Ransomware: Holding Businesses Hostage to Fear


The concept of encrypting files and holding them ransom for money isn’t new. But over the last year, ransomware has become one of the top security concerns for businesses, with the number and sophistication of attacks increasing to alarming levels.

The rise of connected devices, an increase in cloud use and greater numbers of mobile workers means that the network perimeter has expanded, and there are more potential vulnerable spots for attackers to capitalise on. “As we add more employees in more locations using more mobile devices and cloud services, we also add new network security vulnerabilities,” says Jason Hancock, global senior network engineer at Octapharma. “We’ve seen a spike in a variety of malicious activities, including ransomware.”


The payoff for cybercriminals, on the other hand, is rising. Annual revenue from the Angler exploit kit, which can be used to distribute ransomware, is an estimated $34m [1].

Depending on the extent of the breach and the criticality of the affected data, an attack can be catastrophic. It can make it difficult or even impossible for the organisation to function and bring in revenue, not to mention the loss of reputation and customer trust. Eric Rockwell, President and CIO of centrexIT, provider of outsourced IT services, highlights the potential risks: “We knew that antivirus and firewalls were not enough to protect our clients. [One client’s] electronic health records have to be online – we can’t have a security incident or something that brings it down because it literally is a life or death situation.”  


How does malware work?

There are many different versions of ransomware that operate in slightly different ways. The vast majority, however, rely on DNS or a direct IP address to reach the attacker's infrastructure. A ransomware infection generally begins when a user opens an email attachment, clicks on a malicious advert on a website, or accesses a compromised server. A piece of code runs on the user's machine or device and an asymmetric key exchange takes place, either on the machine itself or over the internet. The key is then used to locally encrypt the target files and a ransom request is displayed on the screen. Potentially, all the drives that are mapped on that machine, or that the user otherwise has access to, can also be encrypted. This leaves targeted organisations with the toughest of choices: pay the ransom to regain access to their files, which incentivises the attacker to repeat the crime; or go down the extremely difficult and uncertain road of trying to restore or reinstate the files.
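To make the encryption stage above concrete from the defender's side, here is an added example (not code from the original post or from Cisco) that flags the burst of file writes across the local disk and mapped drives that a running encryptor produces. The events, user names, paths and the detection thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample file-write events: (timestamp, user, path). Not real telemetry.
SAMPLE_EVENTS = [
    ("2016-03-01T09:00:00", "alice", r"C:\Users\alice\report.docx"),
    ("2016-03-01T09:05:00", "alice", r"C:\Users\alice\budget.xlsx"),
    ("2016-03-01T09:30:00", "alice", r"\\fileserver\finance\q1.xlsx"),
] + [
    # 'bob' writes 30 files across the local disk and two mapped shares inside 30 seconds
    (f"2016-03-01T10:00:{i:02d}", "bob",
     [r"C:\Users\bob", r"H:\home\bob", r"S:\shared\hr"][i % 3] + f"\\file{i}.docx.locked")
    for i in range(30)
]

def parse(events):
    """Turn (iso-timestamp, user, path) tuples into (datetime, user, path)."""
    return [(datetime.fromisoformat(ts), user, path) for ts, user, path in events]

def drive_of(path):
    """Return the drive letter (e.g. 'H:') or UNC server root (e.g. '\\\\fileserver') of a path."""
    if path.startswith("\\\\"):
        return "\\\\" + path[2:].split("\\", 1)[0]
    return path[:2].upper()

def detect_bursts(events, window=timedelta(seconds=60), min_files=20, min_drives=2):
    """Flag users who modify many distinct files on several drives inside one time window.

    Thresholds are assumed starting points, not tuned values; a real deployment would
    baseline them per user and host.
    """
    by_user = defaultdict(list)
    for ts, user, path in sorted(parse(events)):
        by_user[user].append((ts, path))
    alerts = {}
    for user, writes in by_user.items():
        start = 0
        for end in range(len(writes)):
            # Slide the window start forward until the span fits inside `window`.
            while writes[end][0] - writes[start][0] > window:
                start += 1
            span_files = {p for _, p in writes[start:end + 1]}
            drives = {drive_of(p) for p in span_files}
            if len(span_files) >= min_files and len(drives) >= min_drives:
                alerts[user] = {"files": len(span_files), "drives": sorted(drives)}
                break  # one alert per user is enough for this illustration
    return alerts

if __name__ == "__main__":
    for user, info in detect_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: {info['files']} files written across {info['drives']}")
```

The same sliding-window logic applies to any file-audit source (Windows object-access events, file-server audit logs, EDR telemetry) once it is reduced to the (time, user, path) triples used here.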


What’s next for ransomware?

This kind of malware is increasingly available as a service, allowing new entrants into this space who want customised versions of ransomware but don’t have the technical skills to design their own. As this trend increases, bad actors may target high-value data more precisely and therefore ask for higher ransoms. Worm-enabled attacks are beginning to appear, which allow a malicious entity to enter an organisation’s systems but then move laterally to inspect and infect other machines. Currently, attacks are generally based on common file types such as Microsoft Office documents. However, future attacks could encrypt more selectively, targeting information such as certain fields within databases or instances in payroll or CRM systems. Attacks may also become more common over other platforms, such as Macs, mobile operating systems and embedded systems. It’s clear that the traditional ‘collect and react’ model cannot respond quickly enough to this rapidly changing threat landscape. In our next post, we’ll look at how organisations can protect themselves more effectively against this mounting threat.




[1] Source: Cisco 2016 Annual Security Report
