Time was when websites were a tacky mishmash of flashing text, animated GIFs, the requisite visit counter and a horrifying background that made text virtually unreadable (or made you see funny colors when you looked away). Long gone are the days of basic HTML, at least among the websites most people regularly visit. Their increasing complexity thanks to scripts, plugins, content-management systems (e.g., WordPress) and so on has made them much more dynamic and appealing, and also bigger targets for hackers. Having found substantial success in the PC market, ransomware has expanded to some websites, according to Brian Krebs at Krebs on Security.
Ransomware is essentially just an encryption tool that locks your files away in an unreadable format. Unfortunately, only the attacker holds the key needed to decrypt them. As some observers have noted, however, these particular hackers tend to be fairly honorable about handing over the key, provided you pay some “fee” for their time and trouble, often in Bitcoin. Colin Neagle said at Network World that “many of the people behind ransomware have focused on creating a trustworthy reputation on the Internet, honoring all ransom payments and leaving victims alone once the exchange has been made.” This business model, as immoral as it may be, has a certain logic to it: keep the payments small enough that paying is less hassle than losing the files or trying to resolve the matter through other means, and keep victims reassured that paying up will get them their data back. Unfortunately in this case, successful business models attract participants and innovators.
The next step up from a PC is a website. For, say, a small online retailer, the website is the link to customers: no website means no income. What the business owner is willing to pay to regain lost data (which may represent many long hours of labor as well as sensitive information) could therefore be much higher than in the case of a single PC. Instead of a few hundred dollars’ worth of Bitcoin, a few thousand dollars’ worth might be an amount the business owner is perfectly able and willing to pay. And even according to the FBI, paying up may be the only option for victims who have failed to back up their data.
Complexity and Security
Krebs noted that this recent incarnation of ransomware targets Linux-based websites. “Typically, the malware is injected into Web sites via known vulnerabilities in site plugins or third-party software—such as shopping cart programs,” he said. “Once on a host machine, the malware will encrypt all of the files in the ‘home’ directories on the system, as well [as] backup directories and most of the system folders typically associated with Web site files, images, pages, code libraries and scripts.” Note the point about backup directories: a backup that lives on the same host as the site is encrypted right alongside it. No longer will a strong password to your hosting provider be sufficient to protect your website. Locking the door is of little value when supporting software leaves all the windows open.
Unfortunately, such vulnerabilities are a seemingly necessary consequence of increasing software complexity. The more complicated a system, the less able the programmers will be to identify all the possible avenues of attack. The question becomes one of economics: are the helpful features of these tools worth the vulnerabilities they carry? Thieves using ransomware need only sneak under that threshold: as long as their hacks don’t push users to reverse course on their use of WordPress (even if it’s just because of insecure plugins and themes rather than WordPress proper) or some other software, their “business model” will hold up.
The bad news for victims who pay, however, is that even malicious coders sometimes produce faulty programming. Krebs cited one victim of the Linux website ransomware who paid the ransom but found some garbage characters in his restored files. “According to [the victim], the [ransom-payment] instructions worked as described, and about three hours later his server was fully decrypted. However, not everything worked the way it should have. ‘There’s a decryption script that puts the data back, but somehow it ate some characters in a few files, adding like a comma or an extra space or something to the files,’ he said.” Even thieves make mistakes, and those mistakes can make the costly experience of victims even more expensive.
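Two practical lessons follow from the Krebs account above: the malware encrypts the web root, home and on-host backup directories wholesale, and even a “successful” decryption can silently corrupt files. Both are easier to handle if you keep a hash baseline of the site taken from a clean state and stored off the host. The script below is an added example written for this article, not code from Krebs or from any of the ransomware he describes. It builds a small, constructed sample hosting tree in a temporary directory, records a SHA-256 baseline, flags a mass change in which most baselined files disappear and are replaced by high-entropy (ciphertext-like) content, and then checks a simulated restore against the baseline so that a file the decryption script mangled (an extra comma, as in the victim’s report) is caught rather than discovered weeks later. The directory names, the `.encrypted` suffix, the ransom-note filename and the entropy and change-fraction thresholds are all assumptions chosen for the example, not indicators of any particular malware family.

```python
"""Hash baseline, mass-encryption detection and restore verification for a web root.

Added example for this article; not code from Krebs on Security or any real
malware. The tree, filenames, suffix and thresholds below are constructed.
"""
import hashlib
import math
import shutil
import tempfile
from pathlib import Path

# Constructed sample hosting layout: site files, a plugin, and a backup kept
# on the SAME host (the mistake the Krebs quote warns about).
SAMPLE_TREE = {
    "home/shop/public_html/index.php": b"<?php echo 'Welcome to the shop'; ?>\n",
    "home/shop/public_html/wp-content/plugins/cart/cart.php":
        b"<?php\n// constructed sample cart plugin\nfunction add_to_cart($i) { return $i; }\n",
    "home/shop/public_html/wp-content/themes/default/style.css": b"body { color: #333; }\n",
    "home/shop/public_html/readme.txt": b"Shop site, maintained by the owner.\n",
    "backups/shop-site.tar": b"placeholder for an on-host tar backup (constructed)\n",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: code and text sit around 4-6, ciphertext approaches 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def snapshot(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def detect_mass_change(root: Path, base: dict, entropy_threshold=7.5, min_fraction=0.5) -> dict:
    """Alert when most baselined files changed or vanished AND high-entropy
    content appeared; a normal deploy changes a few files with low entropy."""
    current = snapshot(root)
    changed = sorted(p for p, h in base.items() if current.get(p) != h)
    new_files = sorted(p for p in current if p not in base)
    suspicious = sorted(p for p in changed + new_files if (root / p).is_file()
                        and shannon_entropy((root / p).read_bytes()) >= entropy_threshold)
    fraction = len(changed) / len(base) if base else 0.0
    return {"changed": changed, "new": new_files, "high_entropy": suspicious,
            "fraction": fraction, "alert": fraction >= min_fraction and bool(suspicious)}


def verify_restore(root: Path, base: dict) -> list:
    """Paths whose post-restore hash does not match the clean baseline."""
    current = snapshot(root)
    return sorted(p for p, h in base.items() if current.get(p) != h)


def write_tree(root: Path, files: dict) -> None:
    for rel, content in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(content)


def pseudo_ciphertext(seed: bytes, length: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted output."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def simulate_encryption(root: Path) -> None:
    """Stand-in for the malware: every file under home/ and backups/ is
    replaced by ciphertext under a constructed '.encrypted' name."""
    for p in sorted(root.rglob("*")):  # list is built before any change
        if p.is_file():
            p.with_name(p.name + ".encrypted").write_bytes(pseudo_ciphertext(p.name.encode()))
            p.unlink()
    (root / "home/shop/RANSOM_NOTE.txt").write_bytes(b"Pay for the key (constructed note)\n")


def simulate_faulty_restore(root: Path, originals: dict,
                            corrupt: str = "home/shop/public_html/index.php") -> None:
    """Decrypt everything, but one file comes back with a stray comma."""
    for p in sorted(root.rglob("*.encrypted")):
        p.unlink()
    (root / "home/shop/RANSOM_NOTE.txt").unlink(missing_ok=True)
    restored = dict(originals)
    restored[corrupt] = originals[corrupt] + b","
    write_tree(root, restored)


def run_scenario() -> dict:
    tmp = Path(tempfile.mkdtemp())
    try:
        write_tree(tmp, SAMPLE_TREE)
        base = snapshot(tmp)              # would be stored OFF the host in practice
        clean = detect_mass_change(tmp, base)
        simulate_encryption(tmp)
        attack = detect_mass_change(tmp, base)
        simulate_faulty_restore(tmp, SAMPLE_TREE)
        return {"clean_alert": clean["alert"], "attack_alert": attack["alert"],
                "changed_fraction": attack["fraction"],
                "high_entropy_count": len(attack["high_entropy"]),
                "restore_mismatches": verify_restore(tmp, base)}
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(run_scenario())
```

The baseline is only useful if it is stored somewhere the malware cannot reach, which is the same rule the Krebs quote implies for backups: anything writable from the compromised host, including the `backups/` directory in the sample, is fair game. The entropy check alone is a weak signal (compressed images and archives are high-entropy too), which is why the alert also requires a large fraction of the baseline to change at once.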
Upping the Ransomware Ante
How much would you quickly pay to get back your files from ransomware encryption? Would you pay a premium to avoid having your files published online? That’s what some thieves are betting on. Krebs added that some ransomware goes above and beyond the usual modus operandi: “Here’s the kicker: In the ransom note that pops up on the victim’s screen, the attackers claim that if they are not paid, they will publish the files on the Internet. Well, that’s one way of getting your files back.” Unfortunately, even a good backup plan isn’t enough in this case if your files contain anything sensitive or, well, embarrassing. Such a strategy expands the pool of potentially paying victims, however, because they have little recourse once infected with this malware. And naturally, for all forms of ransomware, prices are rising—even thieves need to keep up with inflation (as well as discover the actual market “value” of their “services”).
Good security practices can go a long way toward protecting against ransomware and other attacks, but thieves can be just as innovative as anyone. The scope, demands and damage of ransomware are apparently increasing, with the latest target being certain websites. The logistics of ransomware may (or may not) keep this method of extortion at a low level—for instance, we probably won’t hear of entire data centers succumbing to some souped-up version of CryptoLocker—but it will nevertheless remain part of an overall security landscape that is disturbing, to say the least.
Security is a sharply growing concern for companies—and for good reason. Ransomware may be mostly just an annoyance for large organizations (you probably won’t see Amazon’s website showing a ransomware notification anytime soon), but it’s a symptom of a larger problem. Total security is a myth, but at some point either the cost of security will outweigh the benefits of certain digital services or security will evolve to make those services viable. As with ransomware, it’s a matter of economics, and the tipping point is anyone’s guess.