The ransomware consumer market might be lucrative, but why charge the masses pitifully small sums of money to get their data back when you could be gaining a major cash cow from hitting a business or private hospital?
Rather than spend huge amounts of time stalking and hacking large corporations to steal data and then trying to sell it on underground markets on the Dark Web, a hacker looking to make a quick profit finds ransomware a godsend: it is far more lucrative than other cybercriminal enterprises, Cisco's Talos warned at the Infosecurity Europe 2016 conference in London.
"Ransomware is a far more efficient way of stealing data. It's taking kidnap and moving it into the 21st century, by taking something incredibly valuable to a user that has zero resale value on the Dark Web like my PowerPoint presentation for Infosec. If you encrypted it on the morning that I'm about to present it and said I wouldn't get it back unless I paid you money, I'd be likely to as it is something incredibly useful to me," Martin Lee, technical lead of Cisco's Talos Security Intelligence and Research Group, tells IBTimes UK.
"Of course, you shouldn't pay, but as a victim, that temptation is always there. It's that temptation and that change to the cybercrime model which is leading to this evolution in ransomware."
Surprisingly, Lee says that ransomware isn't even a new trick; it's just one that wasn't often used until its revival in 2012 in hacker exploit kits. In fact, the very first ransomware was the AIDS Trojan, which was spread in December 1989 via diskette, hiding directories and encrypting the names of all files on the computer's hard drive to render the PC unusable.
The victim could only get their computer to work again by posting a bank draft for $189 – which today would be equivalent to $370 (£254) – to a PO box in Panama to pay for the "software lease".
Why ask for one bitcoin when you can ask for much, much more?
What is ransomware?
Ransomware is a type of malware that holds a large collection of data hostage on a victim's computer, including important documents, photos and videos. Once installed, it encrypts the files and displays a ransom note explaining that they will be destroyed unless the victim pays a bitcoin ransom to the hackers.
The latest incarnations of ransomware are so meticulously coded, with strong cryptography, that it is difficult to find a way around them, so many companies and victims prefer to pay up rather than lose valuable files. The international cybersecurity community is constantly developing ways to recover encrypted files without paying, and generally advises victims not to pay.
Prior to 2016, ransomware solely targeted individual consumers and the ransom amount would rarely ever go over one bitcoin (£400, $588), as it had to be affordable for victims to pay up, rather than cutting their losses, sacrificing their data and doing a factory reset on their PC.
But now, the consumer business model has worked out so well that cybercriminals are dreaming even bigger. Forget about infecting one computer – why not hijack multiple machines and then offer a bulk discount price?
In fact, a recent report by security firm Flashpoint found that in Russia, hackers that organise campaigns as well as hire affiliates to distribute ransomware samples make an average "salary" of about $90,000 per year.
"Previously, almost all ransomware was going against endpoint devices like laptops, and then in February we saw Locky, which had a version that attacks websites, and then since April now we have Samsam, which is currently going against servers at hospitals in the US," says Lee.
"For the bad guys, what that means is that if they identify and encrypt the key servers within an organisation, it brings the organisation to a halt. You cannot run a hospital if all the patients' data is encrypted. We're seeing that organisations are more at risk as they have deeper pockets than end users."
No computer is safe — you've been warned
Largest ransoms paid to hackers so far:
- 45 bitcoins ($26,000, £18,000) to decrypt systems on web application servers at Union Memorial Hospital, Baltimore, that were hijacked by Samsam
- 40 bitcoins ($17,000, £12,000) to decrypt files at Hollywood Presbyterian Medical Center, after a five-day stand-off in which the hospital refused to pay the hackers' initial demand of $3.4m
Samsam exploits a JBoss security vulnerability from 2010, using it to attack unpatched servers and encrypt entire networks. Talos found 3.2 million internet-connected machines worldwide that are currently at risk, including 2,100 computers that had already been compromised and had a backdoor installed, lying in wait until the attackers one day decide to use it.
Talos says that Samsam's creators have raised the price for each infected machine from 1.0 bitcoin, to 1.5, and now to 1.7 bitcoins, which works out to a huge amount of money even if fewer than 100 PCs are encrypted.
"What we've seen is quite significant and is showing us the way ransomware is going to develop over the next couple of years. But the key thing is that this is an attack that can be very easily mitigated against – simply by backing up data. It's a fundamental part of keeping data safe," Lee advises.
"Ransomware is the same as any other network-based attack, it's important to filter as much information around the perimeter about incoming connections in order to keep malware out. Make sure your computers are up to date and patched.
"Have anti-virus running on your servers, keep them fully patched so you can make life as difficult as possible for the bad guys. And have a plan in place and an idea of who you would call on if the worst did happen to your organisation."
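Backups only mitigate an attack like this if they are complete and were taken before the files were encrypted, so the advice above is easiest to act on when restores are checked rather than assumed. The following is an added example, not code from the article or from Talos: a Python script that records a SHA-256 manifest of a source directory and then verifies a backup copy against it, reporting files that are missing, files whose contents no longer match, and files the backup contains that the manifest does not. The directory layout and file contents are constructed purely for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large documents do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_backup(manifest: dict, backup_root: Path) -> dict:
    """Compare a backup tree against a manifest taken from the source.

    A file whose digest differs from the manifest is exactly what a backup
    overwritten with encrypted content would look like; a missing file is a
    backup that cannot restore everything.
    """
    found = build_manifest(backup_root)
    return {
        "missing": sorted(k for k in manifest if k not in found),
        "mismatched": sorted(k for k in manifest if k in found and found[k] != manifest[k]),
        "extra": sorted(k for k in found if k not in manifest),
    }


def backup_is_restorable(report: dict) -> bool:
    """True only when every manifest entry is present with matching content."""
    return not report["missing"] and not report["mismatched"]


def demo() -> dict:
    """Constructed scenario: a source tree, an intact backup, and a backup in
    which one file's content was replaced and another file was deleted."""
    work = Path(tempfile.mkdtemp())
    try:
        src = work / "src"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "talk.pptx").write_bytes(b"slides for the conference")
        (src / "notes.txt").write_bytes(b"quarterly figures")
        manifest = build_manifest(src)  # taken while the data is known-good

        good = work / "backup_good"
        shutil.copytree(src, good)

        bad = work / "backup_bad"
        shutil.copytree(src, bad)
        (bad / "docs" / "talk.pptx").write_bytes(b"\x8f\x12\x00unreadable")  # content replaced
        (bad / "notes.txt").unlink()  # file lost from the backup

        return {
            "good": verify_backup(manifest, good),
            "bad": verify_backup(manifest, bad),
        }
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, "restorable" if backup_is_restorable(report) else "NOT restorable", report)
```

The manifest is only useful if it is stored somewhere the production host cannot overwrite, and the same goes for the backup itself; a copy that an attacker on the server can reach and encrypt is not a safety net. Running the verification on a schedule, and on a real restore into a scratch location, turns "we have backups" into something that can be checked before it is needed.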