The rapid rise of ransomware

Ransomware is on the rise, increasing three-fold from 1000 attacks a day in 2015 to 4000 attacks a day in 2017. As WannaCry and Petya have highlighted, ransomware is without doubt one of the three most malicious and most visible forms of cyberattack, impacting every industry sector and society at large. The right security measures must be put into place in order to ensure businesses, their employees, customers and the general public are kept safe.

The proliferation of ransomware comes as a direct result of its high monetary return on investment. With more valuable information readily available on the web, hackers are using this as a means to steal data, lock out users and then ransom back access, all with the goal of a sizable pay packet at the end. Hacktivists target organisations around the world, representing myriad industry segments and businesses of virtually every size.

This tactic continues to play on human and technical weaknesses, leveraging increased device usage and the ever-present supply of both known and unknown vulnerabilities in corporate networks to latch on to. SMEs as well as big corporates are increasingly and specifically targeted by ransomware-type malware, including Locky, Cryptolocker, CoinVault and CTB-Locker.

This increasing headache is being felt across sectors, with healthcare and industrial networks in the firing line due to their vast datasets and personally identifiable information, which is priceless online. Serious damage, up to and including loss of life in the most extreme case, could be a direct consequence of ransomware if hackers can get their hands on, and lock down, critical infrastructure.

Indeed, as the recent NHS attack proved, hospitals are probably the perfect target for ransomware. Without quick access to drug histories, surgery directives and other information, patient care can be delayed or halted, which quickly puts hospitals into a critical ‘state of emergency’ and makes them more likely to pay the ransom rather than risk delays that could result in deaths and lawsuits.

Medical information can also be worth 10 times more than credit card numbers on the deep web. Fraudsters can use this data to create fake IDs to buy medical equipment or drugs, or combine a patient number with a false provider number and file fictional claims with insurers. Consumers often discover their credentials have been stolen long after fraudsters have used their personal medical ID to impersonate them and obtain health services. This means medical identity theft is not immediately identified by a patient or their provider, giving criminals ample time to maximise the use of such credentials; this is the opposite of credit card data, which tends to be quickly flagged and cancelled by banks.

The Petya and WannaCry attacks also made another thing clear: organisations are continuing to rely on ageing computer systems that do not use the latest security features. NHS hospitals, for example, are using legacy systems, often Windows systems over 10 years old that have not seen any patches. Early reports suggest that the Petya ransomware uses the same software exploit in Microsoft products that WannaCry was able to exploit, further highlighting the need to update old systems vulnerable to attack.

Protecting an organisation

So how can organisations protect themselves? The industry consensus is that there is no silver bullet when it comes to ransomware. However, there are a number of golden rules to consider.

Every organisation must implement good cyber hygiene across devices and servers: patching and updating systems is one of the most important cyber security procedures to implement. Updates address software vulnerabilities and help maintain security against hackers. Once vulnerabilities are publicly announced, the information is available to anyone, including cyber threat actors, and must be acted upon immediately.

Then, organisations must back up all data in a robust manner, and do so continuously. If this is done correctly and regularly, businesses will be at less of a risk should they fall victim and be locked out of their files. This includes maintaining offsite backups so any ransomware-infected systems can be wiped and restored, and continually testing all backups so that no information can be lost.
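The "continually testing all backups" rule above can be turned into a routine check. The following is an added example, not code from the article or from Maintel: it records a SHA-256 manifest of each backup at the time it is taken, keeps that manifest apart from the backup set (standing in for the offsite copy), and later reports any backup that is missing, has changed on disk (as it would if encrypted in place) or is older than the assumed 24-hour policy. The file names, payloads and the one-day age limit are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path
from typing import Dict, Optional

MAX_AGE_SECONDS = 24 * 3600  # assumed policy: a backup older than a day is reported as stale


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large backup images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path, manifest_path: Path) -> Dict[str, str]:
    """Hash every file in the backup set and store the manifest at a separate location."""
    manifest = {p.name: sha256_of(p) for p in sorted(backup_dir.iterdir()) if p.is_file()}
    manifest_path.write_text(json.dumps(manifest))
    return manifest


def verify_backups(backup_dir: Path, manifest_path: Path, now: Optional[float] = None) -> Dict[str, str]:
    """Return {filename: 'ok' | 'missing' | 'modified' | 'stale'}; anything but 'ok' needs attention."""
    now = time.time() if now is None else now
    expected = json.loads(manifest_path.read_text())
    report = {}
    for name, digest in expected.items():
        p = backup_dir / name
        if not p.exists():
            report[name] = "missing"
        elif sha256_of(p) != digest:
            report[name] = "modified"  # content differs from when it was taken, e.g. encrypted in place
        elif now - p.stat().st_mtime > MAX_AGE_SECONDS:
            report[name] = "stale"
        else:
            report[name] = "ok"
    return report


def demo() -> Dict[str, str]:
    """Constructed scenario: two backups, one later overwritten to mimic in-place encryption."""
    backups, offsite = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    (backups / "db-monday.sql.gz").write_bytes(b"constructed backup payload 1")
    (backups / "files-monday.tar.gz").write_bytes(b"constructed backup payload 2")
    manifest = offsite / "manifest.json"
    write_manifest(backups, manifest)
    (backups / "files-monday.tar.gz").write_bytes(b"\x00constructed junk standing in for ciphertext\x00")
    return verify_backups(backups, manifest)
```

Running `demo()` reports the database backup as `ok` and the overwritten archive as `modified`; pointing `verify_backups` at a copy restored from the offsite location is the restore test the article calls for.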

And finally, never pay. There has been much debate in recent years as to whether businesses should cough up the money for right of access or not. Simply put, payment should never be considered for ransomware or DDoS attack disruptions. Once payment is made, there is no guarantee that such valuable data will be released, and organisations will most probably be out of pocket and still without the lost data. By paying, victims are also fuelling their assailant, enabling them to continue their extortion and hit other victims with even more malicious ingenuity.

When considering the right cybersecurity measures and technology solutions, it is critical to understand that technology alone cannot solve or entirely remove cybersecurity risks. Traditional security approaches are no longer sufficient to thwart ransomware attacks. Advanced models using next-generation firewalls, layered security and proactive threat intelligence are a requisite. For large organisations, a 24/7 security operations centre run by highly skilled technical engineers is now a necessity. These security teams must deploy wide-spectrum anti-malware and cloud-based threat protection services, ensure every device has up-to-date anti-malware tools to block attacks, use threat intelligence services in order to track polymorphic attacks and use carrier-grade DDoS mitigation services to protect IT as close to the source as possible. Whether in-house or outsourced, it is critical to have the right personnel in place who are familiar with how to approach, implement and execute the right security solutions to protect businesses.

Jean-Frederic Karcher, Head of Security, Maintel