While there is some debate over whether the number of ransomware attacks is rising, there is no arguing that the losses suffered by both public and private sector organizations have increased. Hardening your organization’s security posture requires an understanding not only of how ransomware works technically, but also how the attacks psychologically compel victims to open emails, click on links or download attachments from unknown senders, even if they’ve been trained not to.
The FBI reports that ransomware attacks are becoming more targeted, sophisticated, and costly. Moreover, as Forrester VP and principal analyst Dave Bartoletti told an audience at this year’s CommVault GO conference, ransomware attacks are up 500 percent. The resultant losses have increased significantly, with costs expected to hit $11 billion.
Attackers have been using ransomware for decades, yet it remains an effective tool because it takes minimal skill and effort compared to traditional computer crimes. Dark web sites have all the resources that criminals need to execute their attacks. They can purchase Ransomware-as-a-Service (RaaS) and initiate the attacks themselves or use botnets to spread it. They can also easily find instructions for accepting bitcoin payments and anonymously communicating with potential victims.
The key factor that makes ransomware so effective is the psychological nature of the attacks. If an attacker sends an email carrying a malware-laden attachment to 10,000 people, and just one person downloads and opens it, the hacker has succeeded. As such, hackers will take advantage of users’ generosity, desire to save or earn money, or any number of other emotional triggers to increase the likelihood that they’ll convince that one user to fall for their phishing emails.
One particularly insidious example is the CryptoMix ransomware, which promises to send the ransom money to charities such as the “International Children Charity Organisation”. Of course, no money actually goes to any children.
If an organization has not implemented a robust system of backups, there’s no way to prevent a ransomware attack from crippling its IT systems and locking users out of important files. Once this happens and the malware spreads, it’s not uncommon for the victim to have no idea whom to call for help. This helpless feeling leads many victims to conclude that the only way to recover their files is by paying money to the anonymous criminal on the other end of the Internet.
Unless the ransomware is well known and decryption keys are readily available, the best that an expert can do is teach the victim how to rebuild the system from scratch and load the backups (if there are even backups available). The only other options are to pay the ransom or consider all of the data lost.
Many victims are too embarrassed by their mistake to seek help. They don’t want to be seen as technically inept, so they are left reliant on the criminal as their only source of guidance.
Attackers usually make it sound like they are doing the victim a favor by helping to recover the lost data. They might even be willing to negotiate with the victim, bizarrely making it seem like the victim owes them a favor. The criminal then frequently has to walk the victim through buying and sending the bitcoin payment.
At the other end of the spectrum are the enterprises, hospitals and government agencies that fall victim to ransomware attacks. For these entities, the question of whether or not to pay the ransom is a business decision. In some cases, the organization has a mandate not to pay criminals. No matter what the cost, on principle alone, they will deal with the consequences of non-payment.
The FBI does not advocate paying ransom, in part because it does not guarantee that the person or company will regain access to their data. In some cases, victims who paid a ransom were never provided with decryption keys. In others, flaws in the encryption algorithms of certain ransomware variants prevented victims from recovering some or all of their data, even with a valid decryption key. The FBI also warns that paying ransom emboldens criminals to target other organizations and provides an alluring and lucrative enterprise for other bad actors.
Many organizations analyze the costs of potential downtime and data recovery (assuming the data can be recovered) before paying the ransom. Then, as long as the ransom does not exceed the expected costs to otherwise address the attack, the company makes its decision based on the perceived likelihood that paying the ransom will result in the desired outcome.
As you can see, the technical issues of ransomware are the least of the problem. While it is not necessarily simple to mitigate ransomware, the process is known. The decision-making process is, however, a very emotional one.
As security professionals, it is our nature to approach the situation as a technical one. However, we need to be aware of how people rationalize the business decisions they make regarding which direction to take.