If you don’t pay a certain amount of money by the time the clock runs out, you’ll lose your data forever. You check your email on your smartphone and discover the entire executive team is being held to ransom after someone opened an infected file attachment.
76 per cent of Australian businesses experienced a ransomware attack in 2017 (Telstra Security Report 2018).
Ransomware is malicious software that encrypts the data on your computers. The only ways to recover the data are to break the encryption (typically a difficult and time-consuming course of action), recover from a backup that has not been infected, or pay a ransom to the hacker that encrypted the data – and even if you pay there are no guarantees you will get your data back.
According to the Telstra Cyber Security Report 2018, 31 per cent of Australian businesses that stated they had a security breach in the last year were experiencing ransomware attacks on at least a monthly basis. The report also highlighted that 47 per cent of Australian businesses paid the ransom, with 86 per cent of these successfully retrieving their data. This indicates that around 14 per cent of those that paid did not get their data back.
Australian companies and private citizens are significant targets. This is because Australia is perceived as a relatively wealthy country with the capacity to pay. Our research suggests ransomware that specifically targets businesses tends to be more sophisticated, with attackers having the ability to release files, typically through central command and control systems, once the amount has been paid.
Like much malicious software, ransomware enters organisations through targeted attacks on individuals. Hackers can use tools such as the social media profiles of executives to carefully craft email messages that either deliver malicious software directly to an individual – usually in the form of a new game to try or some other supposedly non-threatening file attachment – or direct them to a fake website that exploits a specific personal interest.
A maturing market
The growth in ransomware is being greatly assisted by the emerging Ransomware as a Service (RaaS) market, where malware authors create user-friendly versions for distribution.
This sophisticated market is situated on the dark web, with Carbon Black estimating that there are approximately 6,300 marketplaces with more than 45,000 products listed. These range from DIY kits priced as low as US$0.50, up to custom malware.
Some firms even provide their software for free on a profit-sharing agreement, offering PDF reports and charts tracking the success of their clients’ attacks.
This suggests ransomware is profitable and becoming mainstream. New strains of ransomware in 2018 will also focus on exfiltrating data before the system is encrypted, to reap additional commercial rewards from stealing corporate intellectual property.
What can you do about it?
Keeping systems up to date with the latest security patches for operating systems and applications is a good first step. This is particularly important for Java, Adobe Reader, Flash, Silverlight and other applications regularly targeted by exploit kits.
A regularly tested backup regime will also help minimise the damage should a ransomware infection occur. It’s important to note a ransomware payload may infect a machine many weeks or months before it is triggered so that the impact, and therefore the likelihood of a ransom being paid, is increased.
Some variants of ransomware also target backup systems; backups should therefore be encrypted as well, so that data does not fall into the wrong hands.
Given the prevalence of ransomware attacks, it’s imperative to have incident response and business continuity plans in place. These need to include regular disaster recovery drills to ensure that backup data can be used to return the business to normal operation within acceptable time frames.