Technology is rapidly changing the way we interact with every aspect of our everyday lives, and with these changes comes a need for assurance and security. However, as Sullivan (n.d) noted, just as pollution was a side effect of the industrial revolution, so are the many security vulnerabilities that come with increased internet connectivity. Cyber security experts keep creating new defense methods and countermeasures to protect users and organizations in cyberspace; at the same time, attackers introduce new threats and penetration methods that affect end users. One of the cyber-attacks that seeks to exploit end-node vulnerabilities is ransomware. Trend Micro (n.d) defines ransomware as a type of malicious software that prevents or limits users from accessing their system, either by locking the system’s screen or by locking the user’s files, unless a ransom is paid. More modern types of ransomware are categorized as crypto-ransomware because they use strong encryption to intentionally encrypt the files of an end user or organization; a ransom is demanded in exchange for the decryption key. Ransomware has quickly emerged as one of the most dangerous threats in cyber security, and losses to both individuals and organizations from this type of attack run into the millions. We are no longer vulnerable only to human hostage situations: even our technological gadgets can be held hostage in the same way.
History
While ransomware attacks have been in full swing in recent years, causing losses in the millions of dollars, it should be noted that the first ransomware attack occurred in 1989. Palo Alto Networks (2016) reports that Dr. Joseph Popp, a PhD AIDS researcher, distributed over 20,000 floppy disks to fellow researchers in a variety of countries. The pretext was that the floppy disks contained a questionnaire pertaining to AIDS research. However, Dr. Popp had infected the disks with malware. It counted the number of times the PC was booted, and when the counter reached 90 it encrypted the directories and hid the file names on the C drive. At that point it displayed a ransom note demanding a cash payment to a post office box in Panama in order to obtain a “software lease” that would restore access to the files. This later became known as the digital version of the AIDS virus.
Today’s Security Issues
While the AIDS virus may have seemed trivial at the time, it laid the foundation for today’s sophisticated ransomware. Today’s cyber criminals are more sophisticated than ever; these are next-generation attacks which require next-generation solutions. They now use strong encryption methods that are, in most cases, impossible to decrypt. Trend Micro (2016) reported that 2016 would be the year of online extortion. The AIDS virus and its initial concept have given rise to powerful ransomware such as the following:
Jigsaw – Deletes the victim’s files whenever the ransom is not paid within the given deadline.
Surprise – Instead of deleting the files, the ransom increases each time a payment deadline is missed.
KeRanger – Takes the form of a Mac OS X application, but behind it lies ransomware.
TeslaCrypt – Uses the AES encryption algorithm to encrypt the files.
ZCryptor – A self-propagating malware strain exhibiting worm-like behavior, with the capability to encrypt external drives in order to replicate on other machines to which they are connected.
These are but a few of the many forms of ransomware, each unique in its own way but with the very same purpose: to infiltrate and extort. Symantec (2016) further notes that over the past year ransomware has gained additional instruments in its arsenal. Its authors have found ways to write it in different programming languages such as PHP, PowerShell, Python, JavaScript and more. Additionally, new versions of ransomware have extended their functionality beyond locking or encrypting devices. Newer versions such as Trojan.Cryptolocker.AN can gather bitcoin wallet data and send it to the attackers, some threaten to post the victim’s files on the web, while others can use the infected end nodes to carry out distributed denial of service attacks.
Intermedia (2016) states that this threat is not going away; instead it is only bound to become more dangerous as the years go by, for two main reasons. Firstly, the processing power of today’s computers has increased: our computers are now so powerful that they can encrypt their own files in a matter of hours, so any well-written piece of malicious code will accomplish its task in a matter of hours or less. Secondly, it is a growth industry, on the rise thanks to anonymous payment systems such as bitcoin. Payments are no longer demanded through a PO Box address as in the case of the AIDS virus; instead, these anonymous online payment systems allow criminals to accept payments without the hurdle or fear of being traced. The market for holding hostage one’s technology, along with important data, is here to stay.
Why be Concerned?
In 2016 alone, ransomware can be seen to have become more prevalent (see Appendix A for the growth of encryption ransomware). One of the main reasons ransomware has become so prevalent and effective is the extortion and the cost of the time lost by victims. Once an end user is targeted, their files, documents and even complete systems are compromised until they are able to pay the ransom or, miraculously, find another way out. Attackers normally dig rigorously to find valuable data on these systems and then initiate their intended attacks. If global giants such as Microsoft can be attacked, as was the case this year with the Cerber ransomware, then we should all be concerned (Olenick, 2016). Attacks on a networked system such as Microsoft’s should concern us because the infection can simply jump from system to system and potentially take out entire networks.
Furthermore, advances in malicious code development, such as Ransom32 being the first JavaScript ransomware of its kind in 2016, mean that more users are vulnerable (Abrams, 2016). If users can be affected on personal computers, bigger companies are even more exposed, because these advances allow servers, backups and mobile devices to be compromised through the weakest link in the chain: the end user. The inevitable fact that a business affected by ransomware will be unable to function properly should bring awareness and countermeasures to the table. We should all consider what would happen if data were lost indefinitely, how customers and clients would react if the lost data were crucial to their daily lives, and especially if it was confidential. Ransomware touches all these aspects and more.
Stanfield (2016) reports a very important statistic: new research from Trend Micro in the UK has revealed some alarming figures. According to the report, 44 percent of UK businesses have been hit with a ransomware attack in the last two years, and nearly two-thirds of those businesses ended up paying the ransom to try to reclaim their data. However, the report also claims that of those businesses that paid ransom money to their attackers, 1 in 5 never got their data back. Another worrying statistic from the report is that businesses lost on average 33 man-hours dealing with and resolving the effects of a ransomware attack.
Implications & Observations
Based upon the severity of ransomware’s impact on individual users and organizations, the following can be said:
The true cost of ransomware is employee downtime. Intermedia (2016) conducted a survey of about 300 IT experts regarding the cyber security threat of ransomware. These included experts who deal on a day-to-day basis with organizations of different types, sizes and locations. Despite the common belief that the true cost of an attack is the ransom payment, their survey proved otherwise. Many of these organizations try to fix the problem with their own IT personnel, only to find out later that the ransom has increased with time. Additionally, the lost time is never recoverable, costing organizations in many cases millions of dollars in employee downtime. The same can be said for individual users who rely on their devices to produce the output they earn from.
Employee downtime lasts for days. In the event of an attack there is always a need to take immediate action on the infected machine. However, while many await direction on whether or not to pay the ransom, this typically drags on for hours if not days. Even if they do decide to pay, the IT personnel are then tasked with creating new countermeasures for their systems, inspecting files, restoring files and cleaning up systems. This usually lasts for days, which again results in losses. Intermedia (2016) reports that for 52% of the experts, restoration took two or more days, and that another 19% who paid the ransom still did not get their files back, which is even worse.
Ransomware is targeting bigger businesses and spreading within corporate networks. Realizing that bigger businesses offer a higher potential for profit, cyber criminals are now targeting them and launching attacks on corporate networks. These attacks demand a high level of technical expertise from the attackers and resemble cyber espionage, which is more time consuming, but once successful the attackers know that a very profitable return is most likely in the works. This is the current trend that will shape the future target markets of ransomware attackers. A prime example is explained in the section below: if an entity holding data as crucial as that of a hospital can be extorted, then businesses are without a doubt the next market trend.
Mogg (2016) indicates that the Hollywood Presbyterian Medical Center is a perfect example of what ransomware can do. On February 5th, 2016, the hospital was attacked by ransomware because of its level of importance and the high-integrity data it holds. The original idea was to take the computers offline to perform data restoration and clean the systems. The hospital ended up working with data charts, pen and paper, and fax machines for over a week while the IT personnel tried their best. At the same time there was severe employee downtime, and in critical cases patients had to be rushed to other nearby hospitals because the hospital was not operational. Additionally, patient records and other important data were inaccessible. BBC News and the New York Times covered the story as it progressed, and eventually the IT personnel had to give up. The hospital was forced to pay $17,000 in bitcoin to the attackers to avoid further downtime and financial losses. Even after that, they still ended up auditing data integrity and spending a fortune on security systems, up to today. This shows the true severity of what ransomware can do. No one is safe when it comes to cyber security threats; we can all be victims in cyberspace no matter how important we think we are. That is why there is a need for prevention techniques, awareness training for employees, and countermeasures as a whole. Otherwise, losses such as those in the case of this hospital can even prove fatal for patients who depend on the information systems.
Countermeasures
In order to have countermeasures we must first understand the penetration points through which ransomware can take over our devices. Like any other malware, it can infect devices through USB drives, malicious web pages, exploit kits, malvertising, brute-forced passwords and, perhaps most commonly, malicious emails. These may all sound like the regular infection entry points for any virus or malware, and that is because they are. Accordingly, the same precautions that we take for other threats should be taken for ransomware.
Detect / Protect – System protection must be up to date and sophisticated enough to detect any phishing attempt. It is about more than just scanning for viruses and malware; it means going deeper into the file systems, especially where important data files reside. Additionally, big corporations should not look for the cheapest alternative, but for an overall security product that blocks all forms of malicious attack and has been tested rigorously by independent specialized companies.
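One concrete way of "going deeper into the file system" is to watch the data directories themselves for the after-effects of crypto-ransomware rather than only scanning for known malware. The script below is an added example written for this essay; it is not code from any of the vendors cited. It combines three defender-side heuristics: a byte-entropy test (encrypted output looks like random bytes, whereas documents and text do not), a check for file extensions the share should never contain, and a decoy "canary" file whose disappearance or modification is a strong signal. The expected extensions, the entropy cut-off of 7.5 bits per byte, the tolerance of three suspicious files and the sample directory it builds in a temporary location are all constructed assumptions for the example.

```python
"""Heuristic scan of a document share for signs of bulk file encryption.

Added example for this essay, not code from any cited vendor. Thresholds,
expected file types and the sample directory are constructed assumptions.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# File types the share is expected to hold (assumption for this example).
EXPECTED_SUFFIXES = {".txt", ".docx", ".xlsx", ".pdf", ".csv"}
# Encrypted or random bytes approach 8 bits of entropy per byte; plain text and
# ordinary office documents sit well below that. The cut-off is an assumption.
ENTROPY_THRESHOLD = 7.5
MIN_SIZE = 256          # very small files give noisy entropy estimates
CANARY_NAME = "._canary.txt"
CANARY_CONTENT = b"do-not-modify-" * 32


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_directory(root) -> dict:
    """Look for three signs that files under `root` have been encrypted in bulk.

    high_entropy      - files whose bytes look encrypted
    unexpected_suffix - files with an extension the share should not contain
    canary_tampered   - the decoy file is missing or its content changed
    """
    root = Path(root)
    report = {"high_entropy": [], "unexpected_suffix": [], "canary_tampered": False}
    canary = root / CANARY_NAME
    if not canary.is_file() or canary.read_bytes() != CANARY_CONTENT:
        report["canary_tampered"] = True
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.name == CANARY_NAME:
            continue
        if path.suffix.lower() not in EXPECTED_SUFFIXES:
            report["unexpected_suffix"].append(path.name)
        data = path.read_bytes()
        if len(data) >= MIN_SIZE and shannon_entropy(data) > ENTROPY_THRESHOLD:
            report["high_entropy"].append(path.name)
    return report


def looks_encrypted(report: dict, tolerance: int = 3) -> bool:
    """Raise the alarm if the canary was touched or several files look wrong.
    `tolerance` (assumption) allows a few legitimately compressed or renamed files."""
    suspicious = len(report["high_entropy"]) + len(report["unexpected_suffix"])
    return report["canary_tampered"] or suspicious >= tolerance


def build_sample_share(after_attack: bool) -> str:
    """Create a constructed sample directory in a temporary location.

    With after_attack=True the directory is populated the way a share looks
    once crypto-ransomware has run: original documents gone, random bytes
    under a new extension, canary removed. No real files are touched."""
    root = Path(tempfile.mkdtemp(prefix="share-"))
    (root / CANARY_NAME).write_bytes(CANARY_CONTENT)
    for i in range(5):
        (root / f"report{i}.txt").write_bytes(b"quarterly figures, all fine\n" * 40)
    if after_attack:
        (root / CANARY_NAME).unlink()
        for i in range(5):
            (root / f"report{i}.txt").unlink()
            (root / f"report{i}.txt.locked").write_bytes(os.urandom(4096))
    return str(root)


if __name__ == "__main__":
    for state in (False, True):
        result = scan_directory(build_sample_share(state))
        print("after attack" if state else "clean", result, looks_encrypted(result))
```

The entropy test on its own produces false positives on compressed archives and already-encrypted containers, which is why the verdict also weighs the unexpected extensions and the canary; in practice the scan would run on a schedule against the real share and feed an alert rather than print to the console.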
Prevent / Educate – Even the most sophisticated defense systems or firewalls cannot help once there is a weak link in the chain. Most of the time this is the end user. One of the most common forms of infection is through malicious emails. These are distributed using botnets, networks of infected computers numbering in the hundreds or thousands. A great deal of social engineering lies behind these attacks. Typically an uninformed user is never aware of what may happen when they click on links that carry this malicious code in the background.
According to Intermedia (2016), in one of their recent studies 94% of the participants could not tell the difference between a real email and a phishing email. In fact, many of them were not aware of the terms “phishing” or “ransomware”. When they were sent a fake email claiming to be from UPS, 62% of the participants trusted it enough to click on the links placed in the falsified email.
In general, all staff should be educated, especially those who work in places holding high-value data and who are not familiar with computer science. A strong computer security system is worth nothing if an internal user takes the bait.
Respond / Prepare – While we may have strong security measures in place and educated users, we must remember that attackers only need to succeed once. Once they are through, there must be a contingency plan so that the next steps to be taken are known. As computer security experts we must plan for the future; otherwise a scenario such as that of the Hollywood hospital may occur. There is a strong need for backups of important data and for isolating the infection.
These are sets of processes that should be implemented by those in charge of security. Isolating the infected endpoint is crucial, because it helps establish the number of host machines and the data that have been tampered with. Finally, the plan always involves locating the penetration point; otherwise future attack attempts may succeed and the problem will recur.
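A backup is only a contingency plan if it can be trusted at restore time: ransomware that reaches a network share will encrypt or delete the backup copies too, and a restore from tampered media simply reintroduces the damage. The script below is an added example for this essay (not code from any cited source) of the integrity check a response plan should include. It records a SHA-256 manifest of the backup set, which is then kept where the backup host cannot write to it, and later compares the backup on disk against that manifest, reporting files that are missing, modified or unexpectedly added before any restore is attempted. The small backup tree, the manifest location and the simulated tampering are constructed for the demonstration.

```python
"""Integrity manifest for an offline backup set.

Added example for this essay, not code from any cited source. The sample
backup tree and the tampering in demo() are constructed for illustration.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks so large backups fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_root) -> dict:
    """Map every file under `backup_root` (relative POSIX path) to its SHA-256."""
    root = Path(backup_root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_manifest(manifest: dict, manifest_path) -> None:
    """Write the manifest as JSON. Keep this file somewhere the backup host
    cannot write to (offline media, a separate account), so that whoever can
    rewrite the backup cannot also rewrite the record of what it should contain."""
    Path(manifest_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(manifest_path) -> dict:
    return json.loads(Path(manifest_path).read_text())


def verify_backup(backup_root, manifest: dict) -> dict:
    """Compare the backup on disk with the trusted manifest."""
    current = build_manifest(backup_root)
    return {
        "missing": sorted(k for k in manifest if k not in current),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def is_restorable(result: dict) -> bool:
    """True only when nothing is missing, changed or added: the restore can go ahead."""
    return not (result["missing"] or result["modified"] or result["unexpected"])


def demo() -> tuple:
    """Constructed scenario: record a manifest of a small backup, then simulate
    tampering (one file overwritten, one removed, one unexpected file added)
    and verify again. Returns (result_before, result_after)."""
    backup = Path(tempfile.mkdtemp(prefix="backup-"))
    safe_store = Path(tempfile.mkdtemp(prefix="manifest-"))   # stands in for offline media
    (backup / "docs").mkdir()
    (backup / "docs" / "contracts.txt").write_bytes(b"signed contracts\n" * 10)
    (backup / "docs" / "invoices.csv").write_bytes(b"id,amount\n1,100\n")
    (backup / "db.sql").write_bytes(b"CREATE TABLE patients (id INT);\n")
    save_manifest(build_manifest(backup), safe_store / "manifest.json")
    before = verify_backup(backup, load_manifest(safe_store / "manifest.json"))

    (backup / "docs" / "contracts.txt").write_bytes(b"\x00" * 160)    # content replaced
    (backup / "db.sql").unlink()                                      # file gone
    (backup / "NOTE.txt").write_bytes(b"constructed unexpected file\n")  # added
    after = verify_backup(backup, load_manifest(safe_store / "manifest.json"))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before, "restorable:", is_restorable(before))
    print("after: ", after, "restorable:", is_restorable(after))
```

Run the verification as the first step of the restore procedure and refuse to proceed while `is_restorable` is false; a manifest that the backup host itself can overwrite gives no protection, which is why the demo writes it to a separate location.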
Conclusion
Ransomware is a truly vicious criminal business model that is here to stay, and it will only continue to adapt to the new technologies that come out every year. These will include devices entering new markets such as virtual reality, game consoles, smart watches, and even smart TVs, the last of which has been proven this year to be infectable by ransomware (Symantec, 2016). There will be new ransomware families with newer and stronger capabilities that will fully test the toughness of security experts and their systems.
Good security systems need to be in place, especially in organizations, or even for individual users, whose high-value data is the means by which they produce their output. Even when they are in place, people need to follow good security management practices to mitigate the risks of these types of attack. Reducing risk exposure as much as possible by educating users is a key aspect that must never be overlooked, along with patching system software and keeping security systems up to date. The latter must always be up to date because they are vulnerable to remote exploitation, through which these attacks can enter. Additionally, installing and keeping software only from verified and trusted sources is also important. Credentials must not be overlooked either, especially for remote access; good practices such as two-factor authentication for logins are needed. Moreover, we must not believe that we are invincible when using systems such as Linux, Mac and other less common operating systems. There is already nasty ransomware that runs on these systems, and it is bound to get better. When all countermeasures fail, a good backup plan is essential to getting things up and running once more.
References
Abrams, L. (2016). Ransom32 is the First Ransomware Written in JavaScript. Retrieved from http://www.bleepingcomputer.com/news/security/ransom32-is-the-first-ransomware-written-in-javascript/
Brunau, C. (2016). Are You Familiar With these Types of Common Ransomware? Retrieved from http://www.datto.com/blog/are-you-familiar-with-these-common-types-of-ransomware
Intermedia. (2016). Ransomware: A New Threat to Business Uptime. Retrieved from https://www.intermedia.net/report/ransomware
Mogg, T. (2016). Hollywood Hospital Pays $17,000 to Ransomware Hackers. Retrieved from http://www.digitaltrends.com/computing/hollywood-hospital-ransomware-attack/
Olenick, D. (2016). Microsoft Office 365 Hit with Massive Cerber Ransomware Attack. Retrieved from http://www.scmagazine.com/microsoft-office-365-hit-with-massive-cerber-ransomware-attack-report/article/505845/
Palo Alto Networks. (2016). Unit 42 Report – Ransomware: Unlocking the Lucrative Criminal Business Model. Retrieved from https://www.paloaltonetworks.com/resources/research/ransomware-report
Stanfield, N. (2016). What are the Effects of Ransomware? Retrieved from http://www.stanfieldit.com/blog/what-are-the-effects-of-ransomware/
Sullivan, M. (n.d). 8 Types of Cyber Attacks your Business Needs to Avoid. Retrieved from http://quickbooks.intuit.com/r/technology-and-security/8-types-of-cyber-attacks-your-business-needs-to-avoid/
Symantec. (2016). An ISTR Special Report: Ransomware and Businesses. Retrieved from http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ISTR2016_Ransomware_and_Businesses.pdf
Trend Micro. (n.d). Ransomware. Retrieved from http://www.trendmicro.com/vinfo/us/security/definition/ransomware