After the unprecedented WannaCry cyber attack in May 2017, ransomware has moved from an issue primarily discussed by information security professionals to a persistent topic in newsrooms and boardrooms across the country. It's safe to say that no information security concern has demanded more attention from organizations than ransomware.
As a result, most members of the C-Suite are trying to understand how ransomware started and what it means for their business. This post gives a brief overview of the history of ransomware and highlights a few important actions an organization should take to protect itself from future attacks.
A Brief History of Ransomware
The evolution of ransomware from an ineffective nuisance to a sophisticated, lucrative business tool for criminals has been impressive, to say the least.
1. Ransomware 1.0 (2008-2014)
The early incarnations of ransomware were little more than a nuisance for most organizations. Upon infecting a system, the malware simply "locked" the computer screen and displayed a message, usually purporting to come from law enforcement, threatening action if a fine was not paid within a defined time period. Computers infected with this early type of ransomware were not really disabled, and law enforcement would not be arriving anytime soon.
Most anti-virus products could remove the infection and undo whatever changes it had made. In addition, the payment options were cumbersome for most victims, if they chose to attempt to comply. As a result of these limitations, ransomware's "scareware" tactic was pretty much a failure.
While the first version of this threat produced a very low return on investment, it was obvious that the concept had potential. However, for this attack vector to bear fruit, the attackers needed to create a sense of urgency that forced action by those infected.
2. Ransomware 2.0 (2014-Present)
Since its initial iteration, ransomware has certainly overcome those initial shortfalls! The current ransomware families (there are many different variants) have exceeded even the most motivated fraudster’s expectations.
Ransomware has quickly established itself as the predominant malware threatening most organizations. PhishMe reported that 93 percent of phishing emails carried ransomware in Q1 of 2016 [1].
The ransomware attacks cybersecurity pros are currently combatting encrypt everything they can reach with strong, properly implemented cryptography that cannot be broken without the attacker's key: local user-created files, network shares to which the infected user account has modify rights (often the source of the greatest damage), and any locally attached USB drives. Local system backups (volume shadow copies) are typically deleted outright so they cannot be used for recovery.
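Two of the behaviours just described are observable on the endpoint before the ransom note appears: the deletion of volume shadow copies, and a single process writing a burst of files with one new extension. The following detection logic is an added example, not code from the original post. The event records are constructed, in a Sysmon-like shape (event 1 = process create, event 11 = file create), and the threshold and window values are assumptions to tune per environment.

```python
"""Detection logic for shadow-copy destruction and mass-write bursts.
Added example, not from the original post; all events are constructed."""
import os
import re
from collections import defaultdict

# Commands ransomware families commonly run to destroy local recovery points.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
]


def _constructed_events():
    """Constructed sample: one shadow-copy wipe, 25 files written as .locked
    by the same process within 25 seconds, and benign explorer.exe activity."""
    events = [
        {"id": 1, "time": 100, "pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
         "cmdline": "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
        {"id": 1, "time": 101, "pid": 1200, "image": r"C:\Windows\explorer.exe",
         "cmdline": "explorer.exe"},
    ]
    for i in range(25):
        events.append({"id": 11, "time": 102 + i, "pid": 4120,
                       "target": rf"C:\Users\alice\Documents\report{i}.docx.locked"})
    for i in range(3):
        events.append({"id": 11, "time": 150 + i, "pid": 1200,
                       "target": rf"C:\Users\alice\Documents\notes{i}.docx"})
    return events


SAMPLE_EVENTS = _constructed_events()


def shadow_copy_deletions(events):
    """Process-create events whose command line destroys recovery points."""
    return [e for e in events if e["id"] == 1
            and any(p.search(e["cmdline"]) for p in SHADOW_DELETE_PATTERNS)]


def mass_write_bursts(events, threshold=20, window=60):
    """Map (pid, extension) -> peak count for processes that create at least
    `threshold` files with the same extension inside any `window` seconds."""
    times = defaultdict(list)
    for e in events:
        if e["id"] == 11:
            ext = os.path.splitext(e["target"])[1].lower()
            times[(e["pid"], ext)].append(e["time"])
    hits = {}
    for key, ts in times.items():
        ts.sort()
        start, best = 0, 0
        for end, t in enumerate(ts):  # sliding window over sorted timestamps
            while t - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[key] = best
    return hits


def triage(events):
    """Combine both detections into human-readable alert strings."""
    alerts = [f"shadow copy deletion: pid {e['pid']} ran {e['cmdline']!r}"
              for e in shadow_copy_deletions(events)]
    alerts += [f"mass write: pid {pid} wrote {n} '{ext}' files"
               for (pid, ext), n in mass_write_bursts(events).items()]
    return alerts


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The shadow-copy rule is high fidelity on its own and is worth an automatic response (isolate the host) rather than a ticket; the mass-write rule needs a per-process baseline, because backup agents and build tools legitimately write many files of one type.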
Ransomware in the Age of Cloud-Computing
In addition, an undocumented “feature” of most current ransomware variants is that cloud-based storage is also at risk.
Here's how: cloud storage clients synchronize the user's local files to the provider. If ransomware encrypts the local copies of files that are scheduled for synchronization, and the provider does not keep earlier versions of each file, the encrypted copies are synchronized up and the cloud copies are lost as well. Check whether your provider's version history and retention window are long enough to recover from an infection that may go unnoticed for days.
By performing a detailed analysis of ransomware samples, we have been able to determine that current attacks are geographically targeted: certain countries are attacked while infections in others are excluded, based on the location of the computer.
Additionally, because price tolerance (and the likelihood of payment) differs between countries, the ransom demanded varies with the location of the infected machine.
Further, the attackers' "market analysis" has identified which file types infected users are most likely to pay a ransom to recover.
How to Protect Your Organization from Ransomware Attacks
Ransomware has become a big business, indeed. While there is no single control you can deploy to ensure you are protected, here are three tactics you can implement together to help prevent or detect future ransomware attacks:
- Ensure you have a mature and tested data backup process: backups must be stored where an infected account cannot modify them, and restores must be rehearsed, not just assumed to work.
- Develop a vulnerability and patch management process for your assets. WannaCry spread through an SMB vulnerability that Microsoft had patched (MS17-010) two months before the attack.
- Limit the network file shares that users can modify. An infected account can only encrypt what it can write to, so each share a user does not need is damage that cannot happen.
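The third tactic is the one most organizations have never measured: given one phished account, how many shares could it encrypt? The script below answers that question from group memberships and share ACLs. It is an added example, not the original post's code or checklist; the users, nested groups and ACL entries are constructed, and the evaluation is a deliberate simplification of Windows access checking (an explicit Deny of any write-class right on a share is taken to block writing to that share).

```python
"""Blast-radius check: which shares can one infected account modify, and
which shares grant write access to broad groups? Added example; the group
membership and ACL data below are constructed."""

# Constructed nested group membership: group -> members (users or groups).
GROUP_MEMBERS = {
    "Domain Users": ["alice", "bob", "carol"],
    "Finance": ["alice", "Finance-Leads"],
    "Finance-Leads": ["carol"],
    "IT-Admins": ["bob"],
}

# Groups that effectively mean "every phishing victim in the company".
BROAD_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}
WRITE_RIGHTS = {"Write", "Modify", "FullControl"}

# Constructed share ACLs: (share, trustee, access type, right).
SHARE_ACLS = [
    (r"\\fs01\Public", "Everyone", "Allow", "Modify"),
    (r"\\fs01\Finance", "Finance", "Allow", "Modify"),
    (r"\\fs01\Finance", "Finance-Leads", "Allow", "FullControl"),
    (r"\\fs01\Finance-Archive", "Finance", "Allow", "Read"),
    (r"\\fs01\Finance-Archive", "Finance-Leads", "Allow", "Modify"),
    (r"\\fs01\Software", "Domain Users", "Allow", "Read"),
    (r"\\fs01\Software", "IT-Admins", "Allow", "FullControl"),
    (r"\\fs01\HR", "Domain Users", "Allow", "Modify"),
    (r"\\fs01\HR", "alice", "Deny", "Write"),
]


def principals_for(user):
    """Expand a user into every name an ACL entry can match: the user, the
    implicit groups, and all groups reachable through nested membership."""
    result = {user, "Everyone", "Authenticated Users"}
    changed = True
    while changed:  # iterate to a fixpoint so nested groups resolve in any order
        changed = False
        for group, members in GROUP_MEMBERS.items():
            if group not in result and any(m in result for m in members):
                result.add(group)
                changed = True
    return result


def writable_shares(user):
    """Shares the account can modify, i.e. what ransomware running as this
    user can encrypt. An explicit Deny of a write-class right wins over Allow."""
    principals = principals_for(user)
    allowed, denied = set(), set()
    for share, trustee, access, right in SHARE_ACLS:
        if trustee in principals and right in WRITE_RIGHTS:
            (allowed if access == "Allow" else denied).add(share)
    return sorted(allowed - denied)


def broad_write_shares():
    """Shares where a broad group holds write-class rights: a single victim
    anywhere in the organization can encrypt these."""
    return sorted({share for share, trustee, access, right in SHARE_ACLS
                   if access == "Allow" and trustee in BROAD_GROUPS
                   and right in WRITE_RIGHTS})


def exposure_report():
    """Per-user count of writable shares, highest exposure first."""
    users = sorted({m for members in GROUP_MEMBERS.values() for m in members
                    if m not in GROUP_MEMBERS})
    return sorted(((u, len(writable_shares(u))) for u in users),
                  key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    print("Broadly writable:", broad_write_shares())
    for user, count in exposure_report():
        print(f"{user}: {count} writable shares -> {writable_shares(user)}")
```

In a real environment the same two functions would be fed from Get-SmbShareAccess output and group membership exported from the directory; the point is to review broad_write_shares() first, since shares writable by Domain Users or Everyone are the ones a single infection turns into a company-wide outage.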
Over the past few months, LBMC IS has partnered with leading law firms to discuss the technical and legal issues revolving around ransomware. Earlier this year, we developed a comprehensive ransomware protection checklist that outlines these ideas in detail and provides additional security recommendations.
If you want to ensure your organization is protected from ransomware cyber attacks, both today and in the future, you can download the checklist for free here.