There are many forms of treachery available to the industrious, usually smart hacker these days. Old favorites, such as distributed denial of service attacks, are still in vogue. A “DDoS” means that someone has transmitted endless, continuous messages to a computer system, bogging it down to the point of failure. Another common tactic begins with phishing, which is an act whereby the bad guys send email messages that look bona fide; the victim then clicks a link that injects malicious computer code into the computer, and various and sundry bad stuff ensues. The range of hacks and attacks runs the gamut.
A recent ploy, which I’ve brought to your attention occasionally, is known as ransomware. This strategy builds on others.
First, a criminal finds a target that maintains or has custody of valuable information. Ransomware differs from many other attacks in what the criminal wants from that information, however: in many other scenarios the hacker aspires to sell the stolen data, such as medical records, bank information, credit card numbers, and the like.
With ransomware, it’s simply the value of the information, whether to its owner or on the market, that makes it an attractive target.
After identifying a target of merit, the hacker might send a phony email. The email looks legit. It can appear to come from someone trusted, such as a supervisor, a family member, or even a lawyer. They go to great lengths to dummy up an email that doesn’t raise suspicion, and sometimes go to pains to use the right font or include imagery that looks official.
They “spoof” an email address to further the ruse. You might get something that appears to be from the Commonwealth, say some agency, and the seal will be there and the address will look like it comes from a “___@.gov” email address. Trust me when I say these fraudsters are pretty crafty.
So, there you are poring over your inbox, watching TV out of the corner of your eye, and listening to the kids blabbering away. You’re half-invested in the email box, at best. And you scroll through this official-looking message that ends with “Click here to begin the process of your refund.” Click. They’ve got you.
Now, in the background, the malicious software that was buried in ones and zeroes behind that link starts to do its thing. Meanwhile, if they’re really good, your click opens a new browser window that makes it seem as though all’s well. In non-ransomware attacks, this phishing expedition may result in a “backdoor” being installed on your computer. This is just a way of saying that the software they deployed circumvents your login credentials, or otherwise gives them a way, for all of the future, to get into your machine and take whatever, pretend to be whomever, or sell the access on the black market whenever, later in time.
In ransomware, however, that malicious code does something else. It takes the entirety of your hard drive, all of your emails, your history of web browsing, your load of passwords, and, simply, everything, and encrypts it.
The software they load activates and, in a sense, re-writes every one and zero into a new string of ones and zeroes that no one can understand. It’s pretty high math that does this, and I’m not a mathematician.
Let’s just agree that we’re not in the old heyday of radio when “encryption” was an engaging marketing trick to get you to buy more Ovaltine. Nope, this is the stuff of CIA and NSA caliber spy tools.
Seriously, there are free encryption programs out there that could make it impossible even for Watson, IBM’s storied, Jeopardy!-beating computer, to crack. The only one who can beat it? The one who used it and has the decryption key. That’s power. That’s a ransom.
Honor among thieves being what it is, half of the time that victims pay, no decoder arrives. Throw it out. It’s happened time and again. Think of it: one of the dumbest things a ransomware criminal could do after getting the booty is to keep working the scheme, prolonging the time that law enforcement has to catch up with them.
Ransomware, some say, is already fading. It’s only been part of the discussion for a few years, yet, according to some, it has become “a commodity.” The ransoms themselves, the amount of payoff, have shrunk in the past couple of years. Hackers, the real ones, the bona fides in the criminal community, see ransomware as, well, hack work, but in a different sense than their namesake. That’s because it’s all off-the-shelf thievery. There’s no respect amongst the black hats for ransom attacks because there’s no ingenuity in it. “Commodity” is not something you use to gain street cred in the underground, dark web places. Still, it’s an important threat to understand.
I still keep it in sight because it’s still happening all around us. Last week, a small-ish community, not unlike Corbin in size and governance, was crippled when ransomware hit its government systems. They brought in well-reputed cybersecurity vendors. Nada. Before the end of the week they paid over $130,000 to get access back, which, incidentally, they did get. How long before they’re victimized again, though? At the same time, though on a grander scale, City Power, the electric utility of Johannesburg, South Africa, sustained such an attack. Outages, data loss, and countless wasted hours of labor were the results. Earlier this year, Baltimore’s civic offices were targeted. Georgia’s state courts took it on the chin as well. Lake City, Florida, got hit, and then fired the worker who paid the ransom.
Maybe the industry smarties are right that it’s going out of style, or becoming a commodity. For me, it’s still in the stable of threats, active threats, and threats that are some of the most arduous to recover from.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at email@example.com.