Ransomware: Open Source to the Rescue

Automobile, Energy, Media, Ransomware?

When thinking about verticals, one may not instantly think of cybercrime. Yet every move made by governments, clients, and private contractors points toward normalizing these threats as a new vertical.

Ransomware has every trait of a classical economic vertical: a thriving ecosystem of insurers, negotiators, software providers, and managed service experts.

This branch of cybercrime targets a loot stash worth trillions of dollars. The cybersecurity industry is only too happy to provide services, software, and insurance to accommodate this new normal.

Intense insurer lobbying in France led the finance ministry to give a favorable opinion on reimbursing ransoms, against the very advice of the government’s own cybersecurity agency. The market is so big and juicy that no one can get in the way of “the development of the cyber insurance market.”

In the US, Colonial Pipeline is seeking tax deductions for the losses incurred in the 2021 ransomware attack it suffered. But wait… to what extent is the government (and, by extension, every taxpayer) then indirectly sponsoring cybercrime?

All governments and insurance corporations forget one simple fact in this equation: impunity. A nation-state can afford to cover risk and refund losses if it can enforce law & order. That is the very definition of a nation: a monopoly on armed force to ensure everyone’s property is protected. This system meets its limit in cyberspace, since the vast majority of cybercriminals are never found, let alone tried.

The possibility of launching attacks against any target from anywhere makes it extremely difficult to obtain an international subpoena to follow every trail.

As long as the cybersecurity industry (and by extension the economy) gets a fair share of this terrible amazing nightmare opportunity, you can expect ransomware to become the new normal.

And by the way, stop calling it a new attack vector; it is anything but. The ways cybercriminals break in are the same as ten years ago: exploits, social engineering, web shenanigans, and password brute force, to name a few.

A short-sighted industry will cry

On paper, this fantastic cyber insurance market is a generational wealth maker. Sure, but did you know most of the recent prominent breaches were made possible by an incredible technique named “credential reuse”?

No? Well, let me tell you why you’ll cry very soon, and why most companies should get this kind of insurance before its cost is multiplied tenfold.

Simply put, credential reuse consists of buying legitimate credentials from real users and… reusing them. Still, you might not grasp the true impact of this. Let me explain it better.

Introducing Robert, 50 years old, an accountant working in the CFO’s team at “Big Juicy Corp I sold a contract to”. Robert has to pay rent, health insurance, and a pension, not to mention that he hates Big Juicy’s guts. Now Robert is contacted by an anonymous source, telling him he’ll get 2 bitcoins if he gives up his real VPN login and password… or if he clicks on a link he received via email… Robert just has to wait 24 hours and tell the IT department someone stole his laptop on the subway.

How do you defend against the insider threat? Big Juicy’s insurance policy is a percentage of its turnover, and cybercriminals know it. They can adjust the price tag of Robert’s loyalty to, say, 10% of what they expect the insurance coverage to be. Those 2 bitcoins could also be 10 or 20 if Robert works for SpaceX or Apple.

Still sure about this insurance thing, or that normalizing ransomware is an angle to more significant profit? Well, I’m short insurance & long bitcoin, then.

One more rich vs. poor asymmetry

The problem here is not fundamentally Big Juicy Corp. They will smartly book the insurance and the costs of defending themselves on the proper account in the balance sheet. Their profit will be slightly diminished, but in the end it is the taxpayer who covers the loss through lower tax receipts.

But hospitals? I don’t mean the private clinics that cost millions per year, not unlike the Trauma Team that Cyberpunk depicts. No, the real, free-for-everyone hospitals that serve one role: everybody’s health. In France, where I live, those are jewels that successive governments are trying to break apart, with some success. They are badly underfunded and already struggle to cope with their debts and maintain their outdated IT infrastructure. Once they get breached, though, they are the talk of the town. How much is your health data worth? Probably not much. Otherwise, why would Apple and Samsung invest so much in collecting it, really?

And what about NGOs, NPOs, small companies, media, e-commerce sites, and so on?

You’d think they are below the radar. Absolutely not. They are less defended, require less investment, and yield smaller profits, but hey, cybercriminals need to climb the ladder too.

From external perimeter to unknown boundaries

Beyond credential reuse, the external IT perimeter has also become more complex than ever. The kids’ Android device is riddled with malware, yet it is connected to the same home Wi-Fi you’re working from.

VPN everywhere became the norm, and suddenly unreleased exploits for breaching them are popping up all over the darknet. Two-factor authentication is so complex to use that, hey, let’s just disable it, at least for the boss.

Sysadmins already had a hard time migrating to the next-gen virtualization system. Still, they all become part-time SecOps and need to know about containers, VMs, new protocols, and who has been using an external SaaS without notifying the IT department because it’s “so super useful, we don’t care if it hasn’t been audited”. What room is left to train the team, and to explain to them that “password” isn’t actually a password and that anyone can send an email from neil@moon.com?

And, by the way, behavior detection on your external perimeter can tell you that Robert should be connecting from Detroit, not Dubai, Delhi, or Moscow.
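An added example (not from the article or from CrowdSec’s own code) of the perimeter behavior detection described above: it baselines each user’s login countries from constructed VPN log lines in a hypothetical format, flags logins from anywhere else, and adds an impossible-travel check for accounts that have no baseline yet.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample VPN login log (not real data). The format is hypothetical:
# timestamp user source_ip country, where country stands in for a GeoIP lookup.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z robert 203.0.113.10 US
2024-03-01T17:45:02Z robert 203.0.113.10 US
2024-03-02T08:10:40Z robert 203.0.113.11 US
2024-03-03T08:05:19Z robert 203.0.113.10 US
2024-03-03T22:14:53Z robert 198.51.100.7 AE
2024-03-04T08:01:30Z robert 203.0.113.10 US
2024-03-04T09:12:00Z alice 192.0.2.44 FR
2024-03-04T09:40:00Z alice 192.0.2.45 RU
"""

def parse(log):
    """Turn log lines into (timestamp, user, ip, country) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, ip, country = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ip, country))
    return events

def baseline_countries(events, min_logins=3):
    """Per user, the countries seen at least min_logins times (Robert's 'Detroit')."""
    counts = {}
    for _, user, _, country in events:
        counts.setdefault(user, Counter())[country] += 1
    return {u: {c for c, n in cnt.items() if n >= min_logins} for u, cnt in counts.items()}

def find_anomalies(events, min_logins=3):
    """Logins from outside a user's baseline; users with no baseline yet are skipped."""
    baseline = baseline_countries(events, min_logins)
    return [(ts.isoformat(), user, ip, country)
            for ts, user, ip, country in events
            if baseline.get(user) and country not in baseline[user]]

def impossible_travel(events, window_minutes=60):
    """Consecutive logins by one user from different countries inside the window."""
    flagged, last = [], {}
    for ts, user, ip, country in sorted(events, key=lambda e: (e[1], e[0])):
        prev = last.get(user)
        if prev and prev[1] != country and ts - prev[0] <= timedelta(minutes=window_minutes):
            flagged.append((user, prev[1], country, int((ts - prev[0]).total_seconds() // 60)))
        last[user] = (ts, country)
    return flagged
```

Running `find_anomalies(parse(SAMPLE_LOG))` reports Robert’s single login from AE against his US baseline, while `impossible_travel` catches Alice’s FR-to-RU hop 28 minutes apart even though she has too few logins for a baseline.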

Crowdsourcing the effort

Welcome to the age of Digital Darwinism, where the most adapted will survive.

Did we, as humankind, ever have a major victory like dealing with a pandemic, sending people to the moon, or inventing complex IT devices, without teamwork? Without the division of labor?

Then why would cyber security be the best field to adopt the loner attitude and win?

Well, spoiler alert, it’s not.

There is a way out: a collective and participatory effort.

If you want to defeat an army of cybercriminals, let’s adopt a good old classic tactic and have a bigger and better-equipped army (recent history showed us the latter is equally important).

Not unlike the neighborhood watch, open source makes it possible to crowdsource the effort, to team up, and to detect malevolent IP addresses around the world, deterring bad behavior as a digital herd. Anyone can take part in the effort and help those without budgets to better defend what’s precious to us: free media, safe hospitals, and secure NGOs.

Open source and participatory networks can break the death loop that cybercriminals and the cybersecurity industry are locked in.

Note — This article is written and contributed by Philippe Humeau, CEO & co-founder of CrowdSec.