During the ITBN conference in Budapest, I had the chance of meeting numerous interesting people, experts in their domain, including ESET’s Senior Virus Researcher Peter Kosinar, whom I discussed many topics with, including ransomware.
Squeezing in an interview before he had to rush off for his presentation on “Ransomware or Randomware,” Kosinar discusses numerous hot topics about today’s cybersecurity, the world’s most popular malware type, and Artificial Intelligence and its role in securing our online lives, shedding some light on them all.
TCSF: Why do you believe ransomware is “suddenly” on the rise and where do you think things will go in the years to come regarding its popularity?
PK: Because it works. It has very nice property compared to many other things because once you get hit by it, once you encrypt the files, it is game over if you have done it correctly as the bag guy. Because then there is no force in the Universe that can actually decrypt them. In some cases, yes, they made a mistake and it is possible to decrypt them without paying the ransom, but it has the advantage of the immediate effect. This means that you cannot do anything immediately after it happens. Yes, because there are prevention tools, you can do something in advance to be cautious, like making sure your data is backed up and so on. Fortunately, we are seeing this more often with cloud services, but there is still a lot of data that people only realize they would be missing once it got encrypted. My expectation for the future is actually even more dire in this sense. At this point the ransomware is very often of the kind that encrypts right now, and that’s about it, but it can also be done in a much slower way – corrupting the data and doing things that are not that visible, but later someone can try to get the ransom from you in order for you to be able to return the data to the original state.
Think of it – accounting people have to keep records for some time. If these records get damaged and then someone anonymously tips off the tax office “check their records, they might not be really what they claim to be” and then all of a sudden you can discover that something that you have actually not done is something that can cost you money. Of course, if you happen to pay the ransom, the tax office will not be getting this anonymous tip. And it’s not just the data; there are a lot of things that can be ransomed. The idea of ransom is old and you can find it as long as humans have been around because you could kidnap a person and demand money for it. But you can do it with data, you can do it with services, you can do it with denial of service attacks against some online casino, shop or other places which are actually operating online so if their website is not working it means that they would not be getting customers. The more business they move there, the more ransom can be obtained in making it work again.
In my point of view, ransomware is going to be staying, but it doesn’t have to be the encrypting kind, it can be something that prevents you from accessing a service but demanding money in exchange.
TCSF: What does the latest data show? Is ransomware more prevalent on smart devices because they are easier to get or computers?
PK: At this moment it is more prevalent on PCs from what I can see. But of course, the more data will be in the smart devices, the more we’ll see it there too. The question about mobile phones is: do they fall under “smart devices” or under “computers,” because there are other smarter devices like network storages where people keep their photos on or so, so these are all things that are somewhere between a “computer” and “not a computer.” From my point of view, things that are seen as computers are more prevalent for now because it is easier to get to them. It doesn’t matter that other devices are more secure, but there isn’t that much data that you can take to ransom.
There was something called Brickerbot which was breaking your home browser or devices of this kind and had it stop working. Nobody was demanding ransom for it, but they could if they wanted. “If you pay us, we will make it work again.” It is less efficient than what you can do with the files. With a bricked device you can just buy a new one. With encrypted pictures from your wedding a year ago, you can’t really take them again.
TCSF: So do you see a high rate of pay-ups in ransomware? I know there are general policies like “we don’t negotiate with terrorists, ” but there are many cases where people choose to pay the ransom.
PK: That’s what we hope for – if nobody was paying, it would be great. Except, sometimes, you are in a position where you think that if you don’t pay you might end up without business at all. Your loss would be greater, than what you pay the bad guys.
TCSF: What about home users?
PK: Well, again, there might be things that they really, really want, like students before handing in their papers or something. They can be more vulnerable to pay than someone who doesn’t really care about stuff that was there. I have talked to people who were basically like “ok, so what? I never looked at it anyway.” But there are people who are paying precisely because there are things that are really important, people like small entrepreneurs who keep their accounting information, or their contacts for clients, and seem to be operating in an environment where they do not have a backup.
TCSF: Do you think there is any newer type of malware that might become more popular than ransomware, or equal?
PK: What we are seeing as being slightly on the rise is various types of scams related to almost anything. It is not malware, it’s just tricking people using computers. You are told that you can earn money easily and so on. They will say you will gain something by using technologically sounding boards. We have seen a case where someone was claiming they are going to get on the bandwagon with the cryptocurrencies and you can invest in this growing thing and it’s great and you can earn whatever 10% within a month and so on. People fall for this.
The social engineering is easy, but then you can build a proper pyramid scheme off of it, which means people will be earning, and it is so easy these days to cover your tracks in the sense that this is done anonymously and we pay directly in convertible money, which means any of the cryptocurrencies work very well, but it doesn’t have to be that. They can just send you the money. It’s something that can be done so easily on the Internet, so why not? I’m expecting this to be on the rise, even if we secure the computers we can’t secure the users.
TCSF: What’s the best advice who’d like to keep their privacies online?
PK: Privacy or security? Privacy is something that’s difficult. First of all, you need to think about the things that you post online about yourself – pictures, comments – anything can be scraped and put together to get insight into how you live, when you work, when you’re not working, whether you are working while you are at work, and so on. Then, there are things that we can’t affect like cameras monitoring the streets and so on, which you can’t control. Then you can do financial things, buying things. The question is, who do you trust more? Your payment provider like PayPal, or do you trust more some shops? Do you trust cryptocurrencies or government-issued currencies? All this depends because someone will likely get information on you. While some cryptocurrencies provide some sort of anonymity, there’s still someone at the other end giving you some physical goods. And this is where your privacy might get broken. But it always depends on who’s your enemy. Are you worried about your privacy from a neighbor or someone else?
TCSF: One of the points in your presentation is about who’s behind ransomware.
PK: It was more of “who are the smart ones who are doing the cryptography right?” Becuase ransomware is necessary with cryptography, with encrypted files, but we know that crypto is difficult to do right. The question is who are the smart ones doing the cryptography right or whether it can be almost anybody. And, unfortunately, it can be almost anybody because even if you do the cryptography very poorly and other cryptographers will be laughing at you, it doesn’t mean it is not sufficient for this purpose.
Everyone knows MD5, the hash function is bad, SHA is bad, RC4 is bad, this is bad, that is bad. Everyone knows what is bad. You should not implement things like you’ve learned in high school because that’s the wrong way. And that’s true; irrelevant to the problems, but true. What is not understood by people because there is no direct analogy is if you have your things destroyed, like your home is set on fire, and all things are destroyed – that you’ll understand. Your files getting deleted is the same. If your files are stolen, in the sense of copied, like a spy broke into the company and copied all the files, we understand. But with encryption it’s difficult to understand. You still have possession to them, but you can’t access their useful content and there’s no physical world analogy to this – that you have something, yet you are unable to do anything with it. This is something that’s missing from human understanding – how does it actually work.
TCSF: Do you believe Artificial Intelligence will have a role in cybersecurity without human input?
PK: It will certainly, but not without human input, because it needs to be started by someone. But, a lot of things can be done, although unfortunately they can be done badly. So, the human touch is still needed to sometimes find out the interesting bits among all that AI will find interesting. It will be useful, but it’s not something that will be needed and that would ever replace humans. After all, the bad guys can use it too, so the question is “whose AI is better?”