Ransomware Is Coming; It’ll Make You Wannacry

magine that in a few days, or maybe a few years, the United States suffers an unprecedented ransomware attack.

Maybe it begins 30 days after tax day because millions of Americans unknowingly download malicious software hidden on a popular tax preparation website. Maybe the “TurboHax” ransomware uses the “forever red” vulnerability made public by a group of suspected Russian government hackers. The virus then automatically multiplies and spreads itself using victims’ compromised credentials and stored contacts. Within hours, it has spread across the globe. But that’s only the beginning.

Using a polymorphic attack algorithm, TurboHax not only infects and locks users out of files on their desktop or laptop computers, it spreads to their mobile phones and other connected devices. When infected users connect to their home wifi networks, their televisions, internet-enabled speakers, and online home security systems become compromised, too. When the virus’s delayed detonation finally goes off, people are simultaneously locked out of every device they own.

And then it gets worse.

TurboHax doesn’t just ransom your information, it executes hostages. When the attack begins, victims are shown a message saying, “We have your information. This program will begin deleting files in one hour and will continue to do so every hour without payment. You have 24 hours before everything is gone.” Below the message is a link to a popular bitcoin trading website where victims are required to pay the attackers the equivalent of $500 to receive a password that unlocks their data.

Most victims pay the ransom, but not everyone who does has their information restored. Those who do not pay lose everything that was not previously backed up. Information, intellectual property, and physical assets worth tens of billions of dollars are lost.

It’s the largest, most-costly cyberattack in history. And one of the most mysterious. The attackers never claim their paid ransoms, and they are never identified.

Cyber attack malware wannacry ransowmare virus encrypted files and lock computer. vector illustration concept.

This scenario might sound like science-fiction, but the truth is that all of the essential elements are already in place. Such an attack would be difficult, but not impossible, to execute and many cybersecurity experts fear something like it is more-or-less inevitable. Cybersecurity Ventures projects that cybercrime, including ransomware attacks, will cost the global economy more than $6 trillion a year by 2021. That’s more than 7.5 percent of the current total value of the global economy.

How did we get here? How could we be so exposed?

Ransomware is any malicious software that limits or prevents someone from using their computer or accessing their files. It’s not a particularly new phenomenon—the first serious case of ransomware was spread in 1989 using infected floppy disks—but these attacks are becoming more frequent and more destructive.

Beginning around 2005, new versions of these programs, called crypto or encryption ransomware, started using advanced algorithms to encrypt infected files, requiring victims to purchase a decryption key from the attackers. Later, in 2011, there was a rise in so-called “locker ransomware,” where a victim’s computer was locked on a startup screen until the ransom was paid. Sometimes these attacks took on an almost psychological element; they’d claim to be antivirus software that would need to be enacted to clear out “found” viruses, or would show a screen with an FBI or Department of Justice symbol declaring that the user needed to pay a fine as a result of illegal activity, all in an attempt to scare the victim into paying.

Between 2011 and 2016 the number of ransomware attacks grew steadily, with incremental evolutions in sophistication and scale. That all changed in 2017.

Last year the volume of ransomware exploded. There were 4.3 times more ransomware variants in 2017 than in 2016. Ransomware infected at least 15 percent of businesses in the top 10 industry sectors; 75 percent of those infected went at least two days without access to their systems; nearly a third went five days or more without access. Even the average ransom got bigger in 2017, growing to more than $1,000 from just $294 in 2015.

But it was three specific attacks that decisively changed the cybersecurity landscape.

In mid-2017, the WannaCry ransomware attack spread around the world in just four days, encrypting computers everywhere from the National Health Service in the United Kingdom to a Honda plant in Japan. The scale of the attack was enormous. Experts estimate that it caused upwards of $4 billion in damage, even though the actual ransom paid totaled only about $140,000 in Bitcoin.

Unlike previous ransomware attacks, which were thought to be perpetrated by criminals and thieves, the U.S. and U.K. attributed WannaCry to a state actor, North Korea. With that attribution, we know that new ransomware is being developed not just by entrepreneurial groups of hackers, but with the full scope of resources and talent available to a state.

Which brings us to the NotPetya attack. Like WannaCry, NotPetya was a state-sponsored malware attack, which the White House attributes to the Russian military. It was unique for several reasons.

First, it was more sophisticated than WannaCry. It was designed to gain administrator access to a system, which allowed the malware to move freely, encrypting systems as it went.

Second, while hackers demanded Bitcoin as a ransom, the program turned out to be a “wiper” virus masquerading as ransomware. The victims who ponied up didn’t get their files decrypted. Instead, all encrypted files were destroyed.

Finally, NotPetya’s scale was enormous. The White House called it “the most destructive and costly cyberattack in history.” NotPetya’s indiscriminate destructiveness was visited upon businesses and individuals, as well as governments.

Lastly, while it did not have the reach of the NotPetya attack, there was a SamSam attack in March 2018 on Atlanta which revealed the vulnerability of communities that may not see themselves as targets. The SamSam hackers are notorious for choosing targets that will pay large ransoms, in this case $51,000 in Bitcoin. Worst of all, the hackers relied on guessing weak passwords to get into a system.

The Atlanta attack also showed how insecure systems and poor cyber hygiene at the state and local level can create tension regarding national security objectives. The Atlanta government wanted it’s data back, but the federal government had a good reason for wanting Atlanta not to pay the ransom: paying would teach hackers that targeting local governments works.

Ultimately Atlanta did not pay, but that decision required a great deal of fortitude. For weeks, its citizens couldn’t access online services. Paying for decryption almost surely would have been less costly than the days of lost work and the effort required to restore the city’s systems. Yet choosing not to pay probably reduced potential future costs of ransomware for local, state, and federal governments.

When all is said and done, global ransomware attacks cost individuals and businesses $5 billion last year an increase of 400 percent from 2016. There is every reason to suspect this growth trend will continue.

Click here to review source content.