Automobile, Energy, Media, Ransomware?
When thinking about verticals, one may not instantly think of
cyber-criminality. Yet, every move made by governments, clients,
and private contractors screams toward normalizing those
menaces as a new vertical.
Ransomware has every trait of a classical economic vertical: a
thriving ecosystem of insurers, negotiators, software providers,
and managed service experts.
This cybercrime branch eyes a loot stash that amounts to
trillions of dollars. The cybersecurity industry is only too happy to
provide services, software, and insurance to accommodate this new
normal.
Intense insurer lobbying in France led the finance ministry to
give a positive opinion about reimbursing ransoms, against the very
advice of its government’s cybersecurity branch. The market is so
big and juicy that no one can get in the way of “the development of
the cyber insurance market.”
In the US, Colonial Pipeline is seeking tax reductions for the
losses incurred by the 2021 ransomware campaign they were victims of.
But wait… to what extent is the government (and, by extension,
every taxpayer) then indirectly sponsoring cybercrime?
All governments and insurance corporations forget a simple fact
in this equation: impunity. A nation-state can afford to cover risk
and refund losses if it can enforce law & order. It is the very
definition of a nation: a monopoly on armed forces to ensure
everyone’s property is protected. This system meets a limit in
cyberspace since the vast majority of cybercriminals are never
found and, even less, tried.
The possibility of air-gapping attacks against any target makes
it extremely difficult to obtain an international subpoena to analyze
every trail.
As long as the cybersecurity industry (and by extension the
economy) gets a fair share of this terrible amazing nightmare
opportunity, you can expect ransomware to become the new
normal.
And by the way, stop calling it a new attack vector; it is
anything but. The ways cybercriminals break in are the same as
ten years ago: exploits, social engineering, Web shenanigans, and
password brute force, to name a few.
A short-sighted industry will cry
On paper, this fantastic cyber insurance market is a
generational wealth maker. Sure, but did you know most of the
latest prominent breaches were made possible using an incredible
technique named “credential reuse”?
No? Well, let me tell you why you’ll cry very soon and why most
companies should get those kinds of insurance before their cost is
multiplied tenfold.
Simply put, credential reuse consists of buying legitimate
credentials from real users and… reusing them. Yet you might still
not grasp the true impact of this. Let me explain it
better.
Introducing Robert, 50 y/o, an accountant working in the CFO’s
team of “Big Juicy corp I sold a contract to”. Robert has to pay
rent, health insurance, and a pension, let alone the fact that he
hates the guts of Big Juicy. Now Robert is contacted by an
anonymous source, telling him he’ll get 2 bitcoins if he gives his
real VPN login and password… or if he clicks on a link he received
via email… Robert just has to wait 24 hours and tell the IT
department someone stole his laptop on the subway.
How do you defend against the insider threat? Big Juicy’s
insurance policy is a percentage of its turnover, and cybercriminals
know it. They can adjust the price tag of Robert’s loyalty to, say…
10% of what they expect the insurance coverage to be? Those 2
bitcoins can also be 10 or 20 if Robert works for SpaceX or
Apple.
Still sure about this insurance thing or that normalizing
Ransomware is an angle to more significant profit? Well, I’m short
insurance & long bitcoin then.
One more rich vs. poor asymmetry
The problem here is not fundamentally Big Juicy Corp. They will
smartly put the insurance and the costs of defending themselves on the
proper account in the balance sheet. Their profit will be a bit
diminished, but in the end, it’s somehow the taxpayer that will be
covering the losses through a smaller tax collection.
But hospitals? I don’t mean the private clinics that cost
millions per year, not unlike Cyberpunk’s Trauma Team depicts it. No,
the real, free-for-all hospitals that serve one role: everybody’s
health. In France, where I live, those are jewels that successive
governments are trying to break apart, with a certain success. They
are badly underfunded and already cannot cope with their debts and
maintain their outdated IT infrastructure. Once they get breached,
though, they are the talk of the town. How much is your health data
worth? Probably not much. Otherwise, why would Apple & Samsung
invest so much into collecting it, really?
And what about NGOs, NPOs, small companies, media, e-commerce
sites, etc.?
You’d think they are below the radar. Absolutely not. They are
less defended, require less investment, and provide fewer profits,
but hey, cybercriminals need to climb the ladder too.
From external perimeter to unknown boundaries
Beyond credential reuse, the external IT perimeter has also become
more complex than ever. The kids’ Android device is riddled
with malware but connected to the same home Wi-Fi you’re working
from.
VPNs everywhere became the norm, and suddenly unreleased
exploits are popping up all over the darknet to breach them.
Two-factor authentication is so complex to use that hey… let’s just
disable it, at least for the boss.
Sysadmins already had a hard time migrating to the next-gen
virtualization system. Still, they all become part-time SecOps and
need to know about containers, VMs, new protocols, and who has been
using an external SaaS without notifying the IT department because
it’s “so super useful, we don’t care if it hasn’t been audited”.
What space is left to train the team, and explain to them that
“password” isn’t actually a password and that anyone can send an
email from neil@moon.com?
And… by the way… behavior detection on your external perimeter
can tell you that Robert should be connecting from Detroit and not
Dubai, Delhi, or Moscow.
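As an added illustration of the location check described above (example code, not CrowdSec’s or the author’s), the following Python flags a VPN login from outside a user’s expected country and an impossible-travel jump from that user’s previous login; the log lines, IP addresses and coordinates are constructed for the example.

```python
import math
import re
from datetime import datetime

# Constructed VPN authentication log lines (not from any real system): Robert's
# usual logins come from Detroit; the last one is the out-of-profile login.
SAMPLE_LOG = """\
2022-10-03T08:02:11Z ok user=robert src=198.51.100.23 country=US lat=42.33 lon=-83.05
2022-10-03T17:40:52Z ok user=robert src=198.51.100.23 country=US lat=42.33 lon=-83.05
2022-10-04T07:58:03Z ok user=robert src=198.51.100.41 country=US lat=42.33 lon=-83.05
2022-10-04T09:12:44Z ok user=robert src=203.0.113.9 country=AE lat=25.20 lon=55.27
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) ok user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>\S+) lat=(?P<lat>-?[\d.]+) lon=(?P<lon>-?[\d.]+)")
MAX_SPEED_KMH = 900.0  # faster than an airliner: both logins cannot be Robert

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def parse(log):
    """Yield (timestamp, user, src, country, lat, lon) for each successful login."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            yield (datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"), d["user"],
                   d["src"], d["country"], float(d["lat"]), float(d["lon"]))

def find_anomalies(log, home_countries):
    """Return (user, src, reason) for logins outside the user's home countries
    or implying impossible travel since that user's previous successful login."""
    alerts, last = [], {}
    for ts, user, src, country, lat, lon in parse(log):
        expected = home_countries.get(user, ())
        if country not in expected:
            alerts.append((user, src, f"login from {country}, expected {expected}"))
        if user in last:
            pts, plat, plon = last[user]
            hours = (ts - pts).total_seconds() / 3600
            km = haversine_km(plat, plon, lat, lon)
            if hours > 0 and km / hours > MAX_SPEED_KMH:
                alerts.append((user, src, f"impossible travel: {km:.0f} km in {hours:.1f} h"))
        last[user] = (ts, lat, lon)
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG, {"robert": ("US",)}):
        print(alert)
```

The Dubai login raises two alerts (wrong country, and about 11,000 km covered in under 1.5 hours); a real deployment would feed the same function from the VPN gateway’s logs plus a GeoIP lookup.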
Crowdsourcing the effort
Welcome to the age of Digital Darwinism, where the most adapted
will survive.
Did we, as humankind, ever have a major victory like dealing
with a pandemic, sending people to the moon, or inventing complex
IT devices, without teamwork? Without the division of labor?
Then why would cyber security be the best field to adopt the
loner attitude and win?
Well, spoiler alert, it’s not.
There is a way out: a collective and participative effort.
If you want to defeat an army of cybercriminals, let’s adopt a
good old classic tactic and have a bigger and better-equipped army
(recent history showed us the latter is equally important).
Not unlike the neighborhood watch, open source makes it possible
to crowdsource the effort, to team up, and to detect all
malevolent IP addresses around the world, deterring any bad
behavior as a digital herd. Anyone can partake in the effort and
help those without budgets to better defend what’s precious to us:
free media, safe hospitals, and secure NGOs.
Open source and participative networks can break this death loop
that cybercriminals and the cybersecurity industry are partaking in.
Note — This article is written and contributed by
Philippe Humeau, CEO & co-founder of CrowdSec.
Read more https://thehackernews.com/2022/10/ransomware-open-source-to-rescue.html