theless severe since organizations and
individuals were not diligent enough
We finally point out that cryptovirology has influenced popular culture as
well, inspiring the plot in Barry Eisler’s
techno-thriller Fault Line. 3
Over the years we have observed a
palpable reluctance by security com-
panies to describe the cryptoviral ex-
tortion attack in detail and discuss
countermeasures. We view this as be-
ing fundamentally flawed; it is the clas-
sic phenomenon of “reactive security”
(acting after the attack) as opposed to
the preventative “proactive security.”
We believe ransomware is the tip
of the iceberg. Most cryptovirology
attacks are covert in nature, allow-
ing the adversary to securely steal
information completely unnoticed.
These attacks would slip past or sty-
mie the vast majority of computer
incident response teams. It took over
20 years for cryptoviral extortion to
gain worldwide recognition, and it
appears that the bulk of these other
attacks, which are fully described in
the scientific literature, are heading
in the same direction: destined to be
overlooked until a large-scale real-
world attack is publicized. Santaya-
na’s aphorism: “those who cannot
remember the past are condemned
to repeat it” 4 seems to apply equally
well to malicious cryptography.
1. Barth, B. California ransomware bill supported by
Hollywood hospital passes committee. SC Magazine
(Apr. 13, 2016).
2. Christensen, C. The Innovator’s Solution: Creating
and Sustaining Successful Growth. Harvard Business
School Press, 2003.
3. Eisler, B. Fault Line. Ballantine Books, 2009.
4. Santayana, G. Reason in Common Sense, (1905), p.
284, volume 1 of The Life of Reason.
5. Scott, R. Alien. 20th Century Fox, 1979.
6. U.S. Dept. of Health and Human Services. FACT
SHEE T: Ransomware and HIPAA; http://bit.
7. Volz, D. and Auchard, E. More disruptions feared from
cyber attack; Microsoft slams government secrecy.
Reuters (May 15, 2017).
8. Young, A. and Yung, M. Cryptovirology: Extortion-based security threats and countermeasures. In
Proceedings of the IEEE Symposium on Security and
Privacy, (1996), 129–140.
9. Young, A. and Yung, M. Malicious cryptography—
Exposing cryptovirology. Wiley, 2004.
Adam L. Young ( email@example.com) is a researcher
at Cryptovirology Labs.
Moti Yung ( firstname.lastname@example.org) is a Security
and Privacy Scientist, Snap Inc., and Adjunct Senior
Researcher, Computer Science Department, Columbia
Copyright held by authors.
does not belong. We warned the public
about these threats and similar ones
by publishing our findings, thereby
providing a significant head start to develop and deploy defenses.
It has been a long road that we
have followed, fraught with skepticism and criticism, ultimately resulting in worldwide recognition
that cryptoviral extortion is a severe
threat. Over the years we have given
numerous lectures on cryptovirology. We have experienced the spectrum of possible reactions. Some
concurred that the threat is real. Others insisted that cryptoviral extortion
was pointless, that it offered nothing
to the attacker beyond deleting the
hard drive. Still others professed that
no victim would ever pay.
Shortly after we published our
book, it was met with harsh criticism.
An expert who had written books on
computer viruses published a scathing review, concluding that for those
seriously involved in the study of
malware the book is of “little practical use.” This opinion directly translates to telling the public there is no
need to worry about ransomware. We
attributed such reactions to the inherent resistance many people feel
toward new ideas, especially ideas
that merge two previously distinct
disciplines, in this case, malware and
cryptography. It seemed to us that the
difficulties known as the “innovator’s
dilemma” 2 apply also to proactively
addressing threats and risks.
Cryptovirology has proven itself to
be a formidable threat. Ransomware
attacks make the news daily. Victims
include individuals, hospitals, police
precincts, universities, transportation systems, and government offices. We even saw the development
of “ransomware as a service” where
cryptovirology tools are sold to criminals that perpetrate cryptoviral extortion (for more details on ransomware, see https://en.wikipedia.org/
wiki/Ransomware). This past year
we have witnessed a vicious downward spiral: the more organizations
that were attacked, the more news
coverage there was on ransomware.
The more news coverage there was
on ransomware, the more criminals
got in on the action, prompting ever
more news coverage. The media
amplified cryptovirology awareness
among law-abiding citizens and
Social and legal reactions to the
damage followed. In fact, the trip further down the spiral changed the very
definition of a “computer breach.”
Prior, a computer breach was synonymous with the exfiltration of sensitive data from an organization. This
past year the meaning expanded to
account for ransomware. A recent
fact sheet published by the U.S. Department of Health and Human
Services on ransomware and HIPAA
states that when electronically protected health information is encrypted
by ransomware a breach has occurred
and the incident therefore constitutes
a disclosure that violates HIPAA. 6 The
justification for this definition is that
the adversary has taken control of
sensitive health information. This is
a significant change in the definition
of a computer “breach” since now, due
to the threat of cryptoviral extortion, a
breach can occur even when no sensitive data is exfiltrated!
A highly publicized and effective
ransomware attack was carried out
against the Hollywood Presbyterian
Medical Center, and the hospital
paid $17,000 in bitcoin for restoration. This, along with the epidemic
levels of similar attacks, prompted
the state of California to enact a new
law that addresses ransomware. 1 “SB-
1137 Computer crimes: ransomware”
amends Section 523 of the Penal Code
to outlaw the introduction of ransomware into a computer system with the
intent of extorting money. Reuters
reported that the WannaCry crypto-worm from May 2017 locked up more
than 200,000 computers in more than
150 countries. 7 The attack exploited a
vulnerability hoarded by the NSA that
was exposed by whistle-blowers and
later patched. The attack was none-
proven itself to be
a formidable threat.