- Details
- Category: Security News
A report on the Democratic Party platform, which calls for a balance between cybersecurity and privacy, leads the latest ISMG Security Report.
But the Democratic nominee for vice president, Sen. Tim Kaine of Virginia, says expectations of privacy have diminished over the past decade, which means that among lawmakers, at least for now, security trumps privacy. Kaine endorses a proposal from Senate colleagues for formation of a commission to bring together law enforcement and the technology community to frame policies on digital security and encryption.
In the report, you'll also hear:
- Republican presidential nominee Donald Trump respond to criticism from Democratic leaders that he wants Russia to hack computers to find Hillary Clinton's missing emails;
- HealthcareInfoSecurity Executive Editor Marianne Kolbasuk McGee discuss the latest developments in getting the federal government to help healthcare organizations solve the problem of matching the right electronic health records to the right patient;
- ISMG Managing Editor for Security and Technology Jeremy Kirk evaluate the offer by endpoint protection provider SentinelOne to pay a victim's ransom if its product fails to block an initial infection.

The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Be sure to check out our July 22 and July 26 reports, which respectively analyze the Republican Party cybersecurity platform and how the U.S. might retaliate against Moscow if Russia indeed hacked Democratic Party computers. The next ISMG Security Report will be posted Tuesday, Aug. 2.
Theme music for the ISMG Security Report by Ithaca Audio under Creative Commons license.
A new public-private partnership is a statement of intent against ransomware, says Raj Samani, CTO for Europe, the Middle East and Africa at security firm Intel Security.
Together with a portal dubbed "No More Ransom," the organizations behind the endeavor - the High-Tech Crime Unit of the Dutch Police Services Agency, EU law enforcement intelligence agency Europol, as well as security firms Kaspersky Lab and Intel Security - are attempting to give ransomware victims more options, as well as to emphasize that they're doing whatever they can to disrupt ransomware gangs and help more victims get their data back for free (see 'No More Ransom' Portal Offers Respite From Ransomware).
Many ransomware victims today must choose between paying criminals for a decryption key to unlock their forcibly encrypted files and refusing to fund criminals, at the cost of potentially never regaining access to their data.
With the new NoMoreRansom.org portal, "we're saying, we're now committed toward a longer-term solution: not having to let people decide whether to pay the ransom," Samani says in an interview with Information Security Media Group. "We've now given you a third option," he adds - provided, of course, that a victim can obtain a decryption tool for their particular flavor of ransomware.
The new portal launched this week, together with an announcement that the organizations recently disrupted the malicious infrastructure powering the Shade ransomware. As a result, authorities were able to recover 160,000 decryption keys for PCs that had been encrypted by Shade and have released a related decryption tool via the portal.
So far, the portal only offers decryptors for a relatively small portion of the ransomware families in circulation, so only victims of those few types can recover their files through it, according to Samani. But for anyone who is able to obtain a decryptor, that's obviously good news.
Incredible response so far on #NoMoreRansom.org. First 24 hours reveal 2.6m visitors to the site. #ransomware
In this interview (see audio player below photo), Samani also discusses:
- The capabilities on offer via the NoMoreRansom.org portal;
- New techniques for disrupting ransomware gangs;
- The importance of coordinating cybercrime-related law enforcement efforts internationally.

In addition to his role at Intel Security, Samani is a member of the Advisory Group on Internet Security for the Europol Cybercrime Centre, or EC3, as well as the chief innovation officer for Cloud Security Alliance. He previously worked as a security consultant for CapGemini and as an information security manager for consultancy Deloitte.
CISOs face the continuing challenge of how to clearly communicate information security risk to the board and senior management. But now they can take advantage of a free metrics framework designed to help evaluate an organization's cybersecurity readiness.
UK-based ClubCISO, an independent forum for security leaders, developed the framework through its Metrics Project, and now hopes to gain feedback as it's put to use globally, says Phil Cracknell, the group's founder.
CISOs' ongoing use of homegrown metrics, or of standards such as ISO/IEC 27004, often comes up short when it comes to explaining cybersecurity in terms that senior management and the board can understand, Cracknell says in an interview with Information Security Media Group.
"Most CISOs by their nature want to demonstrate that they are effective. But they can't do that in the absence of incidents," he says. "So in the meantime they are trying to demonstrate that the defenses that they have put in place are working. And the only way to show that is through some kind of report or metric."
CISOs often scramble to generate these reports because management wants some kind of performance indicator for security. For instance, CISOs spend days producing reports, such as the number of virus attacks per month, which take effort but are of no interest to the board from a business perspective, he says.
So a group of CISOs at ClubCISO has been working on the group's Metrics Project for nearly two years. They developed a standard set of metrics geared toward measuring what matters to practitioners. Practitioners can use the tool to score their organization's cybersecurity and present a clear assessment of security effectiveness to management in terms that resonate with them.
Earlier attempts to develop similar metrics frameworks have involved too much interference from groups with vested interests, such as vendors, analysts and consultancies, Cracknell contends. "While practitioners just want these units of measurement to make their jobs easier, the involvement of other parties pursuing their own interests usually steers these discussions in a different direction," he says.
Another challenge has been the way in which practitioners have tried to communicate with business. Attempting to educate board members about technology and security is the wrong approach for a CISO to take, he believes. "You need to simplify what you are saying to them down to a language that resonates with them, not educate them - because boards already have too much to do," Cracknell says.
In this exclusive interview (see audio player below image), Cracknell discusses the challenges CISOs face in measuring the effectiveness of security and how ClubCISO's Metrics Project can help. He addresses:
- Mistakes CISOs are making when using information security metrics;
- How to speak in a language that gets management's attention;
- The results of ClubCISO's Metrics Project.

Cracknell, founder and facilitator at ClubCISO, has worked in information security for more than 25 years, including serving as CISO at Yell, TNT Express and Nomura International. Now an independent security consultant, he provides "virtual part-time CISO" services to several businesses, including Company85, where he heads up the security and privacy practice.
Ransomware Gangs Take 'Customer Service' Approach
Researcher Negotiates Reduced Bitcoin Payments, Extended Ransom Deadlines
Ransomware is so lucrative that cybercriminals have started creating "customer contact centers" to manage victims' related queries in hopes of maximizing their illicit profits.
The criminal gangs are open to negotiation, offering discounts on ransoms to those who make a polite request, according to a new report from Finnish security firm F-Secure.
The company prepared the report by having a "non-technically oriented person" pretend to be a ransomware victim and document their experience of interacting with ransomware gangs' money collectors.
To focus the research, F-Secure says it studied active samples of malware for which there was also a working command-and-control infrastructure, coming up with a short list featuring Cerber, Cryptomix, Jigsaw, Shade and Torrent Locker, a.k.a. Teerac.
Initial ransom demands/deadlines for the five ransomware families studied by @FSecure (image not reproduced here)
The security firm then had the "victim" contact the customer support teams for one variant of each ransomware family. That individual pretended to be a 40-something married PC user named "Christine Walters" who sported very limited technical knowledge and a Hotmail account created in her (fake) name.
3 Ransomware Customer Service Takeaways
Here are a few takeaways, via the related report, from Christine's interactions:
- Bitcoins: Gangs only accepted payment in bitcoins, with no exceptions, and some - but not all - would help victims find a bitcoin vendor for making payments.
- Extensions: Despite threatening to hike the ransom demand if payment wasn't received within a specified time frame, every contacted gang granted extensions upon request.
- Discounts: Upon victims' request, ransomware gangs reduced the value of their ransom demand by an average of 29 percent.

To be clear, F-Secure says that it never followed through on payments, meaning that it neither funded criminals, nor verified if they would receive a working decryption key in exchange for bitcoins (see Please Don't Pay Ransoms, FBI Urges).
Discounts to Hand
Just by asking, however, Christine was able to knock the ransom asking price down for Cryptomix by 67 percent, for Jigsaw by 17 percent and for TorrentLocker by 30 percent, while the Cerber gang held firm, allowing no discount.
F-Secure says it wasn't able to make contact with representatives for the fifth ransomware family it studied - Shade.
On a related note, the High-Tech Crime Unit of the Dutch Police Services Agency, EU law enforcement intelligence agency Europol, as well as security firms Kaspersky Lab and Intel Security have announced they recently disrupted the malicious infrastructure powering Shade (see Ransom Smackdown: Group Promises Decryption Tools).
Claim: Targeted Attacks Were Commissioned
During her exchanges with ransomware gangs' customer support personnel, Christine didn't hesitate to pepper agents with questions. In one exchange with the team behind horror-movie-themed Jigsaw ransomware, for example, the agent reportedly expressed confusion as to how Christine's PC had been infected, saying that the attacks had been designed not to infect consumers at random, but rather to target a particular business (see Ransomware Grows More Targeted).
The agent claimed that the targeted attacks had been commissioned by a large business. "In follow-up questions, he explained that his service had been hired by a Fortune 500 corporation to disrupt day-to-day business of their competition, so the client could be the first to bring a product to market," according to F-Secure's report. "The purpose of the malware, he said, was 'just to lock files ... nothing major.'"
Of course it's not clear if the agent was being truthful. Sean Sullivan, a security advisor at F-Secure, says in the report that he doubts the veracity of those claims. "It's probably a young gun, just trying to make a hundred bucks; 95 percent chance he's spinning a yarn," he says. "At any rate, he was very sympathetic - he was so helpful he got our reviewer feeling guilty for tricking him. So very likely he's a master at social engineering."
F-Secure, via Twitter: "We interacted w/ multiple crypto-ransomware families to judge their 'customer journeys'." https://t.co/6mQm8XKyxT
Raj Samani, Intel Security's CTO for Europe, the Middle East and Africa, tells me that it's impossible to authenticate the Jigsaw agent's claims. "We can only go with the information we have before us," he says. On the other hand, "cybercriminals are available for hire," he adds, and if the account is true, it wouldn't be the first time that an unscrupulous competitor hired hackers to sabotage a rival.
So which endpoint protection product should your organization purchase? It's a difficult question to answer amidst shouts from overconfident vendors and swirling FUD. Industry anti-virus tests would be the easy answer, but unfortunately, not all vendors participate.
To be sure, anti-virus vendor scuffles have stepped up a notch lately, with startups and industry stalwarts slinging mud more fiercely than ever. But one of the newer entrants, Cylance, says it plans to make its Protect software available for industrywide tests used to benchmark software, which industry experts welcome.
Cylance is one of several so-called next-generation AV vendors that say they rely on machine learning and other algorithmic analysis, rather than signatures, to detect malicious code. Many security software applications still rely on signatures - frequently updated descriptions of known harmful code - to detect malware.
Signatures are a reliable way to detect known malware, but they can be written only after a piece of malicious code has already been seen in an attack. They can also miss known malware that has been modified or compressed, which makes them an unreliable backstop.
The next-gen vendors' approaches mean that a new piece of malicious code may not be flagged on sight. Instead, the products look at behavioral aspects of the code - what it does once it runs - that indicate it is harmful and should be stopped.
To Test, or Not to Test
As a result, next-gen vendors may not appear to be as effective in a simplistic test of one product vs. another against a set of malware samples. That has caused newer vendors to shy away from testing, fearing that a poor result on a simplistic test will cast a pall over their products - and potentially cause venture capital funding to dry up.
Chad Skipper, vice president of certification and testing for Cylance, says that testing needs to center on what defense contractor Lockheed Martin has popularized as the "cyber kill chain." It comprises seven stages of a cyberattack, all of which offer opportunities for detection.
Skipper joined Cylance last month after working in Dell's CTO office. He was instrumental in Dell securing a partnership with Cylance after Dell sought a security industry partner. He says it's important the industry agrees on how something is determined to be malicious, or "convicted," because next-gen products can make that determination in varying ways.
Even if a computer is initially infected, a security product may still halt the malware at a later step, such as when it contacts a remote server, creates new processes or installs additional obfuscated code.
"There's no silver bullet in security, and we're human," Skipper says. "I've seen Cylance miss [malware] even in my own testing. But it's now about engaging those third-party testing organizations to see if we can't have more of a cyber kill chain type method and understand their conviction process."
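As an added illustration, not code from Cylance, Dell or any of the test labs quoted here, the following Python models the two detection approaches the article contrasts. A static scanner holds an exact-hash signature and a byte-pattern signature for a known sample and is run against that sample, a rebuilt copy, a variant pointed at a new command-and-control host, and a repacked (compressed) copy; a behavioral scorer then weights runtime events by kill-chain stage and "convicts" once a threshold is crossed, with the stages it saw recorded so the verdict can be explained. The sample bytes, the family name, the event trace, the weights and the threshold are all constructed for the example.

```python
"""
Added example, not code from any vendor or test lab named in the article:
contrasts static signature matching with behavior-based conviction along the
kill chain. Sample bytes, signature names, event trace and weights are all
constructed for this illustration.
"""
import hashlib
import re
import zlib
from typing import Dict, List, Optional, Tuple

# --- Constructed sample and a tiny signature database ------------------------
# Fake "dropper" blob standing in for a known-malicious executable (constructed;
# the zero padding keeps it compressible so repack() really changes the bytes).
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 60
          + b"DRP:cfg=v1;c2=c2.example.invalid;spawn=cmd.exe;drop=%TEMP%\\x.dll")

# Signature 1: exact SHA-256 of the sample, written after it was first seen.
HASH_SIGS = {hashlib.sha256(SAMPLE).hexdigest(): "Trojan.Constructed.A"}
# Signature 2: byte pattern with a wildcard for the version digit, the kind of
# rule an analyst adds so that a trivially rebuilt sample is still caught.
PATTERN_SIGS = [(re.compile(rb"DRP:cfg=v.;c2=c2\.example\.invalid"), "Trojan.Constructed.A")]


def signature_scan(blob: bytes) -> Optional[str]:
    """Static scan: hash lookup, then byte-pattern search. Returns family name or None."""
    name = HASH_SIGS.get(hashlib.sha256(blob).hexdigest())
    if name:
        return name
    for pattern, name in PATTERN_SIGS:
        if pattern.search(blob):
            return name
    return None


def rebuild(blob: bytes) -> bytes:
    """Same code, new build: the version string changes, so the hash changes."""
    return blob.replace(b"cfg=v1", b"cfg=v2")


def retarget(blob: bytes) -> bytes:
    """Same code pointed at a new C2 host; the hash and the hostname pattern both change."""
    return blob.replace(b"c2=c2.example.invalid", b"c2=cdn.example.invalid")


def repack(blob: bytes) -> bytes:
    """Stand-in for a packer: the payload is compressed behind a stub, so none of the
    original bytes are visible on disk until the stub inflates them at run time."""
    return b"PK-STUB" + zlib.compress(blob)


# --- Behavioral conviction along the kill chain ------------------------------
# (stage, event type) -> weight. Stage names follow the seven-step Lockheed Martin
# model the article cites; the weights and threshold are illustrative only.
WEIGHTS: Dict[Tuple[str, str], int] = {
    ("exploitation", "proc_create"): 2,              # office app spawning a shell
    ("installation", "file_write_temp"): 2,          # payload dropped under %TEMP%
    ("installation", "autorun_reg"): 3,              # persistence via an autorun key
    ("command_and_control", "dns_lookup_rare"): 3,   # beacon to a never-seen domain
    ("actions_on_objectives", "mass_file_rename"): 5,  # ransomware-style encryption
}
THRESHOLD = 6

Event = Tuple[str, str, str]  # (kill-chain stage, event type, detail)


def behavior_score(events: List[Event]) -> Tuple[int, bool, List[str]]:
    """Sum the weights of suspicious events and record the stages seen, so a
    conviction can be explained in kill-chain terms rather than as a bare verdict."""
    score, stages = 0, []
    for stage, etype, _detail in events:
        weight = WEIGHTS.get((stage, etype), 0)
        if weight:
            score += weight
            if stage not in stages:
                stages.append(stage)
    return score, score >= THRESHOLD, stages


# Constructed runtime trace. It is identical for every variant above, because a
# rebuilt, retargeted or repacked sample still has to do the same things to run.
TRACE: List[Event] = [
    ("delivery", "file_open", "invoice.doc"),
    ("exploitation", "proc_create", "winword.exe -> cmd.exe"),
    ("installation", "file_write_temp", "%TEMP%\\x.dll"),
    ("command_and_control", "dns_lookup_rare", "cdn.example.invalid"),
]


def compare() -> Tuple[Dict[str, Optional[str]], Tuple[int, bool, List[str]]]:
    """Static verdict per variant alongside the single behavioral verdict."""
    variants = {"original": SAMPLE, "rebuilt": rebuild(SAMPLE),
                "retargeted": retarget(SAMPLE), "repacked": repack(SAMPLE)}
    static = {name: signature_scan(blob) for name, blob in variants.items()}
    return static, behavior_score(TRACE)


if __name__ == "__main__":
    static, (score, convicted, stages) = compare()
    for name, verdict in static.items():
        print(f"{name:>10}: signatures -> {verdict or 'clean (missed)'}")
    print(f"  behavior: score={score} convicted={convicted} stages={stages}")
```

The wildcard pattern survives the rebuilt variant, which is the point of writing byte signatures rather than bare hashes, but neither signature sees anything in the retargeted or repacked copies, while the behavioral score is the same for all four because the trace does not depend on the bytes on disk. That is the trade-off the article describes: the behavioral verdict arrives only after the code has started down the kill chain, so a single-sample "did it get detected on sight" test scores it as a miss.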
Tested Anyway
AV-Comparatives, a testing organization based in Austria, and MRG Effitas, a U.K.-based research organization, published results in February comparing Cylance's Protect product and Symantec's Endpoint Protection. The report noted the companies had trouble obtaining Protect from resellers but eventually secured a copy from an unnamed third party.
"This behavior is seen by many of the newer products that claim to be next generation," writes AV-Comparatives. "It looks like they try to avoid getting tested in order to continue to attract users simply by unproven marketing claims."
Since that test, AV-Comparatives has been in touch with Skipper.
Testing a product without permission is a thorny issue, and many security companies forbid it in their terms and conditions. A Cylance competitor, Sophos, obtained a copy of Protect and published a YouTube video of its own product test (see Anti-Virus Wars: Sophos vs. Cylance).
Sophos, perhaps unsurprisingly, came out on top. Cylance was furious and pressured the reseller who gave its product to Sophos. The video was taken offline, although Sophos says it was to take the heat off of the reseller.
Down With the Kill Chain
AV testing organizations say they're open to new ways to conduct tests and have already moved in that direction.
Maik Morgenstern, CTO for AV-Test, says that his organization already does full cyber kill chain tests, including from the original infection to execution of code. The test takes into account some of the many defenses built into security products, including URL blocking, static scanning, dynamic detection, reputation-based blocking and cloud detection.
"We are confident that our testing methodology is fully applicable to next-gen products as well," Morgenstern says. "As we are testing with the real threats and do so as a user would do (visit websites, receive emails) we are covering exactly that."
Simon Edwards, founder of the testing organization SE Labs in London, says just testing for an intrusion isn't enough. Otherwise, the test results aren't very useful for buyers who are trying to figure out which is the best product.
"Testing many modern security products requires that the tester expose them to the full range of attack elements," Edwards says. "Testers can't make assumptions about how these products work and what they do."
Time will tell how much Cylance and other vendors decide to open up. But if they do become more open, end users will benefit, and, hopefully, enterprises won't have to make shot-in-the-dark decisions when buying security software.