Ransomware, with the help of cryptocurrency, is big business, and everyone is susceptible

"Pay now or lose it all" attacks cost businesses and individuals millions; fight back with awareness and training


As senior security research engineer at security and compliance automation vendor Tripwire, Travis Smith spends his days studying the chess moves made by cyber criminals on the cutting edge.

The hottest, most lucrative criminal activity of the moment is ransomware, the cyber detective says. The most common variant revolves around getting a victim to open a malicious attachment or click a web link that arrives in a legitimate-looking email message.

If the malware downloads and executes on the victim's machine, it's game over for every file the malware can reach. In mere moments, the malware will locate and encrypt sensitive files, then launch a shopping-cart routine that guides the victim on how to use cryptocurrency, most commonly Bitcoin, to pay for delivery of a decryption key.

Individual victims usually are required to pay a ransom of a few hundred dollars; business entities are routinely paying five-figure, and sometimes six-figure, ransoms.


How bad is it? A recent report from Arctic Wolf Networks estimates a 433 percent spike in ransomware attacks over the past year. And the FBI says ransomware victims paid $209 million in the first three months of 2016, up from $24 million in all of 2015. And that only counts complaints received by the bureau.

I found this somewhat surprising: Typically, the bad guys actually do deliver a working decryption key in exchange for the ransom payment, Smith says. Here is some other useful intel Smith shared in our recent video interview. Text edited for clarity and length.

3C: Why have health care organizations been so heavily targeted by ransomware gangs?

Smith: Health care has a life or death connection to data. So it's not a financial responsibility. Restoring lost data from backups and/or reverting to some kind of paper trail takes time. And it's not something that they're really well-equipped to do.

3C: Any indication what sectors the bad guys are going to focus on next?

Smith: We have been seeing that ransomware has been targeting IoT devices for consumers, as well, so they're looking at thermostats and TVs and things like that as far as being able to encrypt those. And not only just encrypt them, but prevent access to the device.

As far as businesses, the energy sector is definitely a big one, as far as critical components, and financial. Those are probably the next two markets that are going to see heavy ransomware attacks.

3C: Do you expect the bad guys to single out SMBs, because they're less protected?

Smith: Everybody's going to be targeted eventually. Ransomware is just too profitable a business model for criminals. It's a 1,400 percent return on investment, so the average criminal spends about $10,000 to invest in a ransomware campaign, and they get just under $500,000 back. So it's very profitable for them. Every sector's going to get targeted eventually.

3C: How has the availability of cryptocurrency come into play?

Smith: Bitcoin provides the criminals with a completely anonymous way to get paid and get out. If you get hit with ransomware, they'll usually change your desktop background and direct you to browse to a certain website. Then they'll give you detailed instructions showing you how to pay to get access to your data again.

They want to have a seamless transition for getting their payment, and they want to build a reputation for actually letting people access their data again. They want to instill confidence that if you pay the ransom, you are going to get access to your data.

3C: So they do supply working decryption keys if you use their cryptocurrency shopping-cart tool?

Smith: In every instance that I've seen, yes. I haven't seen one instance where they haven't tried to give access to the data.

3C: Couldn't they just come after you again?

Smith: Exactly. A lot of these things are completely autonomous; they don't require action from the cyber criminal, especially these huge campaigns. If the business does not understand how they got infected, then that same email could still be sitting in the secretary's inbox. If she opens up the attachment again, then she's encrypted again with a different decryption key.

3C: What can businesses do beforehand to deter this?

Smith: Ransomware can only encrypt files it can access. It only has the same access privileges as the person who opened the attachment or clicked on the web link. So monitoring employee access and granting the least privileges is vital. You want to give people enough access so they can get their job done, but not give them so much access that they have the keys to the kingdom, so to speak.

3C: What about training?

Smith: Employee awareness training is an important best practice. You want your employees to be aware these types of campaigns are out there. Don't click on every link or every attachment, especially if you're not expecting it. Always have your guard up, and try to verify with the sender before you open up any attachments. That's usually how the ransomware is going to get in.

3C: Sounds like we can't trust email?

Smith: You can't trust email from anybody. You can get an attachment and it's 'paystub.pdf.' It looks like a PDF, it smells like a PDF, you say, 'Oh, someone sent me my paystub.' So you double-click it to see what it is, and you get encrypted.
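The "paystub.pdf" scenario Smith closes on, and his earlier advice to verify attachments before opening them, can be turned into an automated check at the mail gateway or on the desktop: does the attachment's content actually match what its name claims? The following is an added example written for this page; it is not code from the interview, from Tripwire, or from any product. The magic-byte table, the extension lists and the sample attachments are all constructed here for illustration and are deliberately small; a real gateway would use a full file-type database.

```python
import io
import zipfile

# Added example (not from the article or Tripwire): triage an email attachment
# by comparing the type its name claims against the type its bytes reveal.
# Tables below are illustrative assumptions, not a complete signature database.

MAGIC = [  # (detected type, leading bytes)
    ("pdf", b"%PDF-"),
    ("exe", b"MZ"),                 # Windows PE executable
    ("zip", b"PK\x03\x04"),         # ZIP, also .docx/.xlsx/.docm containers
    ("rtf", b"{\\rtf"),
    ("ole", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),  # legacy .doc/.xls container
]

# Extensions Windows runs on double-click, or that invoke a script engine.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "js", "jse", "vbs", "vbe",
                   "wsf", "hta", "bat", "cmd", "ps1", "lnk", "jar", "msi"}
# Office formats that carry macros by definition.
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
# Content type each benign-looking extension is expected to have.
EXPECTED = {"pdf": "pdf", "doc": "ole", "xls": "ole", "docx": "zip",
            "xlsx": "zip", "rtf": "rtf", "zip": "zip"}

RTLO = "\u202e"  # Unicode right-to-left override: makes "x\u202efdp.exe" display as "xexe.pdf"


def sniff(data: bytes) -> str:
    """Return the content type implied by the leading bytes, or 'unknown'."""
    for kind, magic in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def zip_members(data: bytes) -> list:
    """Member names of a ZIP/OOXML attachment; empty list if not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage(filename: str, data: bytes) -> dict:
    """Classify one attachment as 'block', 'review' or 'allow', with reasons."""
    reasons = []
    if RTLO in filename:
        reasons.append("filename contains right-to-left override (extension spoofing)")
    exts = filename.lower().split(".")[1:]
    last = exts[-1] if exts else ""

    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{last}")
        if len(exts) > 1:
            reasons.append(f"double extension hides .{last} behind .{exts[-2]}")

    kind = sniff(data)
    expected = EXPECTED.get(last)
    if expected and kind != expected:  # the "looks like a PDF" case
        reasons.append(f"name claims {last} but content looks like {kind}")

    if last in MACRO_EXTS:
        reasons.append(f"macro-enabled document .{last}")

    if kind == "zip":  # look inside archives and OOXML documents
        members = zip_members(data)
        if any(m.lower().rsplit(".", 1)[-1] in EXECUTABLE_EXTS for m in members):
            reasons.append("archive contains an executable")
        if any(m.lower().endswith("vbaproject.bin") for m in members):
            reasons.append("Office document contains a VBA macro project")

    block_markers = ("executable", "override", "claims", "archive contains")
    if any(any(m in r for m in block_markers) for r in reasons):
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "reasons": reasons}


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (not real malware), keyed by filename.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF",
    "paystub.pdf": b"MZ\x90\x00" + b"\x00" * 60,            # PE bytes behind a .pdf name
    "paystub.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,        # classic double extension
    "paystub" + RTLO + "fdp.exe": b"MZ\x90\x00",            # RTLO spoof
    "scan.zip": make_zip({"paystub.pdf.scr": b"MZ\x90\x00"}),
    "report.docm": make_zip({"[Content_Types].xml": b"<Types/>",
                             "word/vbaProject.bin": b"\x00"}),
}


def run_samples() -> dict:
    """Verdict for each constructed sample."""
    return {name: triage(name, data)["verdict"] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        result = triage(name, data)
        print(f"{name!r}: {result['verdict']} {result['reasons']}")
```

The decisive check for the scenario in the interview is the name-versus-content comparison: a file called paystub.pdf whose first bytes are a PE header is blocked regardless of how convincing the name is. Note the limits of this approach: agreement between name and magic bytes only means the file is what it claims to be, not that it is safe (a genuine PDF or macro-enabled document can still carry the payload), which is why macro-enabled documents land in review rather than allow, and why the user-side habits Smith describes still matter.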
