Most senior executives have heard of (or experienced) ransomware. They now need to know how it is evolving and what that means for the business. Here is a breakdown of the future of ransomware for your next executive presentation.
Ransomware is all about the money – and there’s plenty of it. In 2016, ransomware cost companies over $1 billion. As the number of incidents exploded (an increase of 6,000% in 2016), ransomware became a buzzword, and CISOs/CSOs were called in front of senior executives to explain it.
By now, most senior executives are familiar with the basic concept: bad guys hold your data or systems hostage and demand money to release them. (If you want a good, basic overview of ransomware, check out the “No More Ransom” website.) The question now is “what’s next for ransomware and what does that mean for your business?”
The first thing to know is that there is plenty of motivation for ransomware to rapidly evolve. People are paying the ransoms. According to IBM, 70% of business victims paid the hackers to get their data back. That kind of effectiveness is not only driving up the number of attacks (they are expected to double in 2017), but it has also captured the attention, investment, and focus of attackers. This means that ransomware is going to go through a lot of changes, and become a lot more potent, over the next couple of years.
Here’s what to expect:
The Business Model Is Changing
Like any business model, ransomware is adapting to its market demands and conditions. Attackers are getting more formalized, specialized, and effective. For example, they are starting to offer Ransomware-as-a-Service (RaaS). Under this model, hackers provide the platform and the necessary technology to launch a ransomware attack. They then sell this capability, and either take straight payment for the service, or take a share of the profits. This drives down the price of a ransomware attack. (One ransomware package offers a lifetime license for the low price of $39.)
So what? RaaS lowers the barrier to entry for attackers. You do not have to be technically savvy or invest a lot to launch an attack. This both expands the number of attacks and diversifies the types of attackers. It also allows attackers to concentrate on developing their ransomware instead of launching attacks. (See our blog for more information about Hacking-as-a-Service (HaaS).)
Ransomware Is Becoming More User Friendly
Ransomware hackers have the same problems developers do – those pesky end users. They realized that their victims are often not very technically savvy, which hurts their extortion processes. Users have a hard time buying Bitcoin (the preferred cyber currency), can’t figure out Tor (the preferred network), and don’t understand the interfaces. So, hackers are making their attacks much more user friendly. They provide everything from point-and-click interfaces to support chat lines. F-Secure recently released transcripts from a ransomware support chat line. It is a fascinating read. Here’s an excerpt:
Victim – “I already sent you 98USD worth of bitcoin”
Ransom Rep – “But do you agree, that it is you [sic] mistake, that you entered incorrect address?”
Victim – “I literally copied the address that was given at the refill page. How could I be mistaken?”
The Spora ransomware strain that started to show up in 2017 has radically changed the user experience for ransomware. First, it doesn’t make users download the Tor browser, simplifying the process. More importantly, it offers victims a dashboard of different options, depending on the data they want released and the amounts they’re willing to pay. Victims can select from unlocking all data, clearing all Spora-related files off the machine, or unlocking selected files. They also offer a “freemium” option to unlock only a few files, to prove that they are “legitimate.” They even offer a secure SSL connection to their ransom site. It’s very considerate of them to protect you against hacking while, you know, you’re getting hacked.
So what? The easier and faster hackers make the payment process, the more often people will pay. Also, the diversification in payment options means that hackers are learning, and adapting to, customer purchasing behavior. The more they understand how you pay, and what’s most important to you, the more targeted they will become. The largest impact, however, could be that victims can get lulled into a false sense of security by the apparent professionalism of the attackers – victims need to remember that these are thieves and extortionists.
They Will Infect…Everything
Ransomware has evolved from locking files, to locking screens, to holding entire operating systems hostage and attacking web servers. This means that administrators can expect ransomware to pop up on servers, databases, ERP systems, and back-end applications. Software-as-a-Service (SaaS) ransomware could be next, with attackers successfully breaking into SaaS networks and disrupting operations, or attacking SaaS customers by preventing them from accessing the data.
Ransomware is going mobile. Ransomware targeting Android users has increased by over 50 percent in just a year. It also is creeping into your TVs. The FLocker strain of ransomware targets your smart TV, and demands $200 in iTunes gift cards to unlock the infected device.
IoT ransomware is on the horizon. At last year’s Def Con conference, two white hat hackers installed ransomware on a smart thermostat. This was the first proof-of-concept that this can be done. IoT ransomware, also called jackware, is a game changer. Aside from locking out data, ransomware hackers can start hijacking devices and manipulating kinetic effects in the real world. Imagine, for example, a hacker stopping your car from running, or your fleet of cars. How about connected medical devices? It doesn’t even have to be that dramatic. They could run up all of your energy costs by making your thermostats run too hot, so that it’s cheaper to pay the ransom. Given the immature state of most IoT security, many devices are left open to attack. With the immense number of devices that are increasingly coming online, the opportunity will be too good to pass up.
So what? Ransomware defense is going to get a lot more complicated. Every new type of device, from mobile to IoT, means new ways to defend, detect, and remediate attacks. These attacks will also start hitting enterprise-wide capabilities, which will lead to bigger payouts and more headaches. Lastly, attacks will spread from data extortion to kinetic impacts. That has an entire new set of safety, legal, and regulatory implications that will need to be addressed over the next few years.
Once You Pay, They Own You
Ransomware hackers, like any good business, are looking for repeat business. If you pay a ransom, you are marking yourself as a priority target for future hacks. The Spora ransomware mentioned above is already capitalizing on this. They have an “immunity” option that allows you to pay future protection money. If this sounds like your local mafia, it’s because organized crime is a driving force behind ransomware. This immunity, of course, does not protect you from any other hacker running a ransomware attack on you. Neither does it protect you from any other kind of hack. There is nothing stopping a hacker to whom you are paying immunity from selling your information on the dark web as a premium target. In fact, that would be just good business.
So what? You really need to think through the full implications of paying a ransom. Once you’re a premium target, it’s going to be hard to wash that stigma off. Maybe they’ll start a frequent payers program…
What Can You Do? Implement Basic Cyber Security Best Practices
Ransomware is forcing companies to take a good look at their cyber security hygiene and basic practices. Since there is no silver bullet, most of the prevention, detection, and remediation comes down to doing the basics. Below is a list of recommendations that will not only help you with ransomware but will help you reduce your overall security risks.
- Map and prioritize your “Crown Jewels” of data, systems and processes. Once you know these, you need to limit access, increase monitoring, and create special procedures to protect them. For more guidance about protecting your crown jewels, see our blog.
- Keep current on decryption keys. Check out the “No More Ransom” site for an updated list of decryption keys.
- Make backup capabilities and recovery times a strategic priority. One of the major issues with ransomware is either not having sufficient backups, or not being able to restore backups in a reasonable amount of time. Companies experienced an average of 2-5 days of downtime due to ransomware attacks. Backup capabilities need to advance to keep up with ransomware threats.
- Develop clear policies and procedures for ransomware protection, including patch management, end-point management, software updates, back-ups, and what to do if infected.
- Have great end-point virus protection and patch management programs. The more current these are, the lower your risk.
- Restrict administrative rights on endpoints. This might not be popular, but it is the new reality of cyber safety.
- Have a plan for where ransomware will hit next. Ransomware is spreading into everything from web servers, to mobile, to IoT. You need to make ransomware part of your digital expansion planning and implementation.
- Go beyond annual training. Have continuous reinforcement of ransomware prevention. Ransomware is heavily dependent on social engineering, so the better trained your employees are, the better off you will be. Wired put out a Hostage Rescue Manual for ransomware that has some useful tips.
- Keep up on the latest ransomware detection/prevention technologies. Some developing technologies include behavioral detection, authorization management, and bait files. PC Magazine has a good overview of some of the latest technologies.
Although ransomware has been around a while (it traces back to the 1980s, when attackers demanded that people snail mail in their payments), it’s just starting to take off. It’s proven, it’s popular, and it’s very lucrative. This means that it’s going to evolve very quickly. The more you can keep up with how ransomware changes, the more you can avoid becoming a digital hostage.