The ransomware paper (part 3): New trends and future concerns

January 28, 2022 by Keatron Evans

Welcome to the last part of this ransomware series (see Part one: What is ransomware?, and Part two: Real-life scenarios). As we wrap up, I want to focus on a few attacks that haven’t been discussed much in the media as well as some trends we may see in the future.

When those in the industry talk about ransomware protection and prevention, most of it is geared towards businesses. However, we’re seeing several trends involving attack scenarios directed at end-users, specifically in personal digital environments. 

Instagram, Twitter and TikTok, oh my!

Lately, I’ve seen a trend of people's social media accounts — like Twitter, TikTok and Instagram — being taken over and ransomed the same way a corporation’s data is being ransomed. 

It is worth noting that social media accounts and emails have been a target for takeover for a while, and it’s mostly been a flat rate cost to get access back. The traditional scenario is based on a scheme of convincing the victim they are paying money to Microsoft or Facebook support. Typically, the attackers would only charge the victim’s card the designated rate to “restore” access, but sometimes they would max out the victim’s credit or debit card. That was pretty much it.  

Now they are asking for a ransom. They also appear to be doing some basic recon on the victims so they can match the ransom amount with what they think the victim might pay.

I have a cousin who was a victim of this very attack. Her ransom demand was only $150; however, she is 17 years old and has about 1,800 followers. If you are an influencer with four million followers, that ransom will be considerably higher.

Take another person who contacted me: a pastor of a church with about 3,500 active members and about 15,000 followers on Instagram and Facebook. His Instagram and Facebook were both compromised. Getting the Facebook account back was relatively easy, but the Instagram account proved more difficult. The attacker wanted $5,000. They also added a threat along the lines of: “You’re a popular pastor. How would you like your Instagram account to start posting inappropriate adult content?”  

It left him and his small IT team terrified and flustered. 

Yet another history lesson, kind of

This trend is akin to what happened with computers. They were initially reserved for large organizations as they were too expensive for most to personally operate. Then the cost of production went down and mass production and distribution became possible. Thanks to Microsoft, Apple and others, personal computers were feasible seemingly overnight — and the rest is history.

One mistake we continue to make in this industry is failing to look at ransomware as an economic vehicle for cybercriminals. There is now enough profitability in these individual ransomware attacks to justify upward-trending projections.

Paying ransoms has gotten much easier

As I pointed out in the first part of this article, ransomware — and even ransomware against individuals — is not something new. When personal computers first began to get hit with ransomware, most individuals were given a choice: pay $200 to $500 to get their computer unlocked or have a local computer repair shop reinstall Windows from scratch. 

When these personal ransomware attacks were trending upward eight or so years ago, it was not easy to set up a bitcoin account and make a payment. Now, it’s much easier. Heck, ransomware operators appear to have hired technical writers as the quality of their modern payment tutorials is quite impressive. 

Huge growth of micro-businesses

Additionally, social media and the whole influencer movement have created millions of micro-businesses generating billions of dollars — all the while blending more of people’s personal lives with their business. In fact, for many influencers, their personal lives are their business. 

This is how ransomware actors justify asking an individual for a large payment — assuming they have a large following. It’s just one example of how changing times have taken a market once considered low profit by ransomware operators and created millions of high-profit opportunities within it.

I personally know five people who have been hit with this kind of attack in the last year.

More ransomware opportunities

A few months ago, I contributed to a Breaking Defense article related to hacking smart cars. While researching, I discovered some military bases are considering banning these vehicles. Why would entire countries consider such drastic actions against smart cars? It’s mostly due to the susceptibility of those cars being compromised to digitally spy on intelligence and defense organizations.

Imagine you are in Chicago parked downtown near Lake Michigan. It’s minus 10 degrees with a minus 20 windchill.  You try to unlock your smart car as you always do and find that the door is not unlocking. At that instant, you get a text message from an unknown number saying, “We’ve taken over the app that controls your car. Send us $500 in bitcoin within the next five minutes or we will start your car and rev the engine until it’s destroyed.”  

That might sound like a stretch, but we are not that far away. I regularly use an app to start my SUV, lock and unlock the doors, turn on one of its many cameras and more. 

Importance of mobile phones

We also have to consider how important phones have become to the average consumer. Most of us care more about our phone data than we do our computer data. If the ransomware enterprise shifts some of its energy to this “emerging” consumer market, mobile phones may replace computers and networks as the focus of attacks.

For context, I dropped my phone from the metro train platform at Reagan Airport as I was about to depart on a flight. The phone was destroyed. I could not access anything on it. The amount of stress that put me through for the following eight or so hours is embarrassing. I had my electronic boarding pass on there. I couldn’t get an Uber when I landed in Chicago. I couldn’t even call someone to pick me up. I had to resort to that thing we call a taxi. Yes, they still exist. And to be fair, I’m not as addicted to my phone as I believe most Americans are.

Ransomware that can instantly lock and encrypt a person’s phone will likely be very profitable for these groups, especially if they’re able to harvest zero-click exploits similar to the ones disclosed in 2021 related to the NSO Group.

Rise of remote work

Also, with more people working from home, successful phishing and ransomware against an employee may not have a direct impact on an employer’s network.  These trends in our new work-from-home economy make it more likely that the ransomware focus will shift.

End-users and regular consumers will not have access to the budget, knowledge base or resources to recover from these types of ransomware attacks. As a result, they will be more likely to pay the ransom. 

In addition, many employees have moved from behind the veil of protection provided by corporate firewalls, SOCs, security engineers and other impressive security gear and knowledge. This is one area of concern that has not yet been fully addressed. 

Importance of education

It helps to look at the ransomware market the same way we would look at legitimate non-criminal markets and economic systems.  The consumer ransomware market is largely untapped, but I don’t suspect it will stay that way for long. It would be great if I could look back in three years and say I was wrong. But right now, I’m not convinced that will be the case. 

It is our responsibility as leaders to start educating end-users more frequently on these types of threats and their impact. Everyone will have to become more diligent about protecting their devices and their data  — and that starts with cybersecurity leaders making education accessible, practical and memorable.

I don’t want to live in a future where my refrigerator, Wi-Fi, thermostat and work devices are hijacked and used to collect ransom from me to get control back. So let’s educate ourselves and others!

Keatron Evans

Keatron Evans is a cybersecurity and workforce development expert with over 17 years of experience in penetration testing, incident response and information security management for federal agencies and Fortune 500 organizations. He is VP of Portfolio and Product Strategy at Infosec, where he empowers the human side of cybersecurity with cyber knowledge and skills to outsmart cybercrime. Keatron is an established researcher, instructor and speaker — and lead author of the best-selling book, Chained Exploits: Advanced Hacking Attacks from Start to Finish. He regularly speaks at major industry events like RSA and serves as a cybersecurity subject matter expert for major media outlets like CNN, Fox News, Information Security Magazine and more.

Keatron holds a Bachelor of Science in Business Information Systems and dozens of cybersecurity certifications, including Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Certified Cloud Security Professional (CCSP) and Licensed Penetration Tester (LPT). When not teaching, speaking or managing his incident response business, KM Cyber Security LLC, Keatron enjoys practicing various martial arts styles, playing piano and bass guitar, and spending time with his family.