2016 was the year that ransomware became the most serious threat for businesses around the world, and the number of attacks shows no sign of falling in 2017. The precise number of successful attacks is impossible to count and expert estimates vary. But there is broad agreement that last year saw massive growth – between 50 per cent and 400 per cent depending on which analysis you choose. This figure is likely to at least double in 2017.
Another way to judge the size of the problem is to ‘follow the money’. Researchers have checked Bitcoin wallets associated with specific families of ransomware and believe crooks made at least $1bn from the scam last year.
The gangs are making money and, with the rise of ransomware as a service – automated portals which allow crooks with no technical skills to launch attacks – there is no reason for them to stop. It is a billion-dollar industry with hardly any risk to the crooks.
Victims in 2016 included hospitals and police departments, although businesses remain the favourite target.
Ransomware is software which encrypts data and sometimes even parts of the operating system. Victims can lose access to vital information or can even be left unable to use their systems at all.
Victims then receive a ransom demand, usually payable in Bitcoins, to get the keys required to regain access to their systems.
The big change this year is the growth of ransomware as an automated service. Crooks can now access portals which do all the difficult work of launching an attack automatically – you just need to choose a target and the amount to charge for a ransom. Some operate on a ‘no-win, no-fee’ basis: charging crooks a percentage of any ransom received. Criminals can also hire a botnet to send out the spam which delivers the ransomware.
Although high-profile victims get hit with huge demands, many ransoms are for relatively small amounts – a few hundred pounds or one or two Bitcoins – which encourages victims to make the payment rather than deal with the expense of lost business and fixing systems. Even if a company had back-ups of the inaccessible data, it might still decide it was cheaper to pay the ransom.
This automation and profitability is fuelling the incredible growth of ransomware. It now makes up more than half of phishing emails compared to less than ten per cent at the start of last year.
The spam emails are also getting far more sophisticated. They often include random pieces of white text, invisible to the user, to evade filtering software. The social engineering aspects also continue to improve and are becoming more difficult to spot.
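An added example (not part of the original article) of how a mail filter could surface the invisible white text described above: it separates text coloured white from visible text in an HTML body and reports the hidden share. It assumes the message renders on a white background; `hidden_text_report`, `HiddenTextFinder` and the sample body are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: the mail renders on a white background, so white text is invisible.
WHITE_VALUES = {"white", "#fff", "#ffffff", "rgb(255,255,255)"}
COLOR_DECL = re.compile(r"(?<![-\w])color\s*:\s*([^;]+)", re.I)  # skips background-color
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}  # elements that never hold text

def declared_color(attrs):
    """Return the normalised text colour the element sets itself, or None."""
    a = dict(attrs)
    m = COLOR_DECL.search(a.get("style") or "")
    value = m.group(1) if m else a.get("color")  # legacy <font color=...>
    return re.sub(r"\s+", "", value).lower().replace("!important", "") if value else None

class HiddenTextFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        # stack holds (tag, text_is_white) for every open element
        self.stack, self.hidden, self.visible = [], [], []
    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        color = declared_color(attrs)
        inherited = self.stack[-1][1] if self.stack else False
        # colour is inherited unless the element declares its own
        self.stack.append((tag, inherited if color is None else color in WHITE_VALUES))
    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):  # tolerate unclosed tags
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break
    def handle_data(self, data):
        text = data.strip()
        if text:
            white = bool(self.stack) and self.stack[-1][1]
            (self.hidden if white else self.visible).append(text)

def hidden_text_report(html):
    """Split an HTML body into white (hidden) and visible text, plus the hidden share."""
    finder = HiddenTextFinder()
    finder.feed(html)
    finder.close()
    hidden, visible = " ".join(finder.hidden), " ".join(finder.visible)
    total = len(hidden) + len(visible)
    return {"hidden": hidden, "visible": visible, "hidden_ratio": len(hidden) / max(total, 1)}

# Constructed sample body (not taken from a real campaign).
SAMPLE = ('<body style="background-color:#ffffff"><p>Your invoice is attached.</p>'
          '<span style="color: #FFFFFF">garden weather recipe holiday</span>'
          '<font color="white">library <b style="color:black">notice</b> river</font></body>')
```

A high `hidden_ratio` is a signal to score alongside other features rather than a verdict on its own, since some legitimate templates use white text on coloured panels.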
Predictions for the future
It seems likely that the threat from ransomware will keep growing this year. Law enforcement has been slow to take action and the technology itself still has ways to develop.
Analysts at McAfee expect to see cyber crooks use machine learning to improve the social engineering they use to trick users into interacting with malware-carrying emails. These systems could also provide better targets for the emails.
Just like the rest of the software industry, the malware writers are shifting to constant development. Early ransomware strains changed every few months; modern variants are changing far more quickly.
McAfee also expects to see more attacks on hardware and firmware in 2017, not just applications. Internet of Things technology also provides new vectors for attack – late last year we saw the largest ever denial of service attack launched via a network of compromised IoT devices.
But it is not all bad news. Law enforcement is starting to take ransomware seriously – several big players have already been taken down and most observers expect more arrests this year.
Security vendors are also increasingly offering intelligent, automated behavioural systems to protect businesses instead of clumsy filters which rely on software signatures.
But alongside the best defensive technologies, companies also need to train staff to be aware of the risks and to know what to do if they suspect the company is being targeted.
This article is from the CBROnline archive: some formatting and images may not be present.