Most of us know that ransomware encrypts data and then demands payment to decrypt it. Attacks reached their highest historical level in April 2016 according to Enigma Software. This represented a 159 percent jump from March. Although this is an unusual surge, ransomware attacks have been increasing between 9 and 20 percent per month for a while now. There are various reasons for the increase:
- Attackers are taking advantage of the panic caused by the highly publicized attack in February against Hollywood Presbyterian Medical Center. The hospital paid a $17,000 ransom.
- Stronger encryption, such as the 2048-bit version of the RSA cryptographic algorithm, has become more widely available.
- Innovations in handling digital currencies such as Bitcoin have made transfers even harder to trace.
- Attackers no longer need to be tech-savvy, since most ransomware is available as packaged exploit kits.
Public entities are panicking. The U.S. and Canadian governments jointly released a ransomware alert in March. A U.S. Senate Judiciary subcommittee held a hearing in May to explore the issue. Since Hollywood Presbyterian Medical Center is in California, it is not surprising that the state has drafted legislation to establish specific penalties for ransomware.
Before you panic, consider that such malware comprises less than 1 percent of total infections. There has also been a determined fight against ransomware. Here are some examples:
- In November 2015, Kaspersky announced that the CoinVault and Bitcryptor ransomware variants were dead. The alleged authors were arrested and all 14,000 decryption keys were released.
- Recently, a hacker (of the good variety) rendered a Locky ransomware distribution harmless. Instead of demanding money, the distribution now warns potential victims not to open strange files.
- White hats tracked CryptoLocker and took down some of its command-and-control servers. Unfortunately, this meant that some victims who had paid the ransom were unable to receive their unlock keys.
- Strangely enough, in May 2016 the developers of TeslaCrypt shut down the ransomware and released the master decryption key.
In a recent BitDefender study, half of the ransomware victims said they paid, and two-fifths of the respondents said they would pay if they were ever in that situation. Paying the ransom is not a security decision; it's a business decision. Recovering files from backup takes time and effort and can lead to lost revenue.
If you are a victim, should you pony up the ransom or not? Be warned: even if you pay, the attackers may not deliver a valid key or appropriate unlock code to free your files. According to the FBI, most organizations that pay the ransom do get access to their data. However, there is the recent experience of Kansas Heart Hospital. It was victimized on May 18 and paid, but the attackers demanded more money for the unlock key. The hospital refused to pay again.
There is, however, a concern about a recently discovered Cerber ransomware variant that can potentially “sleep” in the attacked network. At a later date it could be converted into a botnet, launching distributed denial of service (DDoS) attacks from the compromised network at third parties. The victims would have to pay a ransom again… and again?
As with any business, it is in the attackers' best interest to follow through on their promises. CryptoWall attackers are known for decrypting the files upon payment. They have even walked victims through the procedure to obtain bitcoins and have given victims deadline extensions to procure the ransom. Then again, other ransomware families have less reliable reputations.
What does the law enforcement community recommend? The U.S. Federal Bureau of Investigation issued a notice in June about ransomware, advising victims to contact their local FBI field office if their data is held for ransom. But individual FBI agents have cautioned that the Bureau most often cannot decrypt the ransomed data. One agent was quoted as saying, “The easiest thing may be to just pay the ransom.” Some business professionals suggest that paying encourages criminals to attack again and extort a higher ransom. In the same vein, some victims say that they decided to pay the ransom to preclude the attacker from causing more damage in retaliation. There seems to be no firm data supporting either position.
The IT community in general is against paying. In a survey of the Spiceworks community, an online network of IT professionals, there was near unanimity against paying the ransom. This opinion was held even by members whose networks had been infected. These victims reported that most data was recoverable from backups, although they experienced data loss due to unmonitored and failed backups, as well as the loss of between 1 and 24 hours of data since their last backup cycle. We are assuming that the organization has a choice of paying the ransom or not. But if it has no unaffected backups, there is no choice but to pay the ransom.
There is much that can be done to mitigate the damage that a ransomware attack can create, and even to prevent one. This is the subject of a future article; stay tuned!