Ransomware has been one of the more prevalent security topics for past few years. Some probably think this form of digital destruction is here for the long haul. While this may be an accurate prediction, I can imagine a turn of events that would end this form of attack. To be clear, my theory is not that enterprise networks will plug every possible entry point. My prediction is that the ransomware business model COULD cease to be viable.
Let me expand on my position. For a business model to work, it has to have a monetization strategy. For ransomware, that strategy includes the victim sending money (typically bitcoin) to the attacker—trusting that they will be given the keys to decrypt their files. In this model, the victim has to trust their attacker [to do the right thing]. In and of itself, that seems to be an oxymoron and a plea in desperation.
So if these types of attacks fail to produce recovery options and gain widespread coverage, this trust is further eroded. To some degree this has already happened with Nyetya.
Without analyzing the key generation or key storage components, Talos believes that the actors behind Nyetya did not intended for the boot sector or the ten sectors that are wiped to be restorable. Thus, Nyetya is intended to be destructive rather than as a tool for financial gain.
If the industry sees widespread occurrences of failed recovery, ransomware IS dead. It doesn’t mean that we should quit protecting against the attack vectors that are used by ransomware. Those attack vectors are, and will remain, relevant for gaining an attack foothold in environments of all sizes. It is the attack payload that will change to support a different monetization strategy.
Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This
may or may does not reflect the position of past, present or future employers.