Ransomware and Extortion

Over the past few months there have been a number of 2016 surveys looking at various aspects of information security, all drawing comparisons with the previous annual surveys and all highlighting trends.

A sobering take-home from the majority of reports is that they back up strident headlines warning of the rise of ransomware. Apparently, 2016 will be the Year of Ransomware. Reading between the lines, however, it would be hard not to ask why 2017 won’t go on to claim the title, and 2018 after that.

This is because people and firms are paying up, and where there is money, cyber-crime will follow.

The reasons why are not hard to enumerate. The crime is, at the outset, a non-specific, loosely-targeted game of numbers requiring little up-front investment, and this carries through to very little risk for the perpetrator. Such targeting as there is will aim for consumers and small to mid-sized businesses, which lack the more sophisticated defences and have a lower tolerance for data or income loss. Paying up can seem like the best, or only, option.

As part of a complete risk assessment framework, this growing threat is worthy of its own specific attention. While it shares a number of root causes and attack vectors with other malware, the time-sensitive nature of its exploitation makes pre-planning prudent.

Ransomware is downloaded malware which will remove your access to your data until a ransom demand is met. There are a number of ways this can be carried out and many variations to the monetisation of the attack. A lot depends on the sophistication of the attacker and, also, the perceived value of the victim.

Systems can be locked with the attacker holding the password to unlock them. Whole file systems can be encrypted, requiring not only the decryption key or password but also the software to carry out the decryption. Whole file systems can be exported, leaving junk behind and requiring a ransom for the data to be returned or, in extreme cases, for it not to be published to the wider world.

The threat to publish is a particular nightmare for firms holding clients’ personal data. Healthcare and financial services are especially sensitive to this exploit and in a number of cases have, unfortunately, paid the ransom.

Past reports have put the figure of ransomware demands being met at 40%. Not all of those will have been under threat of publication, but those levels of payment will not have gone unnoticed by attackers.

Clearly there is no guarantee that paying the ransom will result in recovering your data, nor will it necessarily prevent the release of stolen data. If personal data starts being leaked out onto the internet at large, for a financial services firm, there will be considerable damage to reputation and client trust in addition to potential regulatory penalties and investigation.

Ransomware is most often delivered via poisoned links on compromised websites or in emails, or carried as email attachments. Clearly, up-to-date anti-malware software will go a long way toward mitigating the threat, and educating staff can alert them to the dangers of ill-advised clicking.

Furthermore, there are a number of pre-emptive strategies that can limit the effectiveness of malware of this sort, including:

  • Regular, complete and tested back-ups are an obvious starting point, with segregation of especially sensitive data to prevent propagation of malware across your network.
  • Limiting the running of executable files from unexpected areas of your file systems, such as Temp directories.
  • Locking down browsers to block unauthorised downloads, pop-ups or potentially unsafe software extensions.
  • Controlling outbound data: firms very often concentrate their security efforts on preventing unauthorised entry into their systems, but are less equipped to prevent unauthorised export.
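As an added example that is not part of the original article, the Python script below illustrates the first point, "regular, complete and tested back-ups": it archives a directory and records a SHA-256 manifest, then restores the archive into a scratch directory and checks each file against the manifest, additionally flagging any restored file whose byte entropy looks like ciphertext, which is what a backup taken after encryption had already started would contain. The file names, the sample data and the 7.5 bits-per-byte threshold are constructed assumptions for the demonstration.

```python
import hashlib, math, os, tarfile, tempfile
from collections import Counter

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def shannon_entropy(data):  # bits per byte; encrypted or compressed data sits close to 8.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def make_backup(src_dir, archive_path):  # archive src_dir, return {relative path: sha256} as backed up
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(src_dir):
            for name in files:
                rel = os.path.relpath(os.path.join(root, name), src_dir)
                manifest[rel] = sha256_file(os.path.join(root, name))
                tar.add(os.path.join(root, name), arcname=rel)
    return manifest

def verify_backup(archive_path, manifest, entropy_limit=7.5):  # restore test against a known-good manifest
    report = {"missing": [], "changed": [], "suspicious": []}
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive_path, "r:gz") as tar:
            tar.extractall(restore_dir, **({"filter": "data"} if hasattr(tarfile, "data_filter") else {}))
        for rel, digest in manifest.items():
            path = os.path.join(restore_dir, rel)
            if not os.path.isfile(path):
                report["missing"].append(rel)
                continue
            if sha256_file(path) != digest:
                report["changed"].append(rel)
            with open(path, "rb") as f:  # encrypted-looking content is a sign the backup ran too late
                if shannon_entropy(f.read(65536)) > entropy_limit:
                    report["suspicious"].append(rel)
    report["ok"] = not (report["missing"] or report["changed"] or report["suspicious"])
    return report

def demo():  # constructed scenario: a clean backup, then one taken after the file was overwritten
    with tempfile.TemporaryDirectory() as work:
        src, good, bad = (os.path.join(work, p) for p in ("data", "good.tgz", "bad.tgz"))
        os.makedirs(src)
        with open(os.path.join(src, "ledger.csv"), "w") as f:
            f.write("client,balance\nA,100\nB,250\n")
        manifest = make_backup(src, good)
        with open(os.path.join(src, "ledger.csv"), "wb") as f:  # stand-in for a file rewritten by ransomware
            f.write(os.urandom(4096))
        make_backup(src, bad)
        return verify_backup(good, manifest), verify_backup(bad, manifest)
```

Run `demo()` to see a clean report for the first backup and a report listing `ledger.csv` as both changed and suspicious for the second; the manifest must itself be stored off the protected network, or an attacker who reaches the backup host can rewrite it too.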

But the risk of a successful ransomware incursion is, of course, not zero and, despite the most stringent precautions, the worst can still happen.

As previously mentioned, robust recovery and response planning can go a very long way and pay enormous dividends.

Ransoms often have a time-limit associated with payment. Do not let this divert your firm from assessing the credibility of the ransom’s demands and its technology, utilising expert help.

Not all ransomware is created equally. Make sure you have the details of a specialist firm who can quickly assess the nature of the attack. In many cases, the encryption keys or passwords used by each malware family are known and experts may be able to undo the damage.

Ensure that you establish the entry point of the attack. Obviously this needs to be blocked against future repeat attacks, but it will also provide useful information about the scope of the damage and enable you to prioritise clean-up and recovery.

When restoring data and systems, engage experts and be prepared to rebuild all systems from the ground up. The recurrence of persistent threats is not unusual.

There is a lot of debate on the subject of ransom payment. If a business is well prepared, and has in place robust and effective defensive systems and controls, it should not be necessary. In some cases, pragmatism and overriding ethical issues have overruled received wisdom, as in February’s payment of $17,000 by the Hollywood Presbyterian Medical Center, but this can only be a measure of last resort.

Limiting the potential damage by careful pre-planning is infinitely preferable to the risks of funding the problem.