Basics

What is Ransomware? How does it work? Who does it affect?

As our world becomes increasingly digital, cyber attacks have increased along with it. One cybercrime that has been on the rise over the last few years is ransomware. Ransomware appears similar to a virus, but it has a much different purpose. Ransomware is a type of malware used to breach security and take over a network, computers, and other digital devices; the attacker then demands payment for the return of the data and use of the device. Essentially, data is taken and held for ransom in return for a payout.

There are different families of ransomware, and each family disrupts a user’s access to digital devices in a different way. Some ransomware families can lock access to a computer, device, or network, while others can encrypt data. One ransomware family has the capacity to delete files over time if the victim delays the ransom payment. Cyber criminals can infect a victim’s device through a variety of vectors, including email attachments, malicious websites, malvertising, drive-by downloads, infected external storage devices, brute force attacks, exploit kits, and infected software apps.

Due to the urgency that loss of access to data can cause for individuals and businesses, many victims will pay the ransom. Since many victims are willing to pay, ransomware has gained popularity among hackers as a lucrative business. As of January 2016, approximately 4,000 ransomware attacks have occurred daily. Ransomware has established itself as a global cyber threat. Many countries have experienced ransomware attacks, with the United States being one of the most widely affected. Other countries heavily affected by ransomware include Japan, Italy, India, Germany, the Netherlands, the UK, Australia, Russia, and Canada. Significant attacks have hit Britain’s National Health Service, San Francisco’s light rail network, and FedEx.

The Growing Threat of Ransomware

In the past few years, ransomware has become a major cyber threat to individuals, businesses, and organizations. Europol recently named ransomware as one of the biggest online threats and warned that it has a large capacity to negatively affect consumers and businesses. The threat of ransomware continues to rise as digital devices and technology in general continue to evolve. As technology advances, ransomware has become more sophisticated as well.

Fig. 1. The number of users attacked by ransomware in 2015. (Kaspersky Security Bulletin 2015, KL Report: Kaspersky Lab (2015)).

Despite the growing popularity of this cybercrime, many consumers and business executives are unaware of the threat it creates. According to the 2017 Internet Security Threat Report by Symantec, 1 of every 131 emails contains malware. Microsoft reports that cybercrime has the potential to cost the global community $500 billion. Last year alone, the global community saw an increase of 36% in ransomware attacks. This increase in cybercrime puts every individual, business, and organization at risk of a cyber-attack, with ransomware being one of the more likely avenues. Costs of a ransomware attack include loss of data, decreased revenue, delayed productivity, IT expenses, legal fees, and reputational damage.

Various factors contribute to the rise of ransomware, including the following:
  1. The growing use of cryptocurrency:

Cryptocurrency is the payment method of choice for most hackers. Cryptocurrencies, like Bitcoin, are an untraceable payment method. As the global use of cryptocurrency increases, ransomware attacks could increase with it.

  1. Advancing encryption capabilities
  1. Digital lifestyle:

The adoption of a more digital lifestyle creates a growing platform for cybercrime. The creation and implementation of new digital devices increases the risk of cyber threats, including ransomware. Internet of Things (IoT) devices, such as watches, household appliances, and cars, are all targets for cyber-attack, especially due to poor security in many of these devices. The reliance on connectivity and the increased smartification of devices will continue; therefore, it can be expected that attacks on these devices will follow suit. Without proper security measures and regular backups, the rate of successful ransomware attacks will also increase.

  1. Better defense:

As defenses against ransomware have improved, one would expect cyber-attacks of this nature to decrease. Unfortunately, the installation of more advanced security measures has not halted ransomware attacks. Awareness of ransomware and improved security have forced cyber criminals to use more advanced tactics and tools. As a result, cyber criminals have developed new forms of ransomware.

  1. Continued development of ransomware families:

The expansion of connected devices has resulted in the development of new and advanced ransomware families.

Ransomware variants have expanded to feature attacks related to:

  • Data infiltration
  • Distributed denial of service (DDoS)
  • Anti-detection
  • Locking access to a device
  • File deletion (some variants delete regardless of payment)
  • Locking cloud-based backups on systems that continually back up
  • Usage of the cloud and cloud-based file sharing apps (Dropbox, Google Drive, OneDrive)
  • The ability to infect devices across a network and spread to other organizations via an internet connection
  1. Availability of ransomware kits:

Many cybercriminals have expanded their business by providing unskilled criminals with ransomware kits or ransomware as a service (RaaS). These criminals sell their ransomware and other services to other cybercriminals, providing more criminals with the means to attack individuals and businesses.

  1. Complex social engineering:

Cybercriminals use social engineering to trick individuals into opening attachments or clicking malicious links or “malvertisements.” Some cybercriminals even pose as law enforcement, claiming that the victim has performed illegal acts and needs to pay a fee.

  1. Lack of awareness, security, and preparation:

According to a study by IBM that surveyed 1000 individuals and 600 business executives, only a third of the survey respondents were aware of the existence of ransomware. While most respondents (~75%) were confident in their ability to secure their computers, the majority (~60%) neglected to perform security measures for their devices in the previous 3 months. As malware such as ransomware grows more sophisticated, older platforms and security measures become more susceptible to attack. Likewise, traditional security mechanisms may no longer apply to new devices. As ransomware risk continues to rise, greater implementation of awareness, security, and preparation measures is a necessity.

  1. Development of artificial intelligence (AI):

Currently, there is an “arms race” regarding AI technology. AI can be a useful tool for greater society, but it can also be used as a weapon by criminals. AI can be used to build machine learning models that better anticipate cyber-attacks, but cyber criminals also have the potential to use AI for hacking and exploitation.

  1. Movement toward less traditional targets:

Many cybercriminals have moved from traditional individual targets to less traditional targets with a greater margin of profitability. This means that not only are high-net-worth individuals at risk, but every connected device and business is at risk. Beyond having the ability to exploit individuals, ransomware can be used to extort, sabotage, distract, and disrupt organizations for the purpose of monetary gain.

Along with the new technological advances that drive ransomware, traditional ransomware remains a threat to consumers. Traditional ransomware here refers to the mass emailing and spam phishing that reaches thousands of devices every day.

The Threat of Ransomware for Business

The rise of ransomware creates a need for awareness and improved security to decrease the risk of attack for every business. While every industry is at risk for ransomware, the healthcare, energy and utilities, and professional service industries often bear the brunt of attacks.

Sophos recently conducted a survey regarding ransomware with a focus on mainly mid-sized businesses. They found that over half of the organizations that completed the survey had experienced ransomware in the last year, and half of these expected another attack in the near future. These attacks produced a median loss of roughly $133,000 per organization for ransom payments and the cost of cleanup resources. Over half of the organizations stated that they do not currently have ransomware protection, exposing them to the risk of cyber-attack.

Costs of ransomware for business:
  1. Temporary or permanent loss of data
  1. Operational disruption & loss of productivity

For small companies, a disruption in operations could shut down the entire company. A ransomware attack gone bad has the potential to easily cripple a business overnight. For many industries, a loss of productivity can result in a greater catastrophe than missed deadlines. For instance, loss of access to a network could be devastating for a healthcare organization, causing significant harm and even death.

  1. Financial loss
  • Ransom payment costs
  • Reduced earnings from loss of productivity
  • Cleanup costs
  1. Reputational damage

Fig. 2. Factors that contribute to why business is a target for ransomware.

 

 

Why businesses are a target:
  1. Attacks have shifted from mostly consumer attacks to enterprise attacks

One expected target for 2018 is cloud computing businesses, which house large amounts of data for many companies.

  1. Wide range of hackable devices
  • IoT devices
  • The cloud & cloud-based file sharing apps (Dropbox, Google Drive, OneDrive)
  • Computers
  • Organization network
  1. Third-party risk

A ransomware attack on a small vendor or contractor has the capacity to infect a large company through their network.

  1. Changing dynamics of the workforce

Many businesses are utilizing bring your own device (BYOD) policies. Lack of security on employee devices, such as tablets, laptops, and smartphones, has the potential to disrupt the entire business through the organization’s network.

  1. Increase in reliance on technology
  1. Lack of employee awareness, education, and security training

A study by IBM found that many businesses lack awareness, security, and preparation for a ransomware attack. According to the study, almost 1 out of every 2 business executives have experience with a ransomware attack, and 70% of those with ransomware experience have paid for the return of their data. IBM also found that small to medium-sized businesses are often less prepared for a ransomware attack than large businesses.

  1. Ease of infection and distribution
  • Laptops, mobile devices, IoT devices
  • RaaS platforms
  • Infection of thousands of computers through a single network
  • Every individual and business is reliant on connection to the internet
  • Large scale infection through email

 

Businesses and organizations are forced to take holistic security measures to help reduce the risk of a ransomware attack. If more organizations can provide quality security measures and resist paying ransoms, ransomware will lose its appeal among cybercriminals.

The Threat of Ransomware for Healthcare

Healthcare is often hit by ransomware and needs to take awareness and risk-prevention measures similar to those of business organizations. According to McAfee research, the healthcare industry has suffered more than most from ransomware. Healthcare providers are a target largely due to the significant amount of personal information they retain. A consensus is that hospital administrators and healthcare providers tend to focus on other threats outside of cybersecurity. Many administrators and providers direct their data protection efforts toward HIPAA compliance rather than overall security. In 2017, many medical facilities were targets of ransomware attacks, resulting in significant costs. Productivity loss remains a major cost of ransomware for healthcare facilities, where it could result in the delay or loss of patient treatment. These costs have the potential to devastate a healthcare organization and risk the lives of patients.
