Ransomware is rising to epidemic proportions. Attacks are growing not only in number but also in sophistication. Ransomware – where hackers take control of a system and demand money to release it – is morphing into the scariest digital threat.
The inflection point came earlier this year when attackers encrypted the entire system of Hollywood Presbyterian Medical Center in Los Angeles, which then had to pay $17,000 in bitcoin to regain control of its systems.
And since then the number of such attacks has been growing.
Most victims of ransomware prefer to pay rather than lose their data, which in turn feeds the whole ransomware ecosystem and gives rise to more attacks. And payment through Bitcoin makes it harder to trace the culprits.
The spurt in ransomware cases has shaken everyone, be it a big or small enterprise or an individual; absolutely no one is safe.
Based on data from FireEye Dynamic Threat Intelligence, ransomware activity globally has risen fairly steadily since mid-2015. In India, ransomware detections increased 292 times from November 2015 to February 2016.
Earlier this year Economic Times reported how hackers targeted three banks and one pharma company and demanded ransom in bitcoin.
Recently, the Kerala Forest Department’s crucial financial and accounts data was hit by ransomware attackers, who encrypted its files. Organizations across the board need a new strategy to battle ransomware.
Money, to be precise, is the sole motivation for the attackers and they will not discriminate between a large or a small organisation or an individual. However, smaller organisations are attractive victims because they have limited security resources and expertise.
“The current wave of ransomware families can have their roots traced back to the early days of Fake AV (Fake Anti-Virus), through Locker variants, and finally to the file-encrypting variants that are prevalent today. Each distinct category of malware shares a common goal – to extort money from victims through social engineering and outright intimidation. The demands for money have grown more forceful with each iteration,” informs Sunil Sharma, VP (Sales, India and SAARC), Sophos.
The fact that 55% of Indian companies surveyed by Sophos have already faced a form of ransomware attack proves the menace that it is causing in the country.
Why the spurt in ransomware?
Today, Ransomware has taken the form of an epidemic.
No week passes by without a news about a ransomware attack.
At the recently concluded Cyber Security Weekend for Asia Pacific Countries conducted by Kaspersky Lab, it was revealed that the number of ransomware incidents detected in APAC soared in July and August compared to February and March (114%).
India takes the cake when it comes to having the largest number of ransomware infections, followed by Vietnam, as per cybersecurity firm Kaspersky. The use of smart devices is increasing rapidly in the country, and people now prefer online transactions, be it purchasing goods or paying bills, but the absence of proper protection on the devices and the failure to follow some basic best practices when online make them easy targets for cybercrime.
“India is an attractive country for hackers because of the sheer numbers, which are sure to grow even further in the coming years,” says Altaf Halde, Managing Director (South Asia), Kaspersky Lab.
A host of factors are fuelling the rise of ransomware.
First, simplicity: Once the hacker is able to access the user’s system, the only option left for the victim is either “pay or lose data.” And we know no one can afford to lose their data, so most of us end up paying the ransom.
Second, the mode of payment: Hackers demand that payment be made through Bitcoin, which makes the whole process anonymous and almost untraceable, and thus an attractive mode of payment for fraudsters.
Third, users believe the threat is unbeatable. “Businesses and individuals are not aware of the technology countermeasures that could help to prevent infection and the locking of files or systems; and by ignoring basic IT Security rules they allow cybercriminals and others to profit,” says Halde.
Fourth, freely available ransomware source code: Exploit kits are readily available, easy to use, low risk and offer a high reward in return (ROI).
“Criminals no longer need to have expertise in coding to launch an attack. Anyone can become a hacker through the easy availability of exploit kits that have been instrumental in the spread of phishing attacks that lead to ransomware,” explains Sharma.
Fifth, Ransomware-as-a-Service (RaaS): The rise of RaaS is making it easier for new groups to enter the field.
“Another threatening trend is the RaaS business model where cybercriminals pay a fee for the propagation of malware or promise a percentage of the ransom paid by an infected user,” says Halde.
“Cyber criminals understand that systems are not often patched with the latest security updates, and effective data backup strategies are still not widely used and practiced,” informs Sanjay, Joint MD and CTO, Quick Heal Technologies Ltd.
Mirror mirror on the wall …
Crypto-ransomware has emerged as the most fearsome variant of ransomware, and its consequences can be very severe.
CryptoLocker was the most well-known ransomware until it was shut down in 2014. More advanced forms of ransomware have taken its place, such as CryptoWall, TeslaCrypt and more recently, Locky.
According to a security report, 2015 was a record year with 100 new ransomware families discovered. All but one of the new variants discovered so far in 2016 are crypto-ransomware, which uses strong encryption on the user’s files. If the victim has no defence and/or no back-ups, paying the ransom may be the only alternative.
In most cases victims are rendered helpless, and the only way out they see is to pay, which in turn brings a lot of money into the underground ecosystem that has grown up around this malware. This creates a vicious circle, which is why new cryptors are appearing almost daily.
“The irreversible consequences of this kind of malware infection, along with the high value data that is being encrypted by ransomware tempts victims to pay for decryption, which in turn draws more cybercriminals into the business,” informs Altaf.
A recent Sophos study found that at least 55% of the organizations surveyed in India (790 organizations) had been attacked by a form of ransomware. Ransomware is certainly a growing problem across industries. Education, government, and healthcare are most vulnerable to ransomware attacks.
Organizations in Education had the highest rate of ransomware, with at least one in ten experiencing ransomware on their network according to a Bitsight insight report, The rising face of cyber crime: Ransomware. The report also listed that 133 healthcare organizations, 115+ companies in finance, and 67 different Government organizations had ransomware on their corporate networks over the last year.
“Some 13% of education industry organizations were attacked by ransomware in the past year, compared to about 6% of government agencies and 3.5% of healthcare organizations. The lowest risk was in the financial sector, with only 1.5% of companies affected, as per some reports,” informs Govind Rammurthy, CEO and Managing Director, eScan.
Traditional security software
This brings us to the next question: How helpful is traditional endpoint security software at detecting ransomware? Well, not much, it seems.
According to FireEye, traditional security solutions rely on static analysis and signatures to detect and block known threats. Ransomware attackers can test those defences and adjust their tactics to bypass them.
Ransomware is often encrypted, which greatly delays detection. Furthermore, the attacks are tailored and customised to the intended recipient, so a standard detection process fails to catch them.
Sometimes organisations become lax in their attitude towards security and fail to follow security best practice. Insufficient implementation of security layers in organisations also leads to attacks on them.
“Traditional security solutions rely on static analysis and signatures to detect and block known threats. Ransomware attackers can test those defences and adjust their tactics to bypass them,” adds Vipul Kumra (Regional Systems Engineer), FireEye India.
New variants of ransomware can avoid detection by anti-virus products that require unique signatures to be added to their database.
“Anti-virus products that rely on signatures alone are unable to detect previously unseen versions of the malware. A new wave of next-generation or signatureless endpoint security products are needed to run alongside traditional endpoint security to detect today’s sophisticated attacks,” informs Sharma.
Quick Heal’s Katkar says, “Antivirus (up-to-date) is still one of the best methods to protect yourself against known ransomware in the wild. With an added layer of proactive protection capabilities, you strengthen the defence layer. At the same time, security vendors deploy multi-layered solutions to tackle the menace of ransomware.”
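The signature-versus-behaviour point made above, as an added illustration that is not from the article or from any vendor quoted in it: a minimal behaviour heuristic that flags a process which rewrites many files into random-looking content with a swapped extension inside a short window, something a signature for a known sample cannot do for a new variant. The event format, thresholds, paths and the sample event log are all constructed assumptions.

```python
"""Behaviour-based ransomware heuristic over a constructed file-event log."""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4, ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_suspicious_write(path_before, path_after, old, new, jump=2.0):
    """One rewrite looks like encryption when the content became much more
    random AND the extension was swapped (e.g. .xlsx -> .xlsx.locked)."""
    ext_changed = path_before.rsplit(".", 1)[-1] != path_after.rsplit(".", 1)[-1]
    return ext_changed and shannon_entropy(new) - shannon_entropy(old) >= jump


def max_suspicious_in_window(events, window=10.0):
    """events: (t_sec, pid, path_before, path_after, old_bytes, new_bytes).
    Returns {pid: most suspicious rewrites seen inside any `window` seconds}."""
    times = defaultdict(list)
    for t, pid, pb, pa, old, new in sorted(events, key=lambda e: e[0]):
        if is_suspicious_write(pb, pa, old, new):
            times[pid].append(t)
    result = {}
    for pid, ts in times.items():          # sliding window over sorted times
        best, start = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        result[pid] = best
    return result


def flag_processes(events, window=10.0, min_files=20):
    """PIDs whose burst of suspicious rewrites reaches min_files (assumed cut-off)."""
    counts = max_suspicious_in_window(events, window)
    return sorted(pid for pid, n in counts.items() if n >= min_files)


# Constructed sample (not real data): PID 4242 rewrites 25 documents as
# random-looking .locked files in 6 seconds; PID 1001 is a normal user edit.
PLAINTEXT = b"Quarterly accounts summary, forest division, line item " * 20


def pseudo_ciphertext(i):
    """Deterministic stand-in for encrypted output (1 KiB of SHA-256 digests)."""
    return b"".join(hashlib.sha256(f"{i}:{k}".encode()).digest() for k in range(32))


SAMPLE_EVENTS = [(0.25 * i, 4242, f"/srv/accounts/report{i}.xlsx",
                  f"/srv/accounts/report{i}.xlsx.locked", PLAINTEXT,
                  pseudo_ciphertext(i)) for i in range(25)]
SAMPLE_EVENTS.append((2.0, 1001, "/home/user/notes.txt", "/home/user/notes.bak",
                      PLAINTEXT, PLAINTEXT + b"one more line\n"))

if __name__ == "__main__":
    print("flagged:", flag_processes(SAMPLE_EVENTS))
```

In practice the events would come from a file-system audit source rather than a list, and the thresholds would be tuned against normal activity on the host.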
How does it spread?
Most of the time it just takes an innocent click on what otherwise seems to be a genuine mail attachment for the ransomware to control the whole system. And bang, you are in deep trouble.
Email-based ransomware is generally used in targeted attacks, and relies on a variety of methods, including phishing, spear phishing, malicious attachments and URLs.
At other times, it can be compromised websites that redirect users to servers hosting exploit kits.
Cyber crooks not only target individuals and email addresses but most importantly human psychology (popularly known as social engineering) informs Sophos.
In a recent geomalware study by Sophos Labs, India was amongst the TOP 5 vulnerable countries to phishing attacks with a Threat Exposure Rate of 16.9%. Geomalware refers to attackers using techniques which are unique to a particular geography and will enable them to hook their baits more effectively.
What is frightening is that exploit kits are readily available on the dark web and are used by criminals to gain entry into the network. Phishing is the most common technique used by crooks to get hold of your network and data.
Another popular mode of attack is Malvertising – malware hidden behind lucrative advertising.
“Web-based attacks tend to use drive-by exploits that target browser, platform or system vulnerabilities, or rely on malicious URLs or malvertising that may redirect users to sites that host exploit kits,” says FireEye’s Kumra.
IoT and ransomware
With the rapid rise in Internet-connected devices, more popularly termed the Internet of Things (IoT), the IoT ransomware threat is more serious than ever. Today, IoT devices have become a preferred choice for cyber attackers, who can manipulate them using malware or ransomware to hijack the systems, cripple the network, or steal users’ valuable data or financial information.
“Also, with the growing awareness of ransomware affecting traditional computers, attackers may turn to IoT to find new and easy targets,” adds Sharma.
Why is it easier for cyber attackers to hijack the IoT devices?
Ramamurthy replies, “One of the key reasons being the different standards of embedded software used to develop IoT devices and the difficulty to provide any vulnerability update to the devices already sold or in use. These devices at times are huge in numbers and it is virtually impractical to provide the vulnerability patch updates, due to lack of user awareness. Cyber criminals are very much aware about these lacunas and use it to their advantage to use IoT devices as bots or ransomware attacks.”
Last year, Kaspersky Lab predicted that 2016 will see ransomware spread to new frontiers such as the Internet-of-Things — Internet-connected devices and appliances over which users have little technological control.
“Ransomware’s direct monetization model is very appealing to cybercriminals, and its consumer model is savvy in demanding relatively little money from each victim,” says Halde.
To understand the significant rise in ransomware attacks, Kaspersky Lab conducted a survey which revealed that the majority of consumers are unaware of what ransomware is, and the rest of the users don’t know what to do in the event of an attack.
A lack of comprehension around ransomware shows how vulnerable consumers are to this rapidly developing form of cybercrime informs Halde. “As long as people are willing to click on attachments in emails or visit suspicious websites to see the latest viral video, cybercriminals will continue to prey on them using ransomware,” he warns.
According to an FBI estimate early this year, $209 million was lost in the first three months of 2016 in extortion money paid to cyber-criminals by businesses and institutions to unlock their computer servers, informs Sophos.
According to Halde, “The complete extent of losses are tough to determine, because the figures only reflect what is reported. The actual losses are bound to be much higher than the official figures. It’s safe to say that several millions of dollars have been lost in both, data loss as well as paying up in ransom.”
FireEye iSIGHT Intelligence observed one ransomware family generate illegal gains of USD 1 million over a six-month period in 2015.
Predictions for 2017
While 2016 will definitely go down as the year of ransomware, Sophos expects these attacks to become more sophisticated in 2017.
In the coming years, Halde sees ransomware getting smarter and tougher to detect. “The CoinVault malware was so good that even the FBI had to acknowledge it. By popular, trusted worldwide estimates, the cost of ransomware is expected to exceed a whopping $1 billion,” he informs.
In addition, Sophos further predicts social engineering threats continuing to be popular in 2017 including HD phishing (high definition phishing which is hackers buying data from known breaches and using that data to create very convincing phishing emails). Document and macro malware will also continue where users may receive emails asking them to “enable macros” to read the full document and this downloads the malware.
Exploit kits will continue to be popular in 2017, and there will be an increase in “in-memory” attacks.
Better be safe than sorry
Prevention is better than cure and to stay safe everyone needs to take proactive measures so as not to fall prey to such a scenario. Some of the best practices to stay protected from ransomware attacks and threats to follow include:
- Back up regularly and keep a recent backup copy off-site – The more updated your backup, the more secure you are. Adopt this best practice as a part of your online activity as soon as possible to successfully ward off any kind of ransomware.
- Use a reliable security solution – And when using it do not turn off the advanced security features which it most certainly has. Usually these are features that enable the detection of new ransomware based on its behavior.
- Don’t enable macros – As a part of a security measure Microsoft turned off auto-execution of macros by default many years ago. So if a favourite site tells you to turn them on, see this as a red flag and never ever turn macros back on.
- Be cautious about unsolicited attachments – Crooks often take advantage of your dilemma that you can’t tell if the file is the one you want until you open it. So, if ever in doubt better dump the mail.
- Stay up-to-date with new security features – Doesn’t sound that exciting but nevertheless you still have to do it. Sorry, there is no short-cut here.
- Use only a respected security suite – Trying to save money by not buying a trusted security suite that works is rarely a wise decision. Cheaper ones may not do their job and could end up costing you a fortune in data loss.
- Always report an attack to the police in order to start an investigation.
- Don’t pay – Last but not the least, if under ransomware attack never ever pay.
The low overhead cost (hackers need no technical expertise to unleash ransomware, since an exploit kit can easily be obtained on the web) and the easy money, as victims end up paying most of the time, have led to the proliferation of such attacks. Though each ransom may be small in amount, ransomware is increasing fast, and everyone needs to take precautions to prevent it from happening to them.