How to Fight Ransomware

Phill Hallam-Baker
Jun 7, 2021 · 15 min read

Abstract

This article is written for policy makers and advisors seeking answers to the question what should government do to address ransomware.

Ransomware is a national security concern and thus a government concern. While there are some steps that individual actors can take by themselves, the private sector has understood the importance of the ransomware threat for more than six years and has done little to nothing to change behavior to address it. If change is to happen, action by the private sector must be led by appropriate government interventions.

Photo: Colonial Pipeline Co, a victim of a ransomware attack

Ransomware is not a completely new phenomenon; the genre is generally held to have been invented by Joseph L. Popp in 1989. His PC Cyborg malware encrypted files on the victim’s computer and demanded that $189 be paid to a bank account in Panama for their release.

Until BitCoin arrived on the scene, ransomware remained a real but rare attack. Ransomware trojans were easy to write, but collecting payment was hard, and it was the rare computer crime that presented an unambiguously serious threat that was easily understood. While a Panamanian bank account no doubt seemed unimaginably remote to Popp, it certainly did not to the Panamanian police. Ransomware attacks therefore presented a high risk of being caught with a low probability of collecting a reward.

The arrival of anonymous digital cash transformed the profitability of ransomware, but this transformation was not widely recognized until the Ashley Madison breach set a large number of computer criminals thinking about how to continue to make extortion pay by finding new targets. The Ashley Madison breach was very much one of a kind. The site presents itself as a dating service for ‘cheaters’ and its customers are almost exclusively males seeking an affair. In August 2015, a group calling itself ‘The Impact Team’ published 60 GB of customer data including the names and addresses of many of the customers. Within a few days of the database being dumped, extortion letters demanding payment of a ransom in BitCoin began appearing in the inboxes of former customers.

Extorting Ashley Madison customers seeking extra-marital affairs was a very profitable business for many until the spam filters caught up and the targets caught on to the fact that their adultery was already public knowledge and that this was how they were being targeted. As profits from extorting Ashley Madison customers dwindled, ransomware was the obvious means of establishing a new market.

In 2016 ransomware moved from being a theoretical but rare threat to the main concern for anti-malware products focused on the consumer. Enterprise security professionals knew that their systems would now be far behind. In 2017, the WannaCry worm crippled the UK NHS, disabling tens of thousands of machines providing patient care.

One of the factors that made WannaCry so damaging to the NHS was that it affected the embedded operating systems built into most modern diagnostic equipment. And here a culture clash is seen: while IT specialists consider a machine running a 10-year-old operating system to be hopelessly obsolete, hospital administrators are likely to expect a diagnostic device costing several million dollars new to be good for a twenty or even a thirty year service life.

While presenting itself as ransomware, there is good reason to believe that WannaCry was actually a Russian cyberattack intended to target Ukrainian assets. Whether this particular attribution was correct or not, the extent of the damage caused by WannaCry proved that ransomware was a national security concern. Instead of rallying the administration to take action, the usual platitudes about keeping software systems up to date were trotted out. The fact that this advice was actually impossible to follow in the case of the diagnostic equipment was conveniently ignored.

Instead of taking the issue seriously in 2017, when the WannaCry attack demonstrated that ransomware is a national security concern, the problem was ignored until the Colonial Pipeline attack proved that ignoring the problem was not going to make it go away.

Today’s news that the Department of Justice was able to recover the BitCoin ransom paid to the attackers applies an important lesson learned in the fight against the use of phishing to perpetrate bank fraud: denying the perpetrators the profits of their attacks goes a long way to reducing the incentive to repeat them. But much more has to be done if the threat to national security is to be considered sufficiently mitigated.

What Governments should do

First note that the title of this article is how to fight ransomware, not how to eliminate it, nor how to identify and prosecute the perpetrators. All of these would be worthwhile objectives if we knew how to achieve them. But at this point we do not. Russian officials are not going to prosecute criminals who are paying them protection money.

There are four main approaches that can be taken to mitigate ransomware attacks.

  1. Mitigate malware distribution
  2. Mitigate malware installation
  3. Enable rapid recovery
  4. Disrupt payments

These should not be considered alternatives; all four should be pursued by the authorities. But only the first three are approaches that can be applied by potential targets for self-protection, so we will look at those first.

Mitigate malware infections

With rare exceptions, enterprise malware infections begin with malware being installed as a result of an employee clicking on a link in an email message.

The first step on the path to sanity is to recognize that this is not the fault of the employee; it is the fault of the enterprise that provides a defective email messaging system.

If a user error can result in the delivery of petroleum products being halted for over a week, that is not the fault of the user, it is the fault of the enterprise whose incompetent IT infrastructure put disaster only a click away. Do not go on witch hunts to find the user responsible, do not persecute them. View those blaming the user as attempting to absolve themselves of blame.

When Edward Murphy proposed his eponymous law, that if anything can go wrong it will, he intended it to be used as a general cautionary principle in the design of complex systems. Applying Murphy’s law to email tells us that if clicking on an email message can cause disaster, someone, somewhere is going to make the mistake sometime. The solution therefore is to replace the current email system, whose design began in the 1970s, with a new system that does not suffer from the same critical flaws.

While the idea of changing the email protocols might seem absurdly far-fetched, there is no reason the email system used to exchange email between organizations must be the same as the one used inside the organization. Had an appropriately secure enterprise messaging system existed at the time, Colonial Pipeline could have deployed it within their enterprise for considerably less than the $4 million paid in ransom. Had there been enterprise demand for appropriately secure email systems, the industry would have been more than willing to provide them.

All it actually takes to change the email system within the enterprise is for enough people to say with enough force that change is required, and change will happen. Establishing a sufficiently secure email infrastructure as the replacement messaging system requires an open, non-proprietary standard and commitment from a much wider community. But that only presents an insuperable challenge if we are willing to consider it so.

All it would take to force the Internet world to fix the festering sore that is the legacy SMTP email infrastructure is for President Biden to state on the record that the US federal government will be transitioning to a new open infrastructure for email that is secure by default and has cryptographic security built in as standard.

The term ‘secure by default’ is key here. Development of what became SMTP email began before the security technologies required to make it secure existed. As a result, all of the security schemes developed for SMTP are optional extras and the design of those schemes is greatly constrained by the need to work within the SMTP framework. S/MIME and OpenPGP both offer end-to-end security but implementations of both are designed with the assumption that the community they serve is highly motivated to configure and use them.

If an acceptably secure email system is to be actually used, it must be zero-effort. That means that no additional effort is required on the part of the user to make the communication secure. Today, fewer than 0.03% of email users have registered credentials for an email security protocol and the proportion of email messages sent using S/MIME or OpenPGP is too small to be measured reliably. If people are going to use an acceptably secure email system, the experience must demand absolutely nothing of end users. Even asking the user to click to encrypt or sign their message is to ask an unrealistic degree of user effort.

The dirty secret of SMTP email is that anyone can impersonate anyone they like and it takes a considerable degree of expertise (and significant effort) to identify a forgery. Nor does the DKIM protocol that applies a digital signature to every email change the situation as much as some people imagine. DKIM is a lightweight security scheme designed to authenticate the email host sending an email for the purpose of mitigating mail abuse. DKIM does not authenticate either the user or the organization sending the message.

If we had an acceptably secure email system, there would be absolutely no way that Mallet could send a message to Alice that appeared to have been sent by Bob. The technology needed to make that happen has existed for over twenty years. Deploying that technology is merely a matter of political will. That alone is not going to stop all ransomware but it will considerably reduce the attack surface that is vulnerable.

Mitigate Malware Installation

Code signing has been an integral part of the Windows and Ubuntu Linux platforms for decades. Code signing is a proven approach to mitigating all types of malware, but the existing infrastructures have been basically unchanged since their original deployment and, as with the SMTP security protocols, they are optional.

The first step towards sanity therefore is to require that all software running on the platform be signed, including development code. If this requirement is to be achieved on desktop platforms such as Windows, macOS and Linux, an inevitable corollary is that signing software must be zero effort. Instead of throwing up hurdles in the way of developers seeking code signing certificates, the use of Certificate Authority (CA) issued certificates must be considered an additional step performed prior to publishing software to be widely used. The role of a CA should always be as the optional provider of additional trust, never as gatekeeper.

The chief limitation in existing code signing techniques is that they are designed to mitigate the risk of a user installing a software package containing malicious code. Accordingly, it is (with rare exceptions) the distribution package that is signed rather than the running code. Thus the role of code signing begins and ends with the initial installation of the software. Existing code signing schemes are not designed to protect the integrity of the software after installation.

Ransomware is typically installed through a multi-step process which bypasses the platform installer code entirely. The ransomware itself is typically embedded in one or more programs legitimately installed on the host.

A minor change to the traditional code signing approach would allow it to be used to authenticate the actual code and data installed on the machine. Verifying that a machine is free of malware is thus a matter of checking that every file on the machine that contains executable code is signed. If the machine is capable of secure boot, it is possible to verify the integrity of every executable every time it is run. While this mode of operation might well be unacceptable to many consumers and to software developers, it is unlikely that it would have unduly inconvenienced the employees of Colonial Pipeline or the NHS.

Enable rapid recovery

The reason ransomware is so effective against consumer devices is that it is impossible to replace pictures of the children when they were five unless the target was prepared in advance and kept copies. The same is true of the accounts receivables database in the enterprise environment.

The best protection therefore is to keep copies of all important data and to have a means of instant recovery in case of compromise. And this is the point at which traditional enterprise data recovery systems often fail: An IT infrastructure that is designed to support recovery after failure of a single machine is hopelessly overwhelmed when every machine in the enterprise has been compromised.

When considering the ability to rapidly recover from compromise, it is useful to consider recovery of the platform and software separately from recovery of data. Recovery of the platform and software is only necessary to the extent that it is necessary to determine that the machines in question are free from compromise. In most cases, we may regard it as sufficient to boot the machine into a secure mode that forces a complete check of all firmware, system files and software installation against the expected digest values authenticated by a trustworthy digital signature. Though to be effective, such a strategy must cover all firmware on the system, including that embedded in GPUs and attached peripherals.
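The check described above and in the code signing section, as an added example that is not part of the original article: a vendor signs a manifest of expected digests for every executable, and the host refuses to trust any digest unless the manifest signature verifies, then reports files that were modified after installation or are covered by no manifest at all. The file paths, contents and the Ed25519 key generated inline are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Manifest maps an executable's path to the hex SHA-256 digest the vendor attests to.
type Manifest map[string]string

// Encode renders the manifest in canonical sorted form so signer and verifier hash identical bytes.
func (m Manifest) Encode() []byte {
	paths := make([]string, 0, len(m))
	for p := range m {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var out []byte
	for _, p := range paths {
		out = append(out, fmt.Sprintf("%s  %s\n", m[p], p)...)
	}
	return out
}

// Digest returns the hex SHA-256 of a file's contents.
func Digest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// Verify refuses to proceed unless the vendor's Ed25519 signature over the canonical manifest
// is valid, then compares every executable on the host (path -> contents) against it.
// Findings come back sorted; an empty list means the host matches the signed baseline.
func Verify(m Manifest, sig []byte, pub ed25519.PublicKey, host map[string][]byte) ([]string, error) {
	if !ed25519.Verify(pub, m.Encode(), sig) {
		return nil, fmt.Errorf("manifest signature invalid: no digest in it can be trusted")
	}
	var findings []string
	for path, content := range host {
		want, known := m[path]
		switch {
		case !known:
			findings = append(findings, "unsigned executable: "+path)
		case Digest(content) != want:
			findings = append(findings, "modified executable: "+path)
		}
	}
	sort.Strings(findings)
	return findings, nil
}

// DemoFindings runs the check over a constructed scenario: a signed two-file image, then a host
// where one file was altered after installation and an unknown binary has appeared.
func DemoFindings() ([]string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stands in for the vendor's signing key
	if err != nil {
		return nil, err
	}
	m := Manifest{"/usr/bin/scanner": Digest([]byte("scanner v1")), "/lib/driver.so": Digest([]byte("driver v1"))}
	sig := ed25519.Sign(priv, m.Encode())
	host := map[string][]byte{
		"/usr/bin/scanner": []byte("scanner v1 + implant"),   // modified in place
		"/lib/driver.so":   []byte("driver v1"),              // intact
		"/tmp/dropper":     []byte("covered by no manifest"), // unsigned
	}
	return Verify(m, sig, pub, host)
}

func main() {
	fmt.Println(DemoFindings())
}
```

A real deployment would take the manifest and signature from the vendor's published image and walk the filesystem for the host map; the public key would come from the platform's trust store rather than being generated alongside the check.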

Recovery of data is necessary because it is the data itself that is the valuable commodity and this is doubly challenging because while it is practical to run the same system software on every machine, the data is by its nature always different.

Concentrating data storage on special purpose ‘Network Attached Storage’ (NAS) devices with redundant storage media simplifies, but contrary to widespread belief does not eliminate, the need for backup. RAID controllers mitigate the consequences of drive failure but introduce another potential point of failure. And even if the RAID controller never fails, no onsite backup scheme can mitigate the risk of the site itself being destroyed.

The 3–2–1 strategy of three separate copies kept on two different media with one copy offsite remains the gold standard for data backup. Unfortunately, this strategy is not likely to be sufficient for rapid recovery from a ransomware attack.

The dirty secret of special purpose NAS devices is that they are no longer special purpose devices limited to storage. Most NAS devices sold today are designed and marketed as general purpose Linux servers that just happen to also provide file server capabilities. The problem being that while having the department file server also function as the mail server can make good sense, it certainly isn’t appropriate for a backup storage server to provide that degree of flexibility.

For purposes of rapid recovery from a ransomware attack we need an Onsite Backup Storage (OSB) device that is immune from compromise itself: a device that will faithfully maintain copies of every piece of data created and not erase anything that might be important.

Devices of this type don’t really exist today, but they could be made to exist with only a little effort on the part of the NAS providers. All they need to do to turn a NAS into an OSB is to strip out all the existing server functionality and replace it with an OSB service that accepts chunks of data and appends them to a specified append-only log. This device would then sit isolated from the main enterprise network by a specialized firewall called a data diode which allows the OSB service traffic to pass through and nothing else.
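The OSB service sketched above, as an added example that is not part of the original article: the only mutating operation is appending a chunk to a named log, each stored chunk is hash-chained to its predecessor, and a chain check run before recovery reveals the first chunk that was altered on the storage media. The log name, chunk contents and the in-memory store are constructed for the demonstration; a real device would persist the entries and serve Append over the data-diode link.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
	"sync"
)

// Entry is one chunk accepted by the OSB service, hashed together with its predecessor's hash.
type Entry struct {
	Chunk []byte
	Hash  [32]byte
}

// OSB holds named append-only logs; there is deliberately no delete, truncate or overwrite.
type OSB struct {
	mu   sync.Mutex
	logs map[string][]Entry
}

func NewOSB() *OSB { return &OSB{logs: make(map[string][]Entry)} }

// entryHash binds predecessor hash, sequence number and length-prefixed chunk contents.
func entryHash(seq int, prev [32]byte, chunk []byte) [32]byte {
	data := append(prev[:], fmt.Sprintf("%d:%d:", seq, len(chunk))...)
	return sha256.Sum256(append(data, chunk...))
}

// Append stores a copy of chunk at the end of the named log and returns its sequence number.
func (o *OSB) Append(name string, chunk []byte) (int, error) {
	if name == "" || len(chunk) == 0 {
		return 0, errors.New("reject: empty log name or empty chunk")
	}
	o.mu.Lock()
	defer o.mu.Unlock()
	log := o.logs[name]
	var prev [32]byte
	if n := len(log); n > 0 {
		prev = log[n-1].Hash
	}
	copied := append([]byte(nil), chunk...)
	o.logs[name] = append(log, Entry{Chunk: copied, Hash: entryHash(len(log), prev, copied)})
	return len(log), nil
}

// VerifyChain recomputes every hash in the named log from its predecessor and returns the
// first sequence number whose stored content no longer matches, or -1 if the log is intact.
func (o *OSB) VerifyChain(name string) int {
	o.mu.Lock()
	defer o.mu.Unlock()
	var prev [32]byte
	for i, e := range o.logs[name] {
		if entryHash(i, prev, e.Chunk) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// DemoTamper appends two constructed chunks, verifies the chain (-1), flips one byte of the
// first stored chunk as an attacker who reached the media might, and verifies again (0).
func DemoTamper() (before, after int) {
	osb := NewOSB()
	osb.Append("accounts-db", []byte("accounts 2021-06-01 full dump"))
	osb.Append("accounts-db", []byte("accounts 2021-06-02 delta"))
	before = osb.VerifyChain("accounts-db")
	osb.logs["accounts-db"][0].Chunk[0] ^= 0xff
	after = osb.VerifyChain("accounts-db")
	return before, after
}

func main() {
	fmt.Println(DemoTamper())
}
```

Because every hash commits to the one before it, an attacker who can rewrite the media has to recompute the whole chain from the altered chunk onward, which a copy of the latest hash kept off the device (or published offsite under the 3-2-1 scheme) immediately exposes.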

Disrupt payments

The fourth step in the fight against ransomware is for governments throughout the world to establish a hostile environment for crypto-currencies.

At the current time it is hard to think of a less satisfactory payment mechanism than a crypto-currency for any legitimate transaction. Sending money by Bitcoin incurs a higher transaction fee than any alternative, higher commissions than any alternative (and charged on both ends to boot) and higher exchange risk than any alternative. There is absolutely no incentive for anyone to use BitCoin to make payment for any service unless it is criminal.

The two specific features of BitCoin that make it particularly attractive for criminal use are the perceived anonymity of the payments and the fact that payments cannot be reversed on account of fraud.

To be clear, US dollar specie (i.e. bills) are on occasion used to obtain criminal services but this is only one of a wide range of uses and a very small percentage of total trade in US dollars. The overwhelming majority of crypto-currency transactions that are not merely transfers into or out of other crypto-currencies are criminal.

BitCoin is the currency of child rape. BitCoin is the currency of drug trafficking. BitCoin is the currency of ransomware. The closest thing BitCoin has found to a legitimate application is to allow the citizens of certain countries to evade exchange controls.

Stating these facts is not popular of course as this is not a story that the establishment media wants to tell. It is far more fun presenting crypto-currencies as the means by which a small number of exceptionally clever young men are becoming instant millionaires than to mention the traffic in human misery these fortunes are built on. To report on BitCoin without mentioning the drug dealing and child abuse involved is like a history book describing the booming economies of the ante-bellum cotton states without mentioning that it was all built on slavery.

The IT security field faced a similar narrative challenge in media reports of ‘hackers’ in the mid 1990s. According to the pervading establishment media narrative at the time, hackers were all fluffy bunnies whose motives were invariably pure and who invariably acted out of mischievous, never malign, motives. Those of us who suggested Kevin Mitnick deserved considerably more than the 44 months he received for 14 counts of fraud and 8 of unauthorized access, in what was his second conviction on computer offenses, were held to be traitors to the Internet cause.

The establishment media narrative suddenly changed in 2003 when the first wave of emails attempting to trick users into revealing their bank usernames and passwords started flooding into reporters’ inboxes. A similar change in reporting with respect to crypto-currencies is required. Policy makers should begin the process of effecting such change by challenging positive reporting on crypto-currencies with reports of the far more extensive criminal downside.

While BitCoin is deliberately designed to evade government regulation, the ecosystem that has grown up around crypto-currencies is not. BitCoin itself is limited to a mere 16,568 transactions an hour, a limit that was recognized as insufficient in the first year of operation and has proved impossible to change since. What was designed as a decentralized system immune from government action has become a highly centralized one in which the functions of banks in the fiat financial system are performed by exchanges in the crypto-currency system. All that is required for governments to regulate BitCoin is to regulate the exchanges.

The current booms and busts in crypto-currency prices are predicated on the ideological belief that they are destined to replace government ‘fiat’ and that nothing can stop the omnipotent power of the acolytes of Ayn Rand who are the very masters of the universe. It would not take very much effort on the part of the US government to demolish this assumption in the minds of the establishment media.

The first step in establishing a hostile environment for crypto-currencies would be for government to simply state that they are a problem. Enumerate the criminal activities facilitated by crypto-currencies once and the media will be obliged to repeat the enumeration every time they are mentioned in a story. Use the term ‘criminal currencies’ to drive the point home. Rather than allowing crypto-currency promoters to demand that governments propose effective means by which crypto-currencies should be regulated, the burden of proof must be reversed. Governments should instead demand that crypto-currency platforms allow payments resulting from extortion to be reversed with criminal sanctions for use of or speculation in any payment mechanism that fails to meet this requirement.

It should be noted that the government ability to regulate crypto-currencies is distinct from the government ability to regulate the ability to perform lawful intercept of end-to-end encrypted communications. Public Key cryptography technology allows Alice to establish an end-to-end encrypted communication with Bob without the involvement of Apple, Google, Microsoft or any other large or small scale technology provider. Provision of payment services is different because a payment service is more than a transfer of information, it is a transfer of the right to acquire a valuable asset in the government regulated world. The exchanges that convert USD into BitCoin and BitCoin into USD are an essential part of the crypto-currency infrastructure which must by their very nature be connected to the fiat banking infrastructure in some way.

To date, regulators have merely expressed modest disapproval as crypto-currency ETFs have appeared on exchanges. Colonial Pipeline is the event that shows it is time for the gloves to come off and for criminal sanctions to be applied to the provision of trading instruments designed to facilitate speculation in crypto-currencies.

For all the ballyhoo about how secure they are, BitCoin and its ilk present a potentially devastating weakness. All it takes to unwind the BitCoin transaction log is for someone to capture 51% of the active mining capacity. At current BitCoin work factors, this represents an almost unimaginable quantity of computing resources. But the work factor is a consequence of the number of active miners which is in turn a function of the price. If the price declines to the point where mining is no longer profitable, the number of miners will quickly diminish. If government action or threats of action against crypto-currencies were to cause the price of a BitCoin to drop to a sufficiently low level, this self-destruct mechanism would be triggered. This mechanism has already resulted in the collapse of many ‘alt-coin’ currencies. Just raising the fact that this is even a possibility would likely blunt the current media hype surrounding the field.

Conclusion

Ransomware presents a significant threat to national security but one that can be managed with modest government action that would have significant benefits in other areas. The longstanding weaknesses in Internet security that are exploited by perpetrators of ransomware attacks are easily addressed by applying proven technical approaches. It is the collective action problem presented by deployment of these technologies that presents the challenge. This is a problem that bodies that exist to encourage collective action are well suited to address or play a part in addressing.

Finally, the viability of Internet extortion schemes depends in large part on the ability of the perpetrators to collect the ransoms. Crypto-currencies enabled the rise of ransomware, and condign punishments for perpetrators of crypto-currency schemes would go a long way to cause its fall.
