
How To Protect Against The Rising Threat Of Ransomware

By ISBuzz Team | June 24, 2016 | 5 Mins Read

Ransomware attacks are never far from the headlines and that’s likely to remain the status quo for the foreseeable future.  Indeed, Verizon’s 2016 data breach investigation report states that attacks have grown 16% globally year on year, a worrying trend for security professionals everywhere. But what’s behind the explosive growth of this relatively new form of cyber attack? To answer that, we must first look at how ransomware has evolved to date.

What is ransomware?

Ransomware is a distinct type of cyber attack, in that it extorts payment from the victim in exchange for allowing access to something that was encrypted during the attack.

Early ransomware disguised itself as spyware removal or PC cleanup applications.  These did not rely on encryption, but instead they damaged the PC and offered to fix it upon payment for the application.  After a couple more years, these scams gave way to attacks using fake antivirus applications.  Whilst similar to earlier ransomware attempts, they went one step further and also tried to trick users into paying for multiple years of support.

Encryption-based ransomware first came into prominence in 2011, in the form of malware that prevented access to the computer system.  As defenses and recovery methods improved, ransomware evolved into the crypto ransomware that is so prominent now.  There are three variants that currently dominate the crypto ransomware landscape:

  1. CryptoWall: The oldest of the three, it also has the greatest share of worldwide ransomware infections, at 83.45%.
  2. Locky: The most recent of the top three, it is also the fastest growing and the most advanced ransomware found in the wild.  It captured 16.47% of all ransomware attacks between February 17 and March 2, 2016.
  3. TeslaCrypt: This malware was spread primarily through hijacked WordPress and Joomla sites, and represents .08% of all infections. However, recent news that the master decryption key for TeslaCrypt has been released to the public by its developer spells the end of it for good.

What’s behind its growing popularity?

There are several reasons why ransomware attacks have been spreading so quickly over the last few years. One is the technical side. Developing effective ransomware has become easier, to the point where you can buy “Ransomware-as-a-service”. However, other, more sinister factors are also at play. With the digital transformation of crime, we’re now seeing ‘professional’ cybercriminals whose sole focus is to collect ransoms and launder money. The development of international payment systems like bitcoin has made it even easier to transfer money anonymously, making it less complex for criminals to extort money without being traced.

As a result we are seeing a trend where it’s now easier for technically skilled people to become successful criminals, and professional criminals are using digital methods very effectively. Ransomware attacks have also been added to most exploit kits, which attack PCs through drive-by downloads, without any human intervention at all.

How does it catch users out?

While using cleverly-worded emails has been the tool-of-choice for would-be attackers for some time, there are other ways to infect users that are equally effective.

Nearly all strategies rely on user behaviour. Either a phishing email convinces the user to open an attached file, they are directed to a seemingly legitimate site, or they are surfing the web for news or a subject of interest and click on the wrong thing. Advanced Threat Detection software can help to protect against some of these attack vectors, but it won’t help you when the infection lives on the internet.

When it comes to email, attackers are getting smarter, and instead of asking you to open an attachment that is too easily blocked or interrogated, they instead send users to a fake website where the infection is delivered.  Email security programs go to great lengths to authenticate websites, ensuring the URL “matches” the domain of the sender, comparing the site against known spurious websites, checking for valid certificates, and so on.  But sites can contain redirects, and in most cases, the problem isn’t the security software, it’s the user.  The reason to open is compelling, and they click on the link.
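The link checks described above, and the reason redirects weaken them, shown as an added example that is not part of the original article. The domain names, blocklist and redirect table are constructed sample data; the redirect table stands in for the `Location` headers a gateway would record when it resolves a link.

```python
from urllib.parse import urlsplit

# Constructed sample data (assumptions, not from the article).
BLOCKLIST = {"payload.example.net"}
REDIRECTS = {
    "https://news.example.com/invoice": "https://cdn.example.org/r?id=7",
    "https://cdn.example.org/r?id=7": "http://payload.example.net/doc.js",
}

def host(url):
    return (urlsplit(url).hostname or "").lower()

def same_org(h, sender_domain):
    """True when host h is the sender's domain or a subdomain of it."""
    return h == sender_domain or h.endswith("." + sender_domain)

def resolve_chain(url, redirects, max_hops=5):
    """Follow recorded redirects offline; return every URL visited, in order."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        if nxt in chain:  # redirect loop, stop here
            break
        chain.append(nxt)
    return chain

def check_link(sender, url, redirects=REDIRECTS, blocklist=BLOCKLIST):
    """Return the findings for one link in one message, over the whole chain."""
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    chain = resolve_chain(url, redirects)
    findings = []
    if not same_org(host(chain[0]), sender_domain):
        findings.append("first hop does not match sender domain")
    for hop in chain[1:]:
        if not same_org(host(hop), sender_domain):
            findings.append(f"redirects off-domain to {host(hop)}")
    for hop in chain:
        if host(hop) in blocklist:
            findings.append(f"blocklisted host {host(hop)}")
        # Certificate validation needs a live connection; the scheme check
        # is a stand-in so the example runs offline.
        if urlsplit(hop).scheme != "https":
            findings.append(f"no TLS on {host(hop)}")
    return findings

def first_hop_only(sender, url, blocklist=BLOCKLIST):
    """The weaker check: looks only at the URL as written in the email."""
    return check_link(sender, url, redirects={}, blocklist=blocklist)
```

On the sample data the first-hop check returns no findings for a link that matches the sender's domain, while the full-chain check reports the off-domain redirects and the blocklisted final host.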

What can users do to protect themselves?

The growth in ransomware attacks is expected to expand to other platforms such as Macs, smartphones, and IoT endpoints, and the most successful iterations of ransomware will evolve to stay ahead of defenses. Users should deploy multiple layers of protection to give them the best chance of keeping their networks secure. These include the so-called secure trinity of Next Generation Firewalls, Email Security and Backup, providing:

  • Advanced Threat Detection: executes suspicious or unknown files in a sandbox environment before they are forwarded to the user.
  • Web filtering: prevents drive-by downloads and “phone home” activity with a web security gateway or other secure web filtering solution.
  • Email protection on premise and in the Cloud (e.g. O365): identifies and stops email messages that carry ransomware and other attacks before they get to the inbox.
  • Security policies: disable Office macros and other potential means of attack.
  • Data backups: keeping good backups of all data, and having a disaster recovery plan in place to recover from ransomware.

Cybercriminals don’t care who they target with ransomware, as long as the victim is willing to pay.  All sizes of organisations have been targeted, with the health care and public sectors taking an especially heavy hit recently. However, while ransomware continues to evolve, it doesn’t mean users can’t protect themselves effectively. A combination of a layered security approach and educating users/employees offers the best approach to remaining ransomware free.

About Wieland Alge

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
