EMPHASIS: Studying ransomware

Eerke Boiten

The best-known example of ransomware to date is 2017’s WannaCry, which disrupted numerous organisations including at least a third of NHS trusts. Even before that incident, Eerke Boiten (De Montfort) was starting work on EconoMical, PsycHologicAl and Societal Impact of RanSomware (EMPHASIS), a project to study ransomware and devise interventions. EMPHASIS includes researchers from the fields of computer science, criminology, psychology, economics, and law across five universities (Kent, Leeds, De Montfort, Newcastle, and City), and has several partners from industry, law enforcement, and universities abroad.

As WannaCry showed, ransomware can extend to critical national infrastructure. Yet to date most ransomware has been relatively crude. There is, says Eerke Boiten, the project’s leader, the potential for far more technological sophistication: WannaCry was relatively simple, yet still caused some havoc. In addition, victims play an essential role in the stories of these attacks. WannaCry relied on victims who had failed to update Windows XP, yet was asking them to pay the ransom in bitcoin – an apparent contradiction that becomes less counterintuitive once you consider the required interaction between criminal and victim after infection. “It’s an interesting technical problem, because cybercrime is a big thing but organised cybercrime is an even bigger threat,” Boiten says, adding that when you look for the sort of cybercrime that might result in large gains for organised gangs, ransomware is a good candidate.

The project asks the following research questions:
Why is ransomware so effective, and why are there so many victims?
Who is carrying out ransomware attacks?
How can police agencies be helped?
What interventions are required to mitigate the impact?

The overall goal is to strengthen society’s resistance to ransomware to make it less effective, protect and prepare potential victims, whether organisations or citizens, and pursue the criminals.

Since this is an investigation of a known, existing problem rather than a quest for a use case for a proposed solution, gathering data from law enforcement, SMEs, technical support services, and CERTs, as well as from public surveys and interviews with stakeholders, is crucial. Besides these sources, the group also proposes to use script analysis, behavioural analysis, and profiling to understand the narratives of both criminals and victims, and to build typical ransomware scenarios that can be used to model these attacks at a larger scale and understand them from an economic point of view.

From the economic point of view, the researchers want to understand how ransomware works as a business in order to find the weak points where adaptive interventions can be made. From the technological point of view, they want to pinpoint the strengths and weaknesses that can be disrupted and how it might evolve in future. Finally, from the psychological and criminological side, the project will study who the victims and criminals are, and what that means for the future.

The world has already changed a bit since the project began, as WannaCry was followed by NotPetya; the goals of such attacks are widening from pure financial gain to include disruption. In a recent attack, ransomware may have been merely a decoy to deflect attention from a more malicious attack trying to siphon off money from a bank. At the moment, we don’t really know who the perpetrators are, since these attacks are easy enough to assemble that they could be as technically limited as “script kiddies” or as sophisticated as a nation-state. The researchers expect ransom amounts to rise to just above the amount people are willing to pay as these attacks begin to incorporate price discrimination, perhaps based on personal information obtained by the malware from the computer it has infected.

“A recurring theme in our project is the possibly false confidence that criminals don’t read academic papers,” Boiten says. This notion is based on the fact that some potential schemes that were reported 20 years ago still haven’t been seen in the wild.

In all this, data is crucial. Unfortunately, the actors who have it are organised crime, who will clearly profit from analysing it.

In the discussion that followed Boiten’s presentation of this project at the October 2017 RISCS meeting, it emerged that some aspects are surfacing that weren’t in the original research design. These include, for example, conflicts between varying legal requirements for systems, such as competition versus safety, or personally identifiable information versus the need to generate value. Boiten noted that in the WannaCry case there were at least six actors you could call responsible: the NHS, which didn’t update its systems; the government, which didn’t finance those updates; the Shadow Brokers; the NSA; Microsoft, for discontinuing free provision of security updates for XP; and then the criminals.

Angela Sasse noted the added burden placed on those under attack in that the aftermath tends to see so much bad advice, citing WannaCry as an example. The most important advice – making sure you have clean backups – appeared only on the NCSC’s site. Improving the dissemination of good advice is also a goal of EMPHASIS.

Other commenters noted that insurers who pay ransoms do have some information, though they may not deem it in their interest to share it. One who had seen the transcript from a ransomware group’s technical support line noticed the length of time spent haggling and advising how to get hold of bitcoin. It might be feasible to set up a group of deliberately infected machines and gather data by communicating with the criminals. Boiten noted there are ethical issues with doing that, though it seemed a promising possibility. Finally, businesses try to assess their threats, opportunities, strengths, and weaknesses. One could reverse this: what threats become opportunities? Doing that would ensure that the results, when published, would be relevant to businesses and presented in the language they use and understand.

About Wendy M. Grossman

Freelance writer specializing in computers, freedom, and privacy. For RISCS, I write blog posts and meeting and talk summaries