Elsevier

Network Security

Volume 2016, Issue 10, October 2016, Pages 8-17
Ransomware Special
Ransomware: taking businesses hostage

https://doi.org/10.1016/S1353-4858(16)30096-4

Cybercrime has its fashions. As technologies evolve and defences improve, so hackers and cyber-criminals modify their methods of attack. We're currently seeing a burgeoning in the use of ransomware, the digital form of blackmail in which your computer is effectively taken hostage. And both the nature of the chief targets and the ways in which they are being attacked are changing quickly as criminals spot new opportunities for extorting money.

Europol recently declared ransomware to be the biggest cyber-threat facing European businesses and citizens.

A large proportion of organisations have been affected at some time, with cyber-criminals apparently turning their attentions to those that are most vulnerable, such as hospitals. The ransomware itself is evolving too, and while some of it is poorly executed, the most advanced strains show great sophistication. Steve Mansfield-Devine explores the nature of the threat and how businesses should respond.

The rise of ransomware

In its ‘Internet Organised Crime Threat Assessment’ (IOCTA 2016) report, Europol classed ransomware as the “dominant concern for EU law enforcement”.1 Other reports presented a similarly bleak outlook. In its ‘McAfee Labs Threats Report’ for Sept 2016, Intel Security said it had seen a 127% rise in ransomware malware samples over the past year.2

Meanwhile, Trend Micro found that 44% of businesses it surveyed had suffered at least one ransomware infection in the previous two years, with 27%

Targeting businesses

As well as growing, ransomware is also evolving, both technically and in terms of targets. “During recent years we have seen a shift in ransomware targets from individuals to businesses, which offer attackers larger monetary gains,” says the recent McAfee Threats report.

“Cyber-criminals go where the money is and 2016 has shown them that large organisations that aggregate valuable data including financial, HR and health records are too rich to ignore,” says Tom Patterson, VP for global security

Hitting healthcare

The McAfee report picks up on a trend that had already been noted by many in the industry. First there was a shift by ransomware operators towards targeting small businesses with reasonably large attack surfaces but with poor security and little in the way of resources (such as daily back-ups) that would help them recover from an attack. Then the attackers seemed to form a preference for one sector in particular – healthcare.

Without looking into the minds of ransomware operators we can only

Special attention

Local governments have also come in for special attention. The motivations may have been quite similar in that such organisations typically run on systems that aren't exactly at the leading edge – indeed, much of the infrastructure is old enough to be classed as ‘legacy’. Security skills are usually thin on the ground. And local governments run services that have significant impact on people's lives, making any interruption embarrassing and thus encouraging them to pay up.

In Sept 2016,

In the news

Cyber-criminals often exploit topical events to spread malware. Disasters, celebrities and major sporting events are effective ways of luring victims into visiting malicious websites or downloading dubious apps because curiosity so often trumps caution. It's not surprising then that researchers have found ransomware writers looking to cash in on current events.

On the day of the first US presidential debate, malware and computer forensics specialist Lawrence Abrams trawled the Internet looking

Technical evolution

In many ways, the technical developments in ransomware have been less marked than the switch in targets. The ‘typical’ piece of ransomware (if one can use that term) will encrypt the files in certain directories on the hard disk that normally hold a user's personal files, photographs (often more highly valued by victims than documents), videos, music and so on. Generally, the malware will leave the computer in an otherwise usable state – after all, it's important that you are able to log on to
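The behaviour described above (personal directories rewritten with encrypted content while the machine stays usable) is what a simple host-side detector can watch for. The following is an added example, not code from the article: it flags files under the usual user directories whose byte entropy looks like ciphertext rather than documents, and raises an alert once several appear. The directory names, the entropy threshold and the alert count are assumptions chosen for the illustration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Directories the article names as the usual targets: a user's documents, photos, videos, music.
USER_DIRS = ("Documents", "Pictures", "Videos", "Music")
ENTROPY_THRESHOLD = 7.5   # bits/byte (assumed); text and office documents sit well below this
MIN_SUSPECT_FILES = 3     # number of ciphertext-like files before alerting (assumed)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. 8.0 is the maximum and is only approached by random or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_user_dirs(home: Path, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Return files under the personal directories whose content looks encrypted."""
    suspects = []
    for sub in USER_DIRS:
        d = home / sub
        if not d.is_dir():
            continue
        for p in sorted(d.rglob("*")):
            if p.is_file() and shannon_entropy(p.read_bytes()) >= threshold:
                suspects.append(p)
    return suspects


def assess(home: Path) -> dict:
    """Summarise a scan: how many suspect files, and whether that crosses the alert line."""
    suspects = scan_user_dirs(home)
    return {"suspect_count": len(suspects),
            "alert": len(suspects) >= MIN_SUSPECT_FILES,
            "paths": [str(p.relative_to(home)) for p in suspects]}


def build_sample_home() -> Path:
    """Constructed sample home directory: two plain documents plus three 'encrypted' files."""
    home = Path(tempfile.mkdtemp())
    (home / "Documents").mkdir()
    (home / "Pictures").mkdir()
    (home / "Documents" / "notes.txt").write_bytes(b"Quarterly report draft. " * 200)
    (home / "Pictures" / "readme.txt").write_bytes(b"holiday photos\n" * 100)
    for name in ("budget.xlsx.locked", "cv.docx.locked", "photo.jpg.locked"):
        (home / "Documents" / name).write_bytes(os.urandom(4096))  # stands in for ciphertext
    return home
```

Entropy alone misreads already-compressed formats (ZIP, JPEG bodies), so in practice this is one signal among several, typically combined with a burst of renames and the appearance of a ransom note.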

Cost of an attack

“Ransomware is damaging to businesses because it can completely bring their operations to a halt,” says Wright at Duo Security. “Too often, we see reports of organisations getting infected with ransomware, not having tested back-ups in place, and being forced to pay the ransom in the hopes of getting their data back. The other aspect that makes ransomware so damaging is how widespread the attacks can be. Everyone is a target. Traditionally, attackers needed to find a buyer who would value the

Fighting back

No More Ransom (nomoreransom.org) is an initiative created by Kaspersky Lab and Intel Security in co-operation with Europol and the Dutch National Police to fight ransomware.12 It offers guidance on how to avoid malware infections and what to do if they happen. And it is acting as a central distribution point for those decryption keys that have been discovered by security companies and researchers. At the time of writing, four decryption tools – decryptors – were available that made use of such

Countermeasures

The standard protections – keeping all software fully patched and running an anti-malware package – will work against ransomware that relies on vulnerable software. However, a significant proportion of ransomware attacks use social engineering techniques, most commonly via phishing attacks. Guarding oneself against such methods requires a level of security awareness and vigilance that seems to be sorely lacking both in the general population and within businesses. And so we can be confident

Containing the problem

“The most effective defence to protect against any form of ransomware is to consider some form of containment strategy, such as micro-segmentation, which allows enterprise managers to effectively divide their physical networks into hundreds or thousands of logical micro networks, or microsegments,” says Patterson. “This limits the spread of ransomware within an organisation, as well as protects the known-good files from takeover. Micro-segmentation works at the Internet packet level,

Paying up

When you're faced with that screen demanding money with menaces, should you give in and pay? If you can't restore your systems – say, from back-ups – you may feel you have no option. But this isn't necessarily going to help.

In a public service announcement released by the FBI in September 2016, the agency urged victims to contact law enforcement and stated: “The FBI does not support paying a ransom to the adversary. Paying a ransom does not guarantee the victim will regain access to their data;

Conclusion

So how is the ransomware issue likely to develop?

“As enterprises evolve toward hyper-connectivity we will see ransomware evolve to be utilised and distributed much more effectively through mobile and the cloud, with popular cloud-based applications being subject to the next wave of attacks,” reckons Patterson. “Hackers will transform their approach to affect a much more varied and unknowing user base that will find it increasingly difficult to react to breaches of this nature. This approach to

About the author

Steve Mansfield-Devine is a freelance journalist specialising in information security. He is the editor of Network Security and its sister publication Computer Fraud & Security. He also blogs and podcasts on infosecurity issues at Contrarisk.com.

References (16)

  • Europol. ‘Internet Organised Crime Threat Assessment 2016’.
  • Intel Security. ‘McAfee Labs Threats Report: September 2016’. Sep 2016.
  • Trend Micro. ‘The reign of ransomware’.
  • Ronghwa Chong. ‘Locky ransomware distributed via DOCM attachments in latest email campaigns’. FireEye, 17 Aug 2016.
  • NHS Digital. ‘New service to manage cyber-security threats in health and care’. 3 Sep 2015.
  • Proofpoint. ‘MarsJoke ransomware mimics CTB-Locker’. 23 Sep 2016.
  • Lawrence Abrams. ‘The Donald Trump Ransomware Tries to Build Walls around your Files’. Bleeping Computer, 26 Sep 2016.
  • Paul Ducklin. ‘New ransomware with an old trick: Petya parties like it's 1989’. Naked Security, Sophos, 4 Apr 2016.
