February 11, 2020
A Dangerous New Form of Ransomware
by Paul Carroll
One of the most daring bits of technological espionage occurred in the summer of 2009, when the Stuxnet virus—clearly designed by Israel and the U.S., though neither has ever ‘fessed up—silently attacked centrifuges in Iran that were being used to enrich uranium for use in nuclear power plants and potentially weapons. The virus infiltrated the centrifuges’ controllers and occasionally sped up or slowed down the motors for short stretches over the course of months, gradually burning out about a fifth of the machines and making a big dent in Iran’s nuclear program.
This was James Bond-level work. Not only were the centrifuges deep inside Iran, but they were separated by what’s known as an air gap—there was no physical connection to the outside world. Over several years, spies had determined what sort of equipment the Iranians likely used and had written a virus using “zero day” vulnerabilities that had been saved for just such an occasion—they had never been exploited by anyone, so the victim would have zero days’ notice that an attack could use them. The spies then infected computers at a handful of companies identified as likely doing illicit business with Iran, trusting that the virus would find its way to the centrifuges and quietly start putting them out of commission.
The good news: The Stuxnet attack worked. The bad news: Hackers have recently devised malware that, like Stuxnet, can take over the controllers of your industrial machinery, shut down processes and encrypt your data until you pay a hefty ransom. And your security isn’t nearly as good as the Iranian nuclear program’s.
The malware is known as Snake or EKANS (as in, “snake” spelled backward). Cybersecurity experts identified it only within the past month or so. As this article in Wired explains in detail, the malware targets “industrial control systems, the software and hardware used in everything from oil refineries to power grids to manufacturing facilities.” Hackers appear to have claimed at least one major victim: the Bahrain national oil company. (The choice of target raised the prospect that Iran might be behind the attack, but the cybersecurity community currently believes that mercenaries, not state sponsors, are to blame.)
While Snake isn’t nearly as sophisticated as the “zero day” attack on Iran’s centrifuges was, there are so many points of vulnerability for businesses that there’s really no good response, at least for now.
Insurers will need to raise rates, as many have already been doing because attacks and payment demands have soared. This New York Times article says ransomware increased more than 40% last year, and the amount demanded more than doubled just in the fourth quarter. The article adds that “even these numbers underestimate the true cost of ransomware attacks, which have disrupted factories and basic infrastructure and forced businesses to shut down.”
Some insurers may start to provide a separate policy for ransomware or may cover just a portion of the cost of ransom, especially for companies that seem to be frequent targets.
The potential targets should already be identifying and closing as many vulnerabilities as they can, because the threats to customer and key corporate data have been known for years. (We first published on the topic in 2016.) Those efforts should include frequent training to harden a company’s exterior, among other things educating employees on how to avoid “spear phishing” and other forms of “social engineering” that can trick people into downloading an infected file. Those efforts should go beyond the exterior, too, to suppliers and others with whom you share a digital connection, because they can pass along a virus—the major Target breach in 2013 came through a vulnerability in its HVAC system. IT departments must also continue their efforts to use AI and every other technology at their disposal to identify and control data breaches as quickly as possible—at the moment, the average time to discover a breach is almost 200 days, and the time to control one is nearly 70 days.
While the good guys should eventually gain the upper hand, I really just have one concrete suggestion for now. Though the notion seems cynical to me, I think you might want to invest in some Bitcoin. If you have an operation that may be vulnerable to ransomware, and you’d pay off an attacker, you’ll want to figure out Bitcoin now. Bitcoin is how hackers will demand to be paid, because it’s anonymous, and, if you have enough on hand or at least have experience buying some, you can respond faster than you would otherwise and get your business running again.
I wish I could be more optimistic and helpful.