Ransomware has traditionally relied on self-replicating and self-distributing features written into the malware itself to search out, break into, and infect unsecured devices. The benefits of this are clear…fast and wide malware distribution touching thousands of devices.
Enter stage left, Popcorn Time…the first ransomware that uses the human victims themselves to find and target additional victims and so continue distribution of the malware. The idea is straightforward. When your computer becomes infected, you have four options: 1) Pay the ransom and regain control of your data, 2) Identify personal contacts you will try to infect in order to have your data released, which essentially blackmails the victim, 3) Call law enforcement and hope they have the resources to help, or 4) Do nothing. Looking at these, there are really only two options that will help the victim: Pay out, or provide targets.
This is a game changer: it forces human intervention and a moral dilemma, pushing victims to build a calculated list of contacts they know to be easy targets.
The Social Engineering aspect of this malware is relatively simple: Humans are self-serving and will only look out for themselves. Either you are a “Good Person” and you find a resolution internally (or with law enforcement), or you are an “Evil Person” and send this out to a small list of contacts and further propagate the ransomware. There is no middle ground.
That said, this decision isn’t weighed solely by the original victim’s moral conscience. It also has to do with the development and technology laws within the victim’s country, the resources of the business being attacked, and the bandwidth of law enforcement to help, mitigate, and trace the malware to the source.
As I mentioned above, traditional ransomware is self-distributing, and in many cases, has an electronic data trail leading law enforcement back to a Command and Control computer. What if that data trail runs back to a friend or business contact that knowingly targeted you to save their company? Are you at fault for opening a seemingly malicious email? Are they at fault for taking the bait and putting you on that list? Are you at fault for not having advanced malware filters in your environment? If law enforcement doesn’t help you, can you help yourself?
Security professionals need to be right 100% of the time…hackers need to get lucky once. The more hackers can increase their odds of network penetration through human interaction, the more effective they will be.
Will this strategy even work?
These are all questions that will be asked over the coming year. Until we start seeing this propagating, there is no telling what human-directed malware will do.
Part of the effectiveness of these strategies has to do with the deployment of encryption when hijacking and ransoming corporate data. Looking back, encryption has been seen as the “White Knight” protecting sensitive corporate information. Now, those tables have turned. Sun-Tzu stated in the Art of War, “To know your Enemy, you must become your Enemy.” In the case of most ransomware, hackers have used our own encryption techniques against us.
The only thing that is certain: this is one Popcorn Time you won’t want to share with friends.