How ransomware has evolved to avoid detection 

Feb 23, 2016 11:00 AM

Since early 2015 the number of “ransomware” attacks has escalated dramatically, and further growth is expected in 2016. Just recently, a Californian hospital was forced to divert patients to other hospitals because attackers used ransomware to take its systems down.

This is how it works: the victim inadvertently runs the malware by visiting a malicious website, opening a malicious email attachment or installing an infected application. The ransomware then encrypts files on the infected computer using a random, one-off encryption key that is sent to the perpetrator (or, in newer variants, is itself encrypted under a public key embedded in the malware, so that only the perpetrator's private key can recover it and nothing needs to be sent at all). A message appears on the screen telling the victim that the only way to recover the files is to pay a ransom in cryptocurrency (e.g. Bitcoin) and receive, in return, the decryption key and instructions for using it. To make things worse, the more sophisticated variants no longer need to exchange keys or data with a server, which leaves detection-based security products with no traffic to catch.

Security researchers have concluded that files encrypted by the current generation of ransomware cannot be recovered by brute force, leaving many victims no choice but to pay up. In fact, the FBI suggested last November that, when necessary, victims should simply pay the criminals to retrieve their files. According to the FBI, ransomware is now affecting thousands of people and businesses and has caused more than $18 million in reported losses. It is estimated that one family of ransomware alone has generated more than $325 million.
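The key handling described above, written out as an added example (this is not code from the original post or from any ransomware family, and the struct and function names are my own): a hybrid scheme in Go in which every file gets a fresh AES-256-GCM key, and that key is wrapped with RSA-OAEP under a public key only the perpetrator holds the private half of. It runs entirely in memory on a constructed byte string and never touches the filesystem. The point it makes concrete is why the one-off key is useless to the victim and why a brute-force search is not an option: with the matching private key the document comes back, with any other key the unwrap step simply fails.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// LockedBlob is all that remains on the victim's side for one file: the
// ciphertext, the GCM nonce and the per-file key wrapped under the
// attacker's public key. The raw per-file key is never stored or sent.
type LockedBlob struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// lock models the encryptor: a fresh random AES-256 key per file, AES-GCM
// for the data, RSA-OAEP to wrap the key under the embedded public key.
// Only the public key is needed, so nothing has to leave the machine.
func lock(pub *rsa.PublicKey, plaintext []byte) (LockedBlob, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return LockedBlob{}, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return LockedBlob{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return LockedBlob{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return LockedBlob{}, err
	}
	return LockedBlob{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// unwrapKey is the operation the ransom pays for: only the holder of the
// private key can turn WrappedKey back into the 32-byte per-file key.
func unwrapKey(priv *rsa.PrivateKey, b LockedBlob) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, b.WrappedKey, nil)
}

// unlock decrypts one blob given its recovered per-file key.
func unlock(fileKey []byte, b LockedBlob) ([]byte, error) {
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
}

// RoundTrip runs the model on a constructed document and reports whether
// the attacker's private key recovers it and whether a key the victim
// generates themselves is rejected at the unwrap step.
func RoundTrip() (recovered bool, wrongKeyRejected bool, err error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048) // exists only on the attacker's side
	if err != nil {
		return false, false, err
	}
	doc := []byte("constructed sample document: Q4 forecast, patient roster, source tree")
	blob, err := lock(&attacker.PublicKey, doc)
	if err != nil {
		return false, false, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048) // the victim's best effort
	if err != nil {
		return false, false, err
	}
	_, unwrapErr := unwrapKey(other, blob)
	wrongKeyRejected = unwrapErr != nil
	fileKey, err := unwrapKey(attacker, blob) // what is handed over after payment
	if err != nil {
		return false, wrongKeyRejected, err
	}
	pt, err := unlock(fileKey, blob)
	if err != nil {
		return false, wrongKeyRejected, err
	}
	return bytes.Equal(pt, doc), wrongKeyRejected, nil
}

func main() {
	ok, rejected, err := RoundTrip()
	fmt.Println("recovered with attacker key:", ok, "| other key rejected:", rejected, "| err:", err)
}
```

The defensive lesson is in what is absent: the per-file key exists in memory only for the duration of one file and the private key never exists on the victim's machine, so neither disk forensics nor a packet capture yields anything to decrypt with. Families that got this wrong (predictable key derivation, keys left on disk) are exactly the ones for which free decryptors have appeared.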

Ransomware is Rapidly Evolving

Given the lucrative returns this criminal enterprise generates for its perpetrators, it is no surprise that ransomware is quickly evolving into more sophisticated variants. Some recent developments include:

Ransomware that targets business users – Instead of purely opportunistic attacks on the general population, cyber-criminals are increasingly targeting specific businesses with ransomware. Because of both the inherent value of business data and the deeper pockets corporations have, the perpetrators are able to extort substantially more money from successful attacks on corporate victims (see https://threatpost.com/chimera-ransomware-promises-to-publish-encrypted-data-online/115293/).

Ransomware that targets corporate websites – Instead of attacking an individual's PC, website-specific ransomware holds hostage the web pages, images, code libraries and databases that are the backbone of every website. For example, the “Linux.Encoder.1” ransomware is planted via known vulnerabilities in website plugins and third-party site software, such as shopping cart programs. Once on the host, the malware encrypts all of the website's files, rendering the site inoperable. (The first version of Linux.Encoder.1 derived its keys from file timestamps and was broken within days, a reminder that not every family gets the cryptography right; the ones that do leave no such shortcut.) Because of the economic value of a company's website and the high cost of every hour of downtime, these attacks are proving particularly lucrative for the perpetrators.

Ransomware that no longer contacts a C&C server – Earlier variants had to exchange encryption keys with a command-and-control server before they could start, which gave network defenses a chance to spot or block the traffic. The latest variants carry everything they need in the binary (including the public key under which the per-file keys are wrapped) and run entirely on the infected machine, which lets them evade most network-based detection and bot-prevention solutions.

Ransomware that scrambles file names – CryptoWall 4.0, which appeared in late 2015, makes locked files even harder to triage because it encrypts the file names as well as the contents, so the victim cannot even tell which of the locked files are the most important ones to recover.

Ransomware that threatens to make files public – Instead of simply encrypting files on compromised PCs, the latest variant of the “Chimera” ransomware threatens victims that if they don't pay, their data will be published online for all the world to see. This generates ransoms even from individual or corporate victims who have backups from which their files can be recovered, at least where they fear damage from the exposure of private or regulated data.
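A variant that never phones home and renames files to gibberish gives network monitoring nothing to see, so the practical detection signal moves to the host: a single process that writes many near-random payloads and renames files to unrecognised extensions. The following is an added example, not part of the original post and not any vendor's product: a Go heuristic run over a constructed stream of file events. The event schema, the process IDs, the extension list and the thresholds are assumptions made for the example, not any real EDR's telemetry. The Pictures writer is included to show why the two signals are combined: compressed images are also high-entropy, but that process renames nothing.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
	"path/filepath"
	"sort"
	"strings"
)

// FileEvent is one host-level observation (constructed schema for this
// example): a process wrote a file, with a sample of the bytes written,
// or renamed one, in which case Path is the new name and Sample is nil.
type FileEvent struct {
	PID    int
	Op     string // "write" or "rename"
	Path   string
	Sample []byte
}

// shannonEntropy returns bits per byte of the sample (0 for empty input).
// Ciphertext and compressed data sit near 8; documents sit far lower.
func shannonEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h, n := 0.0, float64(len(b))
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// knownExt is a stand-in for an allow-list of extensions seen on the estate.
var knownExt = map[string]bool{".docx": true, ".xlsx": true, ".pdf": true, ".jpg": true, ".png": true, ".txt": true, ".zip": true}

// unknownExtension is true for renames to names like "27p9k96gwo0.3qgk".
func unknownExtension(path string) bool {
	ext := strings.ToLower(filepath.Ext(path))
	return ext == "" || !knownExt[ext]
}

// Thresholds are assumptions for the example; tune them on real telemetry.
const (
	entropyThreshold     = 7.5
	minHighEntropyWrites = 3
	minSuspiciousRenames = 3
)

// detectRansomwareBehaviour returns, sorted, the PIDs that both wrote
// several near-random payloads and renamed several files to unknown
// extensions. Either signal alone is common for benign software.
func detectRansomwareBehaviour(events []FileEvent) []int {
	type tally struct{ highEntropy, renames int }
	perPID := map[int]*tally{}
	for _, ev := range events {
		t := perPID[ev.PID]
		if t == nil {
			t = &tally{}
			perPID[ev.PID] = t
		}
		switch ev.Op {
		case "write":
			if shannonEntropy(ev.Sample) >= entropyThreshold {
				t.highEntropy++
			}
		case "rename":
			if unknownExtension(ev.Path) {
				t.renames++
			}
		}
	}
	var flagged []int
	for pid, t := range perPID {
		if t.highEntropy >= minHighEntropyWrites && t.renames >= minSuspiciousRenames {
			flagged = append(flagged, pid)
		}
	}
	sort.Ints(flagged)
	return flagged
}

// sampleEvents builds a constructed event stream: PID 4242 behaves like an
// encryptor, PID 1701 edits a document, PID 3100 writes compressed images.
func sampleEvents() []FileEvent {
	rng := rand.New(rand.NewSource(1)) // deterministic stand-in for ciphertext
	random := func(n int) []byte {
		b := make([]byte, n)
		for i := range b {
			b[i] = byte(rng.Intn(256))
		}
		return b
	}
	text := []byte(strings.Repeat("Quarterly report draft. ", 200))
	var evs []FileEvent
	for i, name := range []string{"budget.xlsx", "plan.docx", "notes.txt", "scan.pdf"} {
		evs = append(evs,
			FileEvent{4242, "write", "C:/Users/a/Documents/" + name, random(4096)},
			FileEvent{4242, "rename", fmt.Sprintf("C:/Users/a/Documents/%x.%x", 0x5a3f9c+i, 0x7b1+i), nil},
		)
	}
	evs = append(evs,
		FileEvent{1701, "write", "C:/Users/a/Documents/plan.docx", text},
		FileEvent{1701, "rename", "C:/Users/a/Documents/plan-final.docx", nil},
		FileEvent{3100, "write", "C:/Users/a/Pictures/IMG_001.jpg", random(4096)},
		FileEvent{3100, "write", "C:/Users/a/Pictures/IMG_002.jpg", random(4096)},
		FileEvent{3100, "write", "C:/Users/a/Pictures/IMG_003.jpg", random(4096)},
	)
	return evs
}

func main() {
	fmt.Println("flagged PIDs:", detectRansomwareBehaviour(sampleEvents()))
}
```

In production the tally would be kept over a sliding time window rather than forever, and a handful of canary files that no legitimate process should ever modify make a cheaper and sharper trigger than entropy alone; the heuristic here is only the shape of the logic, and it does not help with the variants discussed next, which exfiltrate before encrypting.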

Evolving Malware Requires Evolving Defenses

The cyber-security world primarily relies on detection as the antidote to most malware attacks. However, detection, reputation and categorization are often impossible, especially for new, short-lived sites with no meaningful history, and ransomware is often delivered via exactly such uncategorized sites. And once ransomware has managed to execute, it is, of course, too late for the victim.

This is not to say that there are not important steps that individuals and organizations should take to defend against a possible ransomware attack. Some basic precautions that everyone should take include:

Make regular backups, and keep at least one recent backup off site – With a good backup in hand, you will always be able to restore your files without paying a ransom (provided the backup is not reachable from the infected machine, or it will be encrypted too).

Keep your software and operating system patched – Software vendors regularly update their software to fix security vulnerabilities, so you should always be running the latest versions.

Avoid unsolicited or unexpected attachments – While this will not close every avenue of infection, it is still the most common way malware payloads are activated.

However, no security professional would argue with the statement that the best defense is to ensure that the malware never gets a chance to reach the computer in the first place. As William Shakespeare wrote, “Better three hours too soon than a minute too late.”

In other words, once the malware reaches a computer, it is often too late to prevent damage from occurring! For this reason, detecting malware is not a complete solution; organizations should also isolate potentially malicious content so that it never reaches endpoints at all. Web Isolation executes web sessions in a secure remote environment and delivers only a safe rendering to the user's browser. Combined with a secure web gateway, Web Isolation enables safe, unrestricted access to uncategorized and risky sites and removes the risk of ransomware delivered by malicious sites, because the site's active content never executes on the endpoint.
