At least one of the major reasons for the ongoing exponential increase in ransomware as a criminal business model could be summed up with the iconic line from the prison boss in 1967’s “Cool Hand Luke”: “What we got here is a failure to communicate.”
That was a recurring theme from those on a “Ransomware Panel” Thursday at SOURCE Boston 2017, moderated by Paul Roberts, founder and editor in chief of The Security Ledger.
The communication breakdown occurs at all levels, the panelists said, starting with victims.
Frank McLaughlin, a Boston Police detective, said when a business gets hit with ransomware, “the police are the last people they want to call, for obvious reasons. It becomes a public record.”
But even individual victims generally don’t report it because they believe – correctly in most cases – that law enforcement can’t help them, and they are desperate to get their files back.
Indeed, Ryan Naraine, head of the Global Research & Analysis Team at Kaspersky Lab, along with other panelists, said that while the official stance of law enforcement and federal agencies like the FBI is never to pay a ransom demand, they tell victims privately to pay it if there is no other way to get their files back.
That, they agreed, is why ransomware is so popular among criminals – it is low-risk and high-reward.
There was also agreement that there needs to be more information sharing among those who investigate ransomware crimes. McLaughlin said it is improving. He said there is more communication among the various police districts in greater Boston, and also between his office and the local FBI, which has the potential to find connections among attacks that could point to many of them being controlled by a small number of criminal enterprises.
But he acknowledged that the FBI generally doesn’t get involved in cybercrime investigations unless they involve large amounts of money – in the hundreds of thousands or millions.
As the panelists agreed, and as has been widely reported, most ransom demands don’t come close to that amount. While the average has been increasing – Roberts noted that Symantec reported it had jumped from $294 in 2015 to more than $1,000 in 2016 – it still doesn’t come close to the kind of “serious money” that would interest the FBI.
Then there is media communication. McLaughlin noted that the media tend to cover violent crime, “but nobody cares if somebody steals a million dollars.”
That is also changing to some extent, said Sumit Sehgal, CTO of healthcare at McAfee. He noted that the major news networks have stories on cybercrime much more frequently than five years ago.
He said there is also more education at the K-12 level in public schools about bullying and cyber hygiene. “And there is evangelism from companies like ours,” he said. “The resources are there – platforms are getting better every day.”
But finally, there was also a plea from those in the audience for more security awareness training for the general public.
To Naraine’s comment that average users bear some responsibility for falling victim to phishing or other social engineering, or for failing to use two-factor authentication, one audience member called it “victim shaming,” arguing that the average user, like her grandmother, cannot be expected to be savvy to the multiple kinds of attacks that can lead to ransomware.
Panelists agreed in part, but said there are multiple initiatives to improve awareness. “It’s better than it was five years ago,” Sehgal said. “You get reminders from Facebook to change your password, or a notice that you signed in from China.”
McLaughlin said communities that focus on physical safety in their public service announcements should probably add messages regarding online security.
But Naraine said people still need to take some responsibility for their own safety. “It’s like leaving your keys in your car – don’t do it,” he said.