12 May 2024: The one simple trick behind all ransomware

Yes, it was probably a bit naive to start a weekly newsletter during one of the busiest times in my life. And yes, some people did reach out to ask if I’m doing okay (I am!), which was kind. Anyway, I’m back. And I have a lot of ideas of things to write about. And it looks like life won’t be as busy anymore.

If someone forwarded this newsletter to you, that is very kind of them and don't forget to thank them for it. You can subscribe here to receive future newsletters directly into your inbox. Feedback and suggestions are always welcome!

Martijn
martijn@lapsedordinary.net
martijngrooten.37

The one simple trick behind all ransomware

A few weeks ago, I gave the keynote address at Sunetdagana, a small conference in Uppsala, Sweden. In my talk I discussed the history of malware, from early computer viruses via email worms and Stuxnet to nation state threat groups and financially motivated cybercrime.

I want to highlight one point I made in my talk, which is a deviously simple idea that is behind all modern ransomware.

To understand this, let’s look at a fictional supermarket chain of 25 stores somewhere in a reasonably rich country. And imagine that you are a financially motivated cybercriminal who, through whatever means, has obtained access to the chain’s internal network.

Before ransomware, how would you turn this access into money?

You could try and steal money from their online banking system, but such systems are pretty secure these days and just having access to the machine from which transactions are made rarely lets you make transfers yourself.

You could use all the computers on the network to send spam (the oldest cybercrime), but even with hundreds or thousands of computers, that won’t make you more than small change. That is, if you are able to send the spam in the first place, as outbound spam filtering is pretty common these days.

You could also steal their customer database and sell it to other criminals who can then send more targeted spam and phishing emails. But this too won’t make you more than a tiny bit of money.

Like most companies in the world, the supermarket chain isn’t exactly of national security interest so you can’t sell internal documents to a foreign actor for espionage purposes.

The reality is that before ransomware, hacking a company usually wasn’t all that profitable.

Enter ransomware.

The simple idea behind modern ransomware is that there is exactly one entity interested in the supermarket chain’s data: the company itself. Of course they wouldn’t just pay someone for having hacked their network, so encrypting this data is a way for a cybercriminal to force this payment.

It’s as simple as that.

For sure, the wide availability of cryptocurrencies was important too as it provided criminals with a more or less anonymous method of being paid (payment is often the weakest link in a cybercrime scheme). But before that, when cybersecurity experts were warning about the risks of companies getting hacked, they used the monetisation examples I mentioned above, not ransomware.

People sometimes ask me what I think the next big thing in cybersecurity will be. Will it be AI? Maybe. It would make sense. But five years ago, it seemed to make sense that the Internet of Things would be that next big thing and that hasn’t made a noticeable difference.

The reality is that we don’t really know. Cybersecurity is actually pretty hard to predict. And sometimes it's simple ideas that make a huge difference.

What else?

Late in March, a younger friend asked me for advice on whether to focus his studies on DevOps or cybersecurity. I told him that DevOps is more strictly technical while cybersecurity is a much broader field that actually has a big social science component and he should make his decision with that in mind.

That same week, I learned of the sad passing of Cambridge University professor Ross Anderson. I have always considered Ross to be an embodiment of this holistic approach to security and one of the few people I met who really, really 'got' security. I always enjoyed listening to his talks or to him being interviewed on podcasts and, while I am ashamed to say I didn’t read every chapter of it, I also really enjoyed his book Security Engineering. It is a cliché that Ross will be missed. Here is a video of him keynoting the VB2015 conference in Prague, with me introducing him. I think it's still worth watching. Bruce Schneier wrote a touching in memoriam.

The Access Now Helpline is an extremely valuable digital security resource for at-risk people and organizations around the world. Many of these don't have a security team or even a person to give security advice or help with security incidents and the Helpline helps fill that gap. They recently published a report with some statistics on the work they did in 2023, which for example shows that more than 80 per cent of the calls were in response to an incident and that the Middle East and North Africa (‘MENA’) is the most covered region.

Speaking of MENA, Bread and Net is an annual conference in Beirut, Lebanon that focuses on digital rights in the region. I attended the conference in November 2022 and it was refreshing to be at a digital rights event that wasn’t run by a Western organization. The 2023 edition of the conference got canceled, but instead there will be a three-day online event with the theme “Digital Rights in Times of War”. It starts tomorrow (Monday, May 13th) but you can still register for free.

Website security company Sucuri published two useful resources on protecting and defending websites. The first one is about .htaccess malware, notorious for being used in website compromises. The second one is a long and detailed guide on maintaining a WordPress site.

Last month, Apple sent out a large number of threat notifications to users who the tech giant believed were targeted by mercenary spyware, something which disproportionately affects civil society. Amnesty International’s Security Lab published a post with guidance on what people receiving such notifications should do.

The Safety Net blog by the US-based National Network to End Domestic Violence (NNEDV) looked at the new anti-stalking features in iOS 17.5, which should improve the ability for people to detect if they are being tracked by an unauthorized device.

Non-security things

A book I read: I love reading about history and one thing I particularly enjoy is trying to understand how people’s perceptions have changed over time. I noticed this in France on Trial: The Case of Marshal Pétain by British historian Julian Jackson. The book is about the 1945 trial of Philippe Pétain: France’s national hero turned national disgrace due to some pretty bad choices he made following the German invasion in 1940. The trial and the book center around the question of how unreasonable those choices were given the situation in 1940 and how much hindsight matters.

Now, in 2024, we don’t necessarily know a lot more, but our focus has changed a lot. The deportation of 75,000 Jews (many of whom perished in the Nazi concentration camps) as overseen by Pétain was rarely touched upon in the trial. The fact that France was a colonial aggressor and not just a country that found itself on the right side of the fight against Nazism was discussed even less. The book helped me understand France and its history a bit better (every European country has its own unique war trauma), even if at times the detailed descriptions of what all the participants in the trial did get a little tedious.

A song I liked: I must have first discovered Ginette Garcin’s Cresoxipropanediol En Capsule through a friend’s music blog about girls singing in French. Then for many years I couldn’t find the song anymore. And it turns out, it’s pretty impossible to search the Internet for “a French song about a made-up medicine with a very long name”. But then a few weeks ago, I stumbled upon it on a hard drive and I’ve been playing it a lot since. Like the author of said blog, I have a weak spot for female voices singing in French (that R!) and using such a voice to sing about fictional chemical compounds makes it even better. And I’m certainly not the first one to make a link with the Rolling Stones’ Mother’s Little Helper.