Extortion as a Service: Ransomware and the consumerization of IT crime

by Edward Cone

We spoke with Dan Taylor, head of security for NHS Digital, not long before last week’s devastating ransomware attacks on England’s health service and many other organizations around the world. He talked about exponential growth in ransomware incidents, but said the danger was less with the inherent properties of this particular threat and more with general weaknesses in security systems.

Maybe, but taking bits hostage is one of the fastest-growing threats to data security for a reason, and part of the story is that these attacks have gotten so easy to perpetrate.

Bad guys used to have to know something about computers to make their misdeeds pay. Now data theft and extortion, like so many other software-based activities before them, are feasible for anyone with an internet connection. Think of it as the consumerization of IT crime, or hacking as a service.

Carsten Scholz, chief information security officer for Munich-based financial services giant Allianz SE, told us about the trend while we were working on the same program for which we spoke to NHS. He said this:

“Ransomware is not new, but what is new is that ransomware is very easy to use. You can find services for it on the ‘darknet’ side of the internet—you simply plug in your Bitcoin and get the software, and then you can go and shoot campaigns out. Of course, this is a criminal act, but it’s easy for even non-IT-savvy people. They do not need to have any kind of IT knowledge. They do not even need to know where the potential victims are sitting.”

So you’ve got a way of committing data crimes that is drop-dead simple. And, per Mr. Taylor, a lack of effective systems to stop these and other attacks. The NHS has its own challenges in strengthening security across a very large, decentralized organization, but so do a lot of places.

That does not bode well for data security in the days and months ahead.