Ransomware is enjoying an unprecedented level of success, with the number of attacks increasing threefold from January to September 2016, according to security company Kaspersky Lab. That is affecting one in every five businesses worldwide, with 62 new ransomware ‘families’ and thousands of variants appearing this year.
The business behind ransomware
Ransomware is a form of malware that locks up critical resources and holds them hostage until a ransom is paid, typically in bitcoin. And in 2016, no one was immune.
Hackers weren’t just going after multinational corporations; they targeted hospitals, schools and small business owners. Why? Because those victims were less likely to have security tools and processes in place, making them easy targets.
Ransomware isn’t brand-new, but it’s evolving with more deviant strains. There’s even ransomware-as-a-service, making malware more accessible to those with little technical expertise. Some hackers even offer ‘support desks’ where victims can negotiate their ransom.
The evolution of online attacks
In 2013 we saw the emergence of Cryptolocker, which morphed into Cryptowall the following year. In 2015, TeslaCrypt came onto the scene, and this year we saw Locky (and many other variants) take down organizations of all sizes.
One of the most devious to date is Popcorn Time, which gives victims a choice: pay up, or share the infection link with others and receive the decryption key once two other users have been infected.
For businesses, ransomware can be a nightmare, paralyzing operations and resulting in financial loss and reputational damage (some hackers threaten to release proprietary data onto the Internet if victims don’t pay up).
Why has there been such an explosion of ransomware variants? According to Justin Malczewski, Regional Manager of Security Solutions with Cisco, who spoke at the Epic Cybersecurity Summit in October, it’s the confluence of easy and effective encryption, the popularity of exploit kits and phishing, and a willingness for victims to pay.
Is it difficult to become infected?
The short answer is it’s pretty easy.
Typically hackers use a legitimate-looking email to deliver malware to employees — a manager might open an email that looks like it’s from a vendor, or an employee might open an email that appears to be from their boss or HR. A malicious file is then executed on the employee’s desktop or laptop, allowing the hacker to steal customer data and financial information.
How to combat a ransomware attack
Most experts agree that victims should never pay the ransom. There’s no guarantee you’ll get your data back, and even if you do, it makes you a target for further attacks. The best defense is to follow best practices, shore up your defenses and have a strategy in place to contain the damage if something does happen.
Cisco recommends looking at your most critical priorities: Can they be impacted if your systems are locked down? Do you have good disaster recovery? Do you have good backups? What people and processes do you have in place to handle a critical disruption or event?
There are no silver bullets, Malczewski warned in his presentation to conference attendees. But following best practices can prevent ransomware from taking root — or, at the very least, stop it before it extends into additional systems and network areas.
Cisco recommends a "defense in depth" strategy that combines threat intelligence with layered controls such as:
- E-mail security to block ransomware attachments and links
- Web security to block Web communication to infected sites and files
- DNS security to break the command and control call back
- Client security to inspect files for ransomware and viruses
The strategy also recommends segmenting infrastructure to separate traffic based on role and policy, using intrusion prevention to block attacks, exploitation and intelligence gathering, and monitoring infrastructure communications to identify and alert on abnormal traffic flows. Learn more in Cisco’s Ransomware Defense Validated Design Guide.
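As an added illustration of two of the layers above (DNS security breaking the command-and-control callback, and monitoring for abnormal traffic flows), here is a small detector that flags hosts querying the same domain at a near-constant interval and turns the result into a resolver denylist. This is example code written for this article, not Cisco's or Kaspersky's; the log format and the domain names are constructed, and the jitter threshold is an assumed tuning value.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed resolver log: "<epoch_seconds> <client_ip> <queried_domain>" per line.
# The regular 60-second queries from 10.0.1.5 are the pattern a beaconing
# implant produces; the other lines are ordinary user traffic.
SAMPLE_LOG = """\
1000 10.0.1.5 www.example.com
1060 10.0.1.5 update.vendor-placeholder.test
1120 10.0.1.5 update.vendor-placeholder.test
1180 10.0.1.5 update.vendor-placeholder.test
1240 10.0.1.5 update.vendor-placeholder.test
1300 10.0.1.5 update.vendor-placeholder.test
1005 10.0.1.9 mail.example.com
1400 10.0.1.9 docs.example.com
malformed line that the parser must skip
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Return (timestamp, client, domain) tuples, silently skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3)))
    return events


def find_beacons(events, min_queries=5, max_jitter=0.2):
    """Flag (client, domain) pairs queried at a near-constant interval.

    A pair is reported when it has at least min_queries lookups and the
    spread of the gaps between them (pstdev / mean) is within max_jitter.
    Returns {(client, domain): mean_interval_seconds}.
    """
    stamps_by_pair = defaultdict(list)
    for ts, client, domain in events:
        stamps_by_pair[(client, domain)].append(ts)
    hits = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[pair] = avg
    return hits


def build_denylist(hits):
    """Domains to sinkhole at the resolver so the callback never completes."""
    return sorted({domain for (_client, domain) in hits})
```

Running `build_denylist(find_beacons(parse_log(SAMPLE_LOG)))` yields the single beaconing domain; the flagged client is the host to isolate and investigate, which is where the segmentation and monitoring layers take over.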
When will ransomware stop?
Ransomware isn’t going away anytime soon — and in all likelihood the strategies will continue to become more devious (as evidenced by Popcorn Time). Kaspersky found in its research that SMBs are hardest hit by ransomware, with 42 per cent falling victim over the past 12 months. Of those, one-third paid the ransom, but one in five never got their files back.
That’s why more SMBs are turning to managed security services to design and manage a "defense in depth" security strategy with 24×7 monitoring and alerting. That way, they can thwart would-be hackers and avoid becoming another statistic.