It’s been a tough year so far for security professionals: A malware outbreak led to a record high for ransomware in the first quarter of 2016.
Eldon Sprickerhoff, founder and chief security strategist at eSentire, told Security Intelligence in an email that “malware evolution seems to be as rapid and cutthroat as any jungle environment, where survival and propagation go hand in hand. Authors have frequently co-opted functionality from different malware strains into the next generation of code — regularly sampling the efficacy and profitability of each generation.”
Security vendor Kaspersky Lab noted a 30 percent increase in ransomware victims this quarter compared to the one before. It even said the number of attacks may be higher than these statistics reflect since they only include signature-based and heuristic detections. Some ransomware exploits are blocked by software because of their profile and behaviors alone, and as a result are not included in the reported statistics.
Why this growth in ransomware specifically? What is it that makes it so attractive to cybercriminals? The simple answer, of course, is the money that it can produce and the direct path to profit it provides.
Let’s say a cyberattacker infiltrates a system and exfiltrates some sort of sensitive information, such as credit card numbers. The attacker is still faced with the task of monetizing that information. This involves identifying a market for it, gaining entry and then possibly offering information to unknown parties — some of whom may well be white-hat security workers. Sellers are possibly exposing themselves to authorities by the very act of participating in such a marketplace.
A ransomware exploit is a more direct way to payment. The victim uses a relatively anonymous digital currency to pay the ransom, as well as using a slightly less obvious Tor browser to connect to the criminal.
That is not to say this is a foolproof scheme by any means. Tor is not an anonymity panacea; it can be defeated by countermeasures, which can lead to the unveiling of the criminal’s identity.
The bitcoin payment avenue is also open to law enforcement efforts. For example, on May 7, the founder of an online underworld bank that had allegedly laundered billions of dollars for criminals from 2005 to 2013 was sentenced to 20 years in prison, SecurityWeek reported. Such banks may work for a time, but their continued operation often leads to prosecution.
While the current statistics show a rise in ransomware, it may be a surprise to learn that it is not yet the most common form of malware.
Enigma Software reported that after staying steady for the last six months of 2015, ransomware detection began to climb: February saw a 19 percent increase over January, while March had almost a 10 percent increase over February.
Then, in April, infections more than doubled — so the future Q2 report may not be much better than Q1. To add insult to injury, the percentage of overall infections attributed to ransomware was the highest of any other month in the last three years.
I spoke with Ryan Gerding of Enigma Software about this. “It’s still infinitesimal compared to the other infections out there. Good old-fashioned adware — the kind that messes with your toolbar — as well as rogue anti-spyware are by far more prevalent than ransomware with about a 40 percent detection rate,” he said.
“Ransomware makes up less than one percent — 0.75 [percent], actually — of all of the infections that were detected on our customers’ computers. Nuisance infections — the kind that make your computer run more slowly — are far more prevalent at a 20 percent detection. But because they don’t steal and extort, they get a lot less attention.”
Gerdling also offered advice on dealing with the malware:”Don’t ever pay the ransom, for a couple of reasons: First, it proves to the bad guys that this mode of tricking you works. Second, there is no guarantee that you will get your files back. The best defense is to regularly back up your data. The other advice we offer to anyone — individual users or businesses — is to think about that link before you click on it. It’s the main way that criminals are getting these infections onto your computer.”
Another characteristic of ransomware, as Gerling alluded to, is that it depends on the victim not having an effective backup strategy. Having one means the entire ransomware strategy can be easily defeated. Cybercriminals assume that the discipline needed for such a strategy is not there, and too many times they are right.
The crisis that is a ransomware attack is but one reason a backup and restoration policy has to be in place. Computers are machines, and therefore are subject to the hardware mishaps that inevitably occur. Without a way to respond to failure andprotect against threats, data will be lost — regardless if the cause is ransomware or a hard disk crash. Ransomware just highlights the perils of not having this effort present.
Ransomware is a dramatic attack, replete with splash screens flouting the skull-and-crossbones and ransom notes. But it can be defeated by any user who carries out what should be done in any case: by having a reliable backup and restore method active.