In the last few days, I have seen multiple articles on ransomware in my news feeds (including a shameless reference back to our own post on The State of Security). As I read these, it occurred to me that there is an ironic similarity between these schemes and legitimate companies.
The criminals running these malware and ransomware schemes have to be honest and deal in good faith with their “customers” (OK, I know they are victims, but they also qualify as customers for the sake of my point).
They have an interest in their own branding and name recognition, the quality of their malware, and other aspects of reputation management that legitimate businesses have.
As a long-time developer, I can picture the team of malware developers pulling all-nighters to put out a critical patch to their software the same way I once did. And in fact, it appears that as the malware market matures, we will get more and more separation of duties.
Teams of developers are already beginning to sell their products to a black market of criminals, the actors who in turn deploy the attacks. Within that marketplace, there will certainly be complete mirroring of legitimate business practices. The black markets, ironically, need to be built on the same kinds of trust models and mechanisms that legitimate markets must have in order to work.
At the other end of the attack, the criminals running the scam have to be “trustworthy.” If they don’t undo the damage (at least in the majority of cases – think Hawks and Doves), no one will ever pay the ransom.
If they deal honestly and decrypt the victim’s files, they can hope at some point people (like, say, the FBI) will say just pay it – it’s easier. What a win, in my opinion; by operating in good faith, they got some of us to decide to cave.
In fact, to many, the cost of preventative measures, like backing up and managing backups of your systems, is much more than the price the criminals are asking.
I find the irony of this situation mildly amusing, at least until it happens to me or a relative.
However, the big security takeaway may be that we know that criminal organizations have to at least mirror some legitimate business practices. Maybe the response should be less technical and we should be attacking the “legitimacy” and reputations of these groups.
As we know from Sun Tzu’s The Art of War, knowing the enemy is a vital element of success.
Title image courtesy of ShutterStock