Closer collaboration between departments such as business continuity and information security could help raise the necessary staff...
Ransomware either blocks access to the computer or device (‘locker ransomware’) or encrypts files and data on the system (‘crypto ransomware’). But both types of malware are designed to extort money from their victims in return for a decryption key.
Companies that fail to pay up find access to their files remain blocked with a devastating effect on their ability to operate. And even those that decide they have no alternative but to pay must ask themselves whether they can trust the integrity of their data once files have been compromised in this way.
Ransomware is not a new phenomenon, first appearing in a fairly crude form as early as 1986 as the AIDS Trojan. Tactics steadily evolved over the years to become a serious threat about ten years ago.
Today, ransomware is a global threat touching all corners of the world, although certain countries tend to be affected more than others. According to the latest report3 from security firm Symantec, the three countries most affected are the US, Japan and, in third place, the UK. The study reports the number of crypto ransomware families increased by 250% between 2013 and 2014. The authors note, “Never before in the history of human kind have people across the world been subjected to extortion on a massive scale as they are today.”
“Never before in the history of human kind have people across the world been subjected to extortion on a massive scale as they are today.”
You may be familiar with some of the more common malware – BitLocker and Locky, which deny access to the computer or device, and CryptoLocker, CryptoWall or Reveton, crypto ransomware that prevents access to data. While typically the sum requested is $300 per computer, the going rate for Locky was three bitcoins (around £885) per infected machine in March of this year4 and with the huge volumes involved, this particular form of malware is big business.
In March 2014, Symantec found that Trojan. Cryptowall earned at least US$34,000 in its first month of operations. A further study by other information security researchers found that by August 2014, Cryptowall had earned more than US$1.1 million. In June 2015, data from the FBI’s Internet Crime Complaint Center (IC3) showed that between April 2014 and June 2015, it had received 992 Cryptowall-related complaints. The victims were a mix of end users and businesses, and the resulting losses from these cases amounted to more than $18m.
How it works
There are many routes for the malware to reach a computer. Spam email is a primary tactic. As users became more savvy about opening unsolicited email attachments or clicking on unknown links, hackers adapted their tactics to deliver ransomware through ‘spear phishing’ emails targeting specific individuals. And as email systems got better at filtering spam they evolved still further bypassing the need for individuals to click on a link altogether by seeding legitimate websites with malicious code on poorly protected end user computers.
Other routes include malvertisements, social engineering, SMS messages, data breaches, exploit kits, downloaders and bot infection. Mimicking the marketing strategy of legitimate companies, some cybercriminals even offer affiliate schemes – effectively ‘Ransomware as a Service’ where the buyer is responsible for distributing the malware and the developer takes a cut.
Once the infection is present in the system the malware begins encrypting files and folders on local drives, any attached drives, backup drives and, potentially, other computers on the same network. Users and organisations will usually be unaware they have been infected until they can no longer access their data, or see computer messages informing them of the attack and requesting payment.
Bitcoins were originally the favoured method of payment due to the anonymity the virtual currency affords but Sungard Availability Services has seen requests for wire transfers, online payment vouchers (such as a UKash or Paysafecard) and, recently, even Amazon and iTunes gift cards.
To pay or not to pay?
The FBI has reversed its advice issued in October last year5 and no longer recommends paying a ransom in response to a ransomware attack.
“Paying a ransom doesn’t guarantee an organisation that it will get its data back—we’ve seen cases where organisations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organisations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organisation might inadvertently be funding other illicit activity associated with criminals.”
Perhaps surprisingly, in the majority of cases victims do recover their data or use of their computer. This is less down to altruism on the part of the cybercriminal and more because it makes good business sense. They recognise that without the reputation that they can be trusted to decrypt files once the ransom has been paid no new victims would pay a ransom demand. To build ‘trust’, some ransomware – CTBLocker is one example – actually includes the option to ‘try before you buy’, allowing the user to have five randomly chosen files decrypted as proof of the attacker’s ability and willingness to do so once a ransom is paid.
Although ransomware is currently hitting the news headlines, it is only one of many ways hackers can cripple a company’s IT systems.
As April’s leak of 11.5 million files from the Panama-based offshore law firm Mossack Fonseca demonstrated, sometimes a simple hack on an email server can wreak untold damage. In what is the biggest data leak in recent history – bigger even than WikiLeaks in 2010 or the NSA files in 2013 – 2.6TB of confidential data was released relating to some of the most powerful people in the world.
The ‘Panama Papers’ data leak (as it is commonly known) revealed how the rich and famous hide their money offshore, resulting in lurid news headlines. Twelve national leaders are among 143 politicians around the world known to have exploited offshore tax havens. While there is no suggestion that those named have done anything illegal, the revelations have proved intensely embarrassing for many.
What you can do about the ransomware threat
Ransomware is the kind of threat where effective business continuity management comes into its own as organisations that regularly back up their data can avoid paying a ransom at all, by simply restoring the infected system to a state prior to the infection.
With any kind of cyberattack, cybercriminals will typically go for the easiest targets first so efforts should focus on prevention. Analysing the attacks directed at Sungard AS customers and picked up by our Intrusion Detection System, we have seen OpenSSL, Heartbleed, Magento SQL Injection and Apache Struts exploit attempts along with the Bandook Trojan infection and Webshell Backdoor code.
Here are some proactive measures all organisations should follow to guard against any form of cyberattack:
If you are interested in finding out more about Information Security Consulting from one of Sungard Availability Services’ security experts, speak to your account manager, call us on 0800 143 413 or email email@example.com
1Eset: LiveGrid telemetry – April 2016
2Trustwave blogpost – Rodel Mendrez
3Symantec: ‘The evolution of ransomware’ – 6 August 2015
4www.bbc.co.uk/news/technology-35773058 – 10 March 2016