Ransomware Attacks' New Focus: Businesses
Why Experts Say Employee Education Is Critical
Ransomware attacks are getting more agile, varied and widespread, and are increasingly taking aim at businesses of all sizes in all sectors, rather than consumers.
These attacks follow a two-part scheme. First, a device is infected with malware that locks the user out or encrypts files so that the user can no longer access them. Then a ransom is demanded through an automated message displayed on the device's screen, telling the user that the ransom must be paid within a limited time or the device will be wiped clean or the files erased.
In recent weeks, three reports from security firms and researchers have noted new ransomware scheme trends that are making these attacks more difficult to thwart and detect.
As a result, experts say businesses need to focus more attention on employee education about how to avoid falling victim to these attacks and other socially engineered schemes.
On March 2, security firm FireEye warned that hundreds of websites may have been exposed to "malvertisements" - malicious ads used to deliver ransomware - via criminals' abuse of ad networks that use real-time bidding.
"Real-time bidding is an ad sale and delivery system that allows for instant, autonomous ad auctions at the time the ads are served," FireEye says. "A number of buyers set up bids ahead of time for a certain amount of ad impressions (i.e., page loads) on pre-selected sites and certain target demographic characteristics. When a user requests an ad, the ad exchange awards the highest bidder who has an active bid on advertising matching the incoming user's demographic profile. As a result, the auction winner's ad is displayed."
In another recently released report, anti-virus provider Bitdefender noted that cybercriminals were using help files to infect devices with a variant of the ransomware known as CryptoWall. Attackers sent malicious emails with the subject "Incoming Fax Report" carrying compiled HTML help (.chm) file attachments, Bitdefender noted. When users opened the attachment, they were shown a help window while CryptoWall was downloaded in the background.
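The lure described above is easy to screen for at the mail gateway: flag the known subject line, flag attachments with a compiled HTML help extension, and, because attackers rename files, also sniff the payload for the "ITSF" signature that every .chm file starts with. The following is an added example written for this article, not code from Bitdefender or from the original report; the sample message and its "ITSF" payload are constructed here, and the extra risky extensions beyond .chm are an assumption added to generalize the rule.

```python
import email
import email.policy
from email.message import EmailMessage

# Attachment types the filter treats as high risk. Only .chm is supported by the
# article (the CryptoWall "Incoming Fax Report" campaign); the other entries are
# an assumption added here as a common extension of the same rule.
RISKY_EXTENSIONS = {".chm", ".hta", ".scr", ".js", ".exe"}

# A Compiled HTML Help file begins with the ASCII signature "ITSF".
CHM_MAGIC = b"ITSF"

# Subject lines used as lures in the campaign described in the article.
SUSPICIOUS_SUBJECTS = {"incoming fax report"}


def build_sample_message(subject, filename, payload):
    """Construct a test message (not a real captured sample) with one attachment."""
    msg = EmailMessage(policy=email.policy.default)
    msg["From"] = "fax@example.invalid"
    msg["To"] = "accounts@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attached fax.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def inspect_message(raw_bytes):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    findings = []

    subject_raw = str(msg["Subject"] or "")
    if subject_raw.strip().lower() in SUSPICIOUS_SUBJECTS:
        findings.append(f"subject matches known lure: {subject_raw!r}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        data = part.get_payload(decode=True) or b""

        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment extension: {name!r}")

        # Content sniffing catches a CHM renamed to a harmless-looking extension,
        # which an extension-only rule would miss.
        if data.startswith(CHM_MAGIC) and ext != ".chm":
            findings.append(f"CHM signature in attachment not named .chm: {name!r}")

    return findings


if __name__ == "__main__":
    # Constructed lure: matching subject plus a .chm attachment with the ITSF header.
    raw = build_sample_message("Incoming Fax Report", "fax_report.chm",
                               CHM_MAGIC + b"\x00" * 64)
    for finding in inspect_message(raw):
        print(finding)
```

The subject match is the weakest signal, since campaigns change lure text freely; the signature check is the one worth keeping even after the "Incoming Fax Report" wave is over.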
In a third report, released March 6, a French malware researcher known as Kafeine said he discovered what at first appeared to be a new version of the ransomware known as TorrentLocker, but was later determined to be entirely new malware. Researchers say this is concerning because it shows how quickly attackers are adapting, developing new malware strains that evade current detection mechanisms.
The Evolution of Ransomware
"Ransomware is flourishing as the criminal community appreciates its viability and the ease by which ransomware can be shared," says Tom Kellermann, chief cybersecurity officer at security firm Trend Micro. "The most troubling evolution is the migration to mobile ransomware."
In May 2014, security researchers warned of a new type of ransomware attack taking aim at employees and customers of banking institutions in Europe. The attack was being spread to mobile devices through the banking Trojan known as Svpeng (see New Ransomware Targets Mobile).
Today, attacks waged against Windows and Android operating systems have continued to spread.
"There is a lot of momentum behind ransomware and we do expect it to be a continuing issue throughout the rest of this year and beyond," says John Miller, manager of the Cyber Crime Threat Scape at cyber-intelligence firm iSIGHT Partners. "Law enforcement in different countries can help educate residents about the threats," which are designed for targeted global markets based on language and payments habits, he explains.
But it's up to individual companies to educate their own employees about how to identify a ransomware attack before becoming victimized, Miller adds.
Why Ransomware Is So Dangerous
Rather than targeting home-users' files, as was common in 2012 and 2013, attacks emerging in late 2014 started targeting business assets by encrypting enterprise database files and shared storage systems, says Jeff Horne, vice president of the security firm Accuvant.
"This is extremely dangerous to an enterprise network, as it could potentially destroy a business if offline backups haven't been stored," Horne says. "The real issue is the encryption that is being utilized, more often than not, cannot be broken with today's computers. Therefore, when these files are locked, if the ransom isn't paid, the files are gone until computers can break the encryption."
Another danger, he says, is that attackers sometimes collect the ransom but never decrypt the data, leaving it useless to the business.
Randy Abrams, research director for cyberthreat intelligence firm NSS Labs, says malware strains used in ransomware attacks are getting stealthier. And like Horne, he says the encryption attackers use to lock files is getting harder to break.
"Older ransomware used cryptographic techniques that could be cracked," Abrams says. "This currently is no longer the case."
Ransomware can be devastating to victims who have no backups, or who back up only to local or network-connected drives that the malware can encrypt as well, he says. "Online backup services, such as Carbonite, are very useful. But users must be certain that file types are also backed up."
A Growing Threat
The use of ransomware is spreading because the attacks make good business sense for cybercriminals, who can reap big payouts, iSIGHT's Miller says. "Windows ransomware is all over the place," he says. "It's very effective and very popular."
Cryptolocker was the first type of ransomware that got attention, Miller points out, "and criminals' observations of the damage that Cryptolocker was doing made them realize how profitable ransomware could be."
Today's attackers, who range from organized cybercrime rings to nation-states, are selling ransomware using sophisticated business models, says Peter Tran, general manager and senior director of security firm RSA's global advanced cyber-defense practice.
"The hacker distribution techniques and ecosystem are run like a business," Tran says. "The development, buying, selling, trading and distribution creates micro-economies that scale very quickly for both cybercriminals and nation-state attackers. This is a global network much like the open-source software developer communities, where software can be developed very quickly and with greater capacity than closed, proprietary development."
Also, most of the malware strains used in these attacks are evading detection by anti-virus programs, he adds.
"In the past 12 months, over 300 million malware samples have been reported in circulation, many of which are modifications of existing variants, but many are unique," Tran says. "The sheer scale is overwhelming."