By Israel Barak
Ransomware has become one of the most—if not the most—prevalent, effective and successful forms of cybercrime. Ransomware is simple to create and distribute and offers cybercriminals an extremely low-risk, high-reward business model for monetizing malware. Combine this with the fact that most companies and people are unprepared to deal with ransomware, and it’s clear why it has become the fastest growing cyber threat to date.
Simple code, sophisticated e-marketing
Ransomware propagates through the same channels as regular malware—mainly email, but also through compromised or malicious websites and pirated software. Ransomware code is often not sophisticated, but it doesn’t need to be. This is because unlike many types of traditional malware, in most cases ransomware does not need to remain undetected for long to achieve its goal. What is more sophisticated about ransomware is the e-marketing effort that drives its distribution.
Ransomware purveyors are often savvy e-marketers who know their targets. It is not uncommon for a ransomware gang to run multiple campaigns at the same time, with tiered pricing based on a variety of parameters such as vertical industry, region, age, etc. While ransoms have exceeded hundreds of thousands of dollars in some cases, the goal is to set a price that makes it either cheaper or easier for the victim to pay the ransom than to recreate or restore the compromised systems, especially when the victim has a sense of urgency.
Exploiting risk management gaps in cyber insurance, operations
The end result of ransomware is a whole new economy for cybercrime, one with risk management gaps that allow it to thrive. One significant gap is that the cyber insurance industry is often useless when it comes to ransomware. Most policies have an “extortion” clause, but the deductibles are cost prohibitive: often, hundreds of thousands of dollars need to be extorted before the insurance will kick in. Plus, if the company publicly discloses that it has a cyber-extortion clause in its policy—in a press release or a public report, for example—then it could invalidate the policy.
Another key factor is that it can take a medium-sized business days to restore from backup, which makes it cheaper and easier for victims to pay the ransom. Think about Hollywood Presbyterian Medical Center in Southern California, which in 2016 had its computer systems crippled for more than a week as it worked to recover from a ransomware attack. When their labs and prescription systems were down, those orders had to be handled manually. Think about the cost involved in that!
Some believe paying the ransom will mark them as an easy target and invite future attacks. However, generic ransomware is rarely individually targeted—it’s usually a “shotgun” approach: attackers acquire email lists, compromise websites and blast out ransomware. Given the number of attackers out there, if you do get hit again, it will likely be by a different attacker.
So what can you do to mitigate ransomware risk?
Here are some tips banks can follow to mitigate ransomware risk at their institutions and limit the fallout of a ransomware attack:
- Maintain regular and constant backups of important files and consistently verify that the backups can be restored. Be aware of and filter potentially malicious websites and emails.
- Avoid common malware delivery tactics. Ransomware is often delivered through the exact same channels as other types of malware—sometimes it’s even bundled and downloaded together with other types of malware. Refrain from downloading pirated software or paid software offered for “free.” (Remember: when a paid product is offered for free, you are the actual product.)
- Don’t download software from any non-trusted sources or websites or any key-gen, password cracking or license check removal software. In addition, don’t open email attachments from unknown or unexpected senders, and ensure that your staff is well trained on what to do in the event they receive a suspicious message.
- Review your company’s cyber insurance plans. Ensure your cyber insurance plans are in line with the level of ransomware risk you are willing to accept. Consider requesting a “ransomware clause” for cyber extortion that removes the prohibition on public disclosure and lowers the unrealistically high deductible to be more in line with current ransom demands.
- In the event of a ransomware attack, assume all sensitive data on the machine was compromised. Whether you pay or not, keep in mind that attackers will always try to extract useful data off a compromised machine. This potentially includes usernames and passwords for internal or web resources, payment information, email addresses of contacts, etc.
- Consider deployment of advanced anti-ransomware technology to prevent execution of ransomware. These technologies can be adopted either as standalone tools or incorporated into the organizational anti-malware platform.
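The first tip above is the one that most often fails in practice: a backup exists, but nobody has ever proven it restores. The script below is an added example (not from the article or from Cybereason) of what “consistently verify that the backups can be restored” means as a routine: it records a SHA-256 manifest of the source tree, packs it into a tar archive, and later restores the archive into a scratch directory and checks every file against the manifest. The directory names, file contents and the `demo` function are constructed for illustration; it assumes GNU `tar`, `sha256sum` and `mktemp` are available.

```shell
#!/bin/sh
# Added example: back up a directory and prove the archive restores cleanly.
# Paths and sample data below are constructed for the example; the restore
# check is the part that turns "we have backups" into "we can recover".
set -eu

# make_backup SRC_DIR ARCHIVE
# Writes a SHA-256 manifest of every file under SRC_DIR next to the archive
# (ARCHIVE.manifest), then packs SRC_DIR into ARCHIVE. The manifest stays
# outside the archive so a corrupted or incomplete archive cannot vouch for
# itself.
make_backup() {
    src="$1"
    archive="$2"
    ( cd "$src" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$archive.manifest"
    tar -C "$src" -cf "$archive" .
}

# verify_backup ARCHIVE
# Restores ARCHIVE into a fresh temporary directory and checks each restored
# file against ARCHIVE.manifest. Returns 0 only if the archive unpacks and
# every recorded file is present with the recorded hash; any other outcome
# means this backup cannot be relied on for recovery.
verify_backup() {
    archive="$1"
    # sha256sum -c runs inside the scratch directory, so the manifest path
    # must be absolute.
    case "$archive" in /*) ;; *) archive="$PWD/$archive" ;; esac
    scratch=$(mktemp -d)
    status=0
    if tar -C "$scratch" -xf "$archive" 2>/dev/null \
       && ( cd "$scratch" && sha256sum -c --status "$archive.manifest" ); then
        status=0
    else
        status=1
    fi
    rm -rf "$scratch"
    return "$status"
}

# demo
# Builds a small constructed source tree, backs it up and verifies it.
# Prints "backup verified" or "backup FAILED verification".
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/records"
    printf 'constructed sample: account ledger\n' > "$work/src/records/ledger.txt"
    printf 'constructed sample: branch notes\n'   > "$work/src/notes.txt"
    make_backup "$work/src" "$work/backup.tar"
    if verify_backup "$work/backup.tar"; then
        echo "backup verified"
    else
        echo "backup FAILED verification"
    fi
    rm -rf "$work"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh verify_backup.sh --demo`, or source the file and call `make_backup` from the backup job and `verify_backup` from a scheduled check. Because the manifest is written at backup time and kept apart from the archive, a backup that was silently overwritten, truncated or encrypted after the fact fails the check instead of being discovered to be unusable during an incident.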
If you have not taken precautions in advance and your organization falls victim to a ransomware attack, then it might be easiest to pay the ransom and prepare better for the next attack.
Israel Barak is CISO at Boston-based Cybereason, a cybersecurity company specializing in endpoint protection, detection and response.