If the ready-to-go ransomware in the Trojan development kits (TDKs) surfacing online in the last few months doesn’t have you worried, it’s time to wise up. These apps might be a boon for aspiring hackers looking to create ransomware, and that’s extremely bad news for Android smartphone owners—or anybody who has them on payroll.
Symantec raised the alarm about TDKs in August 2017, when it noted cybercriminals were dispensing them through hacking forums and a Chinese social messaging service. Why does it have IT teams so freaked out? This is the kind of cybercrime your great grandma could pull off.
Create ransomware for fun
All entry-level hackers need to do to create ransomware is download a TDK app and navigate a straightforward interface to customise and generate their malware. That’s it. The illicit vendors on the app take care of everything, including the message displayed on the screen of the infected device, the key to unlock the infected device, and the animation to display on the device.
“The entire process of creating a ready-to-use piece of malware is done on a smartphone without any requirement to write a single line of code,” Symnatec’s principal threat analysis engineer Dinesh Venkatesan explained to ZDNet.
Even top-tier cybercriminals may see these starter kits as a valuable, labour-saving device for creating ransomware. As Venkatesan points out, “Even hardened malware authors could find these easy-to-use kits an efficient alternative to putting the work in themselves. We expect to see an increase in mobile ransomware variants as these development kits become more widespread.”
Ransomware as a Service rears its head
The TDK samples that have made headlines are directed at Chinese users, but Symantec cautions that different language versions could appear soon. TDKs are part of the broader Ransomware as a Service threat the 2017 SonicWall Annual Threat Report identifies as the cause of a spike in ransomware attacks. More than 20 percent of the Australian and New Zealand businesses that responded to BDO/AusCERT’s most recent Cybersecurity Survey said ransomware was involved in the cybersecurity incidents they endured.
IT security specialists often wonder how many WannaCrys and Petyas it’s going to take until businesses and governments get serious about IT security—or at least do the bare minimum of keeping systems patched and up to date. The emergence of tens—or possibly hundreds—of thousands of small-time but devastatingly effective ransomware hooligans may be the crisis that results in a cybersecurity tone shift.
In the meantime, a lot of individuals—especially small business owners who can’t afford it—will likely end up as casualties. If you don’t want to see sand thrown in the digital gears of the business you work for, here’s what you should pay close attention to:
1. Is your BYOD security policy stringent enough?
Bring a security policy into your business that trusts nothing and nobody—and that includes network, resources, franchisees, vendors, and everything in between. Once that’s in place, you can make exceptions and adjustments.
To create an effective, workable BYOD security policy, you’ll need to address the following issues:
- Decide what devices are permitted
- Determine how corporate data should be stored on a personal device
- Clarify what company data employees can access via their device
2. Is your network sufficiently protected?
As we move deeper into the digital age, IT departments are called on to protect larger and more complex networks. While IT budgets are almost always under pressure, the costs of failing to adequately safeguard a network central to an organisation’s operations can be enormous.
With that in mind, you’ll want to prioritise platforms that support your IT staff in delivering a reliable mobile experience for users without diminishing security and control. Only approve and authenticate safe IoT, corporate, and BYOD devices by identifying each device on the network, how they’re connected, and their operating systems. This enforces proper policy adherence irrespective of user, device type, or location. It also features dynamic policy controls and real-threat fixes that cover third-party systems.
3. Are your employees playing it safe?
A respondent in the BDO/AusCERT survey said it best: “Staff can be naive about security implications and see security precautions as an inconvenience. Having them understand the importance of proper security processes and procedures is a challenge.”
You know the old saying about the dangers of assuming anything? Don’t make an ass of yourself or a steaming pile of rubble out of the organisation that pays your wages by assuming staff have paid close attention to all those dire warnings in the induction manual, on the intranet, or in those company-wide emails you send out. Have a procedure in place to ensure every member of staff properly understands that their device of choice could blow up the company. Insisting staff memorise a brief list of IT security commandments and testing their memory periodically is a good place to start. If you want to get Machiavellian, you can try to entrap them by sending fake malware to see if anyone at your organisation ignores the IT security policy and downloads it.
When the cyberhooligan amateurs turn pro—or at least get easy access to top quality tools to create ransomware—IT security professionals need to take their game to the next level. Are you up for the challenge?