By Alan Zeichick
Principal Analyst, Camden Associates
Ransomware is a huge problem that’s causing real harm to businesses and individuals. Technology service providers are gearing up to fight these cyberattacks – and that’s coming none too soon.
In March 2016, Methodist Hospital reported that it was operating in an internal state of emergency after a ransomware attack encrypted files on its file servers. The data on those servers was inaccessible to the Kentucky-based hospital’s doctors and administrators unless the hackers received about $1,600 in Bitcoins.
A month earlier, a hospital in Los Angeles paid about $17,000 in ransom money to recover its data after a similar hack attack. According to the CEO of Hollywood Presbyterian Medical Center, Allen Stefanek, “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key.”
As far as we know, no lives have been lost due to ransomware, but the attacks keep coming – and consumers and businesses are often left with no choice but to pay the ransom, usually in untraceable Bitcoins.
The culprit in many of the attacks — but not all of them — is a sophisticated trojan called Locky. First appearing in 2013, Locky is described by Avast as using top-class features, “such as a domain generation algorithm, custom encrypted communication, TOR/BitCoin payment, strong RSA-2048+AES-128 file encryption and can encrypt over 160 different file types, including virtual disks, source codes and databases.” Multiple versions of Locky are on the Internet today, which makes fighting it particularly frustrating. Another virulent ransomware trojan is called CryptoLocker, which works in a similar way.
Ransomware is a type of cyberattack where bad actors gain access to a system, such as a consumer’s desktop or a corporate server. The attack vector might be provided by downloading a piece of malware attached to an email, visiting a corrupted website that runs a script that installs the malware or by opening a document that contains a malicious macro that downloads the malware. In most ransomware attacks, the malware encrypts the user’s data and then demands an untraceable ransom in order to either decrypt the data or provide the user with a key to decrypt it. Because the data is encrypted, even removing the malware from the computer will not restore system functionality; typically, the victim has to restore the entire system from a backup or pay the ransom and hope for the best.
As cyberattacks go, ransomware has proven to be extremely effective at both frustrating users and obtaining ransom money for the attackers.
Beyond the ransom demands, of course, there are other concerns. Once the malware has access to the user or server data… what’s to prevent it from scanning for passwords, bank account information, or other types of sensitive intellectual property? Or deleting files in a way where they can’t be retrieved? Nothing. Nothing at all. And even if you pay the ransom, there’s no guarantee that you’ll get your files back. The only true solution to ransomware is prevention.
RANSOMWARE’S SCOPE AND IMPACT
The U.S. Federal Bureau of Investigation received 2,453 complaints about ransomware cyberattacks in 2015, which the FBI says cost the victims more than $24 million dollars in ransom. Who knows how many people quietly paid and didn’t tell anyone, because of shame, perhaps, or lack of knowledge about who to tell?
One top network security vendor, Wedge Networks, has seen huge growth on the carrier networks that its service monitors. “On those networks”, says CEO James Hamilton, “We saw a 100% increase in the observed number of ransomware attacks detected in 2015 verses 2014, and a 50% increase in mobile ransomware from Q4 2015 to Q1 2016.”
Wedge Networks is an Alberta, Canada-based company with extensive customer deployments across Canada, the United States and Asia Pacific. Mr. Hamilton explains that “Last year, our customers in Canada reported more ransomware attacks (as a percentage) than we observed in the U.S. In APAC, Japan and Taiwan are experiencing a slower increase in ransomware than we’re seeing in Southeast Asia, possibly due to more mature and advanced security practices in those markets.”
Mr. Hamilton continues, “Just last week I was discussing ransomware with a service provider planning to roll out Security-as-a-Service in a major Southeast Asia market and they stated that ransomware has become more widely active in their country over the past 12 months. Previously it was very infrequent, but they are seeing it spread rapidly.”
Jason Steer, EMEA Solutions Architect for Menlo Security, based in Menlo Park, Calif., explained that while consumers can lose important files, especially irreplaceable financial documents and personal photos, ransomware can be devastating for businesses.
“For enterprises, ransomware is a major pain and slows them down from getting on with their key IT-related business functions,” Mr. Steer explains, adding that Menlo Security focuses on malware prevention. “We have met many customers where every local file and central server stored file has been encrypted by ransomware. This impacts every user accessing any central file on the network and for any user impacted it encrypts every local file on their PC as well.”
The impact? “You are dependent on the age of the most recent backup and may not be able to restore every file. The cost of losing that data may be minimal or large depending on the importance of the file.”
Cylance has seen some pretty devastating ransomware damage recently. A cybersecurity firm based in Irvine, Calif., the company is spending a lot of time helping its customers prevent ransomware attacks, as well as helping new victims recover from trojans. Andy Solterbeck, Regional Director APAC for Cylance, explained about Angler, a cyberattack exploit toolkit that hackers can use to customize their own attacks – kind of a do-it-yourself starter kit. The damage from Angler: “It’s currently causing 90,000 infections per day, and bringing in at least $60 million dollars per year.”
There are so many attack vectors, it’s virtually impossible for a consumer – or an IT professional – to keep track of them all. Jayendra Pathak, Chief Architect at NSS Labs, a top tech security analyst firm based in Austin, Tex., says “Adobe Flash is becoming an extremely troublesome vector towards delivering ransomware. Microsoft Word attacks are also on the rise, exploiting human weaknesses in opening email attachments.”
The days of paying a few hundred dollars as ransom may be over, as cyberattackers target businesses, Mr. Pathak adds. “On top of that, ransomware authors are moving to more targeted campaigns aimed at the enterprise. Asking ransom for hundreds of thousands of dollars is on the near horizon. NSS Labs has tracked thousands of infections primarily coming from drive-by campaigns.” He adds that while ransomware is a problem all over the world, it is more prevalent in areas where online payment systems are extremely common. “The United States and Europe are primarily targeted. Japan, Korea, China, and Singapore’s ransomware infection rates are relatively less in comparison to Europe and the U.S. However, APAC countries must take note of the prevalence of ransomware attacks in the U.S. and Europe. Now is the time to be embracing preventative cybersecurity measures.”
THE INDUSTRY RESPONDS
For consumers, the best way to prevent a ransomware attack is to be proactive. Backup often, and maintain many backups so that recovery can pre-date the infection. Don’t click on email attachments. Use up-to-date anti-virus and anti-malware tools and services. Don’t use old versions of Web browsers that lack current protections. Disable macros in Microsoft Word and Microsoft Excel, and consider uninstalling Adobe Flash. Even then, however, there is no guarantee that systems will be protected against ransomware.
In the enterprise, and on carrier networks, there are larger-scale tools that can be more effective. For example, Menlo Security offers an isolation platform that ensures that malware cannot touch the end user’s laptop, desktop or mobile computer, or infect a corporate server, explains Mr. Steer. It’s ideal for implementation by enterprise IT and security professionals.
“Isolation is a new concept on the block to help organizations become more resilient to attacks. Enabling endpoints to be more secure and robust ensures they get hacked less and the fallout of data and intellectual property loss is reduced,” he says. “Gartner considers isolation as key in the malware prevention capability: It’s what administrators can do to prevent their users running into bad things through no fault of their own.”
Wedge Networks’ customers are carriers and cloud service providers, who want to detect and block malware – including ransomware – before it ever gets close to the end-customer’s network or devices. Its technology is based in the cloud, and that’s where Mr. Hamilton says security like this belongs.
“One of the biggest breakthroughs is the realization that security needs to evolve from an endpoint and perimeter paradigm to a cloud-based connectivity paradigm in order to close gaps with today’s IT model,” he explains. “The network, the users, and their devices are no longer static. They are dynamic and constantly moving and changing. As a result, the only way to secure the network is to secure the connections for everything connecting to that network. This can only be achieved by moving security to the cloud-layer of the network, which has visibility of everything connecting to the network.”
How does Wedge Networks’ technology protect against ransomware? “Our Wedge Cloud Network Defense was purpose-built to run in the cloud to support virtually unlimited scale, and to support the multi-tenancy operational requirements of service providers that want to offer Security-as-a-Service to their customers,” Mr. Hamilton describes. “Cloud Network Defense dynamically scales up or down cloud-compute resources to support the widely varying security workloads of their customers with efficiency and sustained performance.” In other words – it blocks ransomware trojans and related threats without affecting network performance or application response time.
Cylance’s Mr. Solterbeck explains how his company addresses ransomware: Artificial Intelligence. “We apply the power of Machine Learning and Artificial Intelligence to the problem of malware detection,” so that even if the attack has never been seen before, Cylance’s technology can successfully block it. “CylancePROTECT predicts cyberattacks and blocks them on the endpoint in real-time before they ever execute – and that includes malware like ransomware, memory attacks, unauthorized scripts and privilege escalations that can give hackers complete access to your systems.”
THE PROBLEM WILL GET WORSE
The bad news is that malware, including ransomware, is on the rise. The good news is that the cybersecurity industry is responding with tools and services that can help protect businesses and consumers. Don’t get complacent, however: There will always be malware, and ransomware isn’t going away. “There is no magic fairy dust to solve this problem on the near horizon/in the near future, says NSS Lab’s Mr. Pathak. “The effective solution to combat this threat is keeping applications up to date, not putting implicit trust on anything that is received via email, disabling macros altogether, and keeping backups regularly.”
Have you done your backups? If not… now is the time.