Ransomware is an old threat that has come roaring back with a new ferocity. This type of malware—which gets its name from the payment it demands after locking away victims’ files— has quickly become one of the top types of cyber attacks. More than half of companies surveyed in a recent Ponemon Institute poll said they have experienced a ransomware attack.
Among that half, victims saw an average of four attacks each. They paid an average of $2,500 per attack.
Aside from the ransom itself (assuming victims pay), these attacks can exact a heavy toll: business disruption, remediation costs, and a diminished brand. Most ransomware spreads through phishing email, though mobile devices and infected websites are also vectors.
Why ransomware is surging
Ransomware has exploded in recent years because of four primary drivers:
- Attackers have many distribution channels, boosting the chances of success
- It’s cheaper than ever to build
- It provides more lucrative targets that are highly motivated to pay the ransom
- The ransom is easier to collect, thanks to Bitcoin and other digital currency
Surviving ransomware
Most companies are ill-prepared for a ransomware attack. Although 66% of those surveyed in the Ponemon poll agree that ransomware is “very serious,” only 13% said their company can prevent it.
During the Attack: Getting Back to Business
While the best ransomware strategy is to avoid it in the first place, this advice means nothing if you’re newly infected.
You have short-term problems to resolve, like getting computers, phones and networks back online, and dealing with ransom demands.
Disconnect from the network
The second employees see the ransomware demand or notice something is odd, they should disconnect from the network and take the infected machine to the IT department.
After the Attack: Review and Reinforce
We recommend a top-to-bottom security assessment to find threats that may still linger in your environment. Take a hard look at your security tools and procedures—and where they fell short.
The real world costs
Nearly 60% of companies surveyed by the Ponemon Institute agreed that a ransomware attack would have “serious financial consequences” for their business. Aside from the ransom itself (assuming victims pay), these attacks can exact a heavy toll: business disruption, remediation costs, and a diminished brand.
Consider the WannaCry attack. While it didn’t net much of a payday for the attackers, the ransomware was highly disruptive. Not having access to critical information and working systems can slow emergency response and jeopardize public safety. The healthcare sector has been hit especially hard. Infections lock away patient records, slow workflow, and even affect patient monitoring systems. This can make ransomware remediation a matter of life and death.
Exploiting the human factor
Most ransomware spreads through phishing email. These emails trick users into opening a malicious attachment or clicking a malicious URL. In February 2016, a widely used ransomware strain called Locky infected Methodist Hospital of Kentucky through a targeted email campaign.
After an employee opened what looked like an unpaid invoice, Locky executed and propagated itself through the entire internal network. It locked down workstations and restricted access to the central server. The hospital’s choice: restore each workstation from backup or cough up a relatively modest four bitcoins (about $1,600) to unlock the files.
Why it’s surging
Ransomware is a decades-old exploit. But it has exploded in recent years because of four primary drivers:
More distribution channels
Cyber criminals can attack thousands of entities simultaneously using a variety of attack vehicles. That means ransomware exploits are succeeding more often.
Conventional email gateways are overwhelmed with threats from all sides:
- Massive botnet-driven email campaigns
- Polymorphic malware that outpaces security vendors’ ability to build new signatures
- Malicious URLs and malvertising that contain no attachments
Cheaper to build
As in any business, success breeds success. Ransomware authors have honed their craft. And sophisticated tools that would have been feasible for only elite cyber criminals just a few years ago are now widely available. The result is higher success rates and ultimately, economies of scale.
More lucrative targets
Instead of targeting individuals, cyber criminals are increasingly turning their sights to organizations with sensitive data, thinly stretched IT departments, and a high incentive to quickly settle the matter. Adding fuel to the fire are poor networking configurations common in hospitals, police departments, schools, and other state and local governments.
Imagine whipping out your phone, but instead of seeing your home screen, it’s a warning—seemingly from the FBI—accusing you of viewing illicit images. Your phone has been encrypted and someone is threatening to contact authorities unless a $300 payment is surrendered to make it all go away.
For countless mobile users, this situation is all too real, just one example among hundreds of versions of mobile ransomware. We have detected three main attack vectors for mobile ransomware.
Android-targeted ransomware derives from the same general family as the Cryptolocker variant. It may masquerade as an Adobe Flash Player update that requires permissions. Or it might piggyback on a popular game or “free” app from a rogue app store. (The vast majority of Android ransomware arrives via third-party app stores, not the official Google Play store.)
Ransomware targeting iOS devices typically comes in the form of browser-based ransomware. It often warns victims that they’ve downloaded illegal images or claims that their device is infected. To unlock or “fix” the device, the victim is directed to a site for payment via Bitcoin or pre-purchased debit card.
The best security strategy is to avoid this extortion altogether. This is well within the power of most companies, but it requires planning and work—before the crisis hits.
Back up and restore
The most important part of any ransomware security strategy is regular data backups. Most companies do this, but surprisingly few run backup and restore drills. Both processes are important; restore drills are the only way to know ahead of time whether your backup plan is working.
You may have some kinks to work through before crisis mode hits. If backups and restore testing are done regularly, a ransomware infection won’t have a devastating impact; you’ll have a safe, recent restore point.
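The restore drill this section calls for, as an added Python example that is not part of the original whitepaper: it backs up a constructed sample directory, records a manifest of file hashes at backup time, restores the archive into scratch space, and checks that every expected file comes back intact. The second drill runs after the data has changed, showing how a stale backup is caught in a drill rather than during an incident; all paths and file contents are constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def backup(source: Path, dest_base: Path) -> Path:
    """Archive source into <dest_base>.zip and return the archive path."""
    return Path(shutil.make_archive(str(dest_base), "zip", root_dir=str(source)))

def restore_drill(archive: Path, expected: dict) -> list:
    """Restore into scratch space and compare with the files we expect to recover.
    Returns findings; an empty list means the drill passed."""
    findings = []
    with tempfile.TemporaryDirectory() as scratch:
        shutil.unpack_archive(str(archive), scratch, "zip")
        restored = manifest(Path(scratch))
        for rel, digest in sorted(expected.items()):
            if rel not in restored:
                findings.append(f"MISSING  {rel}")   # never made it into the backup
            elif restored[rel] != digest:
                findings.append(f"MISMATCH {rel}")   # restored bytes differ from expected
    return findings

def run_demo() -> tuple:
    """Drill once against the data as backed up, then again after the data changed."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp, "data")
        (data / "notes").mkdir(parents=True)
        (data / "patients.csv").write_text("id,name\n1,constructed\n")  # constructed sample data
        (data / "notes" / "a.txt").write_text("sample note\n")
        archive = backup(data, Path(tmp, "nightly-backup"))
        fresh = restore_drill(archive, manifest(data))  # expect []: backup restores cleanly
        # Work continues after the backup job ran; a drill against current data exposes the gap.
        (data / "notes" / "b.txt").write_text("created after backup\n")
        (data / "patients.csv").write_text("id,name\n1,constructed\n2,edited\n")
        stale = restore_drill(archive, manifest(data))
    return fresh, stale
```

In a real drill, `expected` would come from the manifest recorded by the backup job, and the restore target would be an isolated host rather than a temporary directory.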
Update and patch
Ensure operating systems, security software and patches are up to date for all devices. It sounds basic enough, but according to a recent survey, about half of IT professionals admit they struggle to keep up with the sheer volume of patches released every month. And respondents reported that updates vary wildly in terms of complexity and release schedule.
Invest in robust email, mobile and social media security solutions
Even the best user training won’t stop all ransomware. Today’s phishing email is sophisticated and highly targeted. Attackers carefully research their targets to create email that looks legitimate and preys on human nature to get them to click.
Because most ransomware is transmitted through email, mobile and social media, you need advanced solutions that can stop these threats in real time. According to our research, the volume of ransomware attacks has soared. In the email channel alone, ransomware accounts for nearly 70% of overall malicious messages.
Traditional legacy mail gateways, web filters, and antivirus software should be updated and running on all networks. But they alone cannot counter the ransomware threat. An effective email security solution must go deeper. That means analyzing embedded URLs and attachments to ensure no malicious content breaches the system. Cyber thieves are always one step ahead, and typical email security configurations rely far too heavily on outdated signatures.
As “Ransomworms” Grab Spotlight, Email is Still King
High-profile outbreaks of ransomware threats such as WannaCry and Petya—which spread like a computer worm rather than through email—have ushered ransomware into the global spotlight. But these so-called “ransomworms” remain the exception. Most ransomware attacks, like most cyber threats overall, are sent through email.
Consider Jaff, a strain of ransomware that quickly and quietly eclipsed the largest malware campaigns of 2017. By midyear, Jaff was by far the top malware payload by message volume seen in Proofpoint deployments around the globe. It accounted for 72% of ransomware email and nearly half of all malware-laden email overall.
High-volume Jaff campaigns stopped as soon as a decryptor was made available in mid-June. But the attacker behind them switched back to Locky and continued to send another ransomware strain called The Trick. This fast pivot underscores just how easily attackers can adapt to new defenses.
Many other ransomware strains are sent in smaller, more targeted efforts. Cerber, for instance, targets U.S. companies. TorrentLocker is aimed at Europe. And Serpent has affected Belgium and the Netherlands. Some ransomware strains, such as the easy-to-customize Philadelphia, even target specific firms.
WannaCry and Petya remain the exception for another notable reason: they appeared to focus more on wreaking havoc than actually collecting a ransom.
“I’m willing to say with at least moderate confidence that [Petya] was a deliberate, malicious, destructive attack,” Nicholas Weaver, a security researcher at the International Computer Science Institute, told journalist Brian Krebs. “Or perhaps a test disguised as ransomware.”
For verified ransomware attacks, email is by far the most common source.
Ransomware has made an impressive and lucrative comeback. These guidelines can start you on the path of dealing with ransomware before, during and after an actual attack. Of course, the easiest way to combat ransomware is to stop it at the gates.
That requires an advanced threat solution that can detect ransomware delivered via email, mobile devices, and social media. Robust cybersecurity identifies and kills ransomware before it sets foot in your environment.
This includes the ability to analyze email attachments and links in real time, deconstruct threats in a virtual environment, and update policies on the fly. This helps reduce the human factor—the weakest link in most security infrastructures.