Ransomware has really captured the imagination of the public and, being truthful, it is a dream topic for me, a journalist – it is evocative, conjuring up images of ransom notes with mismatched lettering and harking back to Hollywood movies with kidnapping plots and explosions.
It is not, however, just the public who has become captivated with ransomware, businesses too are now scrambling to protect themselves from this growing cyber threat. But as ransomware continues to grab headlines worldwide, is the focus on this particular strain of malware justified? Or is it acting as a smoke screen, drawing the focus away from the more dangerous threats targeting today’s enterprise?
Let me be clear, ransomware is a serious problem and should be taken seriously by businesses. You only need look at some of the figures accompanying the aforementioned headlines to recognise the growing danger of this particular threat.
In January 2016, ransomware accounted for 18% of global malware payloads via spam and exploit kits. Fast-forward 10 months and Malwarebytes found that ransomware had skyrocketed to account for 66% of malware payloads – a staggering 267% increase.
This surge in growth can be attributed to how easy ransomware is for hackers; for $39 you can buy complete Ransomware as a Service solutions on the dark net, which require little technical know-how to deploy. Not only is it easy to stage an attack, but ransomware is incredibly lucrative – a $1 billion business according to the FBI.
Proofpoint’s Adenike Cosgrove told CBR: “Ransomware has proven to be a successful business model with attackers collecting more than $209 million from victims during the first three months of 2016 alone, and the volume of attacks was ten times higher than all of 2015. Ransom amounts have tended to be relatively fixed at $300-$1k per machine. As long as the return on investment remains high for attackers, it seems likely that ransomware will continue to be a significant threat.”
Ransomware certainly knocks businesses for six. By locking systems and data it makes itself impossible to ignore: it flashes on the screen and demands not only attention, but payment. Recent research found that over half of UK businesses pay the ransom – with data the oil of this digital world, businesses rush to unlock ransomed data or systems despite the fact that there is no guarantee the hacker will release what has been ransomed on receipt of funds.
The same Malwarebytes report found that 40% of companies with an average of 5,400 employees across the U.S., Canada, U.K. and Germany had experienced a ransomware attack. Of these victims, more than a third lost revenue and 20% had to stop business completely.
“Whether companies choose to pay the extortion or not, the real cost of ransomware is downtime and lost productivity,” Imperva’s Terry Ray told CBR.
“Even if victims have backup files or are willing to pay the ransom, the cost associated with productivity downtime adds up quickly. What’s more, the availability of ransomware-as-a-service combined with high profits for the attackers means ransomware attacks are likely to escalate in 2017.”
The stats and figures associated with ransomware make for grim reading, with many predicting that ransomware will only continue its upward trajectory – but are we right to regard it as the number one cyber threat to businesses today?
There is no denying that ransomware has turned the cyber landscape upside down – where once attackers prioritised stealth, wanting to go undetected, now they are unabashed with smash and grab ransomware attacks.
However, and this is a crucial point, if ransomware has successfully infiltrated your organisation, what other attacks do you not know about? Hackers who rely on companies failing to detect their attacks have not suddenly stopped, and ransomware can potentially distract the business while the crown jewels are being stolen.
“If [a business] has had 20 ransomware instances in the quarter, it means that they have had at least 20 stealth infections that they do not know about,” said Bromium President and co-founder Ian Pratt in a recent CBR interview.
“Ransomware is the thing that people are aware of, but actually it really isn’t going to be the most damaging thing, especially for a company with intellectual property. Stealth attacks cost you the real money.”
The real money that Pratt talks about is, more often than not, that oil of the digital age again – data. While script kiddies launch ransomware attacks to disrupt and extort, data theft can go undetected for years and hit not only the victim’s wallet, but also its brand, reputation and customer base.
“Looking at the enterprise, I see data theft as a top threat. Ransomware gets attention because it tends to be a noisy attack given that the attacker must notify the victim to get paid. Data theft requires the victims to find out for themselves they’ve been attacked, which can take years,” Imperva’s Terry Ray told CBR.
“The recent Yahoo breach of over a billion records going undetected for years is a clear sign that companies are not equipped to detect an internal attack on data resources, especially databases.”
This is where an important distinction must be made – those attacking with ransomware are cyber criminals with limited technical capabilities who are looking for an easy buck. Hackers, on the other hand, are the ones with technical know-how, who are adept at infiltrating networks and remaining undetected. It is the latter who pose the more serious threat to businesses.
“Enterprises face many risks from various threat actors. Taking an attacker-centric approach can often help companies focus on what are the most likely threats they face and focus on controls that can help prevent or minimize the impact,” said AlienVault security advocate Javvad Malik.
“Typically speaking, ransomware is usually not a targeted attack. Rather, it is used by cyber-criminals (not necessarily hackers) as a mechanism to make money.
“From that perspective, it could be viewed as a lower concern (but not necessarily lower threat) when compared to targeted attacks.”
One such targeted attack, emerging as an increasingly dangerous threat, is the highly targeted, low-volume business email compromise (BEC) attack. Unlike high-volume phishing attacks, BEC is a form of targeted spoofing campaign that impersonates corporate identities to steal data and commit fraud. According to recent Proofpoint analysis, 80% of organisations were hit with at least one BEC attack within one month.
“If we consider impact versus likelihood, BEC is by far the bigger security challenge for enterprises today. Highly targeted BEC attacks are hitting all industries, at a scale never seen before and the impact to a single organisation can run into millions in both hard and soft cost,” said Proofpoint’s Cosgrove.
“There is also a key distinction between the targets of ransomware attacks versus those of BEC – ransomware targets PCs, is largely mitigated by good backups, and is relatively cheap. By contrast, BEC attacks target business processes that are conducted, changed, or approved by email and have no simple technology mitigation.”
The biggest cyber threats differ from expert to expert, so maybe our focus is on the wrong aspect of cyber security. I accept that attackers and their different attack vectors must be analysed, but maybe the emphasis should be on our defences. After all, malware, hacking, indeed any attack vector, is only effective if it gets past security controls.
“If we take a step back and look at the security landscape as a whole for most companies, the biggest concerns don’t necessarily lie with the attacker techniques, but rather the security controls that are in place. Many companies still suffer from not having basic security in place, such as not hardening systems, particularly public-facing systems. Or not having an accurate asset inventory, network diagram, or even understanding of where vulnerabilities lie,” said Javvad Malik.
“While it may not be possible to prevent against all types of attacks, companies should at least take stock of their environments and be able to reliably detect when attacks do occur.”
Those vulnerabilities being used to gain access to networks are surely only going to get worse, with every company becoming a software company.
“As software develops and becomes seasoned, more and more loopholes, backdoors or plain and simple vulnerabilities become common knowledge. Mass changes to established software are not as easy as the security expert saying ‘it’s unsecure and needs changing,’” ESET’s Mark James told CBR.
“Often the logistics of doing so from a cost point of view could potentially be massive and not viable in the economic state, especially considering it’s for something that may or may not happen. For most companies the software infrastructure is the very core of everything they do, upgrades cost time and money.”
Ransomware grabs the headlines, but it would be foolhardy to think it is the only, or most serious, threat facing businesses today. In fact, McAfee has predicted that ransomware will remain a significant threat until the second half of 2017, when it expects anti-ransomware technologies and law enforcement actions to reduce the volume and effectiveness of ransomware attacks by the end of 2017.
Also, there is a simple solution to ransomware – backup. A similarly easy solution cannot be prescribed for targeted attacks by hackers, with Proofpoint’s Cosgrove advocating a multi-layered defence strategy that spans people, process and technology.
“Ransomware is a popular topic because it has all the makings of a good news story. It’s always got a flashy screen to show in a picture, it asks for money right now so people see the consequences immediately, and it’s a simple smash and grab kind of crime where anyone can understand the motives,” Lieberman Software’s Jonathan Sander told CBR.
“However, the mighty ransomware is thwarted by a practice as old as computers – backups. So if simple backups can beat ransomware, why is it such a problem for so many? The answer is because of the same reasons we gain weight even though we know we should eat well and exercise.”
Ransomware is not fake news, but don’t be fooled by the headlines.