Ransomware: Insight into the rise of an illicit industry

Ready? The future is exciting.


Executive Summary

Ransomware is widely recognised as one of the biggest cyber security threats facing business today [1]. We need only consider the WannaCry and Petya attacks of May and June 2017, which affected nearly 100 countries and threw the UK health service into chaos, to understand how extensive, how damaging and how costly an attack can be.

Unfortunately, new delivery methods and strong encryption (practically unbreakable without the attacker’s key) have transformed ransomware into a booming business ecosystem, producing a 400% spike [2] in the number of new ransomware families and costing business around $75bn [3].

In fact, it has become such an efficient form of cyberattack that criminal groups now offer ransomware-as-a-service and sell do-it-yourself exploit kits.

While consumers and large enterprises have been hardest hit in terms of volume, a disturbing trend has emerged: small and medium-sized enterprises (SMEs) are a target. In less than nine months, the rate of ransomware attacks against businesses of any size rose from one every two minutes to one every 40 seconds [4]. The same report revealed that small and medium-sized businesses were hardest hit, with 42% of them falling victim.

Yet only 4% of businesses consider themselves ready to deal with an attack [5]. And, in today’s world, if you can’t get to your data, your business stops.

This article gives a practical overview of how ransomware works and provides information on the options and actions you can take to defend against it.

Ransomware is an issue but it can be controlled – businesses (of any size) just need to take the right measures to protect themselves.


1. Trend Micro: Security Predictions for 2017
2. Trend Micro: The Next Tier: 8 Security Predictions for 2017
3. The Atlantic
4. Kaspersky Security Bulletin 2016
5. Malwarebytes ‘State of Ransomware’ Report


Figure: anatomy of an email-borne ransomware attack

1. Attackers send spam email
2. Malware bypasses spam filter
3. Lands in user’s inbox
4. User clicks on malicious link
5. Malware is delivered
6. Attack moves across network
7. Data is encrypted
8. Ransom note delivered


What is ransomware?

Ransomware is a type of malware (malicious software) that prevents or limits users from accessing their data unless a ransom is paid. Modern ransomware families, collectively called crypto-ransomware, encrypt files on infected systems and demand a ransom, usually in a pseudonymous digital currency such as Bitcoin, in exchange for the decryption key. Only then will the data be decrypted.
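The behaviour that defines crypto-ransomware, rewriting many files with ciphertext in a short burst, is also its most observable one: encrypted output has near-maximal byte entropy, and the files often reappear under a new extension. The following Python detector is an added example, not code from the original page or from any vendor it mentions. It compares per-file entropy between a known-good baseline and a current snapshot and alerts when several files flip at once. The thresholds (7.5 bits per byte, five files) and the sample file names are assumptions chosen for illustration.

```python
from __future__ import annotations

import math
import os
from collections import Counter
from dataclasses import dataclass

# Assumed thresholds (not from the page): ordinary documents rarely exceed 6-7 bits
# per byte, while ciphertext and well-compressed data sit close to 8. Alerting only on
# several flips at once separates an encryption run from a user saving one zip file.
HIGH_ENTROPY = 7.5
MIN_FLIPS_FOR_ALERT = 5


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; 0.0 for empty or single-valued input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropies(files: dict[str, bytes]) -> dict[str, float]:
    """Entropy per file for an in-memory {path: content} snapshot."""
    return {path: shannon_entropy(content) for path, content in files.items()}


def snapshot_directory(root: str) -> dict[str, float]:
    """Entropy per regular file under `root`, keyed by path relative to `root`.
    Run once to record a baseline, then on a schedule to compare against it."""
    result: dict[str, float] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                result[os.path.relpath(full, root)] = shannon_entropy(fh.read())
    return result


@dataclass(frozen=True)
class Finding:
    path: str       # current path of the suspicious file
    original: str   # path it had in the baseline (same as `path` if not renamed)
    before: float
    after: float


def compare_snapshots(baseline: dict[str, float], current: dict[str, float]) -> list[Finding]:
    """Files that became high-entropy since the baseline, including the common
    rename-with-appended-extension pattern (report.docx -> report.docx.locked)."""
    findings: list[Finding] = []
    for path, after in current.items():
        if after < HIGH_ENTROPY:
            continue
        if path in baseline:
            if baseline[path] < HIGH_ENTROPY:
                findings.append(Finding(path, path, baseline[path], after))
            continue
        # New high-entropy file: does its name extend a baseline file that has vanished?
        for original, before in baseline.items():
            if path.startswith(original + ".") and original not in current and before < HIGH_ENTROPY:
                findings.append(Finding(path, original, before, after))
                break
    return findings


def should_alert(findings: list[Finding]) -> bool:
    return len(findings) >= MIN_FLIPS_FOR_ALERT


def demo() -> list[Finding]:
    """Constructed sample: six plaintext reports, then a post-attack state in which five
    were rewritten as ciphertext under a new extension and one was left alone."""
    text = b"Quarterly figures: revenue up, costs flat, headcount steady. " * 40
    before = {f"finance/report{i}.docx": text for i in range(6)}
    # Stand-in for ciphertext: every byte value equally likely, so entropy is exactly 8.0.
    cipher = bytes(range(256)) * 8
    after = {"finance/report5.docx": text}
    for i in range(5):
        after[f"finance/report{i}.docx.locked"] = cipher
    return compare_snapshots(entropies(before), entropies(after))


if __name__ == "__main__":
    hits = demo()
    for f in hits:
        print(f"{f.original} -> {f.path}: entropy {f.before:.2f} -> {f.after:.2f}")
    print("ALERT" if should_alert(hits) else "quiet")
```

Record the output of `snapshot_directory()` for a file share while it is known to be clean, rerun it on a schedule and pass both to `compare_snapshots()`. Archives and media files already sit near 8 bits per byte, which is why the check keys on the change from the baseline rather than on the absolute value; that is what keeps false positives down on real shares.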

At least, that is what attackers promise. Unfortunately, paying the ransom does not guarantee that users will get their data back: nearly half of those who pay never retrieve their data [6].

Ransomware gets into systems in many different ways, most commonly when unwitting users visit malicious or compromised websites or open attachments from spammed email. It can also be downloaded from malicious pages through ‘malvertisements’ or, as WannaCry demonstrated, it can even replicate itself from system to system, taking advantage of vulnerabilities in system software.

The ransomware landscape today

Ransomware attacks have caused unprecedented levels of disruption in recent years; the WannaCry attack in May 2017 was widely considered the biggest and most disruptive in history. Attacks are frequently launched using very simple yet effective tactics such as phishing (sending email that fools users into installing malware). Ransomware can be built using widely available open-source (free) tools, and attackers also abuse network administration software and operating system features as a means of infecting further systems.

Attackers have honed ransomware into a highly effective business model, combining strong encryption, delivery via vast email campaigns and payment methods that are hard to trace.

The ransomware business model

• Sophisticated malware designed to outwit users

• A modest ransom that makes rapid payment appear to be the most attractive resolution (though ransom values increased dramatically in 2016)

• Ease of payment – underground call centres and email response groups walk victims through the payment process and how to retrieve data

• Some attackers employ graphic artists and translators to craft clear demands and instructions in multiple languages

• Geolocation makes sure the right versions go to the right people

While consumers remain particularly at risk (69% of attacks in 2016 [7]), there is evidence of increasingly sophisticated and targeted attacks on businesses, using an initial single compromise that spreads across the network to infect multiple machines.

Phishing attacks via email are still the most favoured channel: 80% of successful ransomware used email as the first step [8]. This popularity is due to several factors: it is a proven attack method and it does not rely on technical vulnerabilities, just simple deception to lure victims into opening attachments or following links.


Bitcoin: a digital currency that uses cryptographic techniques (digital signatures and proof-of-work hashing, rather than encryption) to control the creation of new units and verify the transfer of funds, operating independently of a central bank. Its ledger is public, so payments are pseudonymous rather than truly anonymous.

6. Norton Cyber Security Insights Report 2016
7. Symantec
8. SentinelOne Ransomware Report 2016


Phishing: an attack where a criminal attempts to learn information, such as login credentials and account details, or to persuade a user to take an action, such as downloading malware, by masquerading as a reputable entity or person in an electronic communication.

Spear phishing: a phishing attack that targets a specific organisation or individual, using information about the target to make the attack more credible.

Whaling: a phishing attack that targets high-profile individuals, such as C-suite executives, politicians and celebrities, who have high-value information and access.

Phishing attacks are becoming more sophisticated too. They no longer promise large sums of money from exiled royalty if you will just provide your bank details. Instead, they are disguised as routine correspondence like invoices, delivery notifications, or even security warnings.


Alternative attack points

Although spam emails remain the favourite entry point, there are other ways in:

Exploit kits – a software kit designed to run on web servers with the purpose of identifying software vulnerabilities in the machines (typically browsers and their plug-ins) communicating with it.

The exploit kit gathers information on the victim’s machine, finds vulnerabilities, delivers the exploit and executes malware. Kits are becoming ever more sophisticated – they are neatly packaged, require little understanding of exploits and very little computer proficiency.

Secondary infections – often, the first malware on an infected computer is used only to download more malware (secondary infection). This allows attackers to infect a range of machines with different variants of malware which are harder to detect, or to use one infection method to perform a range of malicious acts, such as installing ransomware.

Exploitation of software vulnerabilities – targets software that has not been updated or patched in order to spread malware through a network, as in the WannaCry attack on the NHS in the UK in May 2017, which spread through a Windows SMB vulnerability that Microsoft had already patched (MS17-010) two months earlier.

Self-propagation – malware that can move from system to system independently of any user activity, often using unpatched software vulnerabilities or poorly configured systems. Such malware is known as a worm.

Messaging Platforms – as businesses move to new messaging platforms, criminals are seeking to attack via those as well as email. Businesses are increasingly using collaborative tools like Slack, WeChat and Facebook Messenger. Employees often use these services without the knowledge of their IT organisation. This use of “Shadow IT” can provide an easy route in, bypassing any security mechanisms protecting email systems.

Business – the big target for 2017

Holding businesses rather than consumers to ransom can significantly increase an attacker’s ROI, which explains the steady rise in attacks over the last two years. Most of these are indiscriminate attacks in which an employee has opened a spam email or visited a malicious website.

But there is a more disturbing trend emerging: targeted campaigns. SMEs are particularly at risk as the economics of ransomware are well-suited to attacking SMEs, and they do not necessarily have the knowledge, skills or systems in place to protect themselves.

Ransomware attacks aimed at organisations are becoming much more tailored and specific. Using code made freely available on the internet (open-source), attackers create software that can identify vulnerable systems and efficiently target attacks to different victims. Often these attacks take place in stages over a period of time, and the ransomware may:

• Delay the encryption of a system (sometimes for months) so that backups taken in the meantime are also compromised before a ransom demand is made

• Employ fake ransomware to divert attention away from the real attack

The 3 Fs: favourite email scams

Financial – emails disguised as invoices, orders or payments

Failure – emails with some form of delivery failure message in the subject line (10% of major scam campaigns)

Functional – emails pretending to be from a scanner or printer

Source: Symantec Internet Security Threat Report 2017


To pay or not to pay

Research indicates that on average 37% of victims pay the ransom (58% in the UK, rising to 64% in the US [9]). This willingness to pay is considered a major reason for the increase in the amount of ransom demanded, which shot up by 266% in 2016 [10].

Some organisations have a corporate policy that forbids negotiating with criminals or breaking the law. Paying a ransom is the former by definition and, where the recipient is subject to financial sanctions, can also be the latter.

Nor does payment ensure decryption: in 2016 only 47% of victims who paid the ransom got their files back. And since it is estimated that only 1 in 4 attacks are reported, the actual figures could be far worse [11].

Even the ransom demands themselves are becoming more sophisticated, with some increasing after a set period if the ransom remains unpaid. Alternatively, demands can be customised to reflect the type and volume of data encrypted – the more vital the data, the higher the demand.

Paying the ransom should always be a last resort, not least because those that do are simply added to a list of payers and are therefore more likely to be attacked again. So those that pay must ensure they take the necessary precautions to protect themselves from another attack.

Instead, in the event of an attack, businesses should first seek expert advice and see if data can be retrieved by other means.

Nomoreransom.org, for example, is a project set up jointly by law enforcement and security companies, including Europol, Kaspersky Lab and Intel Security, to help victims of ransomware retrieve their data without having to pay the ransom. It hosts free decryption tools for families whose keys have been recovered or whose encryption was flawed.

We all have a part to play in resisting ransom demands – the fewer people who pay ransoms, the less attractive ransomware becomes as a criminal endeavour.

The true cost of attack

The ransom is just the beginning. The ransom itself can be high, depending on how many machines are affected, but there are other costs to consider, not all of them financial:

• Downtime – the financial cost (and ongoing business impact) of loss of service to customers

• Incident response – the costs involved in dealing with an attack, including potential legal bills and fines around data breach

• Loss of data

• Loss of reputation with customers

• Loss of life (for those in critical sectors such as healthcare and transportation)

How to protect your business

Ransomware is undoubtedly a problem that isn’t going to go away. But there are steps that can be taken to defend against a ransomware attack.

User awareness is critical. It’s vital that everyone in an organisation understands the threat, what they need to look out for and how to act. For example, users should be trained to:

• Delete suspicious looking emails, especially those with links and attachments – above all, don’t click on the link!

• Be wary of email attachments that advise enabling macros to view the content

• Reply to a sender’s email using an address copied directly from the corporate address book rather than using the reply button

• Never use links in an email to connect to a website unless certain they are genuine – type URLs directly into the address bar
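Each of these habits counters a specific trick, and a mail gateway can check for the same tricks mechanically before a message ever reaches the inbox. The following Python script is an added example, not code from the original page or from Vodafone. Using only the standard library, it parses a raw message and flags a Reply-To domain that differs from From, attachments that are macro-enabled Office documents (by extension, or by finding a vbaProject.bin part inside the OOXML zip whatever the extension says), and links whose visible URL names a different host from the real href. The sample message, domains, file names and the macro-extension list are constructed for the demo.

```python
from __future__ import annotations

import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Assumptions, not from the page: Office's macro-enabled extensions and a crude
# anchor-tag regex (a production gateway would use a real HTML parser).
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlsb", ".pptm", ".potm", ".ppsm"}
ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE_RE = re.compile(r"^(?:https?://|www\.)", re.I)


def domain_of_address(header_value: str | None) -> str:
    """'Accounts <ap@supplier.example>' -> 'supplier.example'."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def host_of_url(url: str) -> str:
    """Hostname of a URL or bare host, lower-cased; '' if none."""
    m = re.match(r"^(?:https?://)?([^/\s:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def reply_to_mismatch(msg: EmailMessage) -> bool:
    """Reply-To routed to a different domain than From: the trick behind the advice
    to answer via the address book rather than the reply button."""
    if not msg["Reply-To"]:
        return False
    return domain_of_address(msg["Reply-To"]) != domain_of_address(msg["From"])


def has_vba_project(data: bytes) -> bool:
    """OOXML files are zip archives; VBA code lives in a vbaProject.bin part,
    whatever extension the file was given."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def macro_attachments(msg: EmailMessage) -> list[tuple[str, str]]:
    """(filename, reason) for each attachment that may carry macros."""
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in MACRO_EXTENSIONS:
            flagged.append((name, f"macro-enabled extension {ext}"))
        elif has_vba_project(part.get_payload(decode=True) or b""):
            flagged.append((name, "benign extension but archive contains vbaProject.bin"))
    return flagged


def deceptive_links(msg: EmailMessage) -> list[tuple[str, str]]:
    """(shown URL, real href) where the visible text names one host but the anchor
    points at another."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    found = []
    for href, text in ANCHOR_RE.findall(body.get_content()):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if URL_LIKE_RE.match(shown) and host_of_url(shown) != host_of_url(href):
            found.append((shown, href))
    return found


def triage(raw: bytes) -> dict:
    """Run the three checks over a raw RFC 5322 message and decide deliver/quarantine."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    report = {"reply_to_mismatch": reply_to_mismatch(msg),
              "macro_attachments": macro_attachments(msg),
              "deceptive_links": deceptive_links(msg)}
    report["verdict"] = "quarantine" if any(report.values()) else "deliver"
    return report


def build_sample_message() -> bytes:
    """Constructed phishing sample (not a real campaign): an invoice lure with a
    mismatched Reply-To, a deceptive link and a macro-enabled attachment."""
    msg = EmailMessage()
    msg["From"] = "Accounts Payable <ap@supplier.example>"
    msg["Reply-To"] = "ap-billing@mail-relay.example"
    msg["Subject"] = "Invoice 2017-0456 overdue"
    msg.set_content("Please see the attached invoice; enable content to view it.")
    msg.add_alternative('<p>Review your invoice at <a href="http://login.mail-relay.example/inv">'
                        "https://portal.supplier.example/invoices</a> or open the attachment.</p>",
                        subtype="html")
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:  # minimal stand-in for a .docm container
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"constructed stand-in for a VBA project")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Invoice_2017-0456.docm")
    return msg.as_bytes()
```

Pass the raw bytes of any .eml file to `triage()`. Legacy binary .doc and .xls attachments are OLE compound files rather than zips, so this check cannot see their macros; a gateway should either block them outright or hand them to an OLE-aware parser.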

Organisations themselves need to:

• Keep security software up-to-date to protect against new ransomware variants

• Keep operating systems and software updated, as updates frequently include patches for newly discovered security vulnerabilities

• Enforce an effective password policy for all employees so that passwords are strong and unique, and are changed whenever compromise is suspected. Enable two-step verification (multi-factor authentication) wherever possible for an extra layer of security

• Back up, back up, back up and back up again – backup is the single most effective way of combatting ransomware infection, as it allows victims to restore files once the infection is cleared. Multi-generational backup offers the best protection, as it guards against the backups themselves becoming encrypted. Keep at least one generation offline or otherwise unreachable from the production network, since ransomware will encrypt any backup volume it can write to, and test restores regularly

• Consider cloud services – they can help mitigate ransomware infections as many retain previous versions of files, allowing a return to the unencrypted form

• Only install apps on mobile devices from trusted sources and pay close attention to permissions requested by apps


9. Malwarebytes
10. Symantec Internet Security Threat Report 2017
11. Norton Cyber Security Insights Report 2016


Ransomware in numbers

• SMEs attacked experienced at least 2 days of downtime [12]

• Globally, 37% of those hit pay the ransom [14]

• 71% defend by data backup rather than protection, but the increasing sophistication of ransomware means this is not enough [15]

• 42-49% of SMEs consider ransomware one of the top 3 digital threats [16]

• $99,000 – average cost of a single ransomware attack in ransom and related costs [17]

• 44% of entrepreneurs admit they don’t know enough about ransomware [18]

• 43% recognise the need for more effective protection [19]

• 28% lose data files after not paying the ransom [20]

• 4% – number of businesses confident in their ability to deal with a ransomware attack [21]

• Fewer than 1 in 4 ransomware attacks are reported to the authorities [12]

And in 2016…

• Average ransom values increased dramatically – up 266% from $294 in 2015 to $1,077 [22]

• The US led the top ten in attacks per country, followed by Japan, Italy, Canada, India, Netherlands, Russia, Germany, Australia and the UK [23]

• New ransomware families rose from 30 in each of 2014 and 2015 to 101 in 2016 (the rise suggests attackers are creating entirely new families rather than variants of existing ones) [24]

• Detections of ransomware increased by 36%, from 340k in 2015 to 463k in 2016 [25]

12. Norton Cyber Security Insights Report 2016
13. Intermedia 2016 Crypto-Ransomware Report
14. Malwarebytes ‘State of Ransomware’ Report
15. Malwarebytes ‘State of Ransomware’ Report
16. Kaspersky Security Bulletin 2016
17. Kaspersky Lab and B2B International Survey
18. Kaspersky Security Bulletin 2016
19. Kaspersky Security Bulletin 2016
20. Kaspersky Security Bulletin 2016
21. Malwarebytes ‘State of Ransomware’ Report
22. Symantec Internet Security Threat Report 2017
23. Symantec Internet Security Threat Report 2017
24. Symantec Internet Security Threat Report 2017
25. Symantec Internet Security Threat Report 2017


Predictions for the future

Ransomware operations will continue to spread and become more sophisticated. There will be:

• More variants

• Better-planned, deeper and targeted attacks

• More threats affecting non-desktop targets like mobile and smart devices

Ransomware will also become an increasingly commonplace component of data breaches, with attackers stealing data to sell and then installing ransomware to hold data servers hostage, doubling their profits.

We are also likely to see an increase in threats against IoT, in particular targeting industrial control systems such as production lines or the temperature and safety controls of buildings and facilities.

A last word

Ransomware is not going away any time soon. It is going to become more sophisticated, and an even greater threat. So the better prepared we are, the safer we will be. Cyber security should be at the top of every organisation’s agenda, but at the very least make sure of these things:

• Patch your software to keep it current and protected from recently discovered vulnerabilities

• Back up, back up, back up. And back up again

• Protect your networks and your devices – use email security, properly configured network protection, and threat-defence or anti-virus software on all your endpoints, including servers

• Promote user awareness – don’t click on the link!

With these basic measures in place, the risk from ransomware is greatly reduced. Remember: don’t be a soft target.


Why Vodafone

Vodafone has vast experience in securing the data of 480m global customers, so we’ve learned a thing or two about data management and protection across both mobile and fixed networks.

Vodafone enterprise security services

Cyber security is a key concern for organisations of all sizes. Protecting devices, networks, data and apps is an essential component of doing business. Vodafone provides security products and services to businesses of all sizes, helping you secure your business anywhere because we are everywhere. We are trusted by organisations globally, including utilities, financial institutions and government agencies.

Some of the ways we can help

We can implement effective controls to secure your environment – across all devices, networks, apps and data. For example, our Secure Network Gateway provides protection to help maintain the privacy of your data plus the levels of reporting and audit trails needed to simplify compliance.

Our Enterprise Mobility Management solutions provide visibility and control of mobile devices accessing corporate resources, including app and content management.

We can also offer support through our Mobility Consulting Practice to help determine appropriate policies, controls and tools to secure your network.

Want to talk about cyber security? Contact your Account Manager, or
Phone: +44-1635-813615
Email: [email protected]

www.vodafone.com/business/security

vodafone.com/business

Vodafone Group 2017. This document is issued by Vodafone in confidence and is not to be reproduced in whole or in part without the express, prior written permission of Vodafone. Vodafone and the Vodafone logos are trademarks of the Vodafone Group. Other product and company names mentioned herein may be the trademark of their respective owners. The information contained in this publication is correct at the time of going to print. Any reliance on the information shall be at the recipient’s risk. No member of the Vodafone Group shall have any liability in respect of the use made of the information. The information may be subject to change. Services may be modified, supplemented or withdrawn by Vodafone without prior notice. All services are subject to terms and conditions, copies of which may be provided on request.