Data Shakedown

Ransomware attacks are becoming more frequent and more sophisticated, and are increasingly aimed at manufacturing companies.

Security researchers and law enforcement officials say the spread of ransomware attacks has reached epidemic proportions, with organizations of all sizes in both the public and private sectors increasingly impacted by this insidious type of malware that encrypts valuable digital files and demands a ransom to decrypt them.

The healthcare sector has been a frequent target of attacks, with several large hospitals virtually shut down by ransomware in the past year. Manufacturing may be the next industry to be hit by ransomware — according to a study of 59 midsize to large manufacturers by Fortinet, nearly 9 million attempted attacks on those companies were recorded in just seven months.

The U.S. Computer Emergency Readiness Team (CERT) says there is not only an increase in the number of attacks, but also a proliferation of ransomware variants — by some accounts, there are now more than 120 separate families of the malware. While some strains, such as Locky and CryptoLocker, are controlled by crime organizations, others are being used by individuals who buy the service from an underground market. Infoblox reports a startling 3,500 percent increase in ransomware domains in the first quarter of 2016 compared to the last quarter of 2015.

“There has been a seismic shift in the ransomware threat, expanding from a few actors pulling off limited, small-dollar heists targeting consumers to industrial-scale, big-money attacks on all sizes and manner of organizations, including major enterprises,” said Rod Rasmussen, vice president of cybersecurity at Infoblox. “The threat index shows cybercriminals rushing to take advantage of this opportunity.”

How it Works

Ransomware simply puts a high-tech spin on the age-old art of the shakedown. Much like 17th-century highwaymen who prowled roadways and forced travelers to pay a “traveler’s fee” to pass, cybercriminals use malware to extort money from organizations that rely heavily on their computer systems.

Ransomware is typically distributed via phishing emails with malicious links or attachments. Opening the attachment or clicking the link launches the malware, which shuts off system recovery mechanisms and uses strong encryption to “lock” all the files it can find. Once this process is complete, a dialog box appears notifying the victim that the data is locked and demanding that a ransom be paid, usually with bitcoins because of the anonymity this virtual currency provides.
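The step in which the malware "shuts off system recovery mechanisms" is one of the few points where ransomware announces itself on a host before encryption finishes, and it is a common host-based detection. The following added example (not from the original article) flags process-creation events that disable Windows shadow copies, startup repair or backup catalogs; the `key="value"` event format and the host names are constructed for the example and do not correspond to any vendor's schema.

```python
"""Flag process-creation events that tamper with Windows recovery mechanisms.

The event feed below is constructed sample data standing in for an EDR or
Sysmon process-creation stream; the key="value" layout is an assumption.
"""
import re
from dataclasses import dataclass

# Recovery-disabling behaviour (MITRE ATT&CK T1490, Inhibit System Recovery).
# Matching is case-insensitive because ransomware varies the casing freely.
RECOVERY_TAMPER_PATTERNS = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "shadow_copy_deletion_wmi": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "startup_repair_disabled": re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
    "backup_catalog_deletion": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
}

@dataclass
class Alert:
    host: str
    user: str
    rule: str
    command_line: str

def parse_event(line: str) -> dict:
    """Parse one key="value" event line; quoted values may contain spaces."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def detect_recovery_tampering(lines):
    """Return one Alert per event whose command line matches a tamper pattern."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("cmd", "")
        for rule, pattern in RECOVERY_TAMPER_PATTERNS.items():
            if pattern.search(cmd):
                alerts.append(Alert(ev.get("host", "?"), ev.get("user", "?"), rule, cmd))
                break  # one alert per event is enough for triage
    return alerts

# Constructed sample feed: two benign events (listing shadows is routine
# administration) and three events that warrant an alert.
SAMPLE_EVENTS = [
    'host="PLC-HMI-01" user="operator" cmd="notepad.exe C:\\Users\\operator\\shift.txt"',
    'host="PLC-HMI-01" user="operator" cmd="vssadmin.exe list shadows"',
    'host="ENG-WS-07" user="jdoe" cmd="vssadmin.exe Delete Shadows /All /Quiet"',
    'host="ENG-WS-07" user="jdoe" cmd="bcdedit.exe /set {default} recoveryenabled No"',
    'host="FILESRV-02" user="SYSTEM" cmd="wbadmin.exe delete catalog -quiet"',
]

if __name__ == "__main__":
    for a in detect_recovery_tampering(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host} {a.user}: {a.command_line}")
```

Two such alerts from the same host within seconds, as in the ENG-WS-07 events above, are a strong signal to isolate the machine before the encryption pass completes.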

Ransomware attacks are not only proliferating, they’re becoming more sophisticated. While email remains the dominant delivery system, newer attacks now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers. In addition, mobile devices are increasingly targeted.

Many ransomware attacks are launched by hackers in Russia and Eastern Europe. According to a new report, the typical “ransomware boss” in Russia earns roughly $90,000 per year — 13 times the average current wage in Russia. The report from Flashpoint, titled “Inside an Organized Russian Ransomware Campaign,” is based on a five-month study of a ransomware organization. The report identifies the healthcare industry as a priority target of the organization.

Taking Precautions

The FBI recommends not paying a ransom, noting that criminals have no real incentive to actually deliver a decryption key. In addition, the Bureau says paying the ransom only emboldens criminals and most likely serves to fund other illegal activities.

Firewalls and other cybersecurity tools do a poor job of detecting ransomware. Once the ransomware is launched, there is little you can do — a recent backup is your best hope of recovering your files without paying the ransom.

However, individual users can avoid infection through common sense and vigilance. Organizations must educate their employees about the dangers of downloading or opening any email attachment unless they are completely confident of its source. Systems should be configured to block the download of executable files without permission. Data should be backed up regularly, and backups kept offline or protected so that the malware cannot encrypt the files (so-called “cold” backup).

“There’s no one method or tool that will completely protect you or your organization from a ransomware attack,” said FBI Cyber Division Assistant Director James Trainor. “But contingency and remediation planning is crucial to business recovery and continuity — and these plans should be tested regularly.”