How LoveBug changed the IT security landscape
On the 20th anniversary of the LoveBug malware, we caught up with Mark Nutt, EVP EMEA at Veritas, to discuss how this computer virus not only attacked millions of computers in a single day but also changed the multi-billion-dollar ransomware landscape forever.
The first ransomware is widely believed to be AIDS Trojan, which was unleashed on a group of HIV researchers in 1989. However, the impact of the virus was fairly limited - victims needed to install the malware from a floppy disk and ransoms had to be paid by cheque. The lack of sophistication, the ease with which the perpetrator was caught and, critically, the lack of reach, meant that AIDS Trojan didn’t initially inspire many copycat attacks.
When LoveBug came on the scene though, 20 years ago this month, it proved that hackers could attack millions of devices in a single day, and that changed the landscape for ransomware forever. Viruses like Archievus followed, which built on the most effective aspects of AIDS Trojan and LoveBug. Over the next years, ransomware became increasingly sophisticated and prevalent, until WannaCry was unleashed on the world, infecting over 230,000 devices, in over 150 countries, demanding ransoms in 20 different languages.
Since then we’ve seen ransomware payments go through the roof. With the rise in sophistication of ransomware crime, data protection has also become more sophisticated.
What are some of the best ways to encrypt and defend valuable data?
It’s important to understand that encryption can’t stop a ransomware attack. During a ransomware attack, hackers compromise a company’s systems and use their own encryption to prevent the business from being able to read their data. If the company has encrypted the data themselves to protect against data theft, the ransomware simply adds another layer of encryption over the top. This is like putting a locked box in a safe. Even if you have the key for the box, you can’t open it unless you have the combination for the safe too.
This is why it’s critical for businesses to have backup copies of their data that they can use in the event that their primary data is attacked. We recommend businesses adopt the “3-2-1 rule”, where each organisation has three copies of its data, two of which are on different storage media and one is “air-gapped” in an offsite location. With an offsite data backup solution, businesses have the option of simply restoring their data if they are ever locked out of it by criminals exploiting weaknesses in systems.
However, we’re also seeing an evolution of ransomware where hackers are increasingly looking to exfiltrate (or steal) copies of the data as they encrypt it. They can then add the threat of revealing company data to the list of reasons why their victims should pay the ransom. In these cases, data encryption becomes a key tool in the IT manager’s arsenal.
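The “3-2-1 rule” described in the answer above can be turned into a mechanical check over a backup inventory. The following is an added example, not Veritas code or anything from the interview; the inventory format and the field names (dataset, location, media, offsite, air_gapped) are assumptions made for the illustration, and the sample inventory is constructed.

```python
"""Check a backup inventory against the 3-2-1 rule.

Added example, not Veritas code. The inventory format and field names
are assumptions made for this illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    dataset: str      # logical name of the data being protected
    location: str     # where this copy lives (site or service name)
    media: str        # storage medium, e.g. "disk", "tape", "object"
    offsite: bool     # stored away from the primary site
    air_gapped: bool  # not reachable from the production network


def check_321(copies):
    """Return (ok, findings) for one dataset's list of BackupCopy objects.

    The rule as stated in the text: three copies in total, on at least two
    different media, with at least one copy both offsite and air-gapped so
    that a network-borne attacker cannot encrypt it along with production.
    """
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need at least 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"all copies on one medium ({', '.join(sorted(media))}), need 2")
    if not any(c.offsite and c.air_gapped for c in copies):
        findings.append("no copy is both offsite and air-gapped")
    return (not findings, findings)


def audit_inventory(inventory):
    """Group copies by dataset and return {dataset: (ok, findings)}."""
    by_dataset = {}
    for copy in inventory:
        by_dataset.setdefault(copy.dataset, []).append(copy)
    return {name: check_321(cs) for name, cs in by_dataset.items()}


# Constructed sample inventory for two datasets: one compliant, one not.
SAMPLE_INVENTORY = [
    BackupCopy("finance-db", "hq-san", "disk", offsite=False, air_gapped=False),
    BackupCopy("finance-db", "hq-nas", "disk", offsite=False, air_gapped=False),
    BackupCopy("finance-db", "vault-tape", "tape", offsite=True, air_gapped=True),
    BackupCopy("file-share", "hq-san", "disk", offsite=False, air_gapped=False),
    BackupCopy("file-share", "dr-site-nas", "disk", offsite=True, air_gapped=False),
]

if __name__ == "__main__":
    for name, (ok, findings) in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {'OK' if ok else 'FAIL'}")
        for finding in findings:
            print(f"  - {finding}")
```

The second dataset fails on all three counts: it has only two copies, both on disk, and its offsite copy is still reachable from the production network, which is exactly the copy a network-borne ransomware infection can encrypt alongside the primary data.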
How can businesses combat ransomware today?
There are four areas that should be part of every business’s ransomware strategy: protect, detect, respond and recover.
When it comes to protection, raising user awareness across the whole business is of paramount importance. Remember, a company’s protection against ransomware is only as strong as its weakest link. Therefore, arming employees with the knowledge they need to practice secure email and browsing habits can prevent many ransomware attacks from succeeding. Protection also involves backing up data securely, reliably and automatically. When hackers come to you demanding a ransom to get your data back, the strongest position to be in is one where you can just walk away because you have another clean and safe copy - backup and recovery solutions can give you this.
Effective detection is another important tool. The faster you can respond to a ransomware attack, the faster you can recover from it, so knowing when an attack is taking place is critical – in order to respond fast, you need to ensure that your intrusion detection (network and host), anti-malware and file anomaly detection practices are all up to scratch. It’s not just external events that you should be monitoring, but your own data too.
Responding appropriately is also key. Once you know that you’re being hit, how and when a business responds is vital. The first and most immediate step taken should be to shut down systems to prevent further infection. Then, the process of identifying when the infection occurred on each impacted system begins in earnest.
Finally, it’s not about getting hit, it’s about how fast a business can return to productivity. This is where recovery comes in. Planning for recovery is key – how quickly and efficiently a business recovers has a huge impact on how much ongoing damage the ransomware attack will have. Businesses need to be in a position where they can recover data from a large number of servers quickly, as well as being able to roll back to a known safe point in time.
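The “file anomaly detection” the answer above mentions is, in practice, a rule run over file-server audit events: ransomware tends to rename many files across many directories to an unfamiliar extension within seconds. The following detector is an added example, not Veritas code or anything from the interview; the log line format, the allow-list of expected extensions and the sample log are constructed for the illustration, and the thresholds are assumptions a real deployment would tune.

```python
"""Flag ransomware-like bursts of file renames in a file-server audit log.

Added example, not Veritas code. The log format is constructed for this
illustration; real audit trails carry the same fields under other names.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from os.path import dirname, splitext

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)

# Extensions users legitimately produce in this environment (assumption).
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".pptx", ".jpg", ".png", ".tmp", ".bak"}


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def suspicious_rename(rec):
    """A rename whose target extension is not one the environment expects."""
    if rec["action"] != "RENAME" or not rec["new"]:
        return False
    return splitext(rec["new"])[1].lower() not in KNOWN_EXTENSIONS


def detect_bursts(lines, window=timedelta(seconds=60), threshold=5, min_dirs=2):
    """Return a list of alerts: (user, first_ts, count, distinct_dirs).

    An alert fires the first time a user performs `threshold` suspicious
    renames inside `window`, spread over at least `min_dirs` directories.
    Each user fires at most once so responders are not flooded.
    """
    recent = defaultdict(deque)   # user -> deque of (timestamp, directory)
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not suspicious_rename(rec):
            continue
        user = rec["user"]
        q = recent[user]
        q.append((rec["ts"], dirname(rec["path"])))
        # Drop events that have fallen out of the sliding window.
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        dirs = {d for _, d in q}
        if user not in alerted and len(q) >= threshold and len(dirs) >= min_dirs:
            alerted.add(user)
            alerts.append((user, q[0][0], len(q), len(dirs)))
    return alerts


# Constructed sample log: bob renames one file normally; mallory mass-renames.
SAMPLE_LOG = """\
2020-05-04T09:00:01 user=bob action=RENAME path=/share/hr/draft.docx new=/share/hr/final.docx
2020-05-04T09:00:05 user=bob action=WRITE path=/share/hr/final.docx
2020-05-04T09:10:00 user=mallory action=RENAME path=/share/finance/q1.xlsx new=/share/finance/q1.xlsx.locked
2020-05-04T09:10:01 user=mallory action=RENAME path=/share/finance/q2.xlsx new=/share/finance/q2.xlsx.locked
2020-05-04T09:10:01 user=mallory action=RENAME path=/share/hr/payroll.pdf new=/share/hr/payroll.pdf.locked
2020-05-04T09:10:02 user=mallory action=RENAME path=/share/hr/contracts.docx new=/share/hr/contracts.docx.locked
2020-05-04T09:10:03 user=mallory action=RENAME path=/share/legal/nda.pdf new=/share/legal/nda.pdf.locked
2020-05-04T09:10:04 user=mallory action=RENAME path=/share/legal/terms.docx new=/share/legal/terms.docx.locked
"""

if __name__ == "__main__":
    for user, first, n, ndirs in detect_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT user={user} first_event={first.isoformat()} renames={n} dirs={ndirs}")
```

The per-user, time-windowed count keeps a single legitimate rename (bob) silent while the burst of unknown-extension renames spread across several directories (mallory) raises one alert as soon as the threshold is crossed, which is the point at which the answer’s next step, isolating the affected system, should begin.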
The rise of cryptocurrency: has it aided criminal networks in their gains?
The first ransomware attack took place some twenty years before the first bitcoin was mined, with ransoms being mailed by cheque to a PO box in Panama. But, of course, this flaw in the plan was one of the reasons why authorities were able to apprehend the author of the virus so quickly. It could be argued that, even without cryptocurrencies, hackers would have found ways to extort money without having to step out of the shadows. There was a long period before crypto payments where attackers harnessed ecommerce sites to backchannel payouts. The birth of cryptocurrencies, however, was the final puzzle piece for the hacking community to achieve complete anonymity in receiving and laundering their ransoms.
What does the future hold for Ransomware?
The first ransomware attack with the AIDS Trojan targeted the healthcare sector, and it is likely ransomware will continue to focus on these organisations, along with the public sector and manufacturing industries. These are heavily reliant on mission-critical information for their day-to-day activities so, regardless of whether they have a lot of money or not, they’re deemed more likely to pay up.
We’ll also see ever more diverse threats. Increasingly, hackers threaten data exfiltration as well as encryption if they feel that leaking data might be more ‘motivational’ for their targets. There’s also the threat of exposure as businesses become aware of associated brand damage following an attack – during Travelex’s own recent incident, for example, it was the hackers who broke the story to the press to encourage them to pay up.
As prevention tools become more sophisticated, and bad actors increasingly target specific organisations, phishing and social engineering become even more central to the strategies for deploying ransomware. It’s also critical for businesses to have a clear understanding of what data they have and where it is stored so that in the event that they receive a threat, they know exactly what’s been taken and what the impact of revealing it might be.
This is why it’s critical to have a strategy that protects your data, as well as trying to prevent the malware. In the ever-evolving game to outwit the hackers, it’s never going to have been more important to have backup copies of your data that you can rely on.