The saying “Prediction is very difficult, especially if it’s about the future” is an amusing Danish proverb. But predicting the future of the internet that uses sensitive and personal information as its fuel is less amusing. One dystopic prediction is an Internet of Ransomed Things full of hijacked smart devices. I previously wrote about how organizations are under siege by the explosion of ransomware. Ransomware has been retooled to not only attack individuals, but organizations and enterprises, as well. As we saw this year with WannaCry and NotPetya, both were designed to worm and spread throughout networks to encrypt and destroy data. I’m afraid that’s just the tip of the iceberg, unless we change the fundamental way we approach security.
Is it really that hard to predict the future? No, not if the past repeats itself. Edmund Burke stated that “those who don’t know history are doomed to repeat it.” Let’s look at history and predict Tomorrow’s Internet by looking at the parallels between the cyber world and the kinetic world. And there is a certain period in history that is repeating — The Viking Age.
The Viking Age
From the Ninth to the 12th century, Norsemen from Denmark, Sweden, and Norway went Viking — they left their homes to seek a fortune as pirates. Going on an expedition — “fara í Viking” was a way of life — every spring when the warming sun returned and melted away the snow, Vikings looted and pillaged their way around the European continent. Using their shallow-bottom longboats to move swiftly over rivers, tributaries, and open ocean, they excelled at exploring, raiding, trading, and settling in Europe and even North America. Cities in Ireland, Scotland, England, Wales, France, Iceland, Greenland, Vinland, Ukraine, Russia, and the Middle East — among others — have Viking heritage or were raided, sieged, and sacked.
Besides being pirates, mercenaries, and slavers — Vikings also employed the tactic of ransoming — demanding tribute from cities they sacked. The First Siege of Paris is a prime example. On March 29, 845, led by Ragnar Lodbrok, one hundred and twenty Viking ships carrying five thousand warriors occupied and plundered Paris. King Charles the Bald paid a ransom of seven thousand livres — the first of thirteen payments of Dane-geld to the Vikings by the Franks. The Vikings attacked Paris three more times in the 860s. In 864, fortifications and bridges were built to block the Vikings sailing up the Seine. While eventually reaching Paris, the siege was repulsed and scattered by the imperial army — the Vikings managed to only gain seven hundred livres for their effort. The appeasement of the Vikings served as inspiration for Rudyard Kipling’s poem Dane-Geld.
And that is called paying the Dane-geld;
But we’ve proved it again and again,
That if once you have paid him the Dane-geld
You never get rid of the Dane.
The digital Viking Age
Raids and sieges that took months and years of preparation, are now executed in a matter of hours and days from virtual encampments within the safety of “bulletproof hosting providers” in countries where policies are lax, search warrants are not honored, or extradition agreements are not in place. Bulletproof providers, compromised IT servers, and more recently, cloud hosting providers house the command and control servers, exploit kits, data stashes, and dark net markets — the weapons and spoils of a cyber war. A war that is waged campaign by campaign, in large part by criminal organizations driven by financial gain. From their bases, digital Vikings build their siege engines and launch their attacks, which they adapt, as needed. For example, the plague of Pharma spam used the same botnets as ransomware is using today.
Ransomware is a weapon that has evolved over three decades, gaining more capabilities — it’s become easier to spread, better at encryption, and more creative at monetizing attacks. The dozens of variants use different encryption algorithms and exploits to deliver the payload. However, modern ransomware is mostly spread the same way — targeted or spam emails with malicious attachments or links to infected web sites.
It started off as Scareware —malware that threatened to contact the “Cyber Police” with the victim’s IP address, embarrassing browser history, or webcam photo unless payment was made. Others demanded purchase of fake antivirus software. This was followed by ransomware that locked PCs, encrypted the Master Boot Record, or specific file types. More recently “Ransomware as a Service” has lowered the bar — for a cut of the profits, the platform allows the buyer to customize the message, payload, and payment address. And as devices proliferate, the attack surface expands as well. Last year, White hat hackers made the first proof-of-concept for malware that locked a smart thermostat and demanded a ransom. Mobile ransomware is also seeing tremendous growth — mostly via fake mobile video apps that lock the device. Rooted and jailbroken devices are the most susceptible.
Ransoms aren’t limited to ransomware. A more traditional attack involves penetrating a victim’s network, capturing sensitive data, and holding it for ransom with threat of doxxing personal info or leaking intellectual property. These types of attacks usually forgo the middle man and demand direct payment. Ransoms also include distributed denial of service attacks — harnessing tens and hundreds of thousands of compromised Internet facing devices to overwhelm the target’s infrastructure — as we saw when the Mirai botnet attempted to take down the Internet. Another more recent method involves hijacking resources on an endpoint or network device for crypto mining — bitcoin, the preferred currency of ransomware and the dark web.
Bitcoin: The new Dane-geld
Alongside Ransomware as a Service, bitcoin has fueled ransomware’s explosive rise. As the equivalent of digital gold or as some call it the “Internet of Money,” it acts like an open but almost anonymous ledger for financial transactions. Bitcoin is the first peer-to-peer electronic cash system using the decentralized and distributed database known as a blockchain. There are traditional use cases that crypto currencies like bitcoin are disrupting — perfectly legitimate and legal such as retail, investing, banking, and remittances. But these are just scratching the surface of the blockchain. The potential lies with more digital applications. Consider:
- Machine-to-machine payments — SaaS- and Cloud-based systems can leverage API to purchase additional resources as required
- Payment system for IoT — Devices using sensors which, based on environmental conditions, will trigger a workflow
- Micro-payments — to replace advertisements for Web browsing. A fee model where you pay by the word
The current reality is that bitcoin facilitates the vast majority of ransomware payments replacing MoneyPak and WebMoney. In fact, Citrix conducted a survey that found that organizations are stockpiling bitcoins in anticipation of attacks. Earlier this year, an alleged administrator for the Russian cryptocurrency exchange BTC-E was arrested on charges of money laundering $4 Billion. The exchange was fined $110 Million for facilitating transactions involving ransomware. Researchers also presented a report at Black Hat 2017 that 95% of the traced ransoms were cashed out via BTC-E.
But as notorious as Bitcoin has become, its power lies in the blockchain. Proponents say that blockchain can secure the internet by providing an immutable and decentralized platform for tracking assets and contracts. Can the blockchain be the future of the internet? Using blockchain, IBM is transforming Inventory management. “Blockchain offers a shared ledger that is updated and validated in real time with each network participant. It enables equal visibility of activities and reveals where an asset is at any point in time, who owns it and what condition it’s in.” Another prime opportunity in the light of continuous breaches are Social Security Numbers.” As stated in the article, “The issue we have today is that a Social Security number is kept as a secret to authenticate access and identity. We need to be moving away from that and add biometrics on top of that or the equivalent of a private wallet with blockchain.” Blockchain also has promise in healthcare and artificial intelligence. The Centers for Disease Control and Prevention (CDC) is investigating how they might use the blockchain to share medical data between organizations across the United States.
Defense and Fortifications
To Pay or not to Pay? It may actually be an easy decision — and the only viable option if caught unprepared. But paying the ransom incurs a cost; it rewards criminal activity and strengthens the incentive for such attacks throughout the industry. Additionally, as with WannaCry and NotPetya, there is no guarantee of recovery — “boneidleware” and “leakerware” are malware disguised as ransomware but designed to destroy or steal data with no recourse.
How should individuals and organizations fortify themselves to avoid becoming part of the “Internet of Ransomed Things?”
Just like in traditional warfare, cyber warfare requires preparations to reduce the attack surface, protect against vulnerabilities, and contain the blast radius. It requires a new security architecture built from the ground up to protect the apps and data being targeted. But, the most important and likely easiest defense against ransomware is to negate the ransom by having up-to-date (and tested) backups. Even as new and creative methods of ransoming, hijacking, and extorting are being devised, there are a few additional steps that will help:
In the end, we depend on an Internet that is connected via smart devices that are susceptible to being hijacked and our data ransomed. We must prepare and fortify ourselves against the “digital Vikings” so that paying the ransom is not our only option.
Author: Florin Lazurca