According to recent reports, ransomware is now a billion-dollar business for cybercriminals. Attackers are homing in on the weak spots of organisations: human behaviour, exploited through social engineering, and ineffective cyber protection techniques based on static analysis. They’ll lure individuals to open phishing emails, or simply wait for users to click on a compromised website, before executing malware that alters data and corrupts or deletes backups.
Certainly, these figures point to the fact that cybercriminals have tapped into a lucrative form of attack and ransomware has become one of the more prolific means of targeting organisations. From our own findings, nearly half of all businesses reported that they had been attacked by ransomware in the past year, with 81% of companies indicating that they’ve suffered from three or more attacks. Ransomware, it would appear, is ramping up.
Given the prevalence of ransomware attacks and the impact they can have, it is perhaps not surprising that organisations now express a sense of powerlessness and are prepared to accept that cyber criminals are ahead of the game. In fact, a third of all organisations now report that they feel helpless in the face of these attacks.
Is this the new reality? Should users feel they’ve been left ‘high and dry’ when it comes to protecting themselves against different variants of ransomware or is there hope that they can arm themselves and avoid the operational and financial fall-out that a ransomware attack leaves in its trail?
Are we resigned to ransomware attacks?
For the victims of ransomware that have had their data and, in effect, their business held hostage, there can be serious repercussions, with businesses grinding to a halt or being forced to put emergency contingency plans into action. Organisations may suffer the loss of irreplaceable data or the financial consequences of downtime, compounded by the man-hours and human resources which need to be dedicated to decrypting data or restoring it from backups.
In November, hackers infected and took over more than 2,000 computers used to operate San Francisco’s public transport system. This resulted in the Municipal Transportation Agency (MTA) opening its gates and allowing passengers to travel for free. Ransomware attacks can even put the safety of individuals at risk, as seen when an attack on the Hollywood Presbyterian Medical Centre in the US took systems offline for a week and caused massive disruption to its healthcare systems. In the UK, an attack on the computer network at Northern Lincolnshire and Goole NHS Trust in October encrypted a number of the Trust’s servers, resulting in the cancellation of operations and appointments.
It seems there is also a direct impact for security teams in the aftermath of an attack with not only the reputation of the organisation damaged, but jobs being put at stake. In our research, nearly a quarter of organisations which experienced an attack reported that the buck stops squarely with the Head of Security and that a senior member of security staff had lost their job in the wake of an attack.
Perhaps, unlike other forms of cyber attack, the very nature of a ransomware attack can make organisations feel resigned to the fact that the cyber criminals are winning. Loss of data, revenue, downtime and the ‘human’ impact can be devastating. However, in spite of organisations’ sense of powerlessness, should they feel that the fight against ransomware is futile? Is ransomware, in any way, less preventable than other forms of malware?
The fact that so many organisations are being attacked, multiple times, indicates that traditional, signature-based detection methods, which look at the identifiable characteristics of malware – such as the servers it’s communicating with – are not adequate to protect against ransomware.
Examining the characteristics of ransomware, however, we can see that it’s actually not so different from other forms of malware. What’s different is the payload and the after effect that this has on a company.
In common with other viruses, ransomware is designed to hide itself from detection through encryption or evasion techniques such as wrappers – which protect executable files – enabling malware to bypass every security mechanism. Signature-based methods will not identify malware that has been modified or obfuscated. Nor can they detect malware which has been designed to recognise when it’s in a virtualised environment, a technique used by the Cryptowall ransomware. Attackers can quickly adapt and create more variations on a theme that will render these static techniques redundant.
We must look for different ways of protecting against threats and detecting new malware variants. Approaches which analyse the malware’s behaviour and determine a threat’s next action based on attack patterns, techniques and crowd-sourced threat intelligence will remove this blind spot in malware detection and protection. Focussing on the malware’s behaviour means that we’re not reliant on static indicators that can be easily changed.
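The contrast between a static indicator and a behavioural one can be shown on a small constructed event log. The following is an added example, not code from the original article or from any product: the event format, process names, placeholder hashes and thresholds are all assumptions chosen for illustration.

```python
import math
from collections import Counter, defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted output sits near 8.0, ordinary documents well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

# Constructed sample data, not taken from any real incident.
KNOWN_BAD_HASHES = {"hash-of-known-sample"}       # placeholder signature list
CIPHERTEXT_LIKE = bytes(range(256)) * 4           # uniform bytes, entropy 8.0
PLAINTEXT_LIKE = b"Quarterly report draft, revision 3.\n" * 20

# Each event: (process, image_hash, action, path, bytes_written)
EVENTS = (
    [("proc_known", "hash-of-known-sample", "write", f"/docs/a{i}.docx", CIPHERTEXT_LIKE)
     for i in range(6)]
    # Same behaviour, but repacked so its hash no longer matches the signature.
    + [("proc_repacked", "hash-after-repacking", "write", f"/docs/b{i}.xlsx", CIPHERTEXT_LIKE)
       for i in range(6)]
    + [("proc_repacked", "hash-after-repacking", "delete", "/backup/full.bak", b""),
       ("editor", "hash-of-editor", "write", "/docs/report.docx", PLAINTEXT_LIKE),
       ("backup_agent", "hash-of-agent", "delete", "/backup/old.bak", b"")]
)

def signature_verdict(events, known_hashes):
    """Static check: flag a process only if its image hash is already known."""
    return {proc for proc, image_hash, *_ in events if image_hash in known_hashes}

def behaviour_verdict(events, entropy_min=7.5, files_min=5):
    """Behavioural check: flag mass rewrites of files with ciphertext-like data.
    Backup deletion is recorded as corroboration, not as a trigger on its own."""
    rewritten, deleted_backup = defaultdict(set), set()
    for proc, _hash, action, path, data in events:
        if action == "write" and shannon_entropy(data) >= entropy_min:
            rewritten[proc].add(path)
        elif action == "delete" and path.endswith(".bak"):
            deleted_backup.add(proc)
    findings = {}
    for proc, paths in rewritten.items():
        if len(paths) >= files_min:
            findings[proc] = [f"{len(paths)} high-entropy rewrites"]
            if proc in deleted_backup:
                findings[proc].append("backup deleted")
    return findings

if __name__ == "__main__":
    print("signature:", signature_verdict(EVENTS, KNOWN_BAD_HASHES))
    print("behaviour:", behaviour_verdict(EVENTS))
```

The signature check flags only the process whose hash is already listed, while the behavioural check flags both it and the repacked one and leaves the editor and the backup agent alone.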
Ransomware may be on the rise, but there are approaches that can help organisations in the fight back against this stealthy and burgeoning threat. Cybercriminals are developing new techniques, but innovative approaches that can discover and stop this new breed of threats mean the fight is far from lost.