By Gautam Aggarwal
The saying “crime doesn’t pay” doesn’t seem to apply to the ransomware business. Despite the FBI’s recommendations against paying ransom demands, ransomware raked in an estimated US$1 billion in 2016. Attackers are capitalizing on this success with bolder demands, averaging US$1,077 per incident last year compared with just US$294 in 2015 (CSO Online, Report: Average Ransomware Demand…, 2017). One reason for this steep increase may be that tools such as ransomware-as-a-service (RaaS) provide subscribers with curated statistics on how much victims in each region are willing to pay.
Ransomware developers are finding better ways to deceive users and evade security defenses. Readers used to be able to identify suspicious emails because they were poorly written and contained spelling or grammatical errors. Today, however, professional copyediting services are available on the dark web to assist attackers in the creation of emails that appear more legitimate.
Instead of targeting single devices, new ransomware varieties can recruit infected machines into a botnet to spread malicious code across networks or propagate throughout a network on their own, similar to a computer worm.
One of the most notable ransomware trends of 2016 was the shift in attackers’ focus from individual consumer devices to businesses. Historically, there has been a misconception that cybercriminals only target large enterprises, so many small and medium-sized business owners have not prioritized ransomware prevention. The truth is that businesses of all sizes and across all industries are falling victim to ransomware, and of those that have fallen victim, 48% have paid the ransom (Ponemon Institute, Rise of Ransomware, 2017).
Some businesses have made the strategic decision to mitigate their risk by purchasing ransomware insurance. That they feel the need to take such a step shows how serious a threat ransomware has become, and how much power is held by the cybercriminals who are sophisticated enough to craft new exploits.
These are just a few of the industries that have made the news due to ransomware attacks:
Healthcare facilities: According to the 2017 Verizon Data Breach Incident Report, ransomware accounts for 72% of malware incidents in the health care industry, and dozens of hospitals in the UK were victims of the recent WannaCry attack. Since medical records contain all the information needed to steal a person’s identity, they fetch nearly fifty times more than a credit card number on the black market, making them a very attractive target for cybercriminals. Credit card numbers have a narrow window of opportunity before they’re deactivated, but identity theft takes much longer to detect. More than a dozen US-based hospitals and clinics fell victim to successful ransomware attacks in 2016.
Public transit systems: San Francisco’s light rail system experienced a ransomware attack in November 2016 that took its ticketing systems offline on Black Friday, one of the busiest shopping days of the year. To minimize service disruption, customers were offered free rides until the systems were restored from backups, avoiding payment of the ransomware demand.
State and local government: Although it was by no means an isolated incident, a Dallas-area police department fell victim to a ransomware attack in December 2016 that was delivered through an infected email link. Unfortunately, the department’s automatic backups were not enabled until after the attack, so all of its backup files were also encrypted by the ransomware. After the police rejected demands for US$4,000 in bitcoins, the attackers made good on their threat and wiped out years of video evidence.
Higher education: In May 2016, the University of Calgary paid $20,000 Cdn in Bitcoin after a ransomware attack on approximately 100 staff and faculty computers encrypted email accounts and other files. Fortunately, the university implemented improved network and monitoring tools after this attack, so it was prepared when WannaCry hit earlier this year and was able to catch and quarantine the new attack before any damage was done.
Politicians: In March of this year, a ransomware attack on the Pennsylvania Senate Democratic Caucus locked 16 senators and their employees out of their computers, email accounts, and websites. Although the amount of the ransom demand has not been disclosed, it has been reported that no ransom was paid. In the weeks following the attack, affected senators and their teams had to work on personal or loaner devices until the files were fully restored from backups.
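The Dallas-area case above turns on a backup set that sat online beside the data it was meant to protect and was encrypted along with it, while the Calgary case shows the value of monitoring that catches damage early. The Python script below is an added example, not code from the article or from NSS Labs: it records SHA-256 hashes of a backup while the backup is known-good and later checks the backup against that manifest, treating changed or newly appeared files whose contents have become high-entropy (random-looking, as ciphertext is) as a sign that the backup itself has been tampered with. The file names, contents and the 7.5 bits-per-byte threshold are constructed for illustration, and the manifest is assumed to be kept somewhere the protected host cannot rewrite it.

```python
"""Backup integrity check against a trusted manifest (added example).

Assumption: the manifest is written when the backup is known-good and stored
where the host being protected cannot modify it, so that a later comparison
is meaningful even if that host is compromised.
"""
import hashlib
import math
import random
from collections import Counter


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's contents."""
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, from 0.0 to 8.0.

    Plain text, CSV and most office documents sit well below 6 bits/byte;
    ciphertext and compressed archives approach 8. A jump in entropy on a
    file that used to be low-entropy is a classic sign of encryption.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(files: dict) -> dict:
    """Record a hash for every file while the backup is known-good."""
    return {name: sha256_hex(content) for name, content in files.items()}


def verify_backup(manifest: dict, files: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare the current backup contents against the trusted manifest.

    Returns lists of file names:
      ok         hash still matches the manifest
      modified   present, but hash differs
      missing    listed in the manifest but no longer present
      unexpected present, but not listed in the manifest
      suspect    modified or unexpected files whose contents now look encrypted
    """
    report = {"ok": [], "modified": [], "missing": [], "unexpected": [], "suspect": []}
    for name, expected in manifest.items():
        if name not in files:
            report["missing"].append(name)
            continue
        data = files[name]
        if sha256_hex(data) == expected:
            report["ok"].append(name)
            continue
        report["modified"].append(name)
        if shannon_entropy(data) >= entropy_threshold:
            report["suspect"].append(name)
    for name, data in files.items():
        if name not in manifest:
            report["unexpected"].append(name)
            if shannon_entropy(data) >= entropy_threshold:
                report["suspect"].append(name)
    return report


def backup_is_trustworthy(report: dict) -> bool:
    """A backup is only safe to restore from if nothing changed, vanished or appeared."""
    return not (report["modified"] or report["missing"] or report["unexpected"])


# Constructed sample data: the same backup set at two points in time.
CLEAN_BACKUP = {
    "invoices/2016-q4.csv": b"date,customer,amount\n" + b"2016-11-02,Example Co,1250.00\n" * 40,
    "evidence/cam01-2016-12-01.txt": b"camera 01 frame index\n" * 60,
    "policies/retention.txt": b"Retain bodycam footage for seven years.\n" * 10,
}
MANIFEST = build_manifest(CLEAN_BACKUP)

_rng = random.Random(2017)  # deterministic stand-in for ciphertext, constructed


def _random_blob(size: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(size))


TAMPERED_BACKUP = dict(CLEAN_BACKUP)
# One file encrypted in place, one renamed with a new extension after encryption,
# and one legitimately edited (still low entropy, so modified but not suspect).
TAMPERED_BACKUP["invoices/2016-q4.csv"] = _random_blob(4096)
del TAMPERED_BACKUP["evidence/cam01-2016-12-01.txt"]
TAMPERED_BACKUP["evidence/cam01-2016-12-01.txt.locked"] = _random_blob(4096)
TAMPERED_BACKUP["policies/retention.txt"] = CLEAN_BACKUP["policies/retention.txt"] + b"Reviewed 2017-01-15.\n"

if __name__ == "__main__":
    for label, snapshot in (("clean", CLEAN_BACKUP), ("tampered", TAMPERED_BACKUP)):
        result = verify_backup(MANIFEST, snapshot)
        print(label, "trustworthy" if backup_is_trustworthy(result) else "DO NOT RESTORE", result)
```

Run against the clean snapshot the report is all `ok`; against the tampered snapshot the in-place encrypted CSV and the renamed `.locked` file land in `suspect`, the edited policy file is `modified` only, and `backup_is_trustworthy` returns False. Hash mismatches alone would already block a restore; the entropy check adds the distinction between a legitimate edit and likely encryption, which is what a responder wants to know before deciding whether an offline copy is needed.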
Security teams recognize that ransomware threats are not slowing down and that current technologies are not sufficient to block every attack. Businesses are responding by refusing to remain sitting targets and by finding ways to fight back. They are investing in more sophisticated next-generation protections that capture more ransomware samples than their predecessors and boast higher detection and prevention rates. In addition, more businesses are partnering with law enforcement to find and disrupt cybercriminal networks, whereas in the past companies avoided this practice for fear of bad publicity. Finally, security vendors, business owners, and law enforcement agencies are sharing threat intelligence in an attempt to level the playing field against the well-connected cybercriminal community.
Regardless of industry, continuous validation of security controls is key in a business’s ability to defend itself against cyberthreats of all types, including ransomware. To see how your defenses stack up against today’s active threats, check out NSS Labs’ CAWS Cyber Threat Protection Platform.
Follow us on Twitter (@NSSLabs) to keep informed as new research is released.