The growing threat of ransomware

Recent headlines are testament to the growing popularity of ransomware attacks on businesses and consumers alike. In January, for example, Lincolnshire County Council saw its computer systems shut down for four days after it received demands for a £1 million ransom. An attack on Hollywood Presbyterian Medical Centre in the United States the following month netted at least $17,000 in Bitcoin for the “data kidnappers” responsible, while, just recently, millions of Microsoft Office 365 users were exposed to a massive ransomware attack.

Indeed, during the first three months of 2016, the Infoblox DNS Threat Index, which tracks the creation of malicious domains worldwide, recorded a 3,500 per cent increase in observations of domains that either hosted malicious ransomware downloads or communicated with them once installed.

Low risk to reward ratio

According to independent researchers, there are now over 120 families of ransomware. Like most malware, ransomware will often establish itself through phishing or spear-phishing, leading to a user downloading an email attachment or clicking through to a malicious domain. Increasingly, it can also spread through infected online advertising networks, affecting users of “clean” sites.

First documented in 1989, ransomware is by no means a new technique. But its popularity has risen significantly recently, particularly in the first three months of this year, when the 35-fold increase in ransomware-related domains accounted for 60 per cent of all malware observed.

A major factor in this growth is undoubtedly the size of reward available to attackers using ransomware. Where once it was used to target consumers for a few pounds here and there, it is now regularly used to carry out more lucrative attacks on businesses, as illustrated by the earlier examples. And, as these increasingly profitable attacks continue to hit the headlines, so other criminals are inspired to carry out similar activity themselves.

The low risk to reward ratio is also an attraction. In the past, real-world transfer mechanisms such as PayPal were fairly straightforward for law enforcement agencies to track. Today, though, the ubiquity of cryptocurrencies such as Bitcoin means that criminals can reliably receive payments from their victims in complete anonymity.

Creating a perfect storm

In addition to increased profitability and lower risk, it is now far simpler for more people to participate in launching ransomware attacks. The commoditisation of online crime toolkits, for example, which offer services such as hosting, spamming and targeting, has created an industrial-scale marketplace for “crimeware as a service”.

Furthermore, with the wealth of data widely available on potential targets online, it has become easy for criminals to hit a lot of potential victims simultaneously. Indeed, the crypto malware itself will typically provide the criminal with some sort of information on their potential victim, allowing them to pick and choose who to hit. They are therefore able to easily target high-risk victims such as SMBs, hospitals, or accountants, where the value of the data held on the targeted computers is so high the attackers can demand a substantial ransom.

Attacks will be more likely to continue over a long period of time, as they become simpler to carry out at scale, even with occasional inevitable setbacks. Indeed, the relative cost of malicious infrastructure is now so low that it makes complete sense, from the criminal’s point of view, to scale up those activities that prove to have a return on their investment.

Taking defensive steps

In common with any malware, there are relatively straightforward defensive steps that businesses need to put in place to protect themselves against ransomware. They need to ensure that their security measures are as tight as they can be: for instance, that all their software is up to date, that their users observe best practice, and that their data is clean, protected, and backed up as often as possible. After all, without a clean back-up copy available, data is perpetually at risk.

Ransomware is clearly working. Lucrative, low-risk and easy to use, it’s highly likely that it will continue to grow in popularity. There’s no doubt we’ll see more instances of successful attacks hitting the headlines over the coming months and this, in itself, will continue to fan the flames.

If they hope to stem this growth, businesses must now take the steps necessary to protect against attacks and, more importantly, avoid rewarding the attackers.

Dr Malcolm Murphy, Technology Director, Western Europe, Infoblox