Ransomware’s targets are changing, and the stakes are rising. Traditionally, ransomware attackers have gone after individual PC users and demanded their ransom in virtual currency known as bitcoins. The attackers kept the ransom relatively small — about $300 — so victims had an incentive to pay. But the early successes have opened wider horizons. Ransomware attackers are now targeting big companies with deep pockets, and the ransom demands are higher. Much, much higher.
Hospitals are attractive targets
Ransomware got a lot of attention earlier this year when Hollywood Presbyterian Medical Center in California was hit by a ransomware attack and had to resort to pen and paper to take care of patients because its computers were unavailable for more than a week. The hospital ended up paying the $17,000 ransom to regain its data and computer system.
This attack was followed by a rash of ransomware attacks on hospitals in California, Indiana, Carolina, Kentucky, Maryland, and Washington, D.C. Some hospitals paid the ransom; others were able to restore their computers and networks using backup systems and data.
Hospitals are not the only ones in the ransomware attackers’ crosshairs. Large companies in the financial-services industry and other key sectors are being targeted, and attackers are demanding big bucks to free up the data of victims, according to two recent reports.
40 percent of firms hit by malware
A report released in early August found that close to 40 percent of firms around the globe were hit by ransomware attacks last year. In fact, more than one-third of victims lost revenue and 20 percent even had to shut down their business completely, according to the report, The State of Ransomware, by Osterman Research on behalf of Malwarebytes.
Osterman polled 540 chief information officers, chief information security officers, and IT directors in the U.S., U.K., Canada and Germany and found that nearly 60 percent of all ransomware attackers in the enterprise demanded more than $1,000 in ransom, and more than 20 percent of attackers asked for more than $10,000. But it goes beyond the money. About 3.5 percent said “lives were at stake” because of the devastating aftereffects caused by a successful ransomware attack.
More than 40 percent of victims paid the ransom, with Canadian firms being the most likely to pay. Health care and financial services were the leading industries hit by ransomware globally.
As a result of the ransomware attacks, close to two-thirds of businesses spent more than an entire business day trying to fix their computers, which of course required them to be taken offline.
“Over the last four years, ransomware has evolved into one of the biggest cyber security threats in the wild, with instances of ransomware in exploit kits increasing 259 percent in the last five months alone,” said Nathan Scott, senior security researcher at Malwarebytes.
“Cybercriminals are increasing their use of ransomware in their attack strategies globally, causing business disruption, loss of files and wasted IT man-hours. In order to stay safe, businesses must invest heavily in both employee education and technology,” added Marcin Kleczynski, CEO of Malwarebytes.
Ransomware is a moneymaker
The second report (signup required), by tech behemoth Cisco, warned that “ransomware has become a particularly effective moneymaker, and enterprise users appear to be the preferred target.” In fact, Cisco’s 2016 Midyear Cybersecurity Report noted that ransomware has become the most profitable malware type in history.
Both reports confirm what many big companies have learned: No longer content to encrypt data on individual PCs, many attackers have altered their attack vectors to go after corporate networks, scoring big money by holding entire companies as hostages.
Criminals are particularly interested in vulnerabilities in Red Hat’s Java-based JBoss enterprise application servers. A full 10 percent of Internet-connected JBoss servers worldwide were compromised, according to Cisco data. Many of these JBoss vulnerabilities were identified five years ago, meaning that basic patching and vendor updates could easily have prevented such attacks.
Other issues that make companies vulnerable to ransomware attacks include fragile infrastructure, poor network hygiene, and slow detection rate, which provides lots of time for attacks to operate in the network.
And it may get worse. Cisco predicts future ransomware attacks will limit CPU usage and refrain from communicating with the criminal’s command-and-control servers, making detection harder. These new ransomware strains will spread faster and self-replicate within companies before conducting ransom activities.
What firms can do
According to Cisco, there are steps that firms can take to stop ransomware before it locks up their data:
- Improve network security by monitoring the network, deploying patches and upgrades on time, segmenting the network, and implementing defenses at the edge.
- Integrate defenses by using an architectural approach to security instead of deploying niche products.
- Measure time-to-detection of breach, insist on fastest time available to uncover threats, and then mitigate against them immediately.
- Protect employees everywhere they are and wherever they work, not just when they use corporate equipment on the corporate network.
- Back up critical data and routinely test effectiveness while confirming that backups are not susceptible to compromise.
- Develop and test an incident-response plan that will enable a swift return to normal business operations following an attack.
- Move quickly to patch known vulnerabilities in software and systems, including routers and switches.
- Educate users about the threat of malicious browser infections and how threat intelligence can help thwart ransomware attacks.
The bottom line is companies and organizations need to understand the ransomware threat and take steps now to prevent an attack later. Probably the most important step is for companies to securely back up their data by using a cloud-based data backup and recovery service.
Organizations that fail to prepare for ransomware attacks may end up returning to paper and pencil to get their business done.