Data Shakedown

Almost half of companies were targeted by ransomware attacks in 2016. Here’s what you should know about this growing threat.

Security researchers and law enforcement officials say the spread of ransomware attacks has reached epidemic proportions. Organizations of all sizes in both the public and private sectors have been impacted by this insidious type of malware, which encrypts valuable digital files and demands a ransom to decrypt them.

The Federal Bureau of Investigation (FBI) reports that ransomware attacks resulted in losses of $24 million in 2015, a figure that jumped to a startling $209 million in the first quarter of 2016 alone. Ransomware has become so lucrative that the FBI expects it to become a billion-dollar industry very soon.

According to the H2 2016 Global Threat Intelligence Trends report by Check Point, ransomware attacks doubled during the second half of 2016, increasing from 5.5 percent to 10.5 percent of all recognized malware incidents. Although thousands of new ransomware variants were observed last year, Check Point’s researchers witnessed a change in the ransomware landscape in recent months. It has become more centralized, with a few malware families dominating the market and hitting organizations of all sizes. While some strains, such as Locky and CryptoLocker, are controlled by crime organizations, others are being used by individuals who buy Ransomware-as-a-Service from an underground market.

“The report demonstrates the nature of today’s cyber environment, with ransomware attacks growing rapidly,” said Maya Horowitz, Threat Intelligence Group Manager at Check Point. “This is simply because they work, and generate significant revenues for attackers. Organizations are struggling to effectively counteract the threat: many don’t have the right defenses in place, and may not have educated their staff on how to recognize the signs of a potential ransomware attack in incoming emails.”

How it Works

Ransomware simply puts a high-tech spin on the age-old art of the shakedown. Much like 17th-century highwaymen who prowled roadways and forced travelers to pay a “traveler’s fee” to pass, cybercriminals use malware to extort money from organizations that rely heavily on their computer systems.

Ransomware is typically distributed via phishing emails with malicious links or attachments. Opening the attachment or clicking the link launches the malware, which shuts off system recovery mechanisms and uses strong encryption to “lock” all the files it can find. Once this process is complete, a dialog box appears notifying the victim that the data is locked and demanding that a ransom be paid, usually with bitcoins because of the anonymity this virtual currency provides.

Ransomware attacks are not only proliferating, they’re becoming more sophisticated. While email remains the dominant delivery system, newer attacks now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.

Many ransomware attacks are launched by hackers in Russia and Eastern Europe. According to a report by Flashpoint, the typical “ransomware boss” in Russia earns roughly $90,000 per year — 13 times the average current wage in Russia.

“Ransomware is clearly paying for Russian cybercriminals. As Ransomware-as-a-Service campaigns become more widespread and accessible to even low-level cybercriminals, such attacks may result in difficult situations for individuals and corporations not yet ready to deal with these new waves of attacks,” said Vitali Kremez, Cybercrime Intelligence Analyst, Flashpoint. “Corporations and users are unfortunately faced with a commensurately greater challenge of effectively protecting their data and operations from being held ransom, with no guarantee that sending a ransom payment will result in return of the stolen data.”

Taking Precautions

In fact, the FBI recommends not paying a ransom, noting that criminals have no real incentive to actually deliver a decryption key. In addition, the Bureau says paying the ransom only emboldens criminals and most likely serves to fund other illegal activities.

Firewalls and other cybersecurity tools do a poor job of detecting ransomware. Once the ransomware is launched, there is little you can do — a recent backup is your best hope of recovering your files without paying the ransom.

However, individual users can avoid infection through common sense and vigilance. Organizations must educate their employees about the dangers of downloading or opening any email attachment unless they are completely confident of its source. Systems should be configured to block the download of executable files without permission. Data should be backed up regularly, and backups kept offline or protected so that the malware cannot encrypt the files (so-called “cold” backup).

“There’s no one method or tool that will completely protect you or your organization from a ransomware attack,” said FBI Cyber Division Assistant Director James Trainor. “But contingency and remediation planning is crucial to business recovery and continuity — and these plans should be tested regularly.”

According to a new report from Radware, 49 percent of businesses were targeted by ransomware attacks in 2016, and it’s only going to get worse. Organizations must take steps immediately to educate users and implement policies, procedures and tools for protecting against a ransomware attack.
