Three-decade-old Turmoil: The Rancorous Root of Ransomware
Australian businesses are now required to disclose any payments made following ransomware attacks.
You might say that the roots of today's cyber threats go back a long way, with ransomware arriving on the scene approximately 30 years ago, in the twilight of 1989.
At the time, malicious software, or malware, was already wreaking havoc, mainly by infecting systems as self-spreading programs, better known as computer worms and viruses. But staying true to its sinister nature, malware was yet to scratch the surface of its full potential.
The infamous Dr. Joseph V. Popp, a US-based cybercriminal, recognized an opportunity to squeeze profit out of the chaos. He came up with an innovative, yet twisted idea of plundering people's precious data by creating a menacing piece of software, the precursor to modern-day ransomware.
Before Popp's invention, the damage caused by malware was mostly an unwelcome byproduct of cyber-anarchists showing off their prowess. But here was a smart villain distinguishing himself from the rest by cunningly navigating what we now casually call the "dark web." He designed software that would kidnap your cherished data while demanding a ransom for its "safe return."
Sounds eerily familiar? Over the years, cybercriminals have thoroughly embraced this method, resulting in a staggering drain of millions of dollars from the global economy annually.
Popp's malware was delivered on floppy disks, requiring no modems or networks for distribution. The software did not even need the internet to steal data, or "exfiltrate" it, to use one of the military metaphors that saturate modern cybersecurity jargon.
Once activated, the malware set out to extort a Wall Street sum ($378 in today's currency) via money orders to a shelter in Panama. The software displayed a bright red warning message, declaring a ransom "due," and even printed the "bill" on your attached printer if you were unfortunate enough to possess one.
Although Popp did his best to avoid targeting Americans to dodge law enforcement, he met his match in the United Kingdom. Many of his victims were subscribers to a British computing magazine, landing Popp in hot water in the UK. Despite being declared unfit to stand trial, Popp was eventually deported back to the US, where he unfortunately met an untimely demise in 2007.
Fast forward to the present day, and modern ransomware crooks leave their predecessors in the dust. They're highly organized and ruthless, prevailing over unsuspecting businesses with surprising ease. They don't hesitate to attack entire networks simultaneously, demanding hefty sums in the millions of dollars. They also pull additional strings by stealing data, which they can sell or leak if ransom demands aren't met.
Cybersecurity professionals, CISOs, users, and lawmakers have debated regulations for ransomware for decades. Of course, even Popp found himself on the wrong side of the law in several countries, which led to numerous arrests and criminal investigations.
The debate then turns to the victim: What if a company, having collected vast amounts of personal data, fails to protect that information adequately? There are still consequences to face if that data falls into the hands of cybercriminals due to a failure to implement solid security measures.
In light of the complexities of ransomware, some experts recommend making payment a less attractive option. Proposed measures to this end include:
- Insurance Company Restrictions: Some nations are considering preventing insurance companies from providing funds to cover ransom payments.
- Bans on Ransom Payments: Officially prohibiting ransom payments as a practice.
- Disclosure Requirements: Enforcing ransom payment disclosure if one has occurred, eliminating the secrecy that typically surrounds these transactions.
Australia's recent leap has set a bold precedent. The country has imposed disclosure requirements for ransomware payoffs on all types of businesses, except small companies with annual revenues under AU$3,000,000 (around US$2M, GB£1.5M). Regardless of whether actual "ware" is involved or whether the data is explicitly scrambled, any payment made to head off a negative outcome is covered.
It's a fair guess that other countries will follow suit, implementing similar regulations or boosting the hidden ones already in place. The mantra remains: prevention is always better than the cure, especially when the cure forces a firm to pay an unknown entity for returning data that has lost its sanctity once stolen.
For those yearning for more insights, we urge you to check out the enlightening “Tales From The SOC” podcast episode which dives into the ethics, legalities, and business aspects of ransomware payments. Another bonus for the curious: Duck, one of the most respected names in cybersecurity, spills the beans on the intricacies of ransomware and related rules in various regions.
- As the methods of ransomware attacks have evolved over the years, it's clear that cybercriminals are now relying heavily on technology, utilizing modern networks and the internet to spread their malicious software more efficiently.
- In an attempt to combat the escalating threat of cyberattacks, cybersecurity professionals and lawmakers are advocating for stricter regulations, such as insurance company restrictions, bans on ransom payments, and disclosure requirements, to make these illegal acts less profitable and more transparent.