Information Security

Defending the digital infrastructure

igor - Fotolia

Problem solve Get help with specific problems with your technologies, process and projects.

Even with rise in crypto-ransomware, majority do not pay

With data increasingly held hostage, companies are learning the downside of encryption and cryptocurrency. As some organizations admit to paying ransoms, will the problem get worse?

Crypto-ransomware is big business for cybercriminals. In the first three months of this year, ransomware and recovery costs reached $210 million, according to the FBI. Law enforcement first noticed an uptick in ransomware activity against organizations in late 2015. The reason: Payouts from enterprises are usually higher.

Network security company FireEye also reported an increase in ransomware activity against enterprises starting in mid-2015. It reached similar conclusions: Corporate victims offer higher margins and low overhead, causing cybercriminals to up the ante beyond spray-and-pray consumers. Ransomware as a service has also created a framework for cybercriminals.

The ransomware threat to global enterprises increased in 2016. FireEye Labs' researchers observed a notable spike in March, based on data from the company's NX platform and Dynamic Threat Intelligence exchange. The researchers attributed the rise to two global spam campaigns, detected in 50 countries, that were tied to Locky ransomware. A variant of banking malware Dridex, the crypto-ransomware infected systems when victims clicked on email with malicious attachments disguised as "invoice notices," "images" and "document themes." The security researchers noted that the Locky malware included a JavaScript downloader (.js) in addition to the Microsoft Word and Excel macro-based downloaders that dominated early campaigns.

Microsoft Windows is still the biggest target, however. Variants of the CryptoLocker ransomware, such as TorrentLocker and CTB-Locker -- which takes advantage of those seeking Windows 10 upgrades -- hit enterprises worldwide. Keranger malware, identified in March by Palo Alto Systems, is the first to attack Mac OS X systems, according to the network security vendor.

'No more ransom'

While researchers are trying to stay ahead of crypto-ransomware and its variants, law enforcement joined forces in July with security vendors to launch a "No More Ransom" portal. The project -- developed by Dutch National Police, Europol, Intel Security and Kaspersky Lab -- offers educational information and free decryption tools. It also enables victims to upload a sample ransomware file to determine the variant.

The site claims that there are "more than 50 families of this malware in circulation." The malware behaviors and encryption are also getting harder to decipher. While there are lots of malware families and variants, the "No More Ransom" site is currently focused on three main types: encryption-based (AES-256), locked screen (mostly mobile) and master boot record -- which encrypts a computer's MBR code and prevents loading of its operating system.

During an August presentation on ransomware trends, Ryan Naraine, U.S. director of Kaspersky Lab's global research and analysis team, said he got a dose of the harsh reality that some companies face. "You have no idea what you are talking about," one victim told him when he advised companies not to pay ransoms.

More than hospitals

Who paid? In February, Hollywood Presbyterian Medical Center's computer systems were hacked, and access to critical files was prevented. In order to decrypt the files, CEO Allan Stefanek said the hospital paid 40 bitcoins, estimated to have an exchange rate of $17,000. Payment occurred before the incident was reported to law enforcement, according to the Los Angeles Times. After turning away patients and reverting to paper records, the IT staff was eventually able to retrieve its data with the decryption keys and help from security experts. The FBI is investigating the attack.

According to law enforcement, threat actors will escalate attacks on targets that have paid ransoms. While there is little public evidence that this has actually happened, a rash of ransomware incidents hit hospitals, according to numerous media outlets, following Hollywood Presbyterian's admission.

I would certainly advise trying your hardest to avoid the pain. But I understand that, for business reasons, the businesses are going to have to pay -- the bad guys understand that, too.
Paul VixieCEO, Farsight Security

"Law enforcement has always said about ransom -- if you pay them once, then the bad guys are going to come back and demand a new ransom, so there is really no way to win doing that," said Paul Vixie, CEO of Farsight Security and a renowned DNS expert, who co-founded the Internet Software Consortium. "But law enforcement has always understood that we have to get our kidnapped child back somehow -- or in this case, we have to get our files back somehow -- so they are stymied. The bad guys have found a way to align their interests."

While attacks on hospitals are alarming and potentially life threatening, other businesses have paid untraceable ransoms to retrieve high-value data. Circle Sport Levine Family Racing, a NASCAR team, got hit with a TelsaCrypt ransomware attack in April shortly after someone noticed unusual communications between their computer systems and a Dropbox account. The encrypted files, which contained critical data that represented millions of dollars of work, would be hard to recreate. The company paid the bitcoin ransom, estimated at $500, and restored the data using the decryption key.

"It is a terrible feeling of regret when you lose files and you say, 'Gee, I sure wish I had focused more on backups because now I am just out of business,'" Vixie said. "It is just one of the ways in which the internet has put assets at risk, by connecting them to this global network where anybody else -- if they are connected and relatively clever -- can reach in, pretend to be you and have the same access to your files that you would have.

"And that is not the only new danger that the internet has brought, but it is certainly a big one," Vixie added. "So I would certainly advise trying your hardest to avoid the pain. But I understand that, for business reasons, the businesses are going to have to pay -- the bad guys understand that, too."

Officials at the University of Calgary in Canada revealed in June that more than 100 critical computer systems were attacked, and the school paid bitcoins worth $20,000, based on Canadian exchange rates, to get decryption keys to restore critical systems.

No payment, lost data

The majority of businesses do not pay, however. In August, an Osterman Research study, sponsored by Malwarebytes -- the security vendor that Circle Sport Levine Family Racing eventually hired -- found that 39% of the 540 organizations surveyed in the U.S., Canada, Germany and the U.K. reported a ransomware attack in the previous 12 months. More than one-third (37%) of the companies whose machines were infected paid the cybercriminals, according to the more than 500 CIOs, CISOs and IT directors surveyed. 

Ransomware attacks during the previous 12 months

Healthcare and financial services were the hardest hit, the researchers found. "These industries are among the most dependent on access to their business-critical information, which makes them prime targets for ransomware-producing cybercriminals," the authors wrote.

The U.K. had the highest number of ransomware attacks (54%), and Germany had the lowest (18%). Ransomware attacks in the U.S. were more limited in scope, according to the report, based on the number of endpoints affected. Almost 80% of besieged organizations in the U.S. had "high-value data" held for ransom, however, and 68% said that middle management or higher had been targeted. 

Physical locations in which ransomware entered the organization

The "availability of recent backups" was cited most frequently by IT security professionals as the reason their organizations opted not to pay the ransomware. One-quarter of the organizations did not pay for lost files, according to Osterman's findings.

How to stop it

If your systems are under attack, disconnect infected computers from the internet immediately. It can take up to 30 minutes for malware to encrypt files, maintained Kaspersky Lab's Naraine, and organizations have a good chance of saving some files.

That strategy doesn't always work, however. Circle Sport Levine Family Racing immediately disconnected its computers once the company detected suspicious Dropbox activity, and it still got hit with ransomware.

It's also critical to back up high-value data on a routine basis -- before an incident can occur -- and store the backups offline. If computer systems are infected with crypto-ransomware and hackers demand bitcoins to decrypt files, the organization can roll back its systems and only lose weeks' or months' worth of data.

"It is much better to invest in backups up front so that, if your files get encrypted by some ransomware, you are able to say, 'Well, that was bad for me, and I lost a few days of work, but we are just going to rewind and do backups rather than paying these people,'" Vixie said, "because the more we pay them, the more copycats there will be.

"I don't know if we will ever be able to totally solve this problem," Vixie added. "But I would like to make it not get worse faster and, unfortunately, paying them is a way for it to get worse."

IT departments should regularly patch operating systems and applications. That includes letting software patch itself, maintained Naraine, especially highly targeted applications, such as Microsoft Windows, Adobe Acrobat Reader, Adobe Flash, Apple QuickTime, Java code and Skype. 

Applications by which ransomware entered the organization

Organizations should also train employees to practice good security habits. Monthly training may be in order for executives and others who have admin privileges, as well as employees who work in departments more likely to be targeted, such as human resources and financial services.

The problem is likely to get worse. Security researchers have begun to see more crypto-ransomware that encrypts web servers and mobile devices (primarily Android). A high-profile ransomware attack in May that used malvertizing, which routes unsuspecting individuals to malicious sites through banner ads, was detected at the BBC, The New York Times, AOL and other websites. Just by surfing the media companies' websites -- not clicking on an ad -- consumers became vulnerable to ransomware distributed using the Angler exploit kit, which tries to take advantage of weaknesses in browser plug-ins, such as Adobe Flash and Microsoft Silverlight.

As a last resort, some organizations may decide to set aside bitcoins as part of their incident response plans. "Sometimes paying is your only option to get back in business," Naraine said.

Article 3 of 6

Next Steps

Ransomware: The pay or not pay debate

What you need to know about ransomware as a service

Five ways to fight advanced encryption ransomware

This was last published in October 2016

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Get More Information Security

Access to all of our back issues View All