I've been making ransomware predictions since 2014, when I first was asked to give a keynote on the subject. At the time, I made a dozen or so predictions that have all since come true. More recently, I was asked to contribute to ITSP's magazine, highlighting additional, more specialized future predictions that I thought would 'push the edge' of what was likely to happen… and all of them were scary.
What we learned in our Incident Containment Practice last spring, during the bout of SamSam ransomware hitting hospitals, was that criminals were: a) indiscriminate and entirely uncaring about human life, b) realizing now that they can extract more money when human life/safety is at stake, and c) focusing on a campaign centered on human life and safety as the pretext.
That's when this particular prediction occurred to me: critical infrastructure will be next, because the stakes are higher and there is already a significant attacker foothold in our critical infrastructure; both opportunistic and targeted attackers have been persistently lurking there for many years. With higher stakes comes a bigger payoff for attackers – ransomware in the healthcare industry is the perfect example of this.
I learned in my Department of Defense Information Assurance (DoD IA) career to define a threat as any actor that has a significant amount of at least two of these three enablers: Means, Opportunity, and Motive (what I call the MOM Principle):
The Means is a massive commodity market for the creation of fully undetectable ransomware (AKA ransomware as a service, or RaaS). This is a marked development in contrast to the legacy means, which required a criminal to buy an exploit kit and configure/compile the binary locally rather than in the cloud, and it makes it that much easier for anyone to obtain the malware.
The Opportunity is a pervasive foothold already within the critical infrastructure in the form of both targeted and adware/browser opportunistic footholds (another of my ransomware predictions covers this vector, also in the ITSP mag article), as well as the obvious still-challenging phishing/watering-hole vectors.
The Motive is plain: risk-free money, and lots of it.
At RSA 2017, Formby made the same observation:
“(The hacker) can threaten to permanently damage this really sensitive equipment. For example, a power grid transformer can take months to repair.”
What really motivated me to write this was something that happened recently close to my home: 75,000 customers went without power after a transformer blew in Harris County near a middle school. While ransomware was not the cause of this particular explosion, it made me contemplate the leverage that Formby alludes to in the quote above: exactly how much is a downed transformer worth to the power company? How important is power to 75,000 people?
The fact that the answer is not an easy one to calculate underlies the leverage a criminal attacker might have in this type of situation. They could extract exactly one dollar less than the total cost – and in the case of critical infrastructure, the total risk to human life and safety – related to the assets being threatened.
So what’s the next target in this case? Emergency medical systems? Critical infrastructure controller systems? Water treatment plants? The unfortunate reality is that paying a ransom in these cases may be an infinitely safer bet than attempting an off-site restoration – especially when time is ticking, and human life and safety is thrown into the mix. By the time a cloud-backup strategy can restore an entire network, it may simply be too late. We are now at that crossroads where we must prepare ourselves for merciless ransomware timelines and extortion-level ransom amounts.
One final word: making predictions is easy. The hard part is doing what this researcher has done to get the word out, and helping to solve the problem... and doing so long before we have a "patient zero" in the wild.
Prevention is difficult, but it’s crucial as we look ahead to the emerging threats we can expect to see. When it comes to our critical infrastructure and the safety of our families, there is only one answer: all of us must work together to bring these types of threats to the public's attention, so that we as a society can allocate the right resources, policies and technology to address the threat.
Here at Cylance, we leverage a different type of prediction to help solve this problem: that of predictive artificial intelligence. We are predicting ransomware variants and campaigns weeks, months, or even years before there's even a patient zero or a sacrificial lamb, and we prevent those binaries from ever executing.
To put this into perspective: six months before the first ZCryptor patient zero, our endpoint protection solution successfully predicted, and would have prevented the execution of this malware, even before the authors ever compiled their first binary, and well before the rest of the antivirus industry did any malware analysis, extracted indicators of compromise, uncovered the command and control and crypto scheme, or had any other means to describe or identify this threat.
To address this kind of threat, there is no time to do endpoint detection and response or backup/restoration... too much is at stake. It is 2017 and we are in the middle of the 4th Industrial Revolution known as artificial intelligence... we have a duty to leverage every technological advantage we can to prevent cybercriminals from establishing an economy of extortion based on ransoming our critical infrastructure.
For perhaps the first time ever, the good guys are ahead of the threat landscape, and have reclaimed time itself to the defender’s advantage instead of the attacker’s. This is something I never would have predicted even a few short years ago… and yet, here we are.
Our consulting practice is equally adept at addressing the broader industrial control systems (ICS) security challenge that extends well beyond malware/ransomware. A broad and deep set of ICS consulting services is outlined here.
And once again, hats off to David Formby for his efforts and his message. While much research has already been done on malware and PLCs, I believe the timeliness and context of his demonstration is the imperative we needed to see to get this extortion dialogue started in the context of critical infrastructure.