A thousand-fold increase in crypto malware (AKA ransomware) is a pretty impressive number. The reason is that it is like taking candy from a baby – not very hard. Rather than having to figure out how to break into a computer, then figure out where the juicy data is, next getting it back to you without getting caught and finally figuring out how to monetize it, all you do is infect the computer and wait for the money to arrive. If that doesn’t explain the popularity of crypto malware, nothing does.
Crypto malware just encrypts everything in sight and then says that they will decrypt it if you pay them. Maybe they will. A new form of ransomware called nukeware evolves this one more step. Erase the files permanently and demand money anyway. Whatever money you get is found money. The user of course, never gets their files back.
Since this attack is completely automated other than the part where the user gets suckered, it runs to completion extremely fast. The infection starts in seconds and may be complete in a few minutes.
The size of the infection is dictated by the cyber hygiene policies of the company. Better policies and quicker detection reduce the impact. If the infection waits until night time or the weekend to trigger, then it can be devastating.
While ransomware started as a consumer thing, as Hollywood Presbyterian Hospital and many others can tell you, it didn’t stay there. The problem is that if you ask a consumer for a thousand dollars, he or she are not going to pay. But ask an organization like Hollywood Presbyterian for $17,000 and, after 10 days of trying to avoid it and being on the receiving end of a lot of bad social media, they paid. The good news is that, for their $17k, they did in fact get the decryption keys.
Depending on the attack, they could ask for $50k or $500k and they might get it. It depends on how valuable the data is.
I used to work for a semiconductor manufacturer. If one of our assembly lines was down for just an hour, it cost us a million dollars. Translate that to 10 days like at Hollywood and the cost would be $250 million and that was in money from many years ago. Maybe it is double or quadruple that now. So, if an attacker asks for a million dollars and the company is poorly protected, they likely will pay it in a heartbeat. It is not a matter of enriching the bad guys or not, it is a matter of economics. $1 million vs. $250 million. Pretty simple calculation.
Hence businesses need to beware. SOME businesses are doing a good job at protecting themselves, but a lot of them, especially the small and medium size ones, are not doing so good.
The next evolution after nukeware is to encrypt the data and then export the data to China, Russia or some place like that. They have the key so they can decrypt it when it arrives. Now they can sort through it at their leisure in a safe place and figure out the next step in the monetization chain.
Now not only do you have an internal problem but you also have a reportable breach. And you can’t claim that the data was encrypted, so you don’t have to report it. It doesn’t count if the bad guys did the encryption!
What is true is that that yesterday’s solutions to keeping the bad guys out will not protect you today and will certainly not protect you tomorrow.
This means that you need to re-think, re-design, re-architect or be resigned to losing. And that means spending money. Sorry. There is no other way.
It is your choice.
Or possibly the choice of the person who replaces you after the breach.
Of course, management has to lead, support and fund it. That is their role. Your role is to figure out how to do it.
We are seeing more and more people losing their jobs after a breach. Look at how many people at the DNC have been fired over that breach and while that breach might not have been prevented (state sponsored terrorism is hard to protect against), there are a lot of things that they could have and should have done – starting with some user training.
Sorry for raining on your parade, but it is what it is.
Information for this post came from Dark Reading.