Ransomware is a real threat, no bullshit!


If ransomware is rubbish, as one vendor insisted recently, then why is it so successful?

IT Security Thing found itself in Dublin recently, living the rock and roll lifestyle. Well, I stayed in a hotel owned by Bono and The Edge from U2 if that counts.

It’s certainly a close call, as one of my afternoons was spent at IRISSCON 2016 in the company of security researchers, pen testers and lock pickers. That’s pretty rock and roll, let’s face it; only spoilt by a morning listening to various vendors claiming they had the cure to the IT security disease.

Not everyone on this expert panel was a sales clown in very thin disguise, and some were actually pretty interesting speakers. However, overall it did remind me of my visit to the RSA conference in San Francisco earlier in the year when every other vendor in the vast exhibitor hall was claiming that IT security is easy with their product or service.

The answer, as always, is that if it’s so easy then why are these vendors also forever telling us that malware infections are on the up, breaches are on the up and cyber-criminals are such a threat? Just like at the RSA conference, in Dublin I found myself getting the most useful information in the coffee breaks, at breakfast and during dinner. It’s often the way that, when sales mode is switched off, technical sense and common sense are switched back on.

But I digress. I won’t name names, not least because I cannot recall the name of the chap or the company he represented. I can remember that he made one of the most outrageous claims I have ever heard at a cyber-security event.

I also remember that one colleague, another veteran of the technology journalist and analyst community, was so angered that he f-bombed the panel with an explosive accusation of vendor apathy.

So why am I so miffed with Mr Bullshit, as I will call the panel member? Well, mainly because he had the sheer audacity to claim that “nine out of ten ransomware infections cannot be decrypted.” Erm, really, old chap?

Ransomware, as any fool knows, can only work as a threat if two things are taken for granted: firstly that your data is encrypted in such a way that it cannot be decrypted without the correct key, and secondly that this key is both available and works as expected. Sure, there have been a small number of cases where ransomware coding has been so poor that the decryption key either didn’t exist or was corrupted and so didn’t work. However, if these accounted for 10 per cent of all infections, let alone the claimed 90 per cent, I would be very surprised.

I would also be surprised if it accounted for one per cent, to be honest. What I know is that the ransomware threat is, on the whole, the best managed and most professionally executed that I have seen in more than 20 years in the security business.

I know of criminals that have put tech support systems in place that would shame many a professional software house, with live chat, email and telephone support to walk ‘customers’ through payment of ransom and use of decryption keys. I have seen the threat itself, or at least the code at the core of the threat, evolve in very quick time indeed. As more people become aware of ransomware, and the ‘backup, backup, backup’ advice spreads further afield, so the criminals have reacted.

I know that we now have code that is clever enough not to announce itself as soon as data has been encrypted, but instead to sit in the background and wait. Wait for what? Simple: wait for the user to make enough incremental backup sets (offsite, in the cloud, it matters not) that once the ransomware does announce itself it cannot be undone by simply dropping back to the previous backup, or the one before that for that matter.
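The defensive counterpart to that delayed-announcement trick is to inspect each backup generation as it is taken, rather than trusting that the newest one is restorable. The following is an added illustration written for this post, not code from the original article or from any product it mentions: it walks a series of constructed backup snapshots, flags files whose byte entropy looks like ciphertext rather than documents, and reports the newest generation that is still clean enough to restore from. The entropy threshold, the acceptable poisoned fraction and the sample data are all assumptions chosen for the example.

```python
import math
import random
from collections import Counter

# Assumed thresholds for this example: most text, spreadsheets and office
# documents sit well below 7 bits/byte; ciphertext sits close to 8.
HIGH_ENTROPY = 7.0
MAX_POISONED_FRACTION = 0.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def poisoned_fraction(snapshot: dict) -> float:
    """Fraction of files in one backup generation that look encrypted.

    snapshot maps a file name to its stored bytes.
    """
    if not snapshot:
        return 0.0
    flagged = sum(1 for blob in snapshot.values()
                  if shannon_entropy(blob) >= HIGH_ENTROPY)
    return flagged / len(snapshot)


def last_clean_generation(generations: list,
                          max_fraction: float = MAX_POISONED_FRACTION) -> int:
    """Index of the newest generation whose poisoned fraction is acceptable, or -1.

    Generations are ordered oldest first; the search runs newest to oldest, which
    is the order a restore would try them in.
    """
    for i in range(len(generations) - 1, -1, -1):
        if poisoned_fraction(generations[i]) <= max_fraction:
            return i
    return -1


def build_sample_generations() -> list:
    """Constructed sample data: four incremental backups of the same four files.

    Generations 0 and 1 are clean. In generation 2 the (hypothetical) ransomware
    has silently encrypted half the files; by generation 3 everything is ciphertext.
    """
    rng = random.Random(2016)  # fixed seed so the sample is reproducible

    def document(label: str) -> bytes:
        # Repetitive English-like text: low entropy, like a real report or memo.
        return (f"{label}: quarterly figures, revenue up 3 percent, costs flat.\n"
                * 60).encode()

    def ciphertext() -> bytes:
        # Stand-in for an encrypted file: uniformly random bytes, high entropy.
        return bytes(rng.getrandbits(8) for _ in range(4096))

    names = ["q1.txt", "q2.txt", "q3.txt", "q4.txt"]
    clean = {n: document(n) for n in names}
    half = {n: (ciphertext() if i < 2 else document(n)) for i, n in enumerate(names)}
    gone = {n: ciphertext() for n in names}
    return [dict(clean), dict(clean), half, gone]


if __name__ == "__main__":
    gens = build_sample_generations()
    for i, g in enumerate(gens):
        print(f"generation {i}: {poisoned_fraction(g):.0%} of files look encrypted")
    print("newest restorable generation:", last_clean_generation(gens))
```

Two caveats on the design. Entropy alone misfires on files that are legitimately high-entropy (compressed archives, JPEGs, already-encrypted containers), so a production check would pair it with a format test, such as confirming that a file claiming to be a ZIP or PDF still parses, and would baseline each file against its own previous generation rather than a fixed threshold. The more important operational point is the retention policy the check informs: if the newest restorable generation is several cycles old, a rotation scheme that only keeps the last two or three incrementals has already lost the clean copy, which is exactly what the waiting game described above is counting on.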

Then there’s CrPy, which as we reported recently did come with some flaws, but also had features such as the ability to unlock files one at a time to show good faith to the victim and allow for different ransoms to be charged for different file sets. Does that sound like a shoddy threat to you? Does that sound like the kind of thing that would fail nine out of ten times? Of course it doesn’t. Ransomware is a very real threat and one that should be taken very seriously. Unlike the chap giving that talk in Dublin.