The 2018 Verizon Data Breach Investigations Report (DBIR) declares ransomware “the most prevalent variety of malware”.
- Over 181 million ransomware attacks happened in the first six months of 2018.
- That is a 229 per cent increase in ransomware attacks reported compared to the same period in 2017(SonicWall)
Let us take a look at ransomware, the most prevalent types of the threat facing organisations today and what the future holds for this growing malware menace.
A definition of ransomware
- Ransomware is a form of malicious software. It is also known as malware
- Once ransomware seizes control of your computer, it threatens the users by denying access to their data
- Attackers then demand a ransom be paid to release the data. However, the cybercriminals can be overtly devious and do not always relinquish access to the data upon receipt of the payment
- In most cases, by paying a ransom through cryptocurrency Bitcoin (an untraceable payment method), the victim will receive a decryption key
- Ransom demands range from hundreds to thousands of pounds or dollars
- Part of the reason behind the frequent use of ransomware derives from the fact that it is easy to deploy, it is low cost to implement, and stolen data does not require monetisation with low levels of traceability
- Low-level cybercriminals are using off-the-shelf toolkits to create and implement ransomware in a matter of minutes
- Overall ransomware provides a low risk to a vast pool of criminals
- Ransomware also offers an opportunity to encrypt a file server through to a prize as significant as a database
- For those criminals looking for fame or notoriety, ransomware can make the news headlines, severely damage a company’s reputation and those organisations that are not adequately backed up could face major disruption to their business operations and even take the firm offline
What are the main types of ransomware?
Ransomware identified in the 2018 DBIR as the leading type of malicious software, 39 per cent of cases detected malware with the use of ransomware scams growing internationally.
Ransomware creating the headlines over the years:
- 2018 - From January to July 2018, there were 181.5 million ransomware attacks. That equates to a 229 per cent increase over the same period in 2017. (SonicWall)
- 2017 - Office 365 phishing attacks - In 2017, 54 per cent of firms on the Office 365 platform were the subject of phishing attacks. While email-spoofing attacks through Office 365 such as spear phishing rose by 26 per cent in the same year.
- NHS attacks cost £92 million - The UK’s National Health Service (NHS) computer network was affected in a six-day ransomware attack at the cost of 92 million pounds.
- 2016 - Microsoft reports an estimated ransomware cost of 325 million dollars in 2016.
Looking to the future of ransomware headlines In 2019, the cost of ransomware is predicted to rise to 11.5 billion dollars (Cybersecurity Ventures)
Six of the most notorious ransomware attack campaigns in history:
- 5 September 2013 to late May 2014
- Credited with starting the modern ransomware age
- Method: The cryptovirus utilised a trojan horse that compromised computers running Microsoft Windows. Infecting up to 500,000 machines at its peak
- Launched February 2016
- Users opened a malicious Microsoft Word file that stated: “Enable macro if data encoding is incorrect”
- Method: A ransomware malware delivered through social engineering
- First discovered 2016
- NotPeya spread fast proving to some that cybersecurity was not taken seriously
- Method: NotPetya is from the Peya a trojan horse encrypting malware family affecting Windows. The NotPeya version is considered by many as the Russian nation-sponsored cyber attack concealed as ransomware
- Launched late 2015
- A pervasive ransomware campaign targetted at mobile devices
- Method: The first known ransomware that delivered its malicious payload via a trojan downloader
- Launched February 2015 (now redundant)
- Targeted gaming files with relentless progress during its campaign
- Method: A ransomware trojan horse mainly affecting Window machines
- WannaCry case study
- Campaign dates: 12 May 2017 to 16 May 2017
- Hailed by many as the worst ransomware attack in history
- During the May 2017 ‘WannaCry’ ransomware attack, the infamous cyber attack campaign hit news headlines globally because of its size and scale
- WannaCry affected the operations of organisations worldwide by exploiting vulnerabilities in computers running Microsoft Windows (MS), but that had not updated
- From Renault in France to FedEx in the US through to Deutsche Bahn in Germany, WannaCry hijacked the data of the world’s best-known brands with seemingly the biggest IT budgets
- However, WannaCry also hacked smaller organisations, using the worldwide adoption of MS, the ransomware attack did not discriminate and directly infected any computer that had not been correctly patched or was end-of-life
- WannaCry demanded ransom payments in the form of Bitcoin cryptocurrency
- It circulated through EternalBlue; an exploit allegedly developed by the U.S. National Security Agency and leaked by The Shadow Brokers attackers’ group in the months before the attack
- WannaCry also exploited machines through the installation of backdoors onto the affected systems
WannaCry key statistics:
12 May 2017 to 15 May 2017
Demand to decrypt files
$300 to $600 Bitcoin
Over 200,000 victims
Over 300,000 computers infected
Up to USD 4 billion
How does ransomware work?
The primary goal of criminals is to utilise ransomware to receive large ransom payments. And the criminals use two main types of tactics to achieve their goal:
- Threaten to publish the victim's data
- Prevent ongoing access to data
There are generally two types of ransomware attack:
- Simple ransomware - In a less sophisticated ransomware attack, the system will be locked, but it is feasible for an experienced IT professional to reverse the actions.
- Cryptoviral extortion - Cryptoviral extortion is an advanced form of ransomware malware. In cryptoviral, the targets files are encrypted causing them to be inaccessible. The attacker demands a ransom payment to decrypt the data.
There are two main types of attack methodology:
- During a ransomware attack, criminals deceive users into downloading or opening a bogus Trojan file from an email attachment. Also referred to as a phishing scam
- Victims are directly infected as the malware travels between computers without user interaction, g. a real-life attack of this kind occurred through the 2017 WannaCry cryptoworm
Who can be the target of ransomware?
Cybercriminals often carefully select the companies they target with ransomware:
- Organisations with small security teams or no security professionals
- Firm’s that hold or share a large amount of data
- Organisation’s that are file dependent
- Companies that store and work with sensitive information
However, do not get complacent about ransomware. Ransomware can spread like a virus automatically and indiscriminately throughout the internet. Remember attacks are not always aimed at individual organisations and often derive from weakness exploited in programs which thousands of worldwide companies use every day.
Should the victims of ransomware attacks, pay the ransom?
The for and against debates continues surrounding the subject of paying the ransom payments.
Here is some guidance underpinned by advice from both the UK and US governments who actively support the practice against giving into a ransom payment.
The UK government’s National Crime Agency encourages industry and the public not to pay the ransom (NCA):
- The governments are quick to remind victims that they are potentially trading with criminals and sometimes terrorists
- In fact, paying the ransom does not always guarantee decryption of files or databases. It is common for criminals to promise to provide the private ‘key’ but not follow through
- Criminals have also been known to demand more money after receipt of the initial ransom charge
- Ransom payers can also find their details sold to other cybercriminals for future attacks
66 per cent of companies say they would never pay a ransom. However, in reality, 65 per cent, do pay the ransom at the point of attack (Trend Micro).
Ransomware prevention tactics
Here are some practical ways to protect your data:
Backup your data
Create off-network backup copies
Overwrite encrypted data in the event of an attack
Store backups outside of the network
Prevent access in the event of an attack
Other security measures against ransomware could include:
- Employee security training
- Keeping operating systems updated and patched
- Utilise good antivirus software
- Daily backups
- Deploy security policies and actively enforce there use
- Understand your weakness and threats
- Prevent automatic software installation