By Darren Pauli, 30th April 2015 04:58

Ransomware scum find the sweet spot to coin it without copping it

$10k demands are paid, and plod stays away

RSA 2015: RSA chief information security officer David Martin says ransomware scum may have reached the sweet spot between extorting users and avoiding law enforcement heat.

Martin says ransomware extortionists' demands top out at about US$10,000, a sum sufficiently low to get reluctant companies to pay and to prevent time-poor police from intervening.

"I think there is a sweet spot where you (criminals) only want to target organisations in local jurisdictions but if you move into a large enterprise with enough customers, you'll get federal law enforcement involved and make some serious enemies," Martin told El Reg at the RSA Conference in San Francisco last week.

"If you get too big, too greedy, you'll make enemies with the people who have the might and muscle to come and get you.

"There is a lot of innovation and I think we will continue to see things evolve."

Martin says ransomware scum should stick to targeting smaller businesses and try to make big bucks out of multiple attacks, rather than "one big play".

Smaller demands of cash for keys tend to convince smaller businesses to pay rather than attempt to find cryptographic implementation faults to decrypt their data without paying.

Security companies have published free tools to help decrypt shoddy ransomware that typically asks for a few hundred dollars, but the proper high-end product can be next to impossible to feasibly crack.

The latter ransomware is typically accompanied by emails sent by attackers to victims informing them that their data is encrypted and to pay up or face a rising ransom for each day lapsed.

Crooks will often hand over the key on payment to preserve the integrity of their business model. It is so effective that multiple police agencies have paid the ransoms.

Detailed data on the value of ransomware are hard to come by, but some crooks have made millions of dollars in mere months. Symantec reckons (pdf) that in the early days of ransomware 2.9 percent of compromised users paid.

To reduce risk from ransomware raids, businesses should change weak and default passwords used on services like remote desktop protocol -- a favourite vector for some scammers -- and back up critical data to air-gapped media.

Exploit kits that target unpatched software like Flash and Java will often foist ransomware, which places the onus on users to patch.

One recent ransomware iteration demonstrated that even air-gap backups may not be enough by silently encrypting and decrypting web databases for months before pulling the key. ®
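A defender-side check for the failure mode just described (backups that faithfully preserve data an implant had already been encrypting transparently for months), as an added example that is not from the article or any product it mentions: restore a sample from backup and confirm that a known canary row comes back as plaintext, flagging text fields that look like ciphertext. The canary row, the sample rows and the entropy threshold are constructed assumptions.

```python
import math

# Constructed canary record: a known row written into the live database so a
# periodic restore test can confirm it comes back unchanged and readable.
CANARY = {"id": 1, "email": "canary@example.test", "note": "backup-canary-v1"}

# Constructed restore samples: one is healthy, the other is what a backup looks
# like when the live data was already ciphertext at backup time.
GOOD_RESTORE = [
    CANARY,
    {"id": 2, "email": "alice@example.test", "note": "Invoice 4471 paid in full"},
]
BAD_RESTORE = [
    {"id": 1, "email": "kS9z3Q+vT1xL8nR2wY6pH0mJ4bC7dF5gAeXq", "note": "u2W/8cNm1aLz5Kq9Pd3RvXe7Sf0Gh4Yj6Bt="},
    {"id": 2, "email": "Zn7pQ1xK4mB9vL2tR8cW5dY0gH3jS6fA", "note": "Gh4Yj6Bt+u2W8cNm1aLz5Kq9Pd3RvXe7Sf0="},
]


def shannon_entropy(text: str) -> float:
    """Bits per character of text; base64/ciphertext scores well above prose."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(value, min_len: int = 24, threshold: float = 4.5) -> bool:
    """Heuristic (assumed threshold): long, high-entropy strings in fields that
    should hold human-readable text are treated as suspected ciphertext."""
    return isinstance(value, str) and len(value) >= min_len and shannon_entropy(value) >= threshold


def verify_restore(rows, canary=CANARY):
    """Validate rows restored from backup. The canary must match exactly, and no
    text field may look encrypted. Returns (ok, findings)."""
    findings = []
    by_id = {row.get("id"): row for row in rows}
    if by_id.get(canary["id"]) != canary:
        findings.append("canary row missing or altered")
    for row in rows:
        for field, value in row.items():
            if looks_encrypted(value):
                findings.append(f"row {row.get('id')}: field '{field}' looks encrypted")
    return (not findings, findings)


if __name__ == "__main__":
    for label, sample in (("good", GOOD_RESTORE), ("bad", BAD_RESTORE)):
        ok, findings = verify_restore(sample)
        print(label, "restore ok" if ok else "restore FAILED", findings)
```

The canary catches the case outright; the entropy heuristic is there to surface fields the canary does not cover, so treat it as a prompt for a manual look rather than a verdict.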

Darren Pauli travelled to San Francisco as a guest of RSA.
