Industry insights

The ransomware paper (part 3): New trends and future concerns

Keatron Evans
January 28, 2022 by
Keatron Evans

Welcome to the last part of this ransomware series (see Part one: What is ransomware?, and Part two: Real-life scenarios). As we wrap up, I want to focus on a few attacks that haven’t been discussed much in the media as well as some trends we may see in the future.

When those in the industry talk about ransomware protection and prevention, most of it is geared towards businesses. However, we’re seeing several trends involving attack scenarios directed at end-users, specifically in personal digital environments. 

 

Instagram, Twitter and TikTok, oh my!

 

Lately, I’ve seen a trend of people's social media accounts — like Twitter, TikTok and Instagram — being taken over and ransomed the same way a corporation’s data is being ransomed. 

It is worth noting that social media accounts and emails have been a target for takeover for a while, and it’s mostly been a flat rate cost to get access back. The traditional scenario is based on a scheme of convincing the victim they are paying money to Microsoft or Facebook support. Typically, the attackers would only charge the victim’s card the designated rate to “restore” access, but sometimes they would max out the victim’s credit or debit card. That was pretty much it.  

Now they are asking for a ransom. They also appear to be doing some basic recon on the victims so they can match the ransom amount with what they think the victim might pay.

 

Download Keatron's free paper, "The ransomware paper: Real-life insights and predictions from the trenches."

 

 

Get Your Copy

 

I have a cousin who was a victim of this very attack. Her ransom demand was only $150, however, she is 17 years old and has about 1,800 followers. If you are an influencer with four million followers, that ransom will be considerably higher. 

Take another person who contacted me: a pastor of a church with about 3,500 active members and about 15,000 followers on Instagram and Facebook. His Instagram and Facebook were both compromised. Getting the Facebook account back was relatively easy, but the Instagram account proved more difficult. The attacker wanted $5,000. They also added a threat along the lines of: “You’re a popular pastor. How would you like your Instagram account to start posting inappropriate adult content?”  

It left him and his small IT team terrified and flustered. 

 

Yet another history lesson, kind of

 

This trend is akin to what happened with computers. They were initially reserved for large organizations as they were too expensive for most to personally operate. Then the cost of production went down and mass production and distribution became possible. Thanks to Microsoft, Apple and others, personal computers were feasible seemingly overnight — and the rest is history.

One mistake we continue to make in this industry is failing to look at ransomware as an economic vehicle for cybercriminals. There is now enough profitability in these individual ransomware attacks to justify upward-trending projections.

 

Paying ransoms has gotten much easier

 

As I pointed out in the first part of this article, ransomware — and even ransomware against individuals — is not something new. When personal computers first began to get hit with ransomware, most individuals were given a choice: pay $200 to $500 to get their computer unlocked or have a local computer repair shop reinstall Windows from scratch. 

When these personal ransomware attacks were trending upward eight or so years ago, it was not easy to set up a bitcoin account and make a payment. Now, it’s much easier. Heck, ransomware operators appear to have hired technical writers as the quality of their modern payment tutorials is quite impressive. 

 

Huge growth of micro-businesses

 

Additionally, social media and the whole influencer movement have created millions of micro-businesses generating billions of dollars — all the while blending more of people’s personal lives with their business. In fact, for many influencers, their personal lives are their business. 

This is how ransomware actors justify asking an individual for a large payment — assuming they have a large following. It’s just one example of where the changing times has taken a market once considered low profit by ransomware operators and created millions of high-profit opportunities within it. 

I personally know five people who have been hit with this kind of attack in the last year.

 

More ransomware opportunities

 

A few months ago, I contributed to a Breaking Defense article related to hacking smart cars. While researching, I discovered some military bases are considering banning these vehicles. Why would entire countries consider such drastic actions against smart cars? It’s mostly due to the susceptibility of those cars being compromised to digitally spy on intelligence and defense organizations.

Imagine you are in Chicago parked downtown near Lake Michigan. It’s minus 10 degrees with a minus 20 windchill.  You try to unlock your smart car as you always do and find that the door is not unlocking. At that instant, you get a text message from an unknown number saying, “We’ve taken over the app that controls your car. Send us $500 in bitcoin within the next five minutes or we will start your car and rev the engine until it’s destroyed.”  

That might sound like a stretch, but we are not that far away. I regularly use an app to start my SUV, lock and unlock the doors, turn on one of its many cameras and more. 

 

Importance of mobile phones

 

We also have to consider how important phones have become to the average consumer. Most of us care more about our phone data than we do our computer data. If the ransomware enterprise shifts some of its energy to this “emerging” consumer market, mobile phones may replace computers and networks as the focus of attacks.

For context, I dropped my phone from the metro train platform at Reagan Airport as I was about to depart on a flight. The phone was destroyed. I could not access anything on it. The amount of stress that put me through for the following eight or so hours is embarrassing. I had my electronic boarding pass on there. I couldn’t get a Uber when I landed in Chicago. I couldn’t even call someone to pick me up. I had to resort to that thing we call a taxi. Yes, they still exist. And to be fair, I’m not as addicted to my phone as I believe most Americans are. 

Ransomware that can instantly lock and encrypt a person’s phone will likely be very profitable for these groups. Especially if they’re able to harvest zero-click exploits similar to the ones disclosed in 2021 related to the NSO group. 

 

Rise of remote work

 

Also, with more people working from home, successful phishing and ransomware against an employee may not have a direct impact on an employer’s network.  These trends in our new work-from-home economy make it more likely that the ransomware focus will shift.

End-users and regular consumers will not have access to the budget, knowledge base or resources to recover from these types of ransomware attacks. As a result, they will be more likely to pay the ransom. 

In addition, many employees have moved from behind the veil of protection provided by corporate firewalls, SOCs, security engineers and other impressive security gear and knowledge. This is one area of concern that has not yet been fully addressed. 

ChatGPT training built for everyone

ChatGPT training built for everyone

We've created a training video and supplemental resources to educate every employee on how to use AI tools securely. Meet with a member of our team to get started.

 

Importance of education

 

It helps to look at the ransomware market the same way we would look at legitimate non-criminal markets and economic systems.  The consumer ransomware market is largely untapped, but I don’t suspect it will stay that way for long. It would be great if I could look back in three years and say I was wrong. But right now, I’m not convinced that will be the case. 

It is our responsibility as leaders to start educating end-users more frequently on these types of threats and their impact. Everyone will have to become more diligent about protecting their devices and their data  — and that starts with cybersecurity leaders making education accessible, practical and memorable.

I don’t want to live in a future where my refrigerator, Wi-Fi, thermostat and work devices are hijacked and used to collect ransom from me to get control back. So let’s educate ourselves and others!

Keatron Evans
Keatron Evans

Keatron Evans is a cybersecurity and workforce development expert with over 17 years of experience in penetration testing, incident response and information security management for federal agencies and Fortune 500 organizations. He is VP of Portfolio and Product Strategy at Infosec, where he empowers the human side of cybersecurity with cyber knowledge and skills to outsmart cybercrime. Keatron is an established researcher, instructor and speaker — and lead author of the best-selling book, Chained Exploits: Advanced Hacking Attacks from Start to Finish. He regularly speaks at major industry events like RSA and serves as a cybersecurity subject matter expert for major media outlets like CNN, Fox News, Information Security Magazine and more.

Keatron holds a Bachelor of Science in Business Information Systems and dozens of cybersecurity certifications, including Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Certified Cloud Security Professional (CCSP) and Licensed Penetration Tester (LTP). When not teaching, speaking or managing his incident response business, KM Cyber Security LLC, Keatron enjoys practicing various martial arts styles, playing piano and bass guitar, and spending time with his family.