Ransomware is without doubt the malware-du-jour, hitting the headlines nearly as often as it hits businesses, and there's plenty of rumour, conjecture and downright FUD around in consequence.
Although it’s been around as a concept for years, criminals have intensively refined their plan of attack. Both the malware itself and the methods by which it is spread have been refined, and therefore most businesses are at risk. Most tellingly, hackers have engineered the post-infection path for businesses meticulously, providing 24/7/365 support desks and detailed FAQs to ensure their conversion rate is high.
We got the opportunity to quiz Datto EMEA MD Andrew Stuart about this ongoing threat, and most importantly, what to do to mitigate it.
Why are we hearing so much about ransomware recently? What's the latest?
Well, ransomware has really hit the headlines recently, with a string of enterprises and institutions lining up to confess they’ve been infected. Hosted desktop and cloud provider VESK said it paid 29 Bitcoins (£18,600) to hackers in late September, while nearly 30 NHS trusts have become victims of ransomware attacks in the past 12 months, according to a FOI request.
Children’s charity Comic Relief have also been targeted, while the Indian Forest Department suffered an attack and were forced to delete the encrypted data rather than pay out.
How has ransomware developed as a threat in the last 6 months?
Obviously ransomware isn’t a new threat, it really became prominent in 2013 with CryptoLocker, but there have been considerable ‘improvements’ since then, making it a real threat for enterprise as a whole. The early strains of ransom malware weren’t particularly well engineered, cyber criminals often shared encryption keys between different variants or left the key in the code itself, so the security industry could easily reverse-engineer these and share the mitigation tactics.
However, the newer variants are much more robust, and these types of elementary error aren’t present anymore. In parallel, we’ve seen a decreasing tolerance for business downtime, so enterprises that previously would have been unconcerned by several hours of data unavailability are now the opposite. Even small enterprises have become much more aware of the value of data, whether that’s actual customer information, or more incidental, transactional information which can be leveraged and segmented to increase effectiveness.
The threat of losing this is now a significant business risk for a far wider range of companies than ever before.
What are the major themes in terms of business risk? How have these changed recently?
We’ve seen a vast increase in enterprises and individuals paying out as a result of a ransomware attack. This has encouraged criminals to pursue ransomware as a revenue stream, and has led to some of the technical improvements I’ve mentioned already. Criminals have really zeroed in on the requirement to ensure the highest success possible post-infection, so have created impressively detailed support systems to ensure non-technical victims are guided through the process.
For example, researchers found that the hackers behind the ‘Cerber’ malware had created a convenient support form, which provides individual responses to victims’ queries within 24hours. Of course, given the success of ransomware, it’s no surprise that ‘ransomware as a service’ is booming. Now criminals with very little technical skill can simply buy a malware kit and associated support packages on the dark web. This has lowered barriers to entry, so now pretty much anyone with criminal intent can get established in the ransomware business for a few pounds.
This is one of the reasons that email Spam volumes are currently at their highest volumes since mid-2010 - ransomware is mostly spread via email.
What specific industry verticals and businesses are most at risk, and why?
It’s fairly certain that no sector or vertical is immune, but the major trends are in attacks against healthcare and education institutions. For example, one study found that out of of 58 UK universities, 23 said they had been attacked in the last year - Bournemouth University had been hit 21 times in the last 12 months alone. In a separate study, twenty-eight NHS Trusts said they had been affected.
Meanwhile, across the pond, ransomware attacks in America have increased in frequency by 300 per cent year on year in 2016, with 4,000 incidents a day now being reported.
What can enterprises do to mitigate ransomware attacks?
A layered approach is the best defence against ransomware, and should consist of a series of security best practices. Firstly, ensure that all software is up to date, and stays that way. Use a reputable anti-virus programme, and ensure it’s set to auto-update with new signatures as they’re issued. Educate your staff about the dangers of clicking links or opening attachments in unexpected emails, even from internal addresses or known contacts, for example.
Finally, and perhaps most importantly, ensure that there is a robust backup and recovery system in place. This latter will ensure that you can restore to a point-in-time before the ransomware infected your systems, so you can be certain everything is clean and the malware cannot be triggered again. The cost and scale of this will vary depending on the industry vertical in question, but basic systems are very keenly priced.
Are there specifics in terms of backup technology or practices that are necessary to achieve this?
Perhaps most importantly your backup system needs to suit your business architecture and needs, so if your business is entirely dependent on real-time data - say a trading exchange - then your recovery time needs to be very short indeed. Some data protection products today allow users to run applications from image-based backups of virtual machines, commonly called “recovery-in-place” or “instant recovery.”
This is particularly useful, because your business operations can continue while your primary systems are being restored and with little to no downtime.
Image source: Shutterstock/Carlos Amarillo