I remember, as a child, despising the neighborhood kid who would always say, "I told you so." Well, let's move ahead some 30-odd years to the WannaCry ransomware attack—I now feel like that despised child. You see, on March 29 of this year, I emailed the following note to my colleagues in the Risk Forum:
Just a few high-level and interesting notes from the conference.… 2017 & 2018 will be the Year of Ransomware (I can elaborate on this when we are all together—pretty fascinating business models developed here).
Too bad I kept my thoughts to our little group here at the Atlanta Fed and didn't get the message out to the masses (or at least to our Take on Payments readers) prior to the WannaCry ransomware attack that began on May 12. So why did I think, and why do I still think, that 2017 and 2018 will both be the "Year of Ransomware"?
Those who know me know that I am not a very technical person. I see things more strategically than technically and usually sprint away from conversations that become technical. After viewing a demonstration on how to launch a ransomware attack, I was shocked to learn that hardly any technical expertise is required to pull off an attack. This is all made possible by the "pretty fascinating business models" that I referred to in my note, business models known as Ransomware as a Service (RaaS).
I'd always envisioned that serious technical code-writing capabilities would be a requirement for developing the code to send the malicious files involved in ransomware. And while coding is needed, that is where RaaS comes into play. You pay someone else to create the malicious code, which you then use to launch a ransomware attack. And to make the attack even more successful, there are simple tools available that allow you not only to test the code against the market-leading antivirus software detection programs but also to tweak the code embedded in the malicious file to ensure that none of the antivirus software programs will detect it. Antivirus software protects users only from known malicious code, which is the reason the software must be constantly updated.
With the undetectable code in hand, you can now launch a ransomware attack through either an embedded file or a link, within a phishing email or social media post, to a legitimate-appearing but malicious website. And this costs little or nothing up front! The cost for the RaaS is only realized once a successful attack occurs, with a portion of the collected ransom paid to the RaaS provider.
Which brings me back to why I think ransomware attacks will continue to escalate, leading to 2017 and 2018 becoming "The Year(s) of Ransomware." They are simple to execute, low cost, and proving to be highly lucrative. (According to the FBI, an estimated $209 million was paid in ransom in the first quarter of 2016.) Expect a future blog post on how to plan for and defend against attacks.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed