Ransomware is a type of malicious software that restricts or limits users of a targeted organization from accessing their IT systems (servers, workstations, mobile devices, etc.), until a ransom is paid.
Ransomware is considered a major and rapidly growing threat in 2016, relying increasingly on anonymizing payment methods (e.g. the Bitcoin digital currency) and anonymous networks (e.g. the Tor anonymity network).
The Cyber Threat Alliance estimates that the group behind the CryptoWall ransomware attacks caused $325 million in damages, after infecting hundreds of thousands of computers across the world.
Figure 1: Example of the first mobile-only locker ransomware
Figure 2: Example of a pay note of CryptoWall ransomware
A ransomware attack is a multi-step process. If the proper defenses are in place at the various steps of the attack, the impact can be greatly reduced.
Crypto-ransomware now accounts for the majority of ransomware.
Figure 3: Two main types of ransomware
The popularity of ransomware among cybercriminals can be attributed to two main advantages:
The FBI has reported a 33% increase in the number of complaints filed involving ransomware:
The Computer Incident Response Center Luxembourg (CIRCL) receives 4 to 5 reports of ransomware infections per week in Luxembourg. Based on the Malware Information Sharing Platform (MISP) it operates, CIRCL has reported that Locky and TeslaCrypt* are the evolving ransomware varieties currently targeting the Grand Duchy of Luxembourg.
Furthermore, Cerber and Chimera ransomware campaigns are occasionally detected in Luxembourg. Chimera in particular is considered quite hazardous, as it not only engages in doxing (i.e. blackmailing victims by threatening to publish their personal information), but also recruits people willing to cooperate in franchising the ransomware business.
According to CIRCL, the main ransomware delivery methods identified in Luxembourg are:
* In May 2016, the developers of TeslaCrypt released the master decryption key and shut down the ransomware, thus ending its operation.
Like any other cyber threat, ransomware can affect any organization, at any time.
Ransomware can harm an organization's reputation, especially if intellectual property or other sensitive information is compromised. It can also affect an organization financially, especially if business activities are disrupted and/or the ransom is paid. A typical risk is an incident resulting in data loss, but one can also imagine a scenario in which a major data breach follows when the ransom is not paid.
Initially, ransomware attacks were non-targeted: they mostly spread via large e-mail phishing campaigns and demanded small payments (~1-5 Bitcoins) from individual users. However, threat actors have since evolved to target specific organizations instead, hoping to land a bigger payday.
According to the latest cyber threat reports, the ransomware threat landscape is evolving in the following ways:
The first versions were basic and often used poor encryption, making it relatively simple to recover encrypted files. However, the threat agents behind ransomware continuously learn from their mistakes, and their latest variants have become more sophisticated.
Initially, ransomware primarily plagued Windows platforms. More recently, however, platform-agnostic capabilities have been developed and targets have expanded to Linux and Android.
Certainly, ransomware is not new to the world of crimeware. However, newer and more sophisticated methods of delivery, detection evasion and monetization mean that ransomware continues to be a highly profitable business for cybercriminals. Ransomware promises to become even more threatening, and organizations should be proactive in developing and maintaining their readiness and resilience against it.
Although the initial cost may be perceived as high, investing in cybersecurity can pay huge dividends in the long term. The following proactive controls can help your organization prepare for ransomware threats: