February 02, 2017
An Austrian hotel lost control of its door locks, keeping new guests stranded in the lobby. A police department in Cockrell Hill, Texas abandoned years of video evidence and digital documentation. In Washington, DC, the police couldn’t access its CCTV footage storage system days before Donald Trump’s inauguration. All of this news came out in the last week, stemming from a rapid escalation of how ransomware is deployed. And it’s only going to get worse.
Ransomware has existed in various forms for over a decade. In a classic ransomware scenario, malware storms your computer, encrypts your data, and won’t give you the decryption key unless you pay a fee, usually in Bitcoin. Variations involve holding specific equipment, like your keyboard, hostage until you pay the ransom. But over the last 18 months, ransomware attacks have increasingly targeted large organizations and systems rather than individuals. One big payout from a group that can afford it beats stringing together lots of small payments from individuals. At this point, ransomware attacks are a $1 billion-per-year business. And, more importantly, the trend is creating collateral damage like never before.
“My prediction going forward is that we’re not only going to see ransomware focused on data, we’ll see more ransomware focused on other ways to disrupt a business.” says Marcin Kleczynski, CEO of the cybersecurity defense firm Malwarebytes. In its own way, ransomware is not dissimilar from other types of cyberattacks, which have increasingly targeted corporations with large databases of consumer info—think of how many times you’ve had to change your passwords and credit card numbers lately—over one-off consumer grabs.
“That’s really a huge change, that ransomware is actually ransoming back the ability to do business,” says Jack Danahy, CTO of cybersecurity firm Barkly.
More than half of corporate ransomware attacks start with an employee using an enterprise device for personal tasks, according to a joint survey by the cybersecurity firm Carbonite and The Ponemon Institute, an independent research group. Forty percent of corporate victims in the same survey said that ransomware spread across devices in their networks. Sometimes, all it takes is one person’s errant click to take down an entire system, especially if ransomware has circulated and can activate on many devices at once.
It’s also easier than ever to deploy. To carry out such a diversity of attacks, hackers have created hundreds of strains of ransomware, as Malwarebytes notes in its 2017 State of Malware report. Some versions represent sophisticated advances in how ransomware functions or how it’s delivered, but many are variations on readily available “off-the-shelf” malware.
“You can buy it in a marketplace, take the code, customize it a little bit and then start using ad networks or phishing attacks or just email spam to get [it] out there. There’s a very low barrier to entry,” Kleczynski says. Far from a simple encrypted hard drive, these new attacks can combine system downtime with data leaks and virality, with plenty of innovation still to come. “Every time I see a new delivery mechanism or a new idea, I sit there in a little bit of awe because I thought we’d be at the end of this, that there’s no more that can go into creating these threats.”
Bad New World
Some new directions are largely experimental, like the recent Popcorn Time ransomware that gave victims the option of infecting other people as an alternative to payment. More broadly, attackers now regularly threaten to release an individual or company’s stolen or encrypted data if they don’t pay the ransom. “Until last year people didn’t even think about ransomware as an attack where the privacy of the information was being compromised,” Danahy says. One variant that emerged last year, called Jigsaw, not only demands payment but threatens to send your data to all of your contacts. “The doxing component of ransomware is one of these game-changer kinds of developments,” Danahy says.
Both organizations and individuals can still best protect themselves by avoiding clicking untrusted links, being wary of phishing attacks, and watching for messages that could be dressed-up spam. Then again, your own defenses don’t come into play if a hospital, transportation ticketing system, or hotel you depend on is compromised.
There’s some good news, at least. Larger organizations are starting to take more precautions so they have a contingency plan in place to recover from an attack. And if they have to, organizations that are likely to be targeted are also likely to be in a good position to pay up—and are plenty motivated to do so. “Imagine taking down Ticketmaster or United Airlines ticket sales. That’s hundreds of millions of dollars in revenue per day,” Kleczynski says. “Now if you have a $500,000 ransom to get one hundred million dollars of revenue back as quickly as you can, you start thinking is this the more logical option for us as a business?”
It’s cold comfort that encouraging the criminals by paying the ransom is often the fastest way to restore a service. But the next time your hotel locks you out of your room, or the hospital can’t access your records you’ll know it was through no fault of your own.