Ransomware is on the increase as hackers become more sophisticated, audacious and professional. While the majority of traditional attacks involve seizing data and then finding ways to cash that data in, with ransomware cyber criminals can earn money at once. It is a type of malware in which hackers lock the victims’ computer or encrypt their data and demand a ransom in order to allow the victim to regain control over the affected device or files.
This summer the Dutch National Police, Europol, Intel Security and Kaspersky Lab, one of the four biggest endpoint security vendors in the world (IDC rating, 2015i), joined forces to launch a new weapon in the battle to combat this type of cyber crime.
No More Ransom – www.nomoreransom.org – is a new online portal aimed at informing the public about the dangers of ransomware and helping victims to recover their data without having to pay the cyber criminals. The website allows victims to report a crime, directly connecting with Europol’s overview of national reporting mechanisms.
Kaspersky Lab research, based on Kaspersky Security Network statistics, shows an almost six-fold increase in ransomware attacks on businesses, from 27,000 in 2014-15 to 158,600 in 2015-16. Shade, for example, is a ransomware-type Trojan that emerged in late-2014. Spread via malicious websites and infected e-mail attachments, after getting into the user’s system, Shade encrypts files stored on the machine and creates a text document containing the ransom note and instructions from cyber criminals on what the user should do to get their personal files back. It’s just one of many examples of ransomware.
“This form of attack, which first appeared around 2005, became less common for a while, but then about three years ago it came back with a vengeance,” says David Emm, Kaspersky Lab’s principal security researcher. “It’s grown massively since then. Hackers make far fewer mistakes these days and those who fall victim to it are often unable to get their data back unless they have a backup. In a few cases it can be decrypted.”
Worryingly, ransomware hackers are becoming more professional. “Over the last decade attacks have become more organised and less speculative because criminals are realising they can make serious money from it,” says Kirill Slavin, Kaspersky Lab’s general manager for the UK and Ireland. The company has identified 26,000 encryptor modifications, which is ransomware code that encrypts data.
“Moving forward, we expect it to reach the same sort of proportions as we’ve seen for banking malware,” he says. “These people are entrepreneurs and this underground market is a reflection of legitimate markets. There are individual contractors, small and medium-sized enterprises, and large businesses. You find people who manage networks and those who write code. There are value-added resellers and affiliate programmes where criminals receive commission on malware that they distribute.”
Ransomware hackers are going after smartphones – in 2015, 17 per cent of attacks were on the Android platform
A ransom can cost the victim an average of £230, he points out, but one big hack could reach a ransom of hundreds of thousands of pounds. Attackers will scale their ransom demands depending on who they think they’re dealing with. In some cases, every day the victim delays payment, the demand is increased.
Smaller businesses are particularly at risk. According to Kaspersky Lab’s IT Security Risks 2016 survey, nearly 42 per cent of small and medium-sized businesses fell victim to ransomware in the last 12 months. Over a third (34 per cent) paid the ransom, but one in five weren’t able to recover their data, even after the demands of cyber criminals were met. Those that pay, warns Kaspersky Lab, may well find themselves targeted again.
There is plenty of scope for ransomware to develop and diversify. “Ransomware hackers are going after smartphones – in 2015, 17 per cent of attacks were on the Android platform,” says Mr Emm. There are also concerns about the fast-growing internet of things, the system that connects machines to each other via the internet. “Your office’s central heating system could be controlled through an app, so what happens if it’s suddenly switched off during the middle of winter? Major machinery might not work and even cars with their increasing computer technology could be affected. We’ve already seen proof of concept of this,” he says.
Decryption is one of the most effective tools for rescuing a victim and Kaspersky Lab has the ability to decrypt about 30 per cent of ransomware, but prevention is better than cure. Patch, protect and backup is the advice from the company. Organisations should ensure they install updates and keep in regular contact with their vendor.
“People don’t routinely backup their data or they do so with a device which is left connected to the computer and this can be vulnerable to a ransomware attack. Make use of the cloud and have an offline backup,” says Mr Emm, “or backup to a local storage device and then disconnect it.” Staff behaviour can also be an issue. “Don’t give everyone administrative rights over the system – only the rights they need to do their job,” he says.
In 2015 Kaspersky Lab’s solutions protected 443,920 users and corporate customers worldwide from crypto-ransomware, depriving cyber criminals of nearly $53million in illegal earnings. In August it launched the Kaspersky Anti-Ransomware Tool for Business, free software that offers complementary security to protect corporate users from ransomware.
To identify ransomware behaviour patterns and protect Windows-based endpoints, Kaspersky Anti-Ransomware Tool for Business leverages two innovative technologies, Kaspersky Security Network and System Watcher. System Watcher’s unique capabilities include the ability to block and rollback harmful changes.
While experts advise businesses to use a variety of additional protection technologies and approaches to protect themselves, Kaspersky Anti-Ransomware Tool for Business provides complementary security to those companies that do not have advanced Kaspersky Lab security solutions. Kaspersky Anti-Ransomware Tool for Business is able to protect against crypto-malware, a form of ransomware that can infiltrate and encrypt an entire network, including its backups, within minutes.
As the ransomware criminals become more innovative and well resourced than ever before, the challenge for organisations is to ensure they too keep ahead of the curve. “Everyone has a responsibility and a role to play in combating this fast-growing and devastating form of cyber crime,” says Mr Emm. “We’re proud to be leading that fight.”