Ransomware is often referred to as scareware as it forces a system user to pay a fee (or ransom) to regain access to their system. By capturing infected system components or encrypted files, ransomware can place a serious damper on automated data processing. Ransomware is arguably one of the most dangerous types of computer malware because of how it works and how it affects its victims, but despite all the warnings, many users still fall victim to this type of threat.
Ransomware costs businesses more than $75 billion per year. According to data from Kraft Business, the projected 2018 ransom costs for an individual firm will average $1,077 with no access to data for two days or more. Technology sources estimate that 1.5 businesses per minute fall victim to some degree of ransomware attack. In 2017, global cyber security leader Symantec recorded an average of 1,242 ransomware detections per day, a slight increase over the number of detections in 2016. Technology news company CIO Dive states 81 percent of cybersecurity experts believe there will be more ransomware attacks in 2018 than in any prior year. Cybersecurity Ventures expects ransomware damage costs will rise to $11.5 billion in 2019 and that a business will fall victim to a ransomware attack every 14 seconds.
It is important to note that statistics from Kraft Business indicate that 1 in 5 small- to medium-sized businesses paid the ransom requested and never got their data back! According to experts at the Massachusetts Institute of Technology, cloud computing, with its ability to store large amounts of data, will become a major target for ransomware activity.
Ransomware
Ransomware is a type of malicious software (malware) designed to block access to a computer file or system until a sum of money is paid. Ransomware prevents or limits users from accessing a system, either by locking the system’s screen or by locking the users’ files unless a ransom is paid. Modern ransomware versions, collectively categorized as cryptoransomware, encrypt certain file types on infected systems and force users to pay the ransom through online payment methods using an embedded decryption key.
Ransom prices vary depending on the ransomware variation applied and the price or exchange rate of digital currencies. Given the anonymity offered by cryptocurrencies, ransomware operators may require ransom payments to be paid in bitcoins; recent alternative payment options may include iTunes and/or Amazon gift cards. Paying the ransom does not always guarantee that the victim will receive the decryption key or unlocking tool required to regain access to the infected system or files.
How it works
Ransomware often relies on social engineering tricks to lure or scare users into clicking on links or giving proprietary account credentials to unauthorized users. A person may unwittingly download and install ransomware by opening an infected file from a malicious email or website. The nature of a ransomware attack largely depends on the motives of the attacker. Essentially, the attacker creates a code designed to take over a computer and hijack files. Once executed in the system, the ransomware can either lock the computer screen or encrypt predetermined files.
Upon attack, the infected system will display a full-screen image or notification that prevents victims from using the computer system unless a ransom is paid. The message also includes instructions on how the user can and should pay. Typically the attacker also provides the victim a time limit to pay for access to the locked files, documents, and/or spreadsheets. Unfortunately, history has proven that paying the ransom does not always guarantee access to the infected files. Moreover, infected systems run the risk of being rendered unusable because once files are encrypted anti-malware tools may only be able to remove the malware variant from the system, without rendering all previously encrypted files usable.
Security experts claim ransom amounts vary widely, ranging from a minimal number of dollars to several hundred dollars, to be paid via an online payment method. If a user fails to pay on time, the attacker could apply additional malware to further harm the files until the ransom is paid. In essence, ransomware attackers rely on fear, which ultimately forces victims to do something irrational such as paying the cybercriminals. Fear of losing important documents and being locked out of a proprietary system is a scary thought that requires serious consideration.
Encountering Ransomware
In a recent ControlScan Inc. study, researchers found that 62 percent of cybersecurity professionals claim detecting advanced ransomware threats is a major challenge. Increasing concerns over new attacks impacting the convenience services industry have operators concerned given limited knowledge, skill level and budgetary constraints. Industry leaders appear less confident in detecting and eliminating system intrusions than other cyber-crimes. Vending operators, for example, been encountering ransomware for the past few years and unfortunately, the sense of embarrassment outweighs the desire to share these experiences with industry peers.
Vending and micro market operators are a logical target for ransomware attacks given the following characteristics:
- They rely on computer systems and files for day-to-day operations.
- They generally do not support sophisticated IT infrastructure.
- They are threatened by $1,500 to $10,000 ransom payments.
The most unfortunate component of a ransomware attack is the feeling that “WE LET THEM IN!” Hackers tend to feed on operator emotions by sending spoof e-mails that excite, invoke fear and insecurity, or imply uninvited stress from an authority figure or a boss. Once an emotion is triggered, the victim’s guard is lowered and there is an effort to lessen the impact of the item causing the emotion.
Industry scenarios
An example of a recent ransomware attack in the convenience services industry involved an office manager who clicked on a link embedded in an e-mail message that appeared to have been sent by the company’s local bank. As a result, the link caused malware infected files to be downloaded into the company’s networked system. As a result, the ransomware locked down files on shared folders and the database server, thereby rendering the network non-operational and critical files inaccessible. Once the attack was identified, the operator contacted the security company it had on retainer to reverse the attack. Unfortunately, the IT security firm was unable to eliminate the virus. Additional IT companies were contacted, and none were found capable of removing the malware. The ransomware carried a fee of approximately $2500 in bitcoin, which was paid after three days of system lockdown (downtime). What allowed this breach to occur? Well, there were several contributing factors beyond the simple clicking of a bogus link in an email, including:
- An insufficient amount of security in the network failed to properly protect the network from a ransomware attack. The ransomware was allowed to penetrate further into the network than just the terminal that was used to open the file.
- Unfortunately, too often outof-the-box settings on network equipment make it easier for ransomware to penetrate networks than initially thought possible.
- Additionally, a lack of endpoint protection allowed computers and devices connected to the network to act as paths for the security threat to quickly attack the entire network.
- Ineffective staff communications and network training aimed at identification of suspicious files, documents and messages that look remarkably similar to legitimate communications from trusted institutions was lacking.
The primary concern for an operator under the stress of an attack is reestablishing network functionality and restoring data file access. Having paid the ransom, this operator received system access, reprimanded the IT support firm and fell victim to a similar attack about 90 days later. Why? Because they had not implemented the security measures needed to prevent a similar event from occurring.
A second example involves an operator’s files being encrypted by ransomware. Critical files affected included spreadsheets used for forecasting micro market fresh food orders, tools for data analytics and financial analysis documents. Fortunately, prior to the attack, the corrupted shared file drive was properly backed up and thereby only required the operator to contract IT consultants to restore the afflicted computer, disable the affected network drive and create a new file share with access to the previously backed-up files. In this case, the operator only suffered short-term access to select files and was able to recover without paying the ransom.
There is also the example of an operator who paid the ransom and still did not receive access to the company’s files. In this case, which involved a large industry operator, the firm’s entire ERP and accounting system was encrypted by ransomware. After realizing that the network’s current period backup files were not functioning properly, the operator realized the best she could do was restore a backup from one week prior; this would mean loss of a complete week’s transactional and operational data. The firm restored the legacy files and replaced the system server, upgraded the network firewall and paid staff overtime to enter as much of the missing week’s information as could manually be captured. This was in addition to the four work days of downtime while the situation was assessed and revised.
Lessons learned
An operating company may encounter a ransomware threat through a variety of means. Basically, ransomware can be downloaded onto a network in four ways:
- Visiting a maliciously compromised website.
- Opening a spammed email attachment.
- Accessing an infected advertisement (malvertisement).
- Encountering downloads from an exploit pack (malicious toolkit).
Once executed in an automated system, ransomware can lock computer screens, encrypt data files or both. A full-screen image or notification may be displayed on an infected system’s terminal screen, thereby preventing a victim from using the system. This screen will likely contain instructions on how the user can pay the ransom and regain system access.
Ransomware avoidance
While there are varieties of strategies leading to ransomware avoidance, best practices suggest the following considerations to minimize the threat of ransomware.
Communicate: Discuss ransomware and general data security topics with staff members during business meetings and system updates. Encourage staff to share information any time they suspect something questionable. As an operator, be mindful of potential threats. Be careful to restrict the amount of personal activity an employee can perform on a company system and/ or network. Most of these activities should be performed on personal smartphones.
Secure the Network: Similar to buying locks to secure doors and gates for parking areas, steps need to be taken to adequately protect data by investing in reliable network security, especially firewalls programmed by an experienced professional.
Invest in Protection: Purchase and install endpoint protection software to prevent external security threats from entering the network from connected devices or systems that may not meet current security standards.
Don’t Assume Security: Cloudbased applications such as Office 365, Dropbox, and others, while more secure than other network applications, are also susceptible to ransomware attacks. Any application can be a target of spoof e-mails, or other means, designed to encourage a user to enter proprietary login credentials for hackers to steal. If your network is hosted on Amazon AWS, Microsoft Azure or other popular hosting provider, be aware the host may also require the implementation of additional security for endpoint protection.
Scrutinize email: It is wise to train staff to carefully scrutinize emails and email attachments prior to opening. Special attention needs to be directed at verifying email sourcing, especially for uninvited communications. Confirming origin of the purported sender and avoiding clicking embedded links is important. This approach also applies to instant messages, social media and related electronic communications.
Suspicious websites: Beware of unfamiliar embedded links in familiar and unfamiliar websites alike; be wary of sites that prompt the entry of a challenge-response to verify a user is human (CAPTCHA photos) as this can be a link to malware downloading. This approach also applies to social media networks. When downloading files from a website, always be certain there is display of a Secure icon (closed padlock) and that the url is prefaced with https://.
Update versions: Regularly update software, programs and applications, as the latest often provides a more current, added layer of protection against cyber threats. Also, be aware of current service packs and all security patches. Consider replacing older terminals running unsupported operating systems, such as Windows XP and Windows Server 2003.
Create backup files: Important files need to be regularly backed up (copied) to lessen the potential damage that can result from a ransomware attack; being locked out of a system can be less stressful and disastrous if there are backup files. The 3-2-1 backup rule applies. It states that an operator should create three backup copies of data on two different media with one copy stored in a separate (off premises) location. Cloud-storage and file synchronization applications may make this more challenging. File sharing applications like Dropbox, Microsoft OneDrive and Google Drive have version revision histories that allow a user to revert to a recent version.
These practices can help block dangerous links found in emails, instant messages, websites and social media while safeguarding the system against viruses, phishing and related threats.
New Variants
New variations of ransomware continue to emerge as cybersecurity experts become adept at identifying and preventing existing forms of ransomware. Early forms of ransomware appeared on floppy disks containing free software that after 90 days locked a computer and demanded payment for the software freeze by calling an international phone exchange. As users become more aware of the threat of ransomware, the effectiveness of current social engineering methods will decline and criminals will continue to reinvent new methods. Current variants of ransomware encrypt either a user’s sensitive files or network files, thereby rendering the system useless until a ransom is paid. Kraft Business estimates there were 4.3 times more new ransomware variants in 2017 than in 2016. Ransomware variants have also adopted a variety of new tactics to compel users to pay as soon as possible. For example, malware Jigsaw, originally titled “BitcoinBlackmailer,” threatens to gradually delete an increasing number of files for each hour of nonpayment beyond a stated deadline.
Summary
Ransomware is a type of malware that locks a network and prevents a user from accessing files or applications until a fee or ransom is paid to an anonymous attacker. The ransomware threat is a serious concern for the convenience services industry. Operators need to be knowledgeable about protective strategies and know that paying a ransom does not guarantee the network will be regained or that access will be reestablished. Be mindful of the five Ps of cyber security.
