Ransomware: What to expect in 2017


First, we had viruses, then Trojans, then rootkits.  AdWare made its presence felt.  Now, with the advent of Cloud Computing and businesses increasingly relying on the Internet as a business tool, we have ransomware.  The coming Internet of Things makes for a very scary future of cyberattacks and cybersecurity battling it out for supremacy.

First, a definition of ransomware:  Simply put, ransomware is a type of malware that blocks user access to their data.  Simple attacks can be reversed by a specialist.  More advanced malware encrypts user data, followed by a ransom demand requesting payment before it is decrypted.  It is usually categorised as a denial-of-access attack.

By denying users access to data, businesses can be shut down until the malware is removed and the data recovered.  One study found that an attack usually resulted in at least two days of downtime.  For small businesses, the downtime could cost an average of just over $8,500 per hour.

Ransomware attacks are usually delivered via a Trojan embedded in a legitimate file.  Infected email attachments (Microsoft Office files are a favourite, followed by scanned image files) are often the favoured delivery medium.

A final kick-in-the-teeth is that ransomware usually has a time limit within which the ransom needs to be paid. If not paid in this time window, the user data becomes unrecoverable.

If we take 2016 as a baseline, the statistics are bad enough already.  The FBI reckon that over $209 million was paid to ransomware criminals in Q1 2016 alone, expecting it to become a billion-dollar business by the end of the year:

  • The number of infections increased to over 56,000 in March 2016 with the advent of the Locky Trojan;
  • Infected emails increased by 6000% over 2015;
  • 40% of all spam email was infected with ransomware.

IBM also found that 70% of victims paid the ransom.  While the average payment was around $1,000, 50% paid more than $10,000 and 20% more than $40,000.

Most businesses, around 70%, when faced with a ransom demand paid up.  They considered it easier and more cost effective to pay up than face the downtime and uncertainties of trying to fix it themselves. That obviously does not include those businesses that did not report an attack.  And like other forms of ransom, there is no guarantee that you will get your data back and the likelihood of your being targeted again just increased.

What trends in ransomware can we expect in 2017?

Already in 2017, we have seen a quantum increase in ransomware attacks directed against major IT installations.  The recent ransomware attack on the UK National Health Service highlights the devastating effect even a threat of it can have on public reputation and service levels.  Unusually, ransomware is not limited to Windows systems.  It can be directed against Apple and open systems too.

We can expect the ransomware assault to continue.  Some commentators predict a 100% increase, some even more.  We can expect the typical targets of the ransomware crooks to change slightly.  Delivery systems will become more sophisticated and there will be an increase in the number of infected spam emails.  Cyber attacks will increase in both number and targets.

A trend for 2017 is attacks on individuals. The study by IBM highlighted that more than half of parents surveyed would pay to have their personal data back, particularly photographs and video.  The ransom might be a lot lower, but the increasing use of digital media to store precious and irreplaceable personal memories makes for a very big and very easy market.

Targeted corporate users are those in the public sector, healthcare, and financial services segments.  They are perceived as being highly or critically dependent on their business information, and therefore more likely to pay up.   The public sector is also perceived as having weaker data protection regimes.  That business model seems to be working.

In regard to the ransomware itself, that will also change, even if only in an effort to disguise or change the signature identified by cyber security systems.   The basic premise of preventing access to user data, and only releasing it on payment of the ransom will not significantly change.

The other expectation for 2017 is an increase in defensive tactics.

What is becoming clear is that an organisation must have cybersecurity as a key component of its business continuity programme.  The FBI consider that a backup may be your only recourse in recovering your critical data without paying the ransom.

However, not all businesses have suitable backup regimes.  Some backups are already infected; some are incomplete as a result of unmonitored and failed backup jobs.  Some critical data can also be lost if the last data snapshot was some time back.
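The three backup failure modes above (stale snapshots, unmonitored failed jobs, backups that may already contain encrypted data) can be checked automatically. The following is an added example, not part of the original post; the job-record fields, the 24-hour recovery point and the 50% change threshold are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample job history; field names are hypothetical, not from a real product.
JOBS = [
    {"set": "finance", "end": "2017-05-14T02:00", "status": "ok", "files": 1000, "changed": 40, "restore_tested": True},
    {"set": "finance", "end": "2017-05-15T02:00", "status": "ok", "files": 1000, "changed": 35, "restore_tested": False},
    {"set": "hr", "end": "2017-05-09T02:00", "status": "ok", "files": 500, "changed": 10, "restore_tested": False},
    {"set": "hr", "end": "2017-05-13T02:00", "status": "failed", "files": 0, "changed": 0, "restore_tested": False},
    {"set": "hr", "end": "2017-05-14T02:00", "status": "failed", "files": 0, "changed": 0, "restore_tested": False},
    {"set": "shares", "end": "2017-05-14T02:00", "status": "ok", "files": 2000, "changed": 20, "restore_tested": True},
    {"set": "shares", "end": "2017-05-15T02:00", "status": "ok", "files": 2000, "changed": 1900, "restore_tested": False},
]
NOW = datetime(2017, 5, 15, 8, 0)  # constructed "current time" for the sample

def audit(jobs, now, rpo_hours=24, churn_limit=0.5):
    """Return {backup_set: [findings]} for sets that would not support a clean restore."""
    by_set = {}
    for job in jobs:
        by_set.setdefault(job["set"], []).append(job)
    findings = {}
    for name, runs in by_set.items():
        runs.sort(key=lambda j: j["end"])  # ISO timestamps sort chronologically
        good = [j for j in runs if j["status"] == "ok"]
        issues = []
        if runs[-1]["status"] != "ok":
            issues.append("latest job failed")
        if not good:
            issues.append("no successful backup on record")
        else:
            last = good[-1]
            age = now - datetime.fromisoformat(last["end"])
            if age > timedelta(hours=rpo_hours):
                issues.append(f"stale: last good backup is {int(age.total_seconds() // 3600)}h old")
            # Heuristic (assumption): most files changing at once may mean
            # already-encrypted data was captured; keep older snapshots.
            if last["files"] and last["changed"] / last["files"] > churn_limit:
                issues.append("suspect: mass file change in last good backup")
            if not any(j["restore_tested"] for j in good):
                issues.append("never restore-tested")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for backup_set, issues in audit(JOBS, NOW).items():
        print(backup_set, "->", "; ".join(issues))
```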

Organisations are increasingly looking at enhanced detection and prevention systems, a dependable backup regime, and documented and tested protocols and training to mitigate the effects of not just ransomware, but all cyber attack scenarios.

Individual users need to do the same.
