Bitcoin Is Fueling the Ransomware Epidemic

In the past, getting paid was a major obstacle to the growth of ransomware. Checks can be stopped, wire transfers can be reversed and credit-card purchases can be charged back to the seller. Not to mention that each of these payment methods could potentially be traced back to the criminal. That is not to say that it was impossible for criminals to get paid, but significant overhead and risks were associated with the various payment methods. Bitcoin solved that problem.

In 2008, Satoshi Nakamoto published a white paper outlining the foundation of what would eventually become bitcoin. Utilizing cryptography to control the creation and management of the currency, bitcoin is a type of digital cash. More important, bitcoin operates without a central governing body. In other words, there isn't a central bank or regulator available to reverse or stop fraudulent payments. Once made, bitcoin payments are typically irreversible, the digital equivalent of handing someone cash, only transferred electronically instead of in person.

Digital currencies are nice in theory, but unless they can be exchanged for something valuable in the real world, they are not very useful. Bitcoin solved this problem as well. Bitcoin is the first cryptocurrency to gain widespread acceptance. While it did get a significant boost when it was selected as the currency of choice by the now-defunct Silk Road drug marketplace, bitcoin can be used at thousands of legitimate businesses and currently has a market capitalization in the billions of dollars.

The Payment of Choice for Hackers

With the development of bitcoin, ransomware developers now had a reliable method of benefiting from their activities and an avenue for laundering the profits. Bitcoin was the missing piece and the catalyst for the rise of ransomware. Consider the gradual decline in other ways hackers could monetize their activities in this same time frame.

Before ransomware, the theft and sale of payment-card information was the primary revenue stream for criminal hackers. Only a small number of companies process or store credit-card information, and those that do allocate significant resources to the protection of that information. With the adoption of the Payment Card Industry Data Security Standard, a successful theft of credit-card information required skills and resources typically reserved for the most skilled hackers or criminal organizations. Contrast this situation with the typical ransomware situation. Anyone with data (or a computer), not just those with credit-card information, is potentially a target. This exponentially increases the number of targets, many of have not allocated resources to information security.

In many cases, this oversight is understandable. After all, your wedding or vacation photos are extremely valuable to you, but because they are not valuable to others, you are unlikely to dedicate significant resources to protecting them. Those running ransomware exploit that mentality because it makes easy targets. Compounded by the fact that ransomware requires very little technical skill to deploy, the reasoning behind the rise of ransomware has become clear.

Best Practices

Ransomware is here to stay. Just as we have seen with other computer viruses and spam email, ransomware is an unfortunate byproduct of using the Internet. The best defense against ransomware is a combination of security awareness training, technical safeguards and proactive security measures:

• Ensure all systems have anti-virus software installed that is configured to automatically update and perform regular scans. But do not rely on anti-virus software alone. New variants are constantly being developed and specifically designed to avoid detection.
• Most ransomware requires some interaction by the user. Therefore, consider security awareness training on ransomware and the types of phishing email used to propagate it.
• Back up data on a regular basis, and verify the integrity of those backups. Given the strength of the encryption used in ransomware, backups will likely be your only recourse for restoring data if you do not pay the ransom. Remember to segregate your backups from the primary network to prevent the ransomware from encrypting that data as well.
• Utilize group policy or other access controls to limit write-access to files, directories and network shares that are not specifically required for the user's job function. Ransomware inherits the user permissions for the individual who activated it. By limiting a user's access, you limit the ransomware's ability to spread should an infection occur.
• Consider using application whitelisting and limiting user ability to run applications and/or install programs.
• Conduct a mock exercise involving ransomware to test your incident response plan and gauge the speed and effectiveness of your ability to restore data.

Conclusion

Remember, ransomware is a threat not only to your network but also to those you may connect to or rely upon. Consider how a ransomware infection involving a critical vendor or service provider could impact your operations. As long as there is a financial incentive, criminal elements will continue to develop, improve and distribute ransomware. But with proper planning and preparation, you can reduce the likelihood of a ransomware infection and minimize the impact on your business operations.

*****
M. Scott Koller is a member of BakerHostetler's Privacy and Data Protection Team in Los Angeles. He advises clients regarding data security and privacy risks, including compliance, developing breach response strategies, defense of regulatory actions, and defense of class action litigation. Koller holds a number of technical certifications, including Certified Information Systems Security Professional, Certified Computer Forensic Examiner, and Certified Information and Privacy Professional through the International Association of Privacy Professionals. The views expressed in this article are those of the author and not necessarily those of BakerHostetler or its clients.