Ransomware once again posed a major threat in 2017, as cyber criminals continued to demonstrate just how effective a tool it is to make money. But 2017 also saw ransomware evolve, as malicious actors combined ransomware with self-propagating worms with the intent to damage data and systems instead of just seeking ransom demands. This new combination resulted in alarming new malware, like WannaCry and NotPetya, which caused widespread collateral damage across multiple countries. In just a few months, ransomware entered the public consciousness like never before.

These changes require us to rethink how we protect our systems against ransomware. Many ransomware attacks will remain fairly low-level, targeting small businesses and individuals for relatively small amounts of money. We also expect criminals to continue to target larger organizations, such as regional or national hospital chains, using an attack pattern that has remained fairly similar: send a phishing email, get someone to click on the embedded link, drop the malware, encrypt a chunk of data across the organization’s network, and demand a ransom.

But WannaCry and NotPetya hint at a future where ransomware techniques will be used not just for low-level extortion, but as a technique for broader operational disruption. Instead of focusing almost exclusively on data, criminals may begin holding our devices, processes, and IT resources hostage, and the consequences could be far more severe. In short, the ransomware threat is poised to grow much worse before it gets better. In order to combat it, cybersecurity leaders, companies, and private citizens alike must shift their view of what ransomware can do and who will be targeted.

IoT Will Breed New Targets for Ransomware
Imagine receiving a cryptic message on your computer screen alerting you that your insulin pump has been hacked. It informs you that some anonymous entity whom you will never meet has shut off this life-saving medical device and will not turn it back on until you pay them $8,000 in cryptocurrency. Or, consider a building management company receiving a note that none of the elevators will function again until a ransom is paid. The rapid deployment of the “Internet of Things” (IoT) will expand ransomware targets from individuals, small businesses, and organizations storing lots of data to manufacturers, public utilities, and government agencies that operate internet-dependent processes. Instead of threatening to encrypt company data, attackers will threaten to turn off electricity, water, machinery, or other critical processes unless a ransom is paid. We have already seen this type of attack. In 2017, the electronic key system of an Austrian hotel was the target of ransomware, and hotel guests were locked out of their rooms until the hotel paid the ransom. Ransomware has already evolved from a nuisance to an organizational threat; now it can evolve into a systemic problem with the potential for wide-scale impact and for collateral damage.

Preparing for the Evolution of Ransomware
What will happen if this situation becomes the new normal? First and foremost, system owners should always ask themselves whether an IoT device really needs to be connected to the internet. After answering that question, the best defense against ransomware is for individuals and organizations to ensure that they are quickly and routinely patching known vulnerabilities, ensure networks are segregated appropriately to protect critical systems and data, and create regular, robust backup copies of their data. Many ransomware attacks, even those such as WannaCry and NotPetya, can be stopped by patching known vulnerabilities. Segregating networks and leveraging backups can help organizations limit damage and be resilient in the event of a ransomware attack. Organizations should also have a plan in place to respond to all types of ransomware and routinely exercise that plan. However, it’s virtually impossible to prevent all ransomware from showing up in your system — there’s always at least one person who will click on a phishing link. If ransomware starts locking up processes, then a strategy predicated on “accepting” the malicious action and re-starting from backup data may not be acceptable. Organizations want to prevent the process or activity from being stopped in the first place. Given this requirement, how can we improve our defenses against this threat?

As a community, we can take three key steps beyond the basic actions discussed above. First, manufacturers need to improve the security of IoT devices, starting from the way they are designed. In particular, new principles will be needed to guide the design process, so that manufacturers incorporate security in the design phase, ensure that vulnerability management procedures are in place, and ensure that security updates are automatically pushed to devices. Manufacturers will need to reduce the number of extraneous features — the fewer features you have, the harder it is to exploit a technology. Manufacturers should also develop ways to make “smart” IoT devices “smarter.” For example, devices should recognize when they are operating outside of normal parameters and notify their owners and the manufacturers of a potential problem. Second, the cybersecurity industry will need to find ways to help a company rapidly reset major functions, like utilities and processes, when they are subject to a ransomware attack, which will have the added benefit of making them more resilient to cyber attacks in general. Third, companies will need to segregate their back-up IT systems for critical processes or functions (or ensure that they have back-up systems) so that a ransomware attack cannot lock those up too.

The Time is Now for an International Discussion
Beyond these steps, there is a broader need for international discussion about preventing, detecting, and responding to ransomware as it evolves past the traditional threat of locking up data. We need to figure out how to best incentivize manufacturers to improve the security of IoT devices globally, since those markets are global. The cybersecurity community needs to prioritize sharing information about these kinds of threats and ensure that defenses are propagated rapidly; business sectors need to share information about these threats, why they are important to address, and the best practices for dealing with them. We should also consider whether to treat malicious activity that disrupts a critical process or function as a more serious crime than the encryption of data. These potential threats need to be taken seriously, which necessitates expanding our view of what ransomware can do and who it will threaten.  
