Privacy at risk due to ransomware

In recent years, ransomware, malware that extorts money from victims by encrypting their data and locking their computers, has become a growing concern for companies in every industry.
Its destructive potential is enormous: in the first half of 2017 there were two major worldwide attacks, carried out through the WannaCry and NotPetya ransomware, which caused great damage to a large number of users and organizations all over the planet.

Yet although both of these epidemics caused enormous problems for those who were infected, they surprisingly brought very little revenue to their creators.

In fact, the WannaCry Bitcoin payment address, to which victims were told to pay the "ransom", received only $149,545, while the NotPetya address received far less: $11,181.

The problem that criminals face, says Marcin Kleczynski, CEO of the information security company Malwarebytes, is that "people have become insensitive to the common ransomware that encrypt files". The criminals who spread these viruses hope that people will suffer from the loss of their digital memories or of critical business documents, and consequently pay a few hundred dollars to obtain the key to decrypt them. In practice, however, says Kleczynski, an increasing number of victims simply shrug and restore their data from a backup.

Kleczynski and his colleague Adam Kujawa, who runs research at Malwarebytes, therefore expect criminals to explore new ways of pushing victims to pay rather than simply restoring from backup and ignoring the payment request.

And in fact, a form of ransomware known as "doxware" is appearing on the scene. "Basically," says Kujawa, "a doxware gives you this ultimatum: pay, or we'll take all the things we've encrypted and put them online with your name."
The name derives from "doxing", the term used to describe the publication of private information on the internet to deceive, threaten or intimidate someone; and the idea of automating this publication is certainly not just a theoretical hypothesis. Under these conditions and threats, it is hard not to pay the ransom.

We have already seen examples of "targeted" doxware, and some of them have made the headlines.

In 2014, Sony Pictures suffered a combined attack of phishing e-mails and malware, after which the criminals came into possession of recordings of private conversations among the company's top executives. In the recordings, the executives expressed their opinions on employees, actors and competitors and, above all, discussed their plans for future film productions. It is not known whether the criminals obtained a ransom, but the fact is that the conversations in question became public, creating many problems for the entertainment giant.

In May, hackers stole files from a Lithuanian plastic surgery clinic containing personal information about 25,000 former customers: names, addresses, procedures, passports, national insurance numbers, and nude photos of patients. They put the database online through the Tor encrypted network and demanded payments from individual patients to remove their personal information from the site. Prices ranged from €50 for patients who had only their names and addresses on the site, up to €2,000 for the most invasive information.

And a few days ago, HBO faced a similar situation, with 1.5 TB of video stolen by hackers, including episodes of Game of Thrones, and held to ransom under threat of publication.

As long as doxware is "aimed by hand" at a few precise, well-identified victims, the risk remains somewhat limited. But a doxware able to strike with the same reach as WannaCry would be one of the biggest privacy breaches in history, as well as one of the biggest money-making opportunities ever achieved through cybercrime.

But the risk is not just that. Doxware is only one of several possible future developments of ransomware.

"Imagine being able to infect, for example, the national railway ticketing system," explains Kleczynski. "A so-called denial of service attack would completely block the service and, as long as it went ahead, would be worth millions of dollars a day. You're not holding hostage files, you're holding a nationwide public service hostage. There is no possibility of recovery from backup."

And what would happen if cars were infected? "Ransomware on our cars is definitely possible," said Craig Smith, director of transportation research at Rapid7, a cybersecurity company. "Who would take the risk of driving a compromised vehicle?"

Perhaps these scenarios are not so far-fetched, and they are not even the worst. In December, a study of 10 implantable cardiac defibrillators found "serious protocol and implementation weaknesses" that would allow an attacker to trick a device into keeping its communication channels open and so permit intrusion. Will it be possible to hold a heart hostage? It has never happened yet, but we doubt that anyone would want to try restoring one from a backup...

By Giovanni Calcerano
