Present and future ransomware tactics model the past

Ransomware expert Andrew Hay has some advice: If you want to know how to avoid it now and in the future, it helps to study the past.

In that spirit, Hay, cofounder and CTO at LEO Cyber Security, provided a detailed historical landscape of K&R (kidnap and ransom) in his talk titled "The Not-so-Probable Future of Ransomware" at SOURCE Boston 2017 on Wednesday.

While ransomware holds information rather than people hostage, Hay said the evolution of tactics in the online world, "parallel traditional extortion rackets."

He noted that it dates at least back to biblical times - one version of it was the "kidnapping" of Hebrews to Babylon so they could be enslaved.

But, as is the case today, those who engaged in K&R balanced risk with reward. There was more risk, but much greater reward in kidnapping someone rich or famous, since their families would have plenty of money to pay ransoms.

It was done in some cases to finance wars and conquests. In others, it was done in the name of religion - if the victim converted, he or she would be set free. In others, an exchange of hostages was seen as a guarantee of treaties and agreements.

In more recent times, Hay said, it has been used by terrorists and criminal organizations to make political statements or to raise money for their causes.

And while, since the 1800s, governments have tried to discourage K&R by freezing the assets of victims and prescribing harsh punishments, including death, for those convicted of it, in many cases it had little effect.

In the 1980s there were as many as 4,000 kidnappings a year in Columbia. Hay said in 2004, Mexico was the "kidnap capital of the world - no one was immune and there was no trust in the authorities."

In Brazil, it became popular to kidnap family members of soccer stars, since the criminals knew they had very deep pockets. "It still has one of the highest rates in the world," he said.

And in Nigeria, Western oil executives were nicknamed "white gold," since kidnapping them could yield such massive ransoms.

When it comes to ransomware, the tactics are similar. The cases most people hear about involve a notice on a computer that files have been encrypted and will be destroyed if a ransom is not paid within a certain time.

But there are variations that parallel those in the real world. In some cases, the criminals offer to decrypt the files if the victim assists them in infecting two other people. Or, a victim will be given some advance warning - threatened with encryption if he doesn't pay.

"You can negotiate," Hay said, comparing it to cutting a deal with a collection company. "If you ask, 'What will it take to make this go away today?' you can end up paying less."

But, an outright refusal (which is recommended by many in law enforcement) increases the likelihood that your data won't "survive."

"It's very hard to figure out decryption keys," he said.

So, as is the case in the physical world, preparation is key.

"You need preventative tools, detection tools, restorative tools, crypto currency stockpile, a business risk assessment, cyber insurance, education and table-top exercises," he said.

He added that he knows maintaining a supply of crypto currency is controversial, but said it is simply dealing with reality. "If you don't have a Bitcoin supply, then you should at least know a broker," he said.