Just a few years ago most people had not even heard of ransomware. Today, if you have not been hit by a ransomware attack, you have certainly heard about attack after attack. Ranging from massive attacks that affected companies like FedEx and Merck pharmaceuticals to hospitals to little mom-and-pop stores, ransomware is the scourge of our technical world.
There really is one major reason for ransomware attacks – money. If you pay the ransom, even what you perceive to be a small one, it sustains the attacker’s morale and encourages more attacks.
Although no one really knows the statistics, people do make educated guesses. According to security firm Kaspersky, in Q1 2016 an individual was attacked every 20 seconds and a business was attacked every 2 minutes (I assume that most of these attacks were NOT successful). By Q3 2016, those numbers were 10 seconds and 40 seconds respectively.
In Q1 2017, 60% of all malware payloads were ransomware, according to Malwarebytes.
And, according to Cybersecurity Ventures, ransomware damages are predicted to exceed $5 billion in 2017 when the stats finally come in. That includes a billion dollars for WannaCry alone.
People are paying millions in ransom as well.
See this article for more stats.
So why are we seeing the increase in ransomware?
#1 – As credit card companies improve their security, it is becoming harder to cash in on stolen credit cards. Hackers are turning to other ways to make money.
#2 – Complex hacks to steal data and then monetize it are becoming harder and riskier as companies up their games when it comes to cybersecurity.
#3 – The emergence of Bitcoin and other cryptocurrencies has made it easier for hackers to get paid in a way that is difficult to trace, if done correctly.
So here are some thoughts about dealing with ransomware.
In two recent attacks at organizations with a few thousand user devices each, ransomware spread quickly. In these cases several thousand devices were compromised in an hour. That doesn’t give you much time to detect the attack, never mind respond to it.
In the first organization, they did not have robust detection software and so the attack ended when all of the vulnerable machines were compromised. The other organization did detect it and were able to take some machines offline and save them, but still many machines were compromised.
Here in Colorado, the Colorado Department of Transportation was hit by a ransomware attack twice in a period of a week or two. Weeks later, many of their computers are still only useful as doorstops.
Let's assume you get attacked and are not able to stop it (by the way, there are likely better ways to contain an attack than that decades-old antivirus software that you are using) – then there are two options.
First, you don’t pay the ransom. Assuming you have good backups and depending on the size of the organization, it could take weeks to months to recover all of your systems.
Assuming you do pay the ransom, you only have 50/50 odds of getting a key that will successfully decrypt your devices.
But in either case, have you really eliminated the malware on those computers and have you closed the flaw that allowed the ransomware attack to work and spread? PROBABLY NOT!
The best technique for preventing successful ransomware attacks is training your users. Clicking on links and opening attachments are likely the two most common ways to get infected.
There is software that can improve the odds of stopping an attack, but that software is likely NOT what you are using today.
The next thing that you have to have is a very robust incident response program.
When I speak at seminars I talk about the Sony attack disaster. A few months before that, there was a similar attack that you likely never heard of – because they have a great incident response program and empowered individuals to take action. The organization was the Sands Hotel and Casino, and IT security made the decision to start literally unplugging computers from the network. They had people running through the casinos pulling cables. The result was a greatly diminished attack.
On the other hand, a local municipality in the Denver area was hit by a denial of service attack, and once they got approval to disconnect from the Internet, it took them hours to figure out exactly how to do that. A lot of damage can be done in hours. You need to have the plan in place and the approval pre-made so that you can make decisions in minutes, preferably less.
Two different organizations, two different outcomes.
Given the trends, it is more likely than you might like that your organization will get hit by a ransomware attack. How devastating that attack is will be based on how prepared you are.
How prepared are you?
Information for this post came from SecurityInfoWatch.