Ransomware has quickly become one of the most pervasive and dangerous cyberthreats. And it’s not going away any time soon. Buoyed by Bitcoin and the underground digital economy, ransomware has evolved to become the most profitable malware threat in history.
The Rise to #1 Cyberthreat
A few years ago, ransomware was fairly primitive and benign. So-called “computer locker” attacks would seize a computer by disabling keyboard or mouse functionality. (Theoretically, the cybercriminal would unlock the keyboard upon receipt of ransom payment.) In most cases, IT professionals could simply ignore ransom demands and restore an infected computer to its previous working state using off-the-shelf malware removal tools.
Much has changed in the past several years. Today’s ransomware attacks are far more advanced and invasive. The latest ransomware programs can quickly spread throughout an organization, locking up data across the enterprise, and disrupting business operations. Some variants even threaten to post confidential data to the internet unless a ransom is paid.
According to Kaspersky Lab, “Ransomware has replaced advanced persistent threat (APT) network attacks as the most problematic cyberthreat – and early indications suggest that they’ll be the main problem for 2016 as a whole”.
Ransomware is big business. New “ransomware-as-a-service” schemes allow any criminal with basic computer skills and internet access to get into the ransomware business. The ransomware author makes the malware available to other cybercriminals in exchange for a percentage of the ransom payment.
Bitcoin is the preferred currency of the digital underground, and has contributed to the popularity and spread of ransomware. Unlike bank accounts, PO Boxes, and other mainstream payment methods such as PayPal, Bitcoin is completely anonymous and very difficult to trace. According to security researchers:
“The cryptocurrency has inadvertently helped the ransomware industry to flourish because users of bitcoin addresses can remain anonymous. Another complication for security researchers is that nearly all ransomware exchanges are conducted through Tor, an Internet anonymizer. Bitcoins also can be broken down into fractions, enabling adversaries to pay their entire team from just one bitcoin in a convenient and essentially untraceable way.”
Ransomware is also becoming more pervasive. Contemporary ransomware attacks are aimed not only at Windows machines, but also at Linux and Mac OS systems, and mobile devices. The latest ransomware variants are specifically designed to avoid detection by security applications – using techniques like polymorphism and throw-away command and control servers – and to impair recovery efforts.
According to the FBI, paying a ransom does not even guarantee that an organization will regain access to its data; in fact, some victims were never provided with decryption keys after having paid a ransom. Some victims who paid the demand report being targeted again by cyber actors. After paying the originally demanded ransom, some victims have been asked to pay more to get the promised decryption key.
What you can do to prepare
Experts agree that there is little that can be done to prevent an attack, especially if malicious actors have enough incentive to target your organization. Instead, they recommend having backups in place that can be recovered quickly in the event of an infection. The latest Cisco Security Report states:
“Organizations and end users should prepare now by backing up critical data and confirming that those backups will not be susceptible to compromise. They must also ensure that their backup data can, in fact, be restored quickly following an attack. For enterprises, restoration can be a major undertaking; therefore, being proactive about identifying potential bottlenecks is essential.”
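The report's two recommendations, confirming that backups are not susceptible to compromise and confirming that they can actually be restored, both depend on being able to prove that what comes back from a restore matches what was backed up. The script below is an added example, not part of the original article or of the Cisco report: at backup time it records a SHA-256 manifest of every file, and after a test restore it compares the restored tree against that manifest, reporting files that are missing, altered (as an encrypting ransomware would leave them) or unexpected. The file names and contents in `demo()` are constructed for the example; the manifest itself should be kept on media the production network cannot write to, otherwise a compromised host can rewrite it along with the backups.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read files in 1 MiB chunks so large backups do not need to fit in memory


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative, POSIX-style path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def write_manifest(manifest: dict, dest: Path) -> None:
    """Persist the manifest as sorted JSON; store it off the writable network path."""
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest recorded at backup time."""
    actual = build_manifest(restored)
    expected_paths = set(manifest)
    actual_paths = set(actual)
    common = expected_paths & actual_paths
    return {
        "missing": sorted(expected_paths - actual_paths),      # backed up, but not restored
        "extra": sorted(actual_paths - expected_paths),        # restored, but never backed up
        "modified": sorted(p for p in common if actual[p] != manifest[p]),  # content differs
        "verified": sorted(p for p in common if actual[p] == manifest[p]),
    }


def restore_is_clean(report: dict) -> bool:
    """A restore passes only if nothing is missing, altered or unexpected."""
    return not (report["missing"] or report["extra"] or report["modified"])


def demo(tamper: bool = True) -> dict:
    """Constructed scenario: back up three files, restore them, optionally damage the restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "source"
        (source / "finance").mkdir(parents=True)
        # Hypothetical sample files, constructed for this example
        (source / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (source / "notes.txt").write_text("quarterly review\n")
        (source / "config.ini").write_text("[db]\nhost=localhost\n")

        manifest = build_manifest(source)
        write_manifest(manifest, tmp / "manifest.json")

        # "Restore" by copying the backup set into a fresh tree
        restored = tmp / "restored"
        shutil.copytree(source, restored)
        if tamper:
            # Simulate one file overwritten with ciphertext-like junk and one file lost
            (restored / "finance" / "ledger.csv").write_bytes(b"\x00garbage\x00")
            (restored / "notes.txt").unlink()

        stored = json.loads((tmp / "manifest.json").read_text())
        report = verify_restore(restored, stored)
        report["clean"] = restore_is_clean(report)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(tamper=True), indent=2))
    print(json.dumps(demo(tamper=False), indent=2))
```

Running the script prints the tampered report first (one modified file, one missing, `clean: false`) and then the untouched restore (`clean: true`). In practice the verification step runs on a restore into an isolated environment on a schedule, so that a silently corrupted or partially encrypted backup is noticed before it is the only copy left.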