Skip to main content

Pay up: An examination of ransomware’s ascension and propagation

(Image credit: Image Credit: WK1003Mike / Shutterstock )

Though the WannaCry ransomware attack in the spring of 2017 is notorious, it was the Locky attack one year earlier that first captured the collective anxiety of experts when it ransomed the Hollywood Presbyterian Medical Center. 

Locky continued to collect victims throughout 2016 before seeming to go dormant. For reasons that no one could explain but that everyone could endorse, the Locky threat seemed to be slowly embracing its own demise.

Then, in August 2017, Locky roared back onto the scene. Millions of phishing emails infected with the ransomware were distributed, some containing newer and stronger strains. Since then, the frequency and scale of the attacks have repeatedly and chaotically spiked and fallen. Experts think the peculiar strategy employed by the Locky creators has to do with the sophistication of the underlying code — the application architecture rivals that of major software solutions. 

Still, researchers haven't cracked the cryptography that it relies on. And during those periods when the attack frequency lulls, many believe that it's likely because the developers are working on the code and refining attack strategies, making Locky stronger, sneakier, and more sophisticated. 

Why ransomware is such a persistent threat 

For ransomware attacks, the size of the average payout has increased, as has the total number of ransomware families and the tenacity of the attackers. This rapid growth boils down to simple economics: Unlike other cyberattack forms, ransomware is inexpensive to develop, easy to distribute, and consistently lucrative. 

In fact, a ransomware ecosystem has been created that makes it even more brutal and effective. The process is simple: One group locates security flaws, another develops the tools to exploit them, and a third deploys the ransomware through malware delivery systems — all of them profiting along the way with little concern about being punished. While some of these groups, like the Locky group, operate hermetically and treat their ransomware just as they would any other intellectual property, others are happy to produce the tools and then sell them on the open market to the highest bidder. 

How ransomware is evolving 

As ransomware becomes more lucrative, the product, capabilities, and business model behind ransomware cyberattacks will become more evolved and produce deeper damage. 

Beyond the sophistication of the ransomware itself, though, these cyberattacks ultimately succeed for two reasons: They are difficult to spot, and they are relentless. Identifying an email containing tomorrow's (or yesterday's) ransomware is not easy. The average inbox can be bombarded by attacks, wearing down the attention or the resolve of even the most suspicious users.

For example, when people used to receive malware from another country, they might recognize the choppy syntax or the incorrect diction in the English message, which nearly everyone knows is a red flag for suspect email. Fast-foward to today where ransomware attackers utilize sophisticated writers who spend their time creating a believable story with an embedded link, and the victim is far more likely to be baited into clicking on that link and initiating the malware. This shift toward a more realistic delivery mechanism is part of what makes ransomware so dangerous. 

Ultimately, all of this is bad news, with attacks becoming more common and costly in the years to come. 

The best protection practices 

The fundamental problem with ransomware and cyberattacks in general is that no one can predict how the next one will occur. Nevertheless, information security leaders can follow some best practices to ensure that their organizations attain the highest levels of protection possible. 

To begin with, leaders should understand that a general IT security strategy is not enough. Organizations must develop a plan that focuses on the right vulnerabilities and deals with ransomware specifically. Though ransomware can be downloaded from a website, uploaded from a flash drive, or delivered through an unpatched flaw in the system, email is by far the most common point of attack. Thus, this plan should devote and outline cybersecurity resources to target the point of greatest impact (email) and identify the policies to follow if ransomware is detected. Not only does a systematic approach save time, but it also guides decision-making in crisis moments when good judgment may be clouded by stress.

With a plan in place, leaders should then take several security steps, including relying on frequent multigenerational offline backups, installing patches and updates, and using an email security solution that relies on multilayer filtering. Even though data backups are essential to mitigating a ransomware attack, ransomware strains are now able to navigate a network and seek out backup depositories, making consistent multigenerational offline storage practices one of the only ways to help protect your organization from this threat. 

As far as installing patches go, this can be a daunting process. But ransomware can't exploit vulnerabilities that don't exist, and teams that rely on cloud infrastructure with automatic updating can be relieved of a lot of this burden. With inbox filters, teams should look toward a next-generation email defense solution that includes multilayered filtering that automatically removes suspect emails from the regular email flow. Additional protection using attachment sandboxing and time-of-click URL inspection should be implemented as part of the email threat protection solutions. That way, the threat is isolated before distracted users are tempted to open malicious emails. 

While many of the security protections IT security leaders can take happen behind closed doors, the front end of the cybersecurity process — your people — present a great opportunity for enhanced protection. Training users to spot ransomware emails and to generally practice sound email security significantly reduces incident rates. Users should also be encouraged to report anything suspicious messages or any break from protocol to the IT department. 

As ransomware threats continue to evolve, previous prevention strategies will become less effective. Staying ahead of the curve requires vigilance and a willingness to update and reinvest in security measures, and leaders who ensure their teams follow these best practices help foster a comprehensive approach to protection that can combat the dynamic cyber landscape. If and when a ransomware attack takes hold, preparing today can prevent perishing tomorrow.  

Dena Bauckman, Senior Technology Strategist at Zix (opens in new tab) 

Image Credit:  WK1003Mike / Shutterstock 

Dena Bauckman has 20 years of IT security experience. She is a senior technology strategist at Zix, an email security leader, and has held CISSP certification for 10 years.