The Rise of Ransomware: How Criminals Cash in on Your Files

By Jenny Menna


Imagine you’re following your usual morning routine at the office: You boot up your PC, grab a cup of coffee, then attempt to log into your network. Only this time, you’re greeted with the message, “Your important files have been encrypted, including your documents, spreadsheets, photos, videos, etc. If you want to decrypt your files, your organization must pay a fee of $15,000.”   You can’t access your data or do your work. This scenario is unfortunately becoming a reality for some businesses and public institutions around the country.

What is Ransomware?
This extortion method of holding data hostage has been nicknamed “ransomware,” and it is fast becoming a popular shakedown method by resourceful cybercriminals who rake in a fast reward, then move onto the next target. Most ransomware cybercriminals demand reasonably small sums ($5-$20K) to encourage companies and institutions to pay as soon as possible to regain control.

Ransomware is downloaded and installed onto an unsuspecting user’s PC via email attachments, embedded hyperlinks within emails, internet browsing-type attacks, or web application vulnerabilities. The installed malware encrypts files, drives or networks, and locks down the system. Then the hackers send messages demanding money to decrypt your organization’s files.

The truly disturbing aspect of ransomware is that hackers are targeting critical infrastructure, such as health care facilities and local governments, which are organizations that cannot afford to shut down for long periods of time. A particularly disturbing ransomware scenario happened in February 2016, when hackers successfully forced Hollywood Presbyterian Medical Center in Los Angeles, CA, to pay $17,000 to unlock its computer files. The hospital attempted to recover its data for over a week, but eventually agreed to the hacker’s terms after determining their backup and restore options had failed. During the week-long standoff, the hospital staff was unable to access email or electronic records and was forced to use pen and paper to update records. Some patients were transferred to other hospitals.

Why Hackers Target Small Businesses
The problem with ransomware is that like most malware, it’s challenging to detect. Most users don’t realize it’s been installed on their PC or network until they receive the hacker’s message demanding a ransom payment. What’s particularly concerning is that hackers are specifically targeting small to medium-sized businesses and public institutions because they often have outdated security measures, and can’t afford the multiple layers of protection that a larger enterprise can, making them an attractive target for cybercriminals.

Ransomware Countermeasures
Although most ransomware cybercriminals demand small amounts, the FBI predicts total ransomware costs exceeding $1 billion in 2016. In the face of that scary statistic, here are some ways to prevent that horrible morning from ever happening to you or your coworkers.

The best countermeasure is a layered approach to security. Here are some basic suggestions for creating a layered defense:

  • Identify gaps – Implement security awareness training for employees and create restrictive roles for employees with privileged access. Employees are often overlooked as a business resource for security breach prevention, but they are one of the first lines of defense when properly trained.
  • Protect and prevent – Deploy layers of security including endpoint security, email security, network security, and applications security software, and advanced malware threat detection. Although this part will be pricey, it’s a long-term investment that will help prevent costly and reputation-damaging breaches.
  • Detection – Employ risk-based detection based on organizations, countries, or actors that pose a threat to your company. Don’t ignore warning signs.
  • Respond and remediate – You need incident response readiness and preparation to quickly respond to potential threats. Run test scenarios to improve employee response.
  • Recovery – Don’t forget backup and encryption of servers. Backup regularly, and keep a recent encrypted backup copy off-line.

 

Ransomware isn’t a new risk; we’ve seen CryptoLocker attacks on individuals and small businesses for years.  Over the past year, we’ve seen criminals raise the stakes, attacking what we would all consider critical infrastructure targets.  This risk is unlikely to go away in the coming year, because the current perpetrators are seeing “success,” which will encourage them to continue their activities and no doubt expand their targets and tools.  They will likely also inspire copy cat bad actors, as groups like DD4BC have done.  Because of the potential consequences, ransomware will continue to be a major risk area for 2016 and likely 2017 and beyond.

 

The FBI has created a very helpful document on preventing, responding to, and recovering from ransomware, which has been shared by the US Chamber of Commerce on their website.  The Financial Services Information Sharing and Analysis Center (FS-ISAC) also recently published a best practices paper for destructive malware, which would also be applicable to ransomware attacks like these. I encourage you to review those documents and stay engaged to learn more about this and other risks we face in cyberspace.  The Global Cyber Alliance is a great place to get involved.

The author, Jenny Menna, is a cybersecurity leader in the financial sector and a member of the GCA Strategic Advisory Committee.

Editor’s Note: The views expressed by the author are not necessarily those of the Global Cyber Alliance.