Euro Security Watch with Mathew J. Schwartz

Encryption & Key Management , Next-Generation Technologies & Secure Development , Security Operations

Can't Stop the Ransomware

Bitcoin-Hungry Attackers Target Enterprises
Can't Stop the Ransomware
Photo: BTC Keychain (Flickr/CC)

In their quest for easy ways to extort victims into giving them bitcoins, cybercriminals continue to double down on crypto-ransomware attacks.

For the criminally inclined, what's not to love?

"The [ransomware] driver is financial," Rik Ferguson, vice president of security research for Trend Micro, tells me. "It's something that is very easy for criminals to monetize, and it's something which is very easy for them to recruit in terms of networks, affiliates, distribution. And it's something which is morphing into another one of those crime-as-a-service offerings."

Online gangs can remotely encrypt and lock PCs, leaving them incapable of doing anything more than displaying a ransom note that tells victims how to obtain and transfer bitcoins to the attacker. Behind the scenes, some ransomware-as-a-service offerings automatically log incoming payments and generate decryption keys, enabling attackers to dispense with more mundane administrative tasks and maximize the time devoted to infecting more victims.

Such attacks are so lucrative that some crooks even run "customer service" centers to provide technical advice to their victims and occasionally allow them to negotiate lower ransom payments or deadline extensions, according to Finnish security firm F-Secure.

Call of the Cryptocurrency

Evidence of attackers' thirst for cashing in on ransomware continues to mount. Ferguson reports that whereas Trend Micro counted a total of 29 new ransomware families in 2015, in the first half of 2016 it had already seen 79 new ransomware families. New entrants have included horror-movie-themed Jigsaw, which dismembers files while victims watch; Powerware, which targets tax-return files; and DetoxCrypto, sporting a Pokémon Go theme.

Shakedowns Evolve

Ransom demands vary widely, and they continue to evolve. Widely used Cerber ransomware, for example, used to demand 1.24 bitcoins ($715) from victims, according to research published by Trend Micro fraud researcher Joseph C. Chen. But Cerber version 3 - the latest version - offers a "discount" price of 1 bitcoin ($575) if users pay quickly. "But if the user waits more than five days the ransom doubles to 2 bitcoins," he says, which is currently worth $1,150.

Enterprises Under Fire

In attackers' quests to generate more proceeds via ransomware, they're increasingly targeting enterprises, says Trend Micro's Ferguson, who's also a cybersecurity adviser to the EU's law enforcement intelligence agency, Europol.

"Now what we're seeing are ransomware attacks expanding into the enterprise environment - developing 'wormable' behavior, so they can actually expand through the network and infect multiple machines. So that's very much not consumer-focused, it's enterprise-focused," he says. Such ransomware may search out network shares, cloud drives or other mapped drives, so attackers can encrypt those too - especially because they may contain an organization's offsite backups.

"The attackers know that if they can infect, for example, ... medical data within a healthcare facility, then the pressure on the victim to pay the ransom is going to be exponentially larger than on an individual consumer, and the ransom that can be demanded and successfully extorted is potentially much, much higher," Ferguson says.

Healthcare Sector Targeted

In fact, the healthcare sector has been particularly hard hit by ransomware attacks this year. In the most high-profile incident in this sector, Hollywood Presbyterian Medical Center in Los Angeles paid a bitcoin ransom worth $17,000 to regain control of its ransomware-infected systems

While giving in to extortion demands raises ethical concerns, for organizations with time-sensitive records, lives may literally hang in the balance, thus inducing them to pay (see Ransomware Extortion: A Question of Time).

After the Hollywood Presbyterian Medical Center attack State Sen. Robert Hertzberg introduced legislation, S.B. 1137, that would amend California's laws to treat ransomware as extortion, allowing prosecutors to seek jail terms of up to four years. The state's legislature has approved the bill, which could soon be signed into law by Gov. Jerry Brown, Statescoop reports.

"Nearly every day, we read in the news about ransomware attacks stifling government agencies or private companies," Hertzberg says in a statement. "This is essentially an electronic stickup, and we need to treat it with the same seriousness and severity we would treat any stickup."

But the new law likely will have a negligible effect. That's because law enforcement agencies say the majority of cybercrime originates in Eastern Europe, including Russia, which doesn't extradite its citizens and hasn't prosecuted many domestic cybercrime-related cases (see Russian Cybercrime Rule No. 1: Don't Hack Russians).

3-2-1 Backup

Researchers have managed to crack the crypto used in some types of ransomware, allowing some victims to decrypt their files for free. But that's not a strategy anyone should rely on, because ransomware developers often quickly push updates to fix their mistakes.

Instead, security experts recommend that organizations strip out suspicious attachments at the email gateway level, warn employees to avoid known-bad sites that might distribute malware and keep reminding them to never open suspicious emails or documents.

But above all, "the most fundamental defense against ransomware is still backing up," Trend Micro's Chen says. Because many types of ransomware will encrypt backups, however, he recommends keeping them in multiple locations. "Practice the 3-2-1 rule," he says, "wherein three copies are stored in two different devices, and another one to a safe location."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.