Why the security industry is teaming up in the fight against ransomware
Fri 11 Aug 2017 | Raj Samani | Hatem Naguib
The Stack speaks with Raj Samani, chief scientist and fellow at McAfee, and Hatem Naguib, SVP of security at Barracuda, to find out more about the No More Ransom initiative
What is the No More Ransom initiative and what trends does it respond to?
Raj: The No More Ransom initiative aims to inform the public about the dangers of ransomware and help victims to recover their data without having to pay a ransom to cybercriminals.
Ransomware is a significant threat: almost two-thirds of EU Member States are conducting investigations into this form of malware attack. Major attacks, such as the recent WannaCry strain which infected more than 230,000 computers in over 150 countries and six continents, are bringing ransomware into the public eye but awareness needs to go beyond the threat itself, extending to an understanding of how to practice good cyber hygiene and avoid falling victim to the malware.
The number of victims is growing at an alarming rate so the No More Ransom online portal offers information on what ransomware is, how it works and, most importantly, how to protect files and data against it. It also contains tools that can help victims to recover their data once it has been locked by criminals.
In its initial stage, the portal contained seven decryption tools for different types of malware, but this has already leapt to 40 with more constantly being developed. We hope to empower users with our ability to restore access to their systems, enabling them to take action without having to make a payment and, in doing so, inadvertently supporting the cybercriminals and their business.
What variety of cyber threats does the site face?
Hatem: Security was always a number one concern for those involved with No More Ransom. The coalition’s leaders estimated that, on the day the site was launched, it would have around 12,000 daily visitors. This estimate was immediately surpassed when 2.6 million visitors came to the site on the very first day.
It was safe to assume that, as a website attracting this many visitors and having been specifically designed to defend against cybercrime, No More Ransom would inevitably become an irresistible target for the perpetrators – whether they hoped to bring the site down altogether or whether they wanted to use it as a means to infect its visitors with malware.
This assumption was well founded; the No More Ransom site came under attack as soon as it went live. Over 51,000 attacks, ranging from standard DDoS attacks to more sophisticated attacks on portions of the infrastructure, were targeted at the site within days of its launch, all of which were blocked by the firewall.
Even less obvious attackers, for example, those that wear a mask and disguise their attacks through VPN systems, are not able to slip through the cracks. In fact, there have been more than 1 million VPN-based attack requests identified and blocked to date.
Over the last few months, there has been a nonstop barrage of attacks from all over the globe. But despite this, and the huge numbers of legitimate visitors, No More Ransom still operates smoothly and possesses a clean record, having never been brought down by an attack.
How are you working to prevent such attacks?
Hatem: The No More Ransom site is hosted on Amazon Web Services (AWS) and protected by Barracuda Web Application Firewall on AWS. One of the determining factors in the decision to combine these solutions is that Amazon’s native security can be easily and effectively integrated with application security.
As the number of site visitors increased, exceeding all expectations, AWS adjusted resources and the firewall automatically scaled to secure additional instances as they spun up, enabling the website to cope with the traffic, without affecting overall performance.
The firewall is also able to eliminate application vulnerabilities and protect web applications against application-layer DDoS, SQL injection, cross-site scripting, and other advanced attacks.
It also protects against previously unknown zero-day application-layer attacks. As new types of threats emerge, the firewall technology dynamically acquires new capabilities to block them. These definitions are automatically updated and applications are virtually patched, greatly reducing the time between vulnerability disclosure and vulnerability patching.
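The answer above describes a web application firewall sitting in front of the site: a signature set that is updated independently of the application, a "virtual patch" that blocks a known-bad request shape until the application itself is fixed, and per-client throttling for application-layer floods. The following added example (written for this article; it is not Barracuda's product code and not the No More Ransom site's configuration) shows the shape of that mechanism in a few dozen lines: rules are plain data, the request is decoded once so encoded payloads are seen as the backend would see them, and verdicts are returned per request so they can be asserted on. The endpoint, parameter and rule names are invented, and the regexes are deliberately simple illustrations rather than a usable ruleset.

```python
"""WAF-style virtual patching and application-layer rate limiting, illustrated.

Hypothetical example code (not Barracuda's product, not the No More Ransom
site's configuration). The rule list stands in for vendor-pushed definitions:
it can be changed without touching the application behind it.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, unquote_plus, urlsplit


@dataclass
class Request:
    client_ip: str
    method: str
    url: str
    body: str = ""
    ts: float = 0.0  # seconds; constructed timestamps in the sample below


@dataclass
class Rule:
    rule_id: str
    description: str
    pattern: "re.Pattern[str]"


# Signature set. Patterns are simplified illustrations, not a production ruleset.
RULES: List[Rule] = [
    Rule("SQLI-001", "SQL tautology / comment / UNION injection",
         re.compile(r"(\bor\b\s+\d+\s*=\s*\d+|--\s|\bunion\b\s+\bselect\b)", re.I)),
    Rule("XSS-001", "script tag or inline event handler",
         re.compile(r"(<\s*script\b|\bon\w+\s*=)", re.I)),
    # A "virtual patch": block one vulnerable endpoint/parameter combination at the
    # edge until the application is fixed. Endpoint and parameter are made up.
    Rule("VPATCH-EXAMPLE", "virtual patch for hypothetical /export?file= traversal",
         re.compile(r"^/export\?.*\bfile=.*\.\./", re.I)),
]


class RateLimiter:
    """Sliding-window per-client limiter for application-layer floods."""

    def __init__(self, max_requests: int, window_s: float):
        self.max_requests = max_requests
        self.window_s = window_s
        self.hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, client_ip: str, now: float) -> bool:
        q = self.hits[client_ip]
        while q and now - q[0] > self.window_s:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def inspect(req: Request) -> Optional[str]:
    """Return the id of the first rule the request trips, or None if it is clean."""
    parts = urlsplit(req.url)
    # Decode once so %27 / '+' encoded payloads are matched as the app would see them.
    full = parts.path + ("?" + parts.query if parts.query else "")
    surfaces = [unquote_plus(full)]
    surfaces += [unquote_plus(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    if req.body:
        surfaces.append(unquote_plus(req.body))
    for rule in RULES:
        for s in surfaces:
            if rule.pattern.search(s):
                return rule.rule_id
    return None


def filter_requests(requests: List[Request], limiter: RateLimiter) -> List[Tuple[str, str]]:
    """Per request: ('allow', '-') or ('block', <rule id or 'RATE'>)."""
    verdicts: List[Tuple[str, str]] = []
    for req in requests:
        if not limiter.allow(req.client_ip, req.ts):
            verdicts.append(("block", "RATE"))
            continue
        hit = inspect(req)
        verdicts.append(("block", hit) if hit else ("allow", "-"))
    return verdicts


# Constructed sample traffic: one clean search, three signature hits, and a
# 25-request burst from a single client inside one second.
SAMPLE: List[Request] = [
    Request("203.0.113.5", "GET", "/search?q=ransomware+decryptor", ts=0.0),
    Request("203.0.113.5", "GET", "/search?q=%27+OR+1%3D1+--", ts=0.1),
    Request("198.51.100.9", "GET", "/feedback?msg=%3Cscript%3Ealert(1)%3C/script%3E", ts=0.2),
    Request("198.51.100.9", "GET", "/export?file=../../etc/passwd", ts=0.3),
] + [Request("192.0.2.77", "GET", "/", ts=1.0 + i * 0.01) for i in range(25)]

if __name__ == "__main__":
    for req, verdict in zip(SAMPLE, filter_requests(SAMPLE, RateLimiter(20, 1.0))):
        print(f"{req.client_ip:14} {req.url[:40]:40} {verdict}")
```

The point of keeping the rules as data is exactly what the answer describes: a new definition, or a virtual patch for a freshly disclosed flaw, is a one-line change deployed at the edge, while the application code ships its real fix on its own schedule.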
How does the project encourage participation among industry partners?
Raj: Launched in July 2016, the initiative initially began as a collaborative effort between the Dutch National Police, Europol, McAfee and Kaspersky Lab. Since then, we’ve been steadily gaining partners from a variety of countries at numerous levels – from associate partners, who contribute to the development of new unique decryption tools and keys through to supporting partners across law enforcement agencies and the private sector, who promote the initiative.
We often hear talk of public-private partnerships and whilst this rhetoric is often lauded, the No More Ransom initiative demonstrates a practical example of this approach, and what can be achieved when it is put into practice.
Collaboration around the No More Ransom initiative goes beyond intelligence sharing, consumer education, and takedowns to help repair the damage inflicted upon victims. The more parties that support this project, the better the results can be. The initiative is always open to new partners’ cooperation so any businesses considering it should get in touch.
How do you expect the initiative to evolve over the next few years?
Raj: Since July 2016, we’ve gone from 7 to 40 decryption tools while more partners are coming on board all the time. Furthermore, awareness around the site itself is constantly growing. On its first day, the site received 2.6 million requests. It now averages around 300,000 per day, attracting new visitors each time a new resource or decryption tool is uploaded. More recently during the initial stages of the WannaCry attack, over 8 million requests came to No More Ransom.
As more decryption tools are uploaded and more partners come on board over the next few years, I expect to see more visitors coming to the site to try to regain access to their encrypted data rather than resorting to paying a ransom. Hopefully, this will make ransomware less and less lucrative for cybercriminals – and lead to a subsequent decline in the malware.