was it encrypted using the same key to decrypt. So when people took the malware apart and decoded it they found the key inside which then gave everyone their files back.
Michael Bird: So nowadays what do they do?
Adam Louca: Nowadays we use a public key cryptography methodology. So what that means is we use a public private key pair and each encryption key is unique to that device. So in the event of someone pulling the malware apart all they will get out of it is the public key. The public key is kind of useless to the researchers or the malware investigators, and actually what you need is the private key which is held by the bad actor or the malicious guys. I know me and Matt have spoken about this ransomware as-a-service on the dark web.
Matthew Helling: So you can go out and rent platforms, you can rent infrastructure and launch ransomware malware attacks.
Michael Bird: Ah ok. So I could go on this dark web and pay for usage.
Matthew Helling: Absolutely, and they will even provide you with software and a helpdesk.
Michael Bird: Wow ok. So what kind of people are using it then because presumably back in the days of floppy disks it was a bloke trying to make some money, quite easy to trace, and making a name for themselves. But nowadays what kinds of people are using these kinds of attacks?
Adam Louca: So I guess really if you think about it there are a couple of key people who are using crypto malware, or those types of technologies, number one is the standard criminal actors so anyone who wants to make money. 2017, how much do you think the ransomware market is going to be worth?
Michael Bird: $100 million?
Adam Louca: What about you Matt?
Matthew Helling: 1 Billion?
Adam Louca: It’s 5 billion.
Michael Bird: Wow.
Adam Louca: $5 billion, when you look at the level of taskforce that’s actually on online crimes and digital crimes there has been a lag in the police, especially Interpol, and those larger international police organisations getting their heads around how they are actually going to deal with this stuff.
Matthew Helling: Absolutely.
Michael Bird: So is it easy to trace?
Adam Louca: So, maybe...
Matthew Helling: Watching the money is going to be the hard thing still isn’t?
Adam Louca: Yeah 100%. As always it’s the money trail, actually its kind of easy to use these digital currencies and that was really a shifting point in the way that the crypto malware market actually evolved. The idea that you no longer needed to send your cheque to Panama made a big difference and Bitcoin being one of the key…
Matthew Helling: …but it’s such a volatile currency as well, right? The value of it is going up and down on a daily basis.
Adam Louca: Yeah so interestingly there are some, if you look at some of the early malware you were talking 40 Bitcoins.
Matthew Helling: Wow ok.
Adam Louca: So interestingly, I had a thought about this the other day that, if you had been an early adopter of crypto malware i.e. an early pusher of crypto malware, not that I am advising this, but actually if you hadn’t transferred your money out you would of probably made more money in the increasing value of Bitcoin than you have in your ransomware activities.
Michael Bird: I’ve just had a look on the internet, a Bitcoin is around about 6 grand.
Adam Louca: Which is low, because it was around about 16?
Matthew Helling: 18 it went up to.
Michael Bird: Nowadays with Ransomware they are asking for Bitcoins, they are not asking for Visa, they’re not asking for American express or whatever because it’s really hard to trace, or harder to trace.
Adam Louca: I think people think Bitcoin is hard to trace when actually all the Bitcoin transactions that take place around the world are available in the public leisure, that’s kind of the whole point of this centralised crypto currency. What these guys do is they have used their digital skills but then they combined them with a very traditional mob mentality that you have these money mules, these people who will go and take a small percentage of the Bitcoin that you’ve got sitting there from your illegal activities. They will then transfer that into their own accounts, they will take a cut and then they will purchase another type of legitimate digital currency.
Michael Bird: So it kind of just flies under the radar.
Adam Louca: Well it kind of flies under the radar but you decentralise your risk, so if you think about it your Mr. king pin, your Mr Ransomware guy and actually you’re sitting there going hey you know I have 100 million dollars’ in Bitcoins, you don’t want to try and pull out the 100 million dollars at one time or immediately you will be flagged, and you’re going to get caught. But you take 1000 people and you give them all 1000 dollars, actually if 5 of them get caught you really don’t care, you’re playing a numbers game and you are decentralising that risk.
Matthew Helling: The other side of it is if you take into account the people that are doing it, so individuals that are trying to make money. Absolutely, they are trying to get money out, and trying to infiltrate money out of individuals, out of companies, but if you look at the nation state side of it they are not really in it for the money. They are in it for disruption. You can put it in its purest form and say well a nation state could disrupt our water systems and they could hold the country to ransom. They could take control of our power, our sewage, any utility that we’ve got and what impact would that have on us as a society, it’s huge.
Michael Bird: So, the kind of people that are behind it, there are almost two camps, there’s like the nation states where they are other governments trying to disrupt over governments and then there are the people who are just trying to extort money, basically.
Adam Louca: Yeah 100%, when you think about that Matt described, that panic that is able to be caused, we look at WannaCry, actually it plunged whole countries into mass chaos for several days.
Matthew Helling: Surgeries were cancelled, everything, it just stopped for days.
Michael Bird: So do you think we will be seeing more or less of these kinds of attacks?
Adam Louca: Interestingly I think we will see them change, previously crypto malware was a very successful industry which will continue to grow, I think that is very logical. Given the increase in value of crypto currency people are starting to move away from it being related to crypto malware so actually the crypto bit so the use of cryptography so it is less about locking people out of their devices or out of their files but more about utilizing their processing power. So it’s crypto jacking now rather than lock someone out, you would much rather fly under the radar, steal their power and their heating and their spare CPU cycles and use that to make your own money out of crypto currency. Because actually you are less likely to get caught in those scenarios. Think about how much attention you would get doing a WannaCry. Well actually if you’re just the guy that managed to get some malware onto someone’s computer that runs in the background and does not really disrupt anything and just mines some crypto currency, what is the likelihood that that will go to the police. I would say a lot lower because you haven’t actually caused a disruption, all you’ve done is nicked spare CPU cycles and you’ve still got your Bitcoins out of it at the end. So it’s kind of more of a win-win, I guess it’s more of a lower risk to the criminal actors.
Michael Bird: So presumably those kind of attacks that you saying that they are going to move away from ransomware is to hijacking someone’s machine to mine someone’s crypto currency. Nation states attacks are still going to be trying to lock machines out because what Matt was saying is if you want to take down a health service or a utility you’re going to want to disrupt them rather than taking over their computers.
Adam Louca: Yeah 100 percent. So I really agree with that the nation state stuff is really going to still stay on disruption, I would say the criminal actors really, they don’t want to disrupt, the only reason they started using encryption was because it was a really good was of extorting people. I think the really clever thing the criminal actors have realised is that, previousy if you think of cyber attacks what did they typically do, it was about nicking data. There were a lot of steps involved, but if you think about what crypto malware did they took the person who cared most about your data, which is you. You’re the only person that gives a damn about your old pictures, and what they have done is sold those pictures to the person who cares the most about it, which is yourself, which is what was really clever and really highlighted and really recognised and took advantage of. The nation state guys they are only using crypto malware as a form of causing mass destruction.
Michael Bird: So I suppose the question to lead from that is, how exactly does it make its way on to a machine? And what can organisations do, or what have they done to protect themselves against it.
Adam Louca: So I think interestingly there’s lots of different ways that it gets onto a machine. I guess we would be better to look at them individually in different scenarios so number 1 you look at the very traditional, the age trojan style which is very much you know you go looking for something, and you don’t get what you thought you were going to get. Actually you don’t get that free game you thought you were downloading or that free cd or that free MP3 from Limewire if anyone still remembers what that was, that was pretty much just a malware distribution platform. And actually that’s very much playing on our social desire to get something free. So interestingly those types of attacks are really predicated from people wanting to download something, clicking it, and running themselves that is nothing more than just human interaction. So that’s scenario one. I guess if you look at scenario one, there are a few bits that you have to kind of think about that’s defending that kind of style of attack, number one has got to be your people.
Matthew Helling: Education, awareness.
Adam Louca: 100%. I mean everyone must remember their parents saying you know if it looks too good to be true, it probably is. But I don’t think we have actually got to that point where people have actually applied that rationale and logic to the online world. Interestingly we kind of think that’s magic and I think there is a large portion of the population who would still think that when they see some fake site which says it’s Nike giving away 5000 pairs of trainers that it’s actually Nike that is giving away 5000 pairs of trainers. All of us sitting around this table would probably sit there and go no way I’m not clicking that.
Matthew Helling: But I might take a look *laughs*
Adam Louca: I mean I definitely would, I’m a guy that works in cyber security day in, day out and actually I think the best one that I ever received, that did actually get me almost to click was an Apple invoice for a Garmin download, a Garmin satnav download, which was 150 pounds, and it was a ‘’I didn’t order that’’ panic moment which bypassed my normal pretty logical assessment of ‘’wait that’s weird’’. I clicked the link and it was a phishing site, it was a phishing site to phish my Apple ID credentials. What I liked about attack and you know luckily I kind of figured it out when I saw the URL bar wasn’t right and that it was an attack. But what I liked about that was that they used panic to bypass my normal logical process and obviously you panic like ‘’oh my god I didn’t do that I need to cancel that application purchase’’ which I think is very interesting, I think there is a lot of psychology getting people to do things is very interesting in an area that we are only getting, for want of a better word, better at, or at least the bad actors are getting better at it.
Matthew Helling: I heard a very interesting story at a seminar a few weeks ago about a CEO of a very large organisation was on the Sunday watching his daughter play football, she didn’t usually get in the team, she wasn’t a great footballer, it was 0 – 0 all the way until the last 10 minutes, the daughter came on and low and behold she scored the winning goal. She won the game, he plastered it all on Facebook, on the Monday he got to work and got a message through Facebook saying Oh John, I was at the game yesterday and saw your daughter score I’ve got it on video if you want the video if you send me an email from your work address I’ll send you the video clip.
Adam Louca: So good.
Matthew Helling: So his barriers are down, he’s thinking someone’s got a video of my daughter scoring the winning goal, you know it was the biggest event of her life, and I’ve got an opportunity to watch it. So he sent an email, if you think from an email security perspective, if an email’s going out a lot of the barriers have come down anyway a lot of the security processes have been removed, email came in clicked on the video, and low and behold the machine locked, message pops up. But that’s leveraging the social element of it isn’t it, your pulling on the heartstrings and that’s very hard to defend yourself from it doesn’t matter who you are.
Adam Louca: Yeah 100 percent. I think with the first style of attack it was very much download a program something for nothing. The second style of attack is that you have not patched your infrastructure, you have not effectively performed vulnerability management, they have got a foothold in your network, whether that’s via an endpoint, potentially you have not patched the browser. You’ve gone to a webpage and download something with a trojan on. Number 2 you’ve lost some credentials maybe, you’ve allowed credential reuse so people have used their credentials out on LinkedIn and that’s been then breached. They then use those credentials to potentially jump onto a VPN you’ve got externally and then all of a sudden you have an attacker inside your environment. What they will typically do in that stage is they will it will be something like we used to see as an ATP attack. This idea that you have a real active attacker inside the network who’s going to look to laterally move and get into your network, but except what they are now doing is they’re doing all the lateral movement getting onto the PC and then they are encrypting everything. And then they’re not just stopping and standing back and putting you up an automated screen that says give me 2 Bitcoins they are saying contact me on this email. And that’s all the stuff you don’t see and that’s where the real money is paid. That’s the multibillion, tens of millions of pounds in ransom.
Michael Bird: A bit Black mirror isn’t it.
Adam Louca: Oh its very black mirror. I think at the end of the day its extortion it’s no different to racketeering it’s no different to two big guys turning up at your business and say you need to pay me some money or else I’ll break your legs, except the difference is you don’t know who these two guys are, you don’t know where they live, they don’t need to be in physical proximity to you they could be anywhere around the world. They can really go without attribution and that’s the thing that makes this quite so scary is, we don’t have the global reach that they have in terms of defending this, prosecuting this, investigating this. We still are hampered by the boundaries of countries.
Michael Bird: So all of these things your saying are coming in from different means, presumably you just have a good back up, no?
Adam Louca: I think interestingly back up is very important like actually if you value the files and that’s what you care about, your loss of access to your files then a backup is going to be very important in getting that stuff back. Interestingly there have been a number of the strains that have also sought to defeat the background mechanisms, so things like shadow copies, they have automatically deleted those, if the backup was online they try and replicate and spread across that as well so they are pretty tricky out there so you know you want a good back up that is offsite, potentially cloud based, that isn’t accessible directly.
Matthew Helling: I think the important thing as well is to have a process, is to have a plan for worst case scenario. You know the whole adage of not if but when is very viable and very honest. A lot of organisations will struggle if they don’t at least a plan or something to go to in the event of this happening. You take my example of the CEO of the organisation, imagine if that happened to an organisation that you work in and you walked into a room and they said alright what are we doing and nobody had an answer. So I think it’s important that you have awareness and training and everything and at some point you still have to assume that someone could, or would or will click on something. Something will happen, so it’s important to have a process a number of people that form a group that help you remediate these problems.
Michael Bird: So what kind of things are organisations doing?
Adam Louca: So I guess the strategy really depends on the method that the malware is delivered via. So we spoke about one specific scenario which was very much the you’re looking to get something free and we can agree that educations and awareness is very important in that area. The other pieces is making sure you have good anti-malware defences so you are trying to block and detect the crypto malware coming onto it. Ultimately some of the more traditional approaches that people have taken so signature based has been slow to react given the large number of samples created every day. When you look at the stats 1 in 4 businesses has been hit by malware, ransomware in particular not just malware generally, so what was happening with the traditional approaches was that they just weren’t keeping up with the new samples created all the time, actually they weren’t able to get the updates out quick enough to identify these bad, bad pieces of malware. So I think with the shift towards some of the next generational signatureless, or at least, not just based on signatures, really we’ve seen an increase in the effectiveness of those defensive layers against ransomware, but as always, even if you had a sort of 7 9’s effectiveness so 99 and 5 9’s after it which is massively highly effective, the scale of the problem is so large that actually there will still be thousands, if not tens of thousands of incidents, that will get through. So given that really you’ve got to make sure that you’re able to identify how quickly can you get your stuff back. And that’s where your business continuity plan has got to come in and I think if a lot of businesses can take that approach, what really matters to your organisation what really is the thing that matters the most about what you do, so work out what that is in your organisation and work out how you’re going to be able to keep that thing up even if everything else goes down.
Matthew Helling: Absolutely, and from an end user perspective, just pay it?
Adam Louca: This is the harder, the F.B.I question isn’t it, “we don’t negotiate with terrorists”, I guess the moral view is always a little bit like oh well you know we don’t negotiate with terrorists because it only perpetuates the problem…
Matthew Helling: It’s a tough one isn’t it.
Adam Louca: I mean I don’t know if I was sitting there, and I’d lost everything, and someone was asking for 1000 dollars and you’re a FTSE 250.
Michael Bird: I mean there have been stories of businesses that have just paid it, and they’ve paid a lot more than that haven’t they?
Adam Louca: Absolutely, and I mean a lot of people I think when they think about ransomware they think of the lock screen, pay us a Bitcoin automated thing, that’s not really the ransomware that really matters, the Ransomware is the active attacks that’s where you don’t ever hear about it. I’ve worked with a number of instant response companies and they have stockpiles of Bitcoins, they hold Bitcoins to pay and they don’t hold Bitcoins for fun, they hold Bitcoins because sometimes that is the only way out of a situation.
Michael Bird: Ok to wrap up and kind of summarise.
Adam Louca: The way I would look at this is number 1, educate your users. Number 2, keep good security hygiene, patch your stuff, have good endpoint protection. Number 3, have a plan for when it goes wrong you know don’t let the first time that you’ve thought about of what will be my security incident plan be when you have a security incident.
Matthew Helling: A plan is so important.
Adam Louca: 100 percent. And the final one is accept that if it does happen how will you get the services back, and ask that question we asked earlier, go and speak to your CEO go and speak to your CFO go speak to the people who run the business and ask what is the most important asset.
Matthew Helling: Wha’ts the impact on us as an organisation if this gets taken down.
Michael Bird: Brilliant, well Matt and Adam its been super, super interesting talking to both of you, thank you so much for your time and listeners if there is anything on this show that has piqued your interest if you would like to talk to someone at Softcat about Ransomware we will put some links in the show notes and we will also put some contact details on the show notes so you can get in touch. So you have been listening to Explain IT from Softcat thanks for listening and goodbye.