Ransomware is a type of malicious software designed to block access to a computer system or computer files until a sum of money is paid. Most ransomware variants encrypt the files on the affected computer, making them inaccessible, and demand a ransom payment to restore access.
Ransomware code is often not sophisticated, but it doesn't need to be, because unlike many types of traditional malware, it usually does not need to remain undetected for long in order to achieve its goal. This relative ease of implementation versus high-profit potential attracts both sophisticated cybercrime actors, as well as novice ones to operate ransomware campaigns.
Most ransomware is delivered via email that appears to be legitimate, enticing you to click a link or download an attachment that delivers the malicious software. Ransomware is also delivered via drive-by-download attacks on compromised or malicious websites. Some ransomware attacks have even been sent using social media messaging.
Generic ransomware is rarely individually targeted, but rather a “shotgun” approach where attackers acquire lists of emails or compromised websites and blast out ransomware. Given the number of attackers out there, it will be likely that if you get hit multiple times, it will be by a different attacker.
Whether or not the ransom is paid, keep in mind that attackers will always try extracting useful data from a compromised machine. Assume all sensitive data on the machine was compromised, which could include usernames & passwords for internal or web resources, payment information, email addresses of contacts, and more.
Unfortunately, the methods that companies use to protect themselves from ransomware haven’t developed at the same pace as the malware authors. However, there are a few actions that organizations can take to help mitigate risk and limit the fallout of a ransomware attack.
The most important thing that organizations can do is make sure that they regularly and consistently back up data, but filter out potentially malicious websites and emails. If a ransomware attack is successful, they will at least have their important data accessible elsewhere.
Organizations can also deploy an anti-ransomware technology in order to prevent the execution of ransomware, either as a standalone tool or incorporated into the organizational anti-malware platform. Cybereason offers RansomFree, a free tool to protect PCs and servers from ransomware attacks.
According to the DOJ, an average of 4,000 ransomware attacks occurred per day in 2016 in the U.S., a 4x increase over 2015. The FBI reports more than $1 billion in ransoms were paid in 2016, up from 240M in 2015. In April 2017, Verizon published its 2017 Data Breach Investigations Report (DBIR), which confirmed the rise in these attacks.
The spikes are extreme, but for those familiar with ransomware, they come as no surprise. Ransomware is simple to create and distribute and offers cybercriminals an extremely low-risk, high-reward business model for monetizing malware. Combine that with how most companies and people are unprepared to deal with ransomware, and no wonder why it's become the fastest growing cyber threat to date.
Ransomware purveyors are often savvy e-marketers that know their targets. It is not uncommon for a ransomware gang to run multiple campaigns at the same time, with tiered pricing based on a variety of parameters such as vertical industry, region, age, etc. While ransoms have surpassed the hundreds of thousands mark, the goal is to set a price that makes it either cheaper or easier for the victims to pay the ransom than to recreate or restore the compromised systems, especially when the victim has a sense of urgency.
The end result is a whole new economy for cybercrime, one with risk management gaps that allow it to thrive. One significant gap is that the cyber insurance industry is in many cases useless when it comes to ransomware. Most policies have an “extortion” clause, but the deductibles are cost prohibitive and require hundreds of thousands to be extorted before the insurance will kick in. Plus, policies are typically invalidated if a cyber-extortion clause is publicly disclosed.