Hijacking Made Easy: Ransomware, Bitcoin, the Dark Web, and Intellectual Property Theft

Posted by John Linkous

The FBI may have shut down CryptoLocker last year, but researchers report that new variants of CryptoLocker have already started infecting users, and other ransomware families continue to make their way into corporate networks. Unlike stealthier malware focused on committing intellectual property theft without being seen, CryptoWall and its malware brethren flaunt their presence right in your face. Ransomware encrypts data using public-key cryptography with strong ciphers and huge key lengths, and it boldly announces the crime by demanding payment to unlock the user’s information. As far as attacks on the Internet go, ransomware is one of the most brazen, and the number of victims is growing.

Ransomware is a different type of intellectual property theft. It may not operate in the traditional sense, where an attacker worms its way into the network to capture an organization's intellectual property (IP), but it achieves the same effect: eliminating the IP's value for its owner. Victims are left with few options. They can pay the ransom (typically a few hundred dollars to start, with escalating demands if the victim doesn't pay quickly enough), but there's no guarantee that the criminal will provide the private key needed to decrypt the data. Another option is to restore data from backups—assuming, of course, that timely backups are available and weren’t corrupted by the malware. The costs of dealing with ransomware—which include removing the malware from the environment, conducting a root cause analysis to identify how it got in, and implementing measures to prevent it in the future—can be astronomical, especially when compared to other malware.

The new generation of CryptoLocker relies on the same tools digital advocates use to safeguard their privacy, including the Tor network, I2P, and Bitcoin. Earlier versions of CryptoLocker used Tor, and various ransomware families rely on the Bitcoin virtual currency and its associated payment network to anonymously collect money from victims.

Tor and I2P are not the only "dark web" anonymizing networks out there, nor is Bitcoin the only digital currency. Ransomware developers could have (and very likely would have) selected other technologies as vehicles to facilitate their crime, but like any good criminal, they selected the methods that would allow them to cast the widest net.

The fact that ransomware takes advantage of technologies such as Tor, I2P, and Bitcoin does not mean we shouldn’t use these technologies, or that they are “bad.” The fact is, anonymity for both web access and digital payment has many legitimate uses. Blaming these technologies for the sins of ransomware is irrational, much like blaming a car manufacturer for people who speed in their vehicles. But that doesn't negate the fact that these technologies are used in tandem to make the lives of these criminals easier. In the past, criminal enterprises instructed victims to conduct wire transfers to foreign nations or to fund prepaid debit cards to make payments—virtual currency has made payment collection much easier.

Solving the growing ransomware problem is not easy, though there are some common-sense steps that both individuals and organizations can take to minimize the risk. A large part of security is doing the fundamentals correctly, and mitigating ransomware is no exception. Ensuring that malware detection exists both at the endpoints on the network—including desktop and laptop clients, tablets, mobile devices, and even servers—and at the network perimeter through intrusion detection and prevention (IDS/IPS) technologies is the first place to start.
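Endpoint detection can complement signature-based tools with a simple behavioural check: a document that has been replaced by ciphertext looks like random bytes, so its Shannon entropy approaches 8 bits per byte, far above ordinary text. The following is an added example, not code from the original post or from any product; it constructs a temporary directory with one plaintext file and one file overwritten with random bytes, and the entropy threshold of 7.5 is an illustrative assumption.

```python
"""Entropy-based scan for files that appear to have been replaced by ciphertext.

Added example for this post; not part of the original article.
Assumption: a threshold of 7.5 bits/byte separates text-like data from
random-looking data. Compressed or already-encrypted formats (zip, docx,
jpeg, archives) will also score high, so the output is a lead for a human
or a correlation rule, not a verdict on its own.
"""
import math
import os
import tempfile
from collections import Counter

HIGH_ENTROPY_THRESHOLD = 7.5  # bits per byte; illustrative assumption


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input, 8.0 max)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_tree(root: str, threshold: float = HIGH_ENTROPY_THRESHOLD,
              sample_bytes: int = 65536) -> list:
    """Walk root and return sorted (path, entropy) pairs for files at or above threshold.

    Only the first sample_bytes of each file are read, which keeps the scan cheap
    on large trees; files that cannot be opened are skipped rather than aborting.
    """
    flagged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(sample_bytes)
            except OSError:
                continue
            if data and shannon_entropy(data) >= threshold:
                flagged.append((path, round(shannon_entropy(data), 2)))
    return sorted(flagged)


def demo_entropy_scan() -> dict:
    """Constructed sample: one plaintext note and one file overwritten with random bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        plain = os.path.join(tmp, "notes.txt")
        with open(plain, "w") as fh:
            fh.write("Meeting notes: follow up on the budget review. " * 300)
        # Stand-in for a document a payload has rewritten as ciphertext (constructed).
        rewritten = os.path.join(tmp, "notes_backup.txt")
        with open(rewritten, "wb") as fh:
            fh.write(os.urandom(32768))
        results = scan_tree(tmp)
        return {
            "scanned": 2,
            "flagged": [os.path.basename(p) for p, _ in results],
        }


if __name__ == "__main__":
    print(demo_entropy_scan())
```

In practice this check is most useful when combined with rate: a handful of high-entropy files is normal on any file server, but hundreds of previously low-entropy documents crossing the threshold within minutes, from one user's session, is the pattern worth alerting on.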

It's also important to remember that ransomware depends on an unsuspecting user launching the payload, and that the payload then runs within the context of that user. It's critical to ensure that the principle of least privilege is implemented, especially in corporate network environments. Users should not have local administrative privileges on their workstations, and just like a good firewall rule, their access to network resources should default to "deny all" unless they absolutely need access to the data. It is also important to evaluate the need to read data separately from the need to write it. Without the ability to modify data, ransomware would not be able to replace the data with an encrypted version.
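One way to make the read-versus-write point measurable is to audit how much of a tree a payload running as a given user could actually overwrite. The following is an added example, not code from the original post; it approximates effective write access from POSIX mode bits (ACLs, SMB share permissions and root privileges are not modelled, which is an assumption to keep in mind when reading its numbers) and runs over a constructed temporary directory.

```python
"""Write-exposure audit: what fraction of a tree could be overwritten by a process
running with ordinary user rights?

Added example for this post; not part of the original article.
Assumption: POSIX mode bits approximate effective access. Real environments
need the platform ACL (Windows DACLs, SMB share permissions) consulted instead.
"""
import os
import stat
import tempfile


def is_writable_by_mode(path: str) -> bool:
    """True if any write bit (owner, group or other) is set on the file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


def write_exposure(root: str) -> dict:
    """Classify regular files under root as writable or read-only and compute exposure."""
    writable, read_only = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue
            rel = os.path.relpath(path, root)
            (writable if is_writable_by_mode(path) else read_only).append(rel)
    total = len(writable) + len(read_only)
    return {
        "writable": sorted(writable),
        "read_only": sorted(read_only),
        "exposure_pct": round(100.0 * len(writable) / total, 1) if total else 0.0,
    }


def demo_write_exposure() -> dict:
    """Constructed sample: one working draft left writable, two archived files read-only."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "drafts"))
        os.makedirs(os.path.join(tmp, "archive"))
        files = {
            os.path.join(tmp, "drafts", "todo.txt"): 0o644,      # user needs to edit this
            os.path.join(tmp, "archive", "policy.txt"): 0o444,   # read access is enough
            os.path.join(tmp, "archive", "contract.txt"): 0o444,
        }
        for path, mode in files.items():
            with open(path, "w") as fh:
                fh.write("constructed sample content\n")
            os.chmod(path, mode)
        result = write_exposure(tmp)
        # Restore write bits so the temporary directory cleans up on every platform.
        for path in files:
            os.chmod(path, 0o644)
        return result


if __name__ == "__main__":
    print(demo_write_exposure())
```

Run against a real home directory or a mapped share, the exposure percentage is the share of data a single careless click could cost; driving it down by granting read-only access wherever write is not needed is the least-privilege step the paragraph above describes.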

We will never stamp out malware entirely. There will always be vulnerabilities—sometimes in the form of technology, other times in the form of people—that will let ransomware slip through the cracks. The goal of any organization or individual cannot be to make the problem go away, but rather to minimize the impact when they are eventually hit.

John Linkous, Technology Advisor

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
