Ransomware 101
Ransomware 101

Ransomware has become one of the most - if not the most prevalent, effective and successful forms of cybercrime.

According to the DOJ, an average of 4,000 ransomware attacks occurred per day in 2016 in the U.S., a 4x increase over 2015. The FBI reports more than $1 Billion in ransoms were paid in 2016, up from 240M in 2015 - another 4x increase. The spikes are extreme, but for those familiar with ransomware, they come as no surprise. Ransomware is simple to create and distribute and offers cybercriminals an extremely low-risk, high-reward business model for monetizing malware. Combine that most companies and people are unprepared to deal with ransomware, no wonder it's become the fastest growing cyberthreat to date.

Simple code, sophisticated e-marketing

Ransomware propagates through the same channels of regular malware - email mainly but, also through compromised or malicious websites, pirated software, etc. Ransomware code is often not sophisticated, but it doesn't need to be, because unlike many types of traditional malware, in most cases it does not need to remain undetected (i.e. persistent) for long to achieve its goal. This relative ease of implementation versus high profit potential attracts both sophisticated cybercrime actors, as well as novice ones to operate ransomware campaigns. What is more sophisticated about ransomware is the e-marketing effort that drives its distribution.   

Ransomware purveyors are often savvy e-marketers that know their targets. It is not uncommon for a ransomware gang to run multiple campaigns at the same time, with tiered pricing based on a variety of parameters such as vertical industry, region, age, etc. While ransoms have surpassed the hundreds of thousands mark, the goal is to set a price that makes it either cheaper or easier for the victims to pay the ransom then to recreate or restore the compromised systems, especially when the victim has a sense of urgency.

Ransomware exploits risk management gaps in Cyber Insurance, Operations

The end result is a whole new economy for cybercrime, one with risk management gaps that allow it to thrive. One significant gap is that the cyber insurance industry is in many cases useless when it comes to ransomware. Most policies have an “extortion” clause, but the deductibles are cost prohibitive - hundreds of thousands need to be extorted before the insurance will kick in. Plus, if you publicly disclose that you have a cyber-extortion clause in your policy - in a press release, or a public report for example - then you invalidate the policy. 

Another key factor is that it can take a medium-sized business days to restore from backup, which makes it cheaper / easier for victims to pay the ransom. Think about Presbyterian Hospital - when their labs and prescription systems were down, those orders had to be handled manually - think about the cost involved in that! 

Some believe paying the ransom will mark them as an easy target and invite future attacks. However, generic ransomware is rarely individually targeted - it's usually a “shotgun” approach - attackers acquire email lists / compromise websites and blast out ransomware. Given the amount of attackers out there, if you get hit again, it will likely be by a different attacker. Finally, if you have not taken precautions in advance, then might be easiest to pay, and better prepare for the next attack.

So what can you do to mitigate ransomware risk?

Here are some are some things you can do to mitigate ransomware risk and limit the fallout of a ransomware attack:

These include:

  1. Regular and constant backups, be cognizant and filter potentially malicious web sites and emails.
  2. Review cyber insurance plans - make sure they are in line with the level of risk you want from ransomware - help to innovate the industry by requesting a “ransomware clause” for cyber extortion that would eliminate the inability to publicly disclose and adjust the unrealistic high deductible to be more in line with current ransom demands.
  3. Whether you pay or not, keep in mind that attackers will always try and extract useful data off a compromised machine. Assume all sensitive data on the machine was compromised, this potentially includes; usernames & passwords for internal or web resources, payment information, email addresses of contacts etc.
  4. Consider deployment of advanced anti-ransomware technology to prevent execution of ransomware, either as a standalone tool or incorporated into the organizational anti-malware platform.