Want to curb the ransomware tsunami? Build better software
Software can make you or break you.
It’s made the creators of Microsoft, Google, Amazon, Apple, Facebook, Twitter, and many others into billionaire tech titans.
But when software has exploitable defects, it can make cyber criminals rich while devastating victims ranging from individuals to public and private organizations to the critical infrastructure that modern societies need to function.
Exhibit A this month in the “break-you” category is the July 2 ransomware attack by the Russian hacker group REvil against Kaseya Ltd., a Miami-based company that supplies software to other businesses to help manage their networks.
Part of managing networks is supplying updates to software, which are meant to improve security. But if attackers can corrupt those updates with malicious code, the result is the exact opposite.
That’s what happened to Kaseya. REvil hackers were able to exploit several previously unknown (“zero-day”) vulnerabilities in the company’s virtual systems/server administrator (VSA) software, one of which the company was working to fix. But the hackers got to them first, which meant when Kaseya sent out updates, it was distributing ransomware to its customers.
Many of those customers are managed services providers (MSPs), which then distributed the corrupted update to their customers. Hence the term “supply chain attack.” Or you could call it “trickle down” ransomware, except it was way more than a trickle. Instead of attacking hundreds or thousands of targets, the hackers just had to compromise one, and then let that victim distribute it to thousands of others.
“The attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution,” the company said in an incident overview. “This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints.”
Or as Paul Ducklin of the Sophos Naked Security blog put it, “Instead of attacking thousands or millions of computers individually, you attack the company that supplies software to all of those computers, or worse still — as in this case — you attack the company that supplies software to the companies that supply software to all of those computers.”
Not just damage, but implications
The extent of the damage probably won’t be known for a while. Kaseya, which posted a rolling series of updates last week, said Tuesday that 60 of its customers had been “directly compromised by this attack. While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses.”
But as of last week, REvil was claiming that about a million computers were affected. It offered a “bulk discount” of $70 million for a universal decryption key to unlock all affected systems in a single payment, and then a few days later reportedly cut that to $50 million.
A possible sliver of better news came late last week when Bleeping Computer reported that few of the victims of the attack were agreeing to pay the ransom because “the REvil affiliate responsible for this attack chose to forgo standard tactics and procedures.”
While the attack was massive, affecting at least 1,500 businesses, “backups were not deleted and data was not stolen, thus providing the ransomware gang little leverage over the victims,” the online magazine said.
But Matt Tait, chief operating officer of Corellium, wrote in a post on Lawfare that the implications of the attack were much more ominous than the immediate damage.
Generally, he wrote, “automatic software deployment, especially in the context of software updates, are a good thing. But here this feature was turned on its head […] subverting software delivery mechanisms as a means to install ransomware.”
This made the attack “likely the most important cybersecurity event of the year. Bigger than the Exchange hacks by China in January. Bigger than the Colonial Pipeline ransomware incident. And, yes, more important than the SolarWinds intrusions last year,” he added.
Plenty of warnings
But whatever the damage and its implications, nobody in the software industry can say they weren’t warned.
Christopher Krebs, former director of the Cybersecurity and Infrastructure Security Agency within the U.S. Department of Homeland Security, testified in early May before a House Homeland Security subcommittee that “ransomware has exploded into a multi-billion-dollar global racket that threatens the delivery of the very services so critical to helping us collectively get through the COVID pandemic. To put it simply, we are on the cusp of a global pandemic of a different variety, driven by greed, an avoidably vulnerable digital ecosystem, and an ever-widening criminal enterprise.”
Krebs isn’t alone, of course. Even I warned, more than two years ago, of a coming “ransomware tsunami” after cities like Atlanta, Baltimore, and several others in Florida were hit by crippling ransomware attacks.
But the key word in Krebs’s testimony is “avoidably.” As in, attacks like this shouldn’t be succeeding so easily. It doesn’t have to be this good for the criminals and this bad for the rest of us. Because there are ways to make it much more difficult for online attackers: Build better, more-secure software, and keep it up-to-date.
Yes, there are various other recommendations to protect your organization against ransomware attacks: maintain backups of your data and keep them disconnected from your network, keep your programs and operating systems up-to-date, train employees not to fall for phishing emails or to click on links from unknown senders, use a VPN — virtual private network.
But it begins with software security. And some unnamed former employees of Kaseya told Bloomberg that from 2017 to 2020 they had warned company executives of “critical” security flaws in products including the use of old code, poor encryption, and routine failure to patch software.
Jonathan Knudsen, senior security strategist with the Synopsys Software Integrity Group, said the only question that matters is, “How can a problem like this be prevented? The reason ransomware is so successful is that so few organizations are properly prepared. They often focus solely on functionality when selecting, deploying, and operating software. They work hard to make software do what they want it to do, but security is often neglected or ignored.”
“Software is a powerful tool for organizations of all kinds, but it must be selected, deployed, operated, and maintained inside a framework of security and resilience,” he said.
Tools are available
Next, automated tools for static, dynamic and interactive application security testing will check the code for defects while it is being written, while it is running, and while users are interacting with it.
Since the majority of modern software components are open source, software composition analysis helps developers find and fix known vulnerabilities and potential licensing conflicts in those components.
And at the end of development, penetration testing can mimic hackers to find weaknesses that remain before software products are deployed. If an organization doesn’t have the expertise or capacity to do all that on its own, MSPs can help.
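The software composition analysis step described above boils down to crossing a pinned dependency manifest with an advisory feed. The following is an added illustration, not code from Synopsys, Kaseya, or any real tool: the lockfile, the advisory list and the advisory ids are all constructed sample data, and the version logic assumes plain dotted numeric versions (no pre-release tags).

```python
import re

# Constructed sample manifest in requirements.txt style (example data, not from any real project).
LOCKFILE = """\
# pinned dependencies
requests==2.19.1
urllib3==1.24.2
cryptography==3.4.8
PyYAML==5.3.1
"""

# Constructed advisory feed: (package, first vulnerable version, first fixed version, advisory id).
# The range is half-open: introduced <= version < fixed. The ids are placeholders, not real advisories.
ADVISORIES = [
    ("urllib3", "1.24.0", "1.24.3", "ADV-EXAMPLE-001"),
    ("pyyaml", "0", "5.4", "ADV-EXAMPLE-002"),
    ("requests", "2.20.0", "2.31.0", "ADV-EXAMPLE-003"),
]

# Only exact pins are accepted: a floating requirement cannot be audited reproducibly.
PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([0-9][0-9.]*)\s*$")

def parse_version(text):
    """Turn '1.24.2' into (1, 24, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))

def parse_lockfile(text):
    """Return {normalized_name: version_tuple} for every pinned line; skip comments and blank lines."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = PIN_RE.match(line)
        if match is None:
            raise ValueError(f"unpinned or unparseable requirement: {line!r}")
        pins[match.group(1).lower()] = parse_version(match.group(2))
    return pins

def find_vulnerable(lockfile_text, advisories):
    """Cross the pinned set with the advisory feed; return sorted (name, version, advisory_id) hits."""
    pins = parse_lockfile(lockfile_text)
    hits = []
    for name, introduced, fixed, adv_id in advisories:
        pinned = pins.get(name.lower())
        if pinned is not None and parse_version(introduced) <= pinned < parse_version(fixed):
            hits.append((name, ".".join(map(str, pinned)), adv_id))
    return sorted(hits)

if __name__ == "__main__":
    for name, version, adv_id in find_vulnerable(LOCKFILE, ADVISORIES):
        print(f"{name}=={version} is affected by {adv_id}")
```

Run against the sample data, it flags urllib3 and PyYAML and leaves requests alone because the pinned 2.19.1 predates the constructed vulnerable range.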
But of course, as the Kaseya attack demonstrates, MSPs have an even greater obligation to build and keep their software secure. If they don’t, they can become a vector for malware infections, including ransomware.
Finally, it’s too late in this case to prevent the REvil attack. Which means the focus is now on whether to pay the ransom and, if so, how to do it.
The official advice of the FBI is: Don’t pay. For good reason. Paying simply fuels more attacks. And as some victims learn from bitter experience, paying doesn’t guarantee anything. They’re dealing with criminals after all, who in an increasing number of cases don’t just encrypt data — they steal it as well. Which means they could threaten to make it public if the victim doesn’t make another payment.
But in many cases, the data loss can threaten the existence of an enterprise. The only way to survive is to pay.
Some experts argue that the only way to curb the rampant expansion and damage of ransomware is to disrupt the cryptocurrency system that protects the anonymity of the attackers. Nicholas Weaver, a researcher and lecturer at the University of California, Berkeley, wrote in a post on Lawfare that “we don’t have a ransomware problem, we have a Bitcoin problem.”
“If governments take meaningful action against Bitcoin and other cryptocurrencies, they should be able to disrupt this new ransomware plague and then eradicate it,” he wrote.
Indeed, that would seem at least possible, since after Colonial Pipeline paid a reported US$4.4 million, the Department of Justice announced that it had been able to recover about US$2.3 million of that by tracing and seizing the bitcoin wallet used by the hackers.
But Sammy Migues, principal scientist at the Synopsys Software Integrity Group, said endlessly adaptable cyber criminals will easily adjust. “All the attackers will move their wallets,” he said. “And if interdiction routinely gets back 50% of the money, then attackers will just double their asking price. And if all the digital wallets, digital currencies, and/or blockchains have security defects that allow for random interdiction, then it’ll just become an arms race to all fix those bugs.”
Knudsen is also not convinced that interdiction is a solution. “I can confidently say that payment interdiction is a red herring,” he said.
“By the time we’re talking about payments, it is way too late. Criminals will always find a way to get paid with a low risk of getting caught. Instead, we should be talking about having good security hygiene.”
Migues agrees. “It would be far better to incent organizations to demonstrably, continuously do the security basics of host, network, cloud, etc. to demonstrate that you have a very small chance of being a target of opportunity,” he said.
“Just raising your security bar to where you must be a target of intent to get breached will immediately stop most ransomware attacks — and lots of other data breaches — from succeeding.”