We all know that Software as a Service (SaaS) makes managing software easier, but there’s a dark side to every technology, and the dispiriting truth about SaaS is that it makes the deployment of ransomware easier too.

Ransomware, for those who aren’t familiar with the term, allows hackers to illegally access – and encrypt – a third party’s sensitive data. The ransom-requester then notifies the victim of the attack, demanding funds – usually in the form of hard-to-trace bitcoin – if they want the data decrypted. If the attacker’s initial “request” does not yield the desired revenue, the next step is for the ransom-requesters to threaten to make the compromised information public.

Here’s where SaaS often comes in: Ransom as a service (RaaS) providers offer a malware kit that’s free to any cyber-criminal who wants to use it to inflict malware on a third party. A percentage of the ransom (between 20 and 30 per cent) goes to the RaaS malware provider and the rest to the cyber-criminal. The RaaS malware kit is usually designed for ease of use: no programming skills are required for the cyber-criminal to use it. S/he just has to register on the RaaS site, specify the recipient of the ransomware, and enter the ransom amount. That’s it! The RaaS provider does the rest.

The question is, what can be done about it? Can there be RaaS legislation similar to gun control legislation? Even if such legislation can be designed, who could enforce it? The legislation could only apply within the country where it was passed. It is pointless to pass legislation in one country to control what erstwhile RaaS providers are doing from far-flung nations like Nigeria, China, or Russia, to say nothing of an ISIS sympathizer holed up in his mother’s basement.

One way to protect against RaaS is to aggressively focus on implementing strategies to protect critical data against ubiquitous cyber-criminals and their ransomware demands. The usual security features, such as firewalls and up-to-date software, are musts, but they are not enough to protect an organization from being hit by malware. Additional security controls such as host intrusion prevention are needed, as are frequent backups using different media (e.g. the cloud, stand-alone hard drive, etc.), one of which should be offsite.

As noted on this site, the ransomware industry is still in its infancy, and guaranteed to get worse. SonicWall’s annual report, for example, shows that the number of attacks grew from 4 million in 2015 to 638 million in 2016. We must get ready for this new type of criminal endeavour, which might as well be called cyber mafia; only instead of using guns to threaten, practitioners use RaaS.

Yes, this is a depressing and scary blog, meant to be a wake-up call not just for businesses, but across the country, not to mention the world.

There is a need for an initiative to counteract RaaS at an international IT level, sort of a cyber security Interpol. If it is not done, RaaS will increase, a 21st-century crime akin to robbery on the high seas, but instead of waving flags, the pirates will just pop a notice on your computer system and you’ll know you’ve been had.

Catherine Aczel Boivie
Dr. Catherine Aczel Boivie is a widely respected executive with over 30 years of experience in the leadership of advancing the value of information technology as a business and education enabler. Prior executive roles include CEO of Inventure Solutions and Senior Vice President of Information Technology/Facility Management for Vancity Credit Union, and SVP of IT and Chief Information Officer at Pacific Blue Cross and Canadian Automobile Association of British Columbia. Catherine is also an experienced board member serving on several boards, including those of Commissioner for Complaints for Telecom-television Services, Canada Foundation for Innovation and MedicAlert Canada. Dr. Boivie is the founding Chair and President of the Chief Information Officers (CIO) Association of Canada, which has over 400 Chief Information Officers as members across Canada. She has been publicly recognized for her contributions, including being named as one of Canada's top 100 most powerful women by the Women's Executive Network in the "Trailblazers and Trendsetters" category and the recipient of the Queen Elizabeth Diamond Jubilee medal for being a "catalyst for technology transformation".