Cyber attacks are occurring at a steadily increasing clip, leading each successive year to replace its predecessor as “Year of the Data Breach.” 2016 hasn’t exactly broken from this trajectory, but it has forged its own path by earning the title, “Year of Ransomware.” This trending attack type isn’t the most complex or innovative new threat on the block, but it is striking fear into IT departments across the country. Attackers initially targeted consumers but are increasingly targeting enterprises, and now even data stored in cloud applications. Let’s explore the evolution of this rising threat.
Anatomy of a ransomware attack
Ransomware refers to a variety of malware that prevents users from accessing their files, demanding payment to restore access. Hackers have continuously innovated on this model, resulting in a constant stream of dangerous new variations. An attack may lock a consumer’s personal computer unless she pays a few hundred dollars, or a large company’s systems for thousands.
Compared to stealing sensitive data, ransomware has a much lower threshold of success. Executing a ransomware attack requires minimal resources and poses little risk of getting caught since payment comes in anonymous bitcoin transactions. Hackers don’t need to steal data undetected or even view the information – they just need to inhibit the owner’s access.
Ransomware is distributed in several ways, including malvertising, emails, watering hole attacks, and zero-day vulnerabilities. New research found 93% of phishing emails contained ransomware. Attackers often mimic an already trusted source, deceiving both end users and security products. Researchers have even discovered file-less variations, which make attacks more difficult to detect.
Just like the best consumer applications, ransomware-as-a-service applications exist to make a hacker’s life easier. Commercially available exploit kits can be downloaded by anyone. Criminals can easily distribute the virus to numerous targets. The most effective ransomware variations essentially function like software businesses, earning a steady cash flow for their creators who release regular software updates.
For example, Ransom32, the first ransomware written in Java, is sold as a service on the Darknet with authors demanding a 25% cut of profits. The hacker can customize the ransomware by adding his or her own Bitcoin address, ransom amount, language, number of fake messages and more. Ransom32 tricks users into installing a fake Java update to take control of the computer. The creators have made the service so simple that criminals only need to enter a bitcoin address to get started.
The most effective ransomware varieties generate millions of dollars of revenue. Other “name-brand” versions include CryptXXX, CTB-Locker, CryptoWall, and most recently Locky. Their owners periodically issue updates to render decryption methods ineffective.
Following data to the cloud
Ransomware has typically targeted data on company servers or personal computers. Today, more and more companies are moving business-critical information into the cloud – often to improve security. Even data in the cloud is not immune from ransomware. Earlier this year, a small firm fell victim to an attack seizing over 4,000 files stored in the cloud. The ransomware circumvented the cloud provider’s antivirus after launching from an email attachment.
The cloud provider did keep backups, which allowed the company to restore operations. On the one hand, the incident showcases a benefit of relying on established cloud providers who can offer a more robust set of people, process, and technology to protect data than many customers can achieve on their own. On the other hand, the attack shows that hackers have brought cloud applications into the crosshairs, adding to the attack surface companies need to worry about.
Enterprises fall in the crosshairs
So why does 2016 merit the title, the “Year of Ransomware”? The sheer volume and variety of attacks have been on a meteoric rise the past few years, increasing from 1.5 million samples discovered per quarter, 400,000 of which were new, in 2013 to 4 million samples, 1.2 million of which were new, in 2015. New strands have continued to proliferate in early 2016, according to researchers.
The development that has brought ransomware such notoriety in the past few months is use of the tactic against healthcare organizations, theoretically putting patient care at risk. Hollywood Presbyterian Medical Center became the first hospital to fall victim to a ransomware attack. The incident forced the hospital to resort to pen and paper record keeping, leading the chief executive to authorize payment of $17,000 in bitcoin. A month later, MedStar Health suffered from a similar attack.
Criminals have evolved their tactics from “spray and pray” to elephant hunting. Researchers make the point that new technology and greater profit margins have led criminals to target enterprises. Many would argue that the first instances of enterprises paying ransoms have guaranteed more attacks.
The question of whether to pay the ransom polarizes experts. Many information security and crime experts, including the FBI, advocate paying the ransom to expeditiously restore operations. In many cases, paying the ransom can cost much less than hiring IT security consultants. Others believe paying the ransom only incentivizes further attacks. Detractors of ransom payments received new ammunition this past week, when Kansas Heart Hospital paid a ransom only for hackers to refuse to unlock files, demanding a second payment. The latest incident may tip the scales in the debate, providing proof that companies have no guarantee hackers will hold up their end of the bargain. Regardless, there are always exceptions and every company will need to weigh its options.
How to protect yourself
Ransomware takes advantage of the same weaknesses in software and human error that allow hackers to gain access to virtually any company. However, companies can take steps to minimize the risk of being impacted and improve the odds of recovering quickly. Extensive lists exist, but here are a few essential steps to get started.
• Update software and operating systems to prevent exploits
• Back up data often and in multiple, independent locations
• Disable ActiveX content and macros in Microsoft Office to prevent malicious files from running ransomware
• Disable common paths for malware and block known malicious IP addresses
• Educate employees on how to recognize suspicious emails, especially malicious links and attachments
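The backup step above only pays off if you can tell which files are still intact and notice an encryption run early. The following script is an added example, not code from the original article or from any vendor it mentions: it records a SHA-256 manifest of a file tree (the baseline that should travel with the off-site backup), then compares the live tree against that manifest and raises an alarm when a large share of files has changed or vanished and the replacements are high-entropy blobs, which is what encrypted output looks like. The file names, contents and the ".locked" suffix in the demo are constructed sample data, and the 7.0 bits/byte entropy threshold and 50% change ratio are assumed tuning values, not figures from the page.

```python
"""Backup-manifest checker that flags ransomware-style mass encryption.

Added example; all sample files and thresholds are constructed/assumed.
"""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter


def sha256_of(path):
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a constant file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root):
    """Map every file under root (as a relative path) to its SHA-256 hash."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def check_against_manifest(root, manifest, entropy_threshold=7.0, change_ratio=0.5):
    """Compare the live tree with the stored manifest.

    Returns the changed / missing / new paths, the subset of touched files whose
    content looks encrypted (entropy >= threshold), and an overall alarm flag that
    fires only when many baseline files were altered AND the new content is random.
    """
    current = build_manifest(root)
    changed = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    new = sorted(p for p in current if p not in manifest)
    high_entropy = []
    for rel in changed + new:
        with open(os.path.join(root, rel), "rb") as f:
            if shannon_entropy(f.read()) >= entropy_threshold:
                high_entropy.append(rel)
    touched = (len(changed) + len(missing)) / max(len(manifest), 1)
    alarm = touched >= change_ratio and bool(high_entropy)
    return {"changed": changed, "missing": missing, "new": new,
            "high_entropy": sorted(high_entropy), "alarm": alarm}


def demo():
    """Baseline a few constructed documents, then simulate an encryption run.

    Returns (report_before, report_after). The 'encryption' is simulated by
    overwriting files with random bytes and renaming them with a '.locked'
    suffix; no real ransomware behaviour is reproduced.
    """
    root = tempfile.mkdtemp(prefix="manifest-demo-")
    try:
        docs = {  # constructed sample files
            "notes.txt": b"Quarterly meeting notes\n" * 50,
            "budget.csv": b"item,cost\npaper,12\n" * 40,
            "readme.txt": b"hello\n" * 30,
        }
        for name, body in docs.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        manifest = build_manifest(root)          # what the backup job would store
        before = check_against_manifest(root, manifest)

        for name in ("notes.txt", "budget.csv"):  # two of three files "encrypted"
            path = os.path.join(root, name)
            with open(path, "wb") as f:
                f.write(os.urandom(4096))
            os.replace(path, path + ".locked")
        after = check_against_manifest(root, manifest)
        return before, after
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    clean, hit = demo()
    print("baseline alarm:", clean["alarm"])
    print("after simulated encryption:", hit)
```

Run the manifest build from the backup host, not the protected machine, and store the manifest alongside the off-site copy: a checker that lives on the same disk as the files it guards is encrypted along with them. The two-part alarm condition (large change ratio and high entropy) is what keeps a normal bulk edit of plain-text files from tripping it.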
In short, ransomware has not necessarily changed the game for IT security, but it has proven to be an extremely profitable strategy for cybercriminals. That means security professionals should expect more investment and innovation in new ransomware varieties. To stay ahead of the threat, companies should follow data storage best practices and keep employees informed and alert to potential threats.