Matthias Gruber

Ransomware: Fixing the mess

Against the apparent surge in successful ransomware campaigns, companies and individuals often have little choice but to back up or pay up. Advice from national cybersecurity teams is typically to:

  1. exercise extreme caution with opening email attachments and clicking on links; and
  2. store and frequently back up an offline copy of all business-critical data((MELANI. Ransomware. Swiss Reporting and Analysis Centre for Information Assurance (MELANI) (2016). Available at: https://www.melani.admin.ch/melani/en/home/themen/Ransomware.html.))((US Computer Emergency Readiness Team. Ransomware. US-CERT (2018). Available at: https://www.us-cert.gov/security-publications/Ransomware.)).

Beyond the practical ‘what to do’ questions is the larger agenda: ‘what should be done’. 

Predictions for 2018 suggest:


Organisations everywhere should therefore audit their systems and data holdings to identify the vulnerabilities that are most attractive to organised crime networks and cryptocurrency miners.

Duty of care

A well-known convention for determining negligence, i.e. whether a duty of care has been breached, is ‘Hand’s Formula’, dating from 1947((Mattei, T. A. Privacy, Confidentiality, and Security of Health Care Information: Lessons from the Recent WannaCry Cyberattack. World Neurosurg. 104, 972–974 (2017).)). It has three variables:

  1. Probability (P) that the accident or harmful event will occur;
  2. Gravity (L) of the resulting injury if it occurs;
  3. Associated burden or cost (B) of precautionary measures.

A duty of due care for the defendant exists if PL > B. Applying Hand’s Formula to the problem of ransomware, we note that:

  1. the probability of a ransomware attack is today recognised as ‘likely’;
  2. the resulting injury in the case of e.g. a hospital, emergency service or transport network can be very serious;
  3. the cost of precautionary measures lies in the time and investment required to (a) set up effective cybersecurity defences for all devices and networks, (b) back up all business-critical data at very regular intervals and store it offline, and (c) train people to understand the risks associated with handling email, portable storage devices and online business communications.

This places (B) firmly among the risk appetite and business risk decisions of most companies, whether they are required by law to explicitly consider cybersecurity in their corporate ‘duty of care’, or impelled to reduce risk through the fear of ‘losing it all’ in the event of a successful ransomware attack.

Organisations unwilling or unable to properly estimate (B) are likely instead to ask, ‘what’s considered an “acceptable” ransom for us before we have to invest in (B)?’. Put another way, how bad does it have to get before enough organisations take action to minimise the threat?

Enforceable laws and ‘real-world’ arrests

The law and economics of bribery and extortion is an under-researched field in the context of cyberspace. Part of the problem is that existing laws (which apply variously to private individuals and corporations) do not work well across borders. Where enforced, penalties are (currently) poorly tied to the marginal benefits of cyber crime((Rose-Ackerman, S. The Law and Economics of Bribery and Extortion. Annu. Rev. Law Soc. Sci. 6, 217–238 (2010).)). Further, attribution of ransomware crimes may take many months after the incident has occurred, which is plenty of time to convert Bitcoins to cash and/or sell seized data.

Nonetheless, reports of arrests have started to appear in the media – although the numbers are pitifully few if we consider the victims and revenues involved. In December 2017, five were arrested in Romania and two in Bucharest for spreading the CTB-Locker malware (a file-encrypting ransomware). The raids were carried out by law enforcement officers following a joint investigation by the Romanian Police, the Romanian and Dutch Public Prosecutor’s Offices, the Dutch National Police, the UK National Crime Agency, the US FBI and Europol((Europol. Five arrested for spreading ransomware throughout Europe and US. Europol (2017). Available at: https://www.europol.europa.eu/newsroom/news/five-arrested-for-spreading-ransomware-throughout-europe-and-us.)).

Notable among four arrests and seven indictments in 2017 by the US was Peter Levashov (a.k.a. Petr Levashov, Peter Severa, Petr Severa, Sergey Astakhov), of St. Petersburg, arrested in Barcelona on 7 April and held in Spain awaiting extradition to the US to serve a 52-year jail sentence. Levashov is accused of running the Kelihos botnet, used by cyber criminals to distribute ransomware and other attacks((Reuters. Factbox: U.S. arrests of Russian cyber criminals hit record high. Reuters (2017).)).

Standardisation of the way in which digital forensics gets reported to a court of law may also help in expediting prosecutions. The Dutch are currently leading this initiative and are amending the Netherlands Register of Court Experts (NRGD) accordingly((Henseler, H. & van Loenhout, S. Educating judges, prosecutors and lawyers in the use of digital forensic experts. Digit. Investig. 24, S76–S82 (2018).)). The NRGD is open to Dutch and non-Dutch digital forensics specialists.

Shared responsibility

Medical doctors writing in the wake of WannaCry argued for shared responsibility across hospitals and their supply chains, legislators and regulators, akin to the largely successful pan-industry collaboration in assuring airline safety((Sittig, D. F., Belmont, E. & Singh, H. Improving the safety of health information technology requires shared responsibility: It is time we all step up. Healthcare (2017). doi:10.1016/j.hjdsi.2017.06.004)). That type of collaboration requires a little compromise on all sides to achieve the greater objective of passenger safety.

The maritime industry is a cohesive community and has begun to leverage its very long and established trust relationships, protocols and conventions to address the burden of collective responsibility in cyberspace. For example, the International Maritime Organisation (IMO) released interim guidance on maritime cyber risk and many nations are reviewing maritime security as part of their national security strategy. BIMCO guidelines released in January explain broadly how a shipping company can mitigate cyber risks in every segment of its networks and operations.

The role for partnership between industry and law enforcement across every sector of the economy is very clear: companies that collect threat intelligence through their distributed software and operating systems are a vital source of information in defeating the platforms and malpractice that enable ransomware. For example, in November 2017 Microsoft, in partnership with law enforcement agencies including the US FBI, Europol and Germany’s Lüneburg Central Criminal Investigation Inspectorate, disrupted the Gamarue botnet (aka Andromeda) – one of the world’s largest – which since 2011 has distributed at least 80 malware families to devices worldwide, including the Petya and Cerber ransomware. The disruption reduced the number of infected devices but did not eliminate the botnet.

Within organisations, ransomware must be added to the catalogue of techniques available to the malicious insider threat.

White collar crime traditionally requires time and effort to establish trust and trust-dependence relationships, as well as advanced skills to spot an opportunity when it arises – as illustrated in the cases of Enron (2001), Madoff (. Virtual currencies and RaaS reduce the barrier to entry, creating the conditions for a new form of ‘virtual collar crime’, a “perfect storm of increased virtuality and democratisation of online crime”((Reid, A. S. Financial Crime in the Twenty-First Century: The Rise of the Virtual Collar Criminal. in White Collar Crime and Risk (ed. Ryder, N.) 231–251 (Palgrave Macmillan UK, 2018). doi:10.1057/978-1-137-47384-4_9)). This creates complex and urgent challenges for companies and law enforcement agencies everywhere.

Are you protected?

My team and I protect you, your business and your data against cyber threats by analysing risks and developing early detection and protection concepts.