A nightmare scenario occurs: your computer system locks up, files are suddenly encrypted and inaccessible, and a menacing message demands a ransom payment to restore it. Ransomware has struck—and you’re the target.
According to Symantec’s ISTR Special Report: Ransomware and Business 2016, the past 12 months have seen ransomware reach a new level of maturation as cybercriminals target consumers and businesses. The report found that the number of new ransomware families discovered annually reached an all-time high of 100 in 2015, and that the average ransom demanded by attackers has jumped to $679.
And it’s not just consumers targeted by ransomware attackers; organizations need to be fully aware of the threat posed by ransomware.
“Organizations should certainly be concerned about ransomware. The most widely distributed forms of ransomware are spread through major spam campaigns which are completely indiscriminate, hitting both consumers and organizations,” said Dick O’Brien, co-author of the ISTR Special Report: Ransomware and Business 2016 and Senior Information Developer, Symantec. “Furthermore, a growing number of ransomware attack groups are specifically focusing on organizations with targeted attacks designed to infect multiple computers and cripple the organization.”
The rise of crypto-ransomware
The ISTR special report attributes the shift towards crypto-ransomware to its effectiveness. The victim may remove the malware, but the files will still be inaccessible due to unbreakable encryption. If no files are backed up, the victim must pay the ransom as the only way to recover the files. The report found that this crypto-ransomware model has been perfected over the past two years and is now one of the rising types of ransomware.
“Virtually all of the new ransomware families emerging at present are crypto-ransomware. This trend isn’t surprising, since crypto-ransomware is the most dangerous form of ransomware. It’s capable of locking the victim’s files with unbreakable encryption. Unless they have backup copies, the only way to retrieve them would be through paying the ransom. It took a while for ransomware groups to perfect crypto-ransomware, but now that most have mastered effective encryption, it’s become ubiquitous,” explained O’Brien.
Which organizations are likely to be infected?
While almost all sectors have been hit by ransomware, some types of organizations appear to be harder hit than others. The report found that the Services sector, with 38 percent of infected computers, was the sector most affected by ransomware between January 2015 and April 2016. Manufacturing, Finance, Insurance, Real Estate, and Public Administration followed as top targeted sectors.
While it’s unclear why some sectors are more affected than others, one potential explanation is that organizations with high levels of integration and different internet services tend to have higher exposure to infection risks.
Ways ransomware can infect a computer
Malicious spam email is one of the most common methods to spread ransomware and malware in general. Botnets, or networks of compromised computers, distribute a large number of spam emails that use social-engineering tactics to trick victims. Ways to compromise computers and invite infection include opening malicious attachments or clicking on a link that points to an exploit kit.
Exploit-kit attackers compromise third-party web servers and inject iframes into web pages hosted on them. Malicious links in spam email or social media posts and malvertisements are other tactics criminals use.
Mobile ransomware led the way as a top malware type in 2015, according to the Symantec/Blue Coat 2015 State of Mobile Malware report. With the increased performance capabilities of modern smartphones, it was only a matter of time before more advanced cryptographic ransomware, such as SimpleLocker, started showing up on mobile devices. These threats render music files, photographs, videos, and other document types unreadable, typically demand an untraceable form of payment such as Bitcoin, and impose a strict time limit for payment before the files become permanently inaccessible to the owner.
Businesses: the next big target
The Symantec ISTR Special Report: Ransomware and Business 2016 found that cyber criminals are increasingly targeting the business space for higher profits. The report found the following trends in attack campaigns:
- Business email compromise scams try to trick C-level executives into making large wire transfer payments.
- Bug-poaching attacks involve attackers compromising corporate servers, stealing data, and requesting a fee for information on how the attack was carried out.
- The Carbanak gang targets banks directly rather than bank customers.
While some organizations are hit in indiscriminate campaigns, where employees open a malicious email or visit a malicious website, some enterprises are becoming victims of more targeted ransomware attacks.
For more detailed information, “Case Study: Anatomy of an Advanced Ransomware Attack” and “Case Study: Ransomware as a Decoy” are included within the ISTR Special Report: Ransomware and Business 2016. The two case studies not only provide narratives of the attack campaigns, but also share insights on lessons learned.
Protection against ransomware
Whatever you do, don’t pay the ransom. There's no guarantee your files will be released, and if you succumb to the scam, you may make yourself vulnerable to more scams.
“The most common method of ransomware distribution is spam email and everyone needs to exercise extreme caution. We would advise people to immediately delete any suspicious emails they receive, especially those containing links and/or attachments. They should also be very wary of Microsoft Office attachments that prompt users to enable macros. Attackers often use malicious macros to deliver malware through Office documents,” said O’Brien.
But there are strategic/tactical ways you can protect yourself and your organization from falling victim to ransomware. Symantec recommends the following five steps to prevent ransomware:
- Back up your computers and servers regularly.
- Lock down mapped network drives.
- Deploy and enable all Symantec Endpoint Protection technologies.
- Download the latest patches and plug-ins.
- Use an email security product to handle email safely.
“Adopting a multi-layered approach to security minimizes the chance of infection,” said O’Brien. “Using an email security solution should remove the chance of you accidentally opening malicious email and malicious attachments in the first place. Symantec intrusion prevention system (IPS) technology can detect and block malicious traffic from exploit kit activity, preventing the installation of ransomware. Meanwhile Symantec Endpoint Protection technologies can detect and block known ransomware families, in addition to detecting suspicious behavior by new and previously unknown malicious files.”
Be sure to check out the following for more insights:
ISTR Special Report: Ransomware and Business 2016
“The Evolution of Ransomware” Symantec white paper
Also, don't miss the upcoming October 18th Symantec webcast, “Anatomy of a Ransomware Attack”.