Apr 20, 2017 New Ransomware Highlights Darkside Economics
Another day, another ransomware: Security researchers at threat intelligence provider Recorded Future have uncovered Karmen, a ransomware app that is so easy to use that novices can set up and run it. Karmen costs just $175 to get up and running (in case you’re considering a career change), and would-be criminals can set their own prices for releasing users from the ransomware.
Analysts expect that SMBs will be the primary targets, on the theory that smaller companies hit the sweet spot: they lack effective mitigation strategies, yet they have critical data and applications that they need in order to function. So if you’re reading this and you work at an SMB, please make sure you’re backing up data and apps early and often, using providers such as Crashplan from Code42, which has reliable offerings just for small businesses. (Code42 also offers secure endpoint-as-a-service solutions for SMBs.)
But the significance of Karmen goes beyond its potential impact on SMBs. Karmen illustrates the concept of darkside economics, the emerging economic system in which hackers sell user information, malware tools, and platforms to would-be criminals, who can piece together their own attacks. What’s interesting about darkside economics is that it decouples the difficulty of a cyberattack from the criminality: it no longer takes an evil genius to launch an attack that brings a company to its knees.
Darkside economics, in other words, brings cyberattacks to the masses. And security professionals need to recognize that not only are attacks getting more sophisticated, the sheer volume of them is going to grow dramatically, as novices enter the game.
Protecting against Karmen and other relatively unsophisticated attacks isn’t the same as protecting against more sophisticated attacks: the primary tools are user training and basic information hygiene (e.g., encrypting and backing up vulnerable data). Preliminary findings from our 2017/2018 Security and Risk Management benchmark and maturity model show that most companies aren’t training effectively. Typically, security training isn’t happening frequently enough, it isn’t validated properly, or it isn’t updated often enough (or all three). And fewer companies than expected back up both servers and desktop machines on a regular basis.
More broadly, it pays to be aware of darkside economics. Infosec pros need to protect their companies not just from sophisticated nation-state assaults, but from teenage hackers trying to turn a buck.