Imagine turning on your computer one day and being greeted with this message:
This is ransomware, and in 2016 over 4,000 ransomware attacks occurred daily, raking in nearly $1 billion in profits for attackers.
While there are many types of ransomware, they all result in users being unable to access their files or even fully boot up their PCs. Ransomware is malware that locks and/or encrypts a user’s files or computer and demands a ransom be paid within the allotted time for the computer to be unlocked. All sorts of computers are vulnerable to ransomware, including home computers, endpoints on a corporate network, or servers used by a government agency. To make matters worse, upon paying the ransom, there’s no guarantee your files will be unlocked, and your willingness to pay could make you an even bigger target for more malware or extortion attempts. Additionally, ransomware is hard for security software to detect, and once your data is taken hostage, there’s no stopping your sensitive data from being copied over to the attacker. The ransomware is also likely to search for other accessible computers on the same network, which is devastating in a corporate environment.
In the U.S. alone, victims lost $209 million due to ransomware in the first three months of 2016, compared to a total of $24 million all throughout 2015. With this rapid new onslaught of attacks, ransomware has become big business for some hacking groups. This new cybersecurity battle has led to a digital arms race, with attackers investing more in advanced, automated attack delivery methods and private firms increasing their funding for corporate protection measures.
These attackers continue to make money at an alarming rate and most often employ spear-phishing tactics. Phishing is the fraudulent act of claiming to be a legitimate party in an effort to coax users into revealing sensitive information like usernames and passwords. Spear-phishing ups the ante by targeting a specific group of people, like employees at a company an attacker wants to infiltrate. (There’s even a term called whaling used to describe phishing attempts made specifically at high-level executives like CEOs.) So an unsuspecting employee at a company can accidentally click on a link in an email that looks like it’s coming from their boss, but instead, ransomware is being downloaded onto the computer. Even if that computer has traditional anti-virus software installed, chances are the ransomware will be able to evade the security measures in place. The ransomware can now move laterally across the network, infecting countless computers in its wake and requesting additional ransom money from each machine it claims.
A company that finds itself the victim of ransomware has little recourse, and the attackers know it. Not only is the problem new enough that most corporations either are not protected or have no policy to address such an issue, but the clock is ticking and law enforcement is very limited in the aid it can offer. Since most attackers are either foreign actors or state-sponsored hacking groups, the chances of local authorities being able to track down those responsible are very slim. And with 4,000+ daily ransomware attacks, it would be unreasonable to assume that law enforcement would have the bandwidth or necessary technology forensics skills to be of help. Companies can then turn to private incident responders to help, but without access to the machines on the network, finding clues about how the attacker got in or to what extent they have control is nearly impossible. As a result, most companies are forced to consider paying the ransom, knowing full well that their data might not get unlocked, might have already been resold, and the attacker might try to leave a backdoor to regain access in the future.
So the good news for the average person is that attackers are much more interested in corporate environments than they are in the average person’s laptop. Attackers know that the real money is in compromising company networks, where ransomware can cause major disruptions in business operations, which really increases their chances of getting paid. Business networks are also complex, and with so many eager clickers employed, their attack surface is spacious and vulnerable. Those in charge of network security at a company need to be vigilant and stop every attack, but the attackers only need to succeed once. Since ransomware can affect not only personal laptops but other endpoints like POS systems and servers, it can really hit the core of an affected business. Most small- to medium-sized businesses don’t have the capital to invest in prevention measures and won’t have a plan to deal with a ransomware situation if it occurred.
Ultimately, only two things can keep you safe from ransomware: back-ups and a basic knowledge of security. Although a ransomware attack still leaves your data vulnerable, at least a back-up would restore your access to it. Most victims of a ransomware attack find it difficult to even assess what they’ve lost, since without a back-up there is now no record of what did exist and could now be in the hands of an attacker. Security also needs to be everyone’s business; a properly-trained employee should be able to spot a phishing email or at least be able to follow a protocol for emails he or she is unsure about. While there’s no silver bullet for security, proper etiquette and education are half the battle.