Report: 2016 ‘Year Ransomware Holds America Hostage’
The report summarizes the ransomware threat and suggests ways to protect against it.
A new cyber security report released March 10 sees the threat of ransomware growing this year.
In the report, researchers trace the history of ransomware, explain its different types and targets, describe the methods hackers use, and outline strategies victims can adopt to minimize the disruption ransomware causes.
Instances of ransomware, a type of malware that holds computer systems hostage for money, first appeared in 1989 and have only grown more common as an increasing percentage of society relies on the internet and data stored on servers. As the Internet of Things has spread and mobile devices become regular accessories, the field of exploitable technology has widened. Additionally, organizations’ dependence on technology has made them more vulnerable.
The report characterizes ransomware as the latest evolution in a history of human thievery motivated by high potential rewards and a low risk of getting caught.
To prevent hacks and traditional malware, organizations developed information security controls that mitigate threats by preventing data modification, flagging unusual behavior and other means. The researchers explained why ransomware renders many of these typical controls useless.
“After it is on a system, ransomware bypasses many of [the aforementioned] controls because it effectively acts as a security application. It denies access to data or encrypts the data. The only difference is that the owner of the system does not own the control.”
The FBI and the Department of Homeland Security typically analyze and respond to ransomware attacks, although researchers stressed that the public and private sector must work together to address the ransomware threat. In addition, victimized parties may work with foreign law enforcement agencies if necessary.
Authorities’ responses, however, are somewhat limited by the following facts:
- There’s no identifiable adversary to focus countermeasures on
- Anti-ransomware efforts are divided over response procedures
- Smaller agencies, like local police forces, lack the resources to effectively respond
- If the hacker is asking for a smaller sum, authorities may be less willing to extensively investigate the attack
- The “borderless” nature of the internet means law enforcement agencies may not have the authority or capability to appropriately investigate and respond to attacks
The methods hackers use for ransomware are nothing new to people familiar with traditional malware. Phishing emails and spam are the primary delivery methods because “users are culturally trained to open emails and to click on attachments and links…The larger the organization, the greater the risk of infection through malicious email.”
The amount of money that the hacker demands varies widely between ransomware attacks. The more sophisticated the encryption, the more the hackers can ask for to remove it.
Below is an excerpt of the report analyzing typical ransoms and their results.
“The average ransom for either ransomware is around $300, as of 2015. One might notice that $300 might be significant for an individual; however, the average includes attacks on commercial businesses…the cost to users (as of 2015) fluctuated between $21-700 depending on variant, criminal, infected device, and victim demographic. The wide range shows that some criminals prefer to make a small profit from a large number of victims while others prefer the inverse…
“In 2014, CTU researchers estimated that about 1.1 percent of the Cryptowall ransomware victims paid the ransom (at an average of $500). Despite this seemingly low response rate, the FBI reported that from the 992 related complaints, Cryptowall reportedly netted over $18 million from victims between 2014-2015. Who knows how many infections were not reported? The lesson is that ransomware… is still significantly profitable, even when only a minuscule number of users fall for its scheme.”
Although the report found that private businesses are the primary target for ransomware, Campus Safety has reported that members of the education and healthcare industries have also been targeted.
Ransomware Threats to Hospitals
Researchers say healthcare was not a “traditional target for ransomware,” but that changed in 2016, thanks largely to hackers using the Locky strain of ransomware. The attack on Hollywood Presbyterian Hospital was a game changer, and hospital officials’ decision to pay could draw more attention to the sector. In the same week as that attack, the Los Angeles County health department also fell victim to a ransomware variant, and two German hospitals were infected with ransomware after that. Apart from Hollywood Presbyterian, healthcare’s ransomware victims have refused to pay the ransom and are instead restoring their systems from backup servers (which in some cases will take months). Read more about those responses in this Campus Safety article.
Ransomware Threats to Educational Institutions
Last month, the Horry County school district in South Carolina paid $8,500 to decrypt their servers after the FBI could find no alternative. School districts have been targeted because they lack the resources to restore their systems and colleges have been targeted because they have the funds to pay higher ransoms.
Researchers found that ransomware targets systems including:
- personal and company computers
- mobile devices
- Internet of Things devices
- critical systems
Researchers suggested the following methods to mitigate the threat of ransomware:
- Create an information security team that conducts risk assessments, teaches cyber security best practices, monitors adherence to those practices and ensures key assets are updated, patched and protected
- Train your personnel to recognize and report threats. They should know not to click on links in suspicious emails. All it takes is one employee’s mistake to compromise your entire network
- Use layered defenses to prevent attacks, or at the least detect malicious attacks, and slow them. “No single product should be relied upon because there is no single product that provides comprehensive security.”
- Make clear internet policies so users know what’s allowed on the network and how to recognize suspicious activity. It may also be helpful to negotiate a cyber security policy with a vendor
For cases where a ransomware compromise does occur, the report lays out several options. Some of them are summarized below.
Option 1: Engage your Incident Response Team, who should notify authorities. A properly trained team should have a plan of action to respond to the attack and a disaster recovery p
Option 2: Attempt to recover the data if you have a backup system. If you don’t, attempt to recover the data through shadow copies or through a file recovery tool.
Option 3: If you have no information security team or vendor solution, your choices may be limited to paying the ransom or accepting the loss of the data. Researchers caution that the hacker may not always restore your system, and paying may open you up to future ransomware attacks. Victims should never pay with their credit cards or using financial account information.
Overall, the researchers said improved cyber security “is the best strategy for mitigating the ransomware threat and reducing the impact of successful attacks.”