Blog / Decryption as a Service?
Ransomwares’ latest decryption trick is just one reason to stay up-to-date about cybersecurity.
When it comes to security it’s vitally important to ensure your defenses, and the procedures to support them, are actually useful. Any security system that isn’t properly supported and maintained—from physical security like keycard readers on locked doors to cybersecurity tools like web filtering on firewalls—increases your organization’s risk exposure. Software tools on their own just aren’t enough to properly defend your data these days; you also need strong supporting policies designed to help ensure staff are taking adequate precautions with how they use equipment and access the internet, lest you potentially wind up needing data decryption services yourself.
Part of that includes paying attention to how cyberattacks and other threats continue to adapt to modern security solutions. Although evolving tactics aren’t limited to ransomware, the infamously-effective type of malware is a particularly good example of how attackers’ tactics change over time.
Decryption in the days before backups
Back in the so-called “day,” ransomware attacks were as straightforward as they could be; once inside a computer, the malware would encrypt the machine’s data, then issue a ransom to the owner for its safe return/decryption. This may seem pretty simple by today’s standards since such an attack can easily be defeated just by restoring from a recent backup, except that we have the benefit of 20/20 hindsight. Back then, even if a given online threat was a dangerous as they can be today, on the whole cyberthreats weren’t nearly as common or persistent as their modern counterparts. As a result not many organizations kept robust backups, and the ones that did didn’t update them as regularly as they would today. Regardless of the reasons, restoration backups were rare enough that ransomware proved to be an effective means for hackers to make some serious money.
Of course, it didn’t take long for people and businesses to recognize there was an effective and simple solution, which was the humble backup. If keeping a separate copy of important data on a secure, offline drive wasn’t already a cybersecurity practice at this point, this was likely when the idea started gaining traction.
It’s also when the “evolution” of ransomware began by kicking off a ransomware “arms race”. Once businesses began recognizing the importance of backups and using them properly, particularly as an effective solution to the then-newest cyberthreat, ransomware gangs needed to find new and better ways to hold organizations’ data hostage. First, they developed attack payloads smart enough to move around their victims’ networks and encrypt multiple machines, so that backing up just one machine with your most important or sensitive data wasn’t good enough anymore. This quickly evolved into ransomware that could detect and disable various popular backup solutions, then go dormant. After a set period of time, typically long enough for the last legitimate backup to age out of usefulness, the program would reactivate, encrypt the machine(s) it was on, and deliver the ransom threat and instructions for payment. Without current, useful backups to restore from, businesses became more likely to pay a ransom than spend the time, effort, and resources required to decrypt and recover data themselves.
Decryption in the days of data exfiltration
Unfortunately criminal enterprises are just as interested in being as efficient as possible as legitimate businesses, so it didn’t take long for them to hit on the idea of making their malware do something useful in the downtime between disabling targets’ backups and encrypting their machines. As a result, recent generations of ransomware don’t just encrypt targets’ data but also uploads it to a remote server in a process known as data exfiltration. Actually encrypting a computers’ data and locking it down remains the primary goal, but if the hackers can actually get a hold of your data (exfiltrate it from the organization), they can gain even more leverage by threatening to publish it. In the event a target refuses to pay, the gang can still potentially sell the data and get paid nevertheless (albeit not nearly as much).
So, what’s next for ransomware gangs and how are they adapting to the current cybersecurity climate? Well, they’ve started to offer decryption services to their victims, and no, I’m not kidding.
Despite the threats of releasing or selling privileged data, the biggest detractor to companies paying off ransoms is the speed of decryption. Ransomware only works because it encrypts data quickly and makes decrypting it difficult and, more importantly, time consuming. However, it’s a thin line to walk; if the stolen data is too easy to decrypt there’s no incentive for the business to pay the ransom, but if the decryption process is known to be painfully slow, restoring from even old backups becomes preferable to paying a ransom for a mostly-useless decryption key. As a result, cybercriminals have, intentionally or not, created a lucrative new market for themselves. Now they can not only get paid just to send victims an unlock key, but can also then offer to decrypt the data faster once it becomes clear how slow using their key really is. In many ways the structure of the ransomware scam now imitates the SaaS (Software as a Service) business model, because even though you may have paid the ransom for a key/for basic services, you still won’t get access to truly useful decryption/technical support until you fork out even more for a maintenance add-on/premium subscription.
To be clear, we’re not criticizing the SaaS model (which has plenty of legitimate benefits), but are instead just using it as a loose analogy. And although ransomware is a great example of how malware develops, it’s by no means the only cyberthreat that can adapt to and overcome even modern defenses. That’s why staying aware of the latest news and trends in cybersecurity is a good idea for everyone, not just the professionals. We don’t expect anyone to become an expert, but keeping tabs on the state of cybersecurity these days is important for anyone looking to avoid a nasty surprise.
For more information about the latest trends in cybersecurity and to discuss how they may impact your business, contact a TRINUS cybersecurity professional and we’ll be happy to provide expert advice on protecting yourself from malware and how to get some stress-free IT.
Today’s Shakespearean quote comes from Henry VI: Part II; “Could I come near your beauty with my nails, I’d set my ten commandments in your face.”
Be kind to one another, courtesy your friendly neighbourhood cyber-man.
