Online extortion (bahh) and a new buzzword – “Ransomware”

i really like it when people invent new terms.

it can be spit and spim for spam coming from sources other than email. it can be pharming for phishing that is done by “misusing” dns. it’s always “new” and always invented by a commercial company.

annoying, but it’s how things are. one has to find ways to get media attention.

the latest invented term is “ransomware”:

http://www.networkworld.com/buzz/2005/092605-ransom.html

basically, a trojan horse will get on your machine and without warning will at some point encrypt your files. then the attacking party will demand some cash for the files to be restored/opened.

it’s a pretty cute idea, but it is nothing new. the whole idea behind trojan horses is to be able to do stuff such as this, covertly, whether for quiet spying or for overt annoying and destroying.

true, this way of employing the said trojan horse is fascinating, but no more than that.

leaving the trojan horse itself behind, let us discuss the concept of online extortion for a bit.

online extortion is one of the silliest ideas i ever heard. not because it doesn’t work out for the bad guys, but because it simply makes no sense to the good guys.

say you are in meat-space and you run a convenience store in downtown [bad city here]. a gang comes by and threatens that if you don’t pay them protection money they will burn down your store.
it is pretty clear that in fact:
1. they will burn down your store if you don’t pay up.
2. it is likely that they will not burn down your store if you do.
3. they will come back for more if you pay them.
4. it is also likely that if another gang comes by and demands some money, the original gang will protect you from the new one.

online, you have no face. you never really know who you are talking to. you have no guarantee that they are real, what they mean toward you and if they are trustworthy.

say somebody emails your ceo and says: “pay up 10k bucks or we will ddos you out of business”.
that can be rough on any company and especially on companies whose business models are based on being online, still -
say you pay up:
1. what prevents the bad guys from attacking you anyway?
2. what prevents the bad guys from not attacking you regardless, wasting their resources on someone who won’t pay?
3. the bad guys cannot protect you from other bad guys.
4. there are so many bad guys out there, who is to say others won’t attack you?

and besides, meat-space basics apply here – if you give them money, they will come back and they will also bring friends. unlike real life they cannot burn down your store. whatever they do you can most likely come back from it and you can most likely also prepare for it.

the solution is simple. if your business model demands internet access and you make money off the internet, you should invest in protecting yourself accordingly.

ddos is a problem, but one that you can cope with, especially if you plan ahead and consult with the right people, beginning with your uplink isp and ending up with people who actually understand ddos and security.

trojan horses? “ransomware”? it all comes down to planning security for your organization – in-depth.

besides, as part of your business continuity plan (plan security, it’s not a bad idea) you could.. *shock* backup your files regularly?

i can’t teach anyone how to do security in one blog entry, but the points i am trying to make are:
1. security is something you need to invest in, over time and as part of a thorough plan.
2. online extortion is a scam.

any of these threats can hurt you but you can either respond to them as a micro-issue and make sure that because somebody smuggled something on an airplane using their shoes no one will ever again smuggle anything on an airplane using their shoes, or you can make sure airline security is better altogether. there is always a new threat out there, dealing with each on-the-spot doesn’t really work and will end up draining more funds.

as to online extortion, i do not belittle the issue in any way. i do believe though that most who are forced to deal with it do not really understand the problem.

the time has come where meat-space organized crime is getting involved with a lot of what’s going on online, and if we don’t get ready now, we will simply fall behind.

i’d like to thank paul schmehl for a conversation we had on the subject a couple of years back, he gave me some very good ideas to consider.

also, i am waiting to hear from dan hubbard from websense to find out what really happened in the story discussed (see url to article above).
[ having just heard from dan, this issue dates back to may 2005:
http://www.websensesecuritylabs.com/alerts/alert.php?alertid=194 ]

gadi evron,
ge@beyondsecurity.com.
