Future ransomware variants could adopt a time factor, whereby more money is charged the longer the victim does not pay up.
Laurence Pitt, security strategy director EMEA at Juniper Networks, said that while most ransomware gives a 72-hour window, and in the case of WannaCry, it was released on a Friday so as the 72-hour deadline is on Monday, the victim is more likely to pay.
Pitt said that if there were a 72-hour countdown, what if the ransomware developer put the price up every hour? “72 hours has been the defacto that ransomware has had, but with GDPR also having a 72 hour window [for breach notification] why would you not increase your ransom every hour that someone doesn’t pay that they get to the reporting window?”
He said that there is the challenge of time to react and knowing what has happened, and the challenge for the business is to get it to zero, and there will be a crossing point as the business wants to be back online so if the value of that is the data, and the ransom will go up $20 an hour – it will be cheaper to pay off.
Pitt pointed out to Infosecurity that he did not advocate this theory, but he could not see why this could be an example of how criminals could not use best practice to improve their efforts.
Looking at the history of ransomware variants, including Reveton from 2012, GameOver Zeus which was taken down in 2014 and the 2016 Mac-specific KeRanger, Pitt said that WannaCry was "a fairly basic attack", but one that had such significant capabilities that other variants could draw ideas from.
He specifically picked out the ‘demo’ capability which could unlock 50 files, but would alert the ransomware ‘controller’ to the fact that the account was live. “With WannaCry, we believe it is individuals waiting to notice you’ve paid and after a few days,” he said.
“I cannot find another ransomware [variant] where the demo version came up. I cannot remember who reported on the two keys in WannaCry, but I cannot find another one where they have done that, the only one that is a close comparison is HydraCrypt where they have an automated system which was offline most of the time and there was a warning in their code where it said that it may take up to three days to respond. Cryptolocker had a three day response, but with WannaCry it was believed to be a manual response.”
Asked by Infosecurity if he felt that this was a success of a very basic method, Pitt asked why an attacker would stop using the most basic attack methods "as that is what works", but until ransomware fails, it is a quick source of money as there will always be people who pay.
Lee Fisher, head of security business for EMEA at Juniper Networks, said that this is the first ransomware to target vulnerabilities, and it is trivial for code to be inserted there.
In terms of recovery, Pitt said that backup is good, but have you tested it? He also recommended avoiding payment wherever possible, and follow simple tactics like: backing up regularly; provide training like fake phishing emails; having a business network with a zero-trust model; and keep all software up to date. “At worst, do not pay ransom and disconnect devices from the internet,” he said.