It is not uncommon for a security reseller or managed service provider to be approached by a business after a ransomware attack, asking what it can do to help the firm out of a sticky situation.
The answer, more often than not, is nothing. While a number of solutions can be deployed and monitored in the hope that an attack can be prevented, once the cybercriminal has struck you are generally left with a dilemma - pay or bust. After all, you'll see countless vendors advertising a solution that claims to stop ransomware, but you'll be hard pushed to find one boasting that it can reverse ransomware.
Ransomware protection is now more important than ever, but there is a growing feeling among cybersecurity specialists that businesses do not truly appreciate the threat, believing it to be overhyped by the media.
To test this theory, Paul Risk, CTO at UK security distributor Ignition Technology, set out to create his own piece of ransomware and establish whether or not end users need to be as scared of the technology as some people say they should.
The result of his experiment was that he was able to locate a ransomware provider, create the ransomware and download it, all in less than an hour.
"It's pretty shocking," he said.
"I've been in security for quite a long time and we've been selling these tools to protect people. Sometimes when you do a proof of concept for a cybersecurity product you're sort of hoping that something happens, something is flagged up, to help close the deal - but a lot of the time it doesn't work like that.
"You do sometimes wonder if this is all just scaremongering, is it actually real? To know that I've created a piece of ransomware from start to finish in one evening is scary."
Risk chronicled the process, taking screenshots along the way.
■ 10:05pm: Locate a VPN service
Connecting to a virtual private network, from which you can navigate to anywhere on the internet without it being linked to your IP address, makes your actions untraceable. There is no point going through the process of creating ransomware, distributing it and collecting your earnings if a digital paper trail is going to lead right to your laptop.
By 10:44, all these steps had been completed and Risk now set about accessing the dark web.
■ 10:58pm: Find and connect to the Satan website on the dark web
Satan came to prominence at the start of this year when malware research firm Xylitol reported that the ransomware creator was now offering ransomware-as-a-service functionality on the dark web.
The dark web comprises content that sits on overlay networks built on the World Wide Web's infrastructure, but can only be accessed using specific software. Virtually all sites on the dark web hide their identity using services such as Tor, and require the user to use the same encryption tools to access their content. The Tor web browser is commonly used for browsing the dark web, where the Satan ransomware site can be discovered.
On its website, Satan offers a brief description of itself: "Apart from the mythological creature, Satan is a ransomware - a malicious software that once opened in a Windows system encrypts all the files and demands a ransom for the encryption tool.
"Once you've signed up, you'll have to log in to your account, create a new virus and download it. Once you've downloaded your newly created virus you're ready to start infecting people."
It took Risk less than 15 minutes to find the Satan site on the dark web.
■ 11:01pm: Ransomware created (Fig 1, above)
The process of actually making the ransomware took just three minutes. Absolutely no coding or programming skill is required. An online form asks for a malware name, the amount you want to charge, and the rate at which you want the ransom to increase over a period of time.
Once the malware is created you can view a dashboard, showing how many malwares you have created, how many people have been infected, and how much has been paid.
"What's interesting is at this point I haven't had to part with any money whatsoever," Risk said.
"I signed up on the website and didn't even need an email address. The company takes a 30 per cent cut and I get 70 per cent. I don't think that's too bad, and if I didn't like it I'd just charge more for my ransomware!
"I can even see how many people have been infected by the ransomware and if I want to take the money out I just pop in my Bitcoin address and press the withdraw button. It couldn't be any easier."
Interestingly, Satan states on its website that the commission it charges will reduce depending on the number of infections and payments a user generates, encouraging users to attack more targets.
Does it work?
Just three minutes later, at 11:04, Risk had downloaded the ransomware as an executable file, ready to be shared around potential victims.
While not knowing whether the ransomware would work, Risk checked the file on Google-owned malware scan engine VirusTotal, which had no record of this particular file - meaning it is likely that Satan had generated a completely new strain of ransomware unknown to cybersecurity vendors.
"You can test malware on sites such as VirusTotal," Risk said.
"You can open the ransomware file, look at the properties and copy the SHA-1 hash, which is the unique identifier and in theory these should be unique.
"If I take that hash and search it in VirusTotal I should see if anyone has seen this piece of ransomware before. It came back and said 'file not found' which means that they haven't seen it before, from any of the 56 vendors that use VirusTotal's pool of malware."
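The hash lookup Risk describes is the first check most analysts run on an unknown file. The script below is an added illustration, not code from the article or from Ignition Technology: it computes the digests a reputation service accepts as a lookup key and shows why a freshly generated build comes back as "file not found". The KNOWN_BAD_SHA256 set is a constructed stand-in for a vendor feed, and the sample bytes are made up.

```python
import hashlib
from pathlib import Path

# Constructed stand-in for a vendor reputation feed (sample data, not real indicators):
# SHA-256 digests that some scanner has previously classified as malicious.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"constructed sample of a previously seen build").hexdigest(),
}


def file_hashes(data: bytes) -> dict:
    """Return the three digests a reputation service such as VirusTotal accepts as a key."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_path(path: str, chunk_size: int = 1 << 20) -> dict:
    """Hash a file on disk in chunks so large samples do not have to fit in memory."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def reputation(data: bytes, known_bad=KNOWN_BAD_SHA256) -> str:
    """Classify a sample by exact-hash lookup only.

    'known-malicious' means the digest is in the feed. 'not-seen' means exactly
    that and nothing more: the feed has no verdict, which is the 'file not found'
    result described in the article. It is not evidence that the file is clean.
    """
    return "known-malicious" if file_hashes(data)["sha256"] in known_bad else "not-seen"


if __name__ == "__main__":
    seen = b"constructed sample of a previously seen build"
    fresh = seen + b"\x00"  # a build that differs from a known one by a single byte
    print(reputation(seen))   # known-malicious
    print(reputation(fresh))  # not-seen: one changed byte gives an unrelated digest
    print(file_hashes(seen)["sha1"] == file_hashes(fresh)["sha1"])  # False
```

The point of the last two lines is the caveat behind Risk's result: a per-customer build generated minutes earlier has a digest nobody has submitted, so an exact-hash lookup can only ever answer "not seen", and a sandbox or behavioural check has to decide whether the file is dangerous.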
Opening the ransomware on your own machine would be equivalent to cyber suicide, so Risk sacrificed an old laptop and opened the executable file.
Once the file was run, all files on the machine had their names changed to random combinations of letters, and any document or image, when opened, displayed only unreadable symbols.
"There was a constant load on the CPU which normally with ransomware suggests that it's going through and encrypting all your files," Risk said.
"After that I got a message, and my documents had changed names - they looked like gobbledygook - then the browser window popped open and it told me what had happened to my files. They'd all been encrypted.
"I then followed the link to see what happens and it tells you that you have to pay specifically what I had set up - 0.1 bitcoins (approximately £96) to that particular address - and it even tells me that if I don't do this within 24 hours it will increase the ransom." (Fig 2, above)
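The two symptoms Risk observed, filenames replaced by random letters and contents that open as unreadable symbols, are exactly what a simple host-side check can look for. The script below is an added example and is not code from the article or from Ignition Technology: it compares two snapshots of a directory and flags the combination of mass renames and new near-random files. The snapshot contents, the threshold values and the function names are all constructed for the illustration.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated byte, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_snapshots(before: dict, after: dict, entropy_threshold: float = 7.5,
                     vanish_ratio: float = 0.5) -> dict:
    """Compare two {filename: content} snapshots of the same directory.

    Two signals are combined: most of the original filenames have vanished
    (the random renames the article describes), and the files that replaced
    them are near-random bytes (what an encrypted document looks like when
    opened). Files present in both snapshots never count, so an archive or
    image that was always high-entropy does not trip the check on its own.
    """
    vanished = set(before) - set(after)
    appeared = set(after) - set(before)
    high_entropy_new = sorted(name for name in appeared
                              if shannon_entropy(after[name]) >= entropy_threshold)
    vanished_fraction = len(vanished) / len(before) if before else 0.0
    new_high_fraction = len(high_entropy_new) / len(appeared) if appeared else 0.0
    return {
        "vanished_fraction": vanished_fraction,
        "high_entropy_new": high_entropy_new,
        "suspicious": vanished_fraction >= vanish_ratio and new_high_fraction >= vanish_ratio,
    }


# Constructed sample snapshots (made up for this example, not data from the article).
_rng = random.Random(1234)


def _random_bytes(n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for encrypted file contents."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


SNAPSHOT_BEFORE = {
    "q3-report.docx": b"Quarterly revenue summary for the board. " * 50,
    "notes.txt": b"meeting notes: follow up with finance on Tuesday\n" * 40,
    "backup.zip": _random_bytes(4096),  # legitimately high-entropy, present before and after
}
SNAPSHOT_AFTER = {
    "xkqzpwmf": _random_bytes(4096),
    "rtyuhbnj": _random_bytes(4096),
    "backup.zip": SNAPSHOT_BEFORE["backup.zip"],
}


if __name__ == "__main__":
    print(assess_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
    # A user adding one plain-text file changes nothing the check cares about.
    print(assess_snapshots(SNAPSHOT_BEFORE, {**SNAPSHOT_BEFORE, "todo.txt": b"call IT\n" * 5}))
```

Requiring both signals keeps the false-positive rate down: a compressed backup is high-entropy but was there before, and a bulk rename by a user does not produce random-looking contents. On a real host the same logic would run over file-system events rather than full snapshots, with the sustained CPU load Risk noticed as a third corroborating signal.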
At this stage, the full ransomware life cycle is complete - all that is required now is for the cyber criminal to distribute the file through email, the internet, on a USB or a number of other methods. Once the file is open, the user has to face that dreaded dilemma - pay or bust.
"It is really, ridiculously simple," Risk said.
"It took me one hour from start to finish. Even if this took you a week, it wouldn't take any time to go and do this stuff.
"I did a bit more research after this and I found another 34 ransomware-as-a-service sites. It is just another world, so this is very real."