Ransomware is becoming a global epidemic. Despite legal victories against organized criminals who encrypt and hold computers for ransom, new malicious campaigns continue to appear. One reported earlier this month by Heimdal Security uses drive-by infections from compromised Web pages and steals log-in credentials before encrypting the victim’s files.
In response to the continuing threat, a Senate committee is preparing to look into ransomware. The chairman and ranking Democrat of the Homeland Security and Governmental Affairs Committee have asked the Homeland Security and Justice Departments for information on the number of instances and different viruses they are tracking, and what they are doing about it.
(We might not find out exactly what DHS and DOJ are doing about it, or what the committee expects them to do. At least one question in the letters to the two secretaries is redacted.)
Ransomware might not be the most serious type of cybercrime we face: the financial loss to individual victims is at the low end of the spectrum, usually a few hundred dollars per victim. But it might be one of the most infuriating of crimes. After infecting a target computer, malware encrypts the files, making them unavailable to the owner unless a ransom, usually in some type of hard-to-trace digital currency, is paid to the criminals. Having your files encrypted is humiliating and frustrating. Having to pay to recover them is bad enough, and having to pay the criminals adds insult to injury. But if you decide not to deal with the criminals, the difficulty of breaking really strong encryption could mean that the files essentially are gone forever.
The criminals walk a fine line in setting a price on their extortion. On one hand, they want to make as much money as possible. On the other hand, they have to make the ransom low enough that a reasonable number of victims can and will pay it. If the ransom exceeds the value of the files, the owner will decide it’s time to upgrade to a new computer and just swallow the loss of the files, especially if at least some of them have been backed up. The sweet spot appears to be about $300 per computer. According to DOJ, distributors of the CryptoLocker ransomware cleared an estimated $27 million in the first two months after CryptoLocker appeared in 2014 with a response rate of only about 1.3 percent.
After officials took down the command-and-control network for this ransomware campaign, decryption tools were developed to allow CryptoLocker victims to unlock infected machines. But new malware was quickly developed and new campaigns appeared.
Stopping ransomware will require a multi-pronged effort. Law enforcement action by government can raise the cost of these schemes and make them less attractive to criminals. Networks, service providers and security companies can develop better ways to spot and block the malware. And users can practice good cyber-hygiene: keep your security updated and be careful where you browse, what you click on and what you open. But like most other threats, ransomware is unlikely to go away completely.