In an oft-repeated tale, Mark Twain once noted to a New York Journal correspondent who inquired about his health that “reports of my death are greatly exaggerated.” That quip, modified and misquoted over time, could easily be applied to ransomware, whose surge helped define 2016, but which was expected to die or at least fade away in 2017 as companies figured out how to thwart it. (Hint: a lot was hanging on backup.) But security pros now say that's not going to happen and, in fact, ransomware is facing a robust future.
Already rattled by big-name breaches in retail and heath care, the C-suite is now feeling the heat from ransomware. Once shrugged off by IT security pros as a threat to mom-and-pop businesses, ransomware has evolved into a sophisticated set of attacks that can go far beyond simply shutting down IT operations until money has been paid. These days, wrongdoers are ramping up malware that zeroes in on a company's intellectual property and threatening to release it – or else.
That's why cybersecurity pros who might otherwise be focused on APTs, cyberarmies and attacks on critical infrastructure, find themselves sounding the alarm on what used to be considered one of the most amateurish of cyberthreats. What's new isn't the quantity – a September FBI public service announcement stated that there were 100,000 computers infected by ransomware in a single day – but also the quality.
“There have already been examples of attacks where an organization's files were held ransom and their sensitive data was slowly made available to the public, by the attackers, until they paid the ransom,” says Steven Spano, president and COO at the Center for Internet Security (CIS).
There are a few cases where files were deleted even when the ransom was paid, adds Spano, a retired Air Force general. “We may see more examples of this sort of pressuring going on in order to force an organization to pay the ransom, even if they have a backup solution in place that would allow them to recover their files on their own.”
Ransomware trap: Escaping
And given its effectiveness, ransomware is unlikely to remain confined to squeezing money out of private businesses, says Michael Kaiser, executive director of the National Cybersecurity Alliance (NCSA). He points to the advent of the Internet of Things and anonymous payments via Bitcoin as opening the way to cyberextortion on a new scale.
“As things become more connected, such as infrastructure, there is a risk of different types of ransomware,” Kaiser says. For example, a city with stoplights connected to the internet could face a threat to turn if off. “The particulars of the attack can evolve as the internet evolves,” he says.
But, ransomware lurking in critical infrastructure may be upstaged by the malicious software sitting in the pockets and handbags of countless individuals. Ransomware became the biggest cyberthreat on Android devices in the first half of 2016 in the U.S., U.K., Germany, Australia and Denmark, accounting for half of the total malware detected, according to a study by Bitdefender.
Phishing is headed to phones and IoT devices, says Kristin Judge, a cybersecurity educator and consultant with Michigan-based Opcio Solutions and a director of special projects for the NCSA. “People are not as vigilant about protecting them. It's not on their radar as much as the laptop.” A typical mobile ransomware scenario centers around a text message with a link promising access to a coupon, she says.
As a result, cybersecurity experts must develop strategies to counter ransomware that allows for attacks from countless mobile devices as well as the targeted attacks by dark-side software engineers.
“Organizations need a proven security framework to guide them through and help simplify the complexity inherent in protecting their environment,” says Spano of CIS, pointing to the NIST cybersecurity framework as an example.
Even if enterprises and government agencies are fortunate enough to avoid the more sophisticated variants of ransomware, the attackers will continue to spray their malicious code widely to find the few that will pay. According to a report from Intel Security, ransomware samples worldwide spiked 127 percent in the year up to September, putting the total number of ransomware samples at 7.3 million. Another study by Trend Micro found that some 65 percent of ransomware victims in the U.K. forked over digital cash to unlock their data. That willingness to dole out Bitcoin is based in part on the increasing sophistication of the data hostage-takers, as asymmetric encryption has become a staple of the ransomware repertoire.
Upgraded malware may set the stage for more elaborate extortion in the future, says Mark Hofman, a handler at the SANS Internet Storm Center in Sydney, Australia. “Ransomware will continue to change shape to use current effective delivery mechanisms,” he says. As the perpetrators behind the malware already have access to the data, it would be a fairly trivial step to identify data of interest and potentially hold the information release as a ransom point, but likely they would have to change how they target victims, he says.
That shift in ransomware is already underway, says Wendy Nather, research director at the Retail Cyber Intelligence Sharing Center in Austin, Tex. She's on the lookout for “integrity attacks” – the alteration of data to harm a business or organization. “The more insidious prospect would be for a criminal group to claim that they made such an alteration, but actually didn't,” she says. “It's almost impossible to prove a negative, but it will tie up the victim nonetheless as they try to confirm or deny it.”
A pristine backup could provide a rapid recovery to a pre-attack state. “Those using cloud storage exclusively may be in a better position, but that is usually a minority,” says Hofman at SANS. “Backups are obviously essential and certainly once infected they are pretty much your only recourse, unless you are lucky and were infected with one of the bad implementations of ransomware.” That is, hackers who have inadvertently stored their encryption key with their file.
If all prevention and recovery efforts fail, organizations will be tempted to pay up to release their data. But, before pressing the send button on Bitcoin-based ransom, organizations must face up to legal and ethical considerations, says Marcus Christian, a former federal prosecutor who is now a partner at the law firm Mayer Brown.
“The money will go to bad uses,” he says. “Criminal organizations are involved not only in cybercrime, but also narcotics and human trafficking.”