From small and midsize businesses (SMBs) to large enterprises, data is at the heart of most organizations today. While 90% of the world’s data was created in the last two years, in that same time span, data breaches were up 54%. Recognizing the value of data, cyber criminals are increasingly turning to ransomware as a means of monetization. They infiltrate IT systems and access data through various hacks, encrypting, locking, and exfiltrating files. Unable to access information that is critical to their businesses, hacked organizations are forced to pay for the information to be released by the cyber criminals.
Ransomware Attacks Skyrocket
Ransomware attacks more than doubled last year, with hackers modifying attack methods for more lucrative payouts. Yet at the same time, only one in three organizations say they are confident they can track and remediate attacks.
The financial repercussions of ransomware skyrocketed as well. Ransomware is expected to have a global impact of $20 billion by 2021. Ransomware demands commonly reach six-figure sums, and because the transfer is often made by bitcoin, it is relatively simple for cyber criminals to launder it without it being traced.
The indirect costs are those of the business interruption that accompanies a ransomware attack. In the public sector, 42% of organizations have suffered a ransomware incident in the last 12 months, with 73% of those experiencing two or more days of downtime as a result.
Business Impact of Ransomware
The cost in system downtime and the inability to access information due to ransomware attacks equates to billions of dollars today, a number that could rise into the tens of billions as ransomware hacktivists go after Internet-of-Things (IoT) devices.
Cyber criminals are an innovative bunch. Rather than threatening to delete locked data, some cyber criminals are beginning to threaten to release it (also known as “doxxing”). For organizations that deal with private and sensitive customer data, like financial services, hospitals, law firms, and others, this can have deleterious consequences. In addition to the impact on brand reputation, regulations such as the Health Insurance Portability and Accountability Act (HIPAA) require customer notifications and other painstaking activities that can quickly tally into hundreds of thousands—or even millions—of dollars.
Storing Up Bitcoin for a “Ransom” Day
The impact of ransomware reaches beyond the organizations that are hacked. Take banking as an example. Because the potential impact of lost data or the inability to access data is measured in minutes or even seconds, businesses cannot wait several days for cyber criminals to grant them access to their hacked data.
Real-life attacks
Nearly every industry sector and organization size is affected by ransomware. During 2019, ransomware attacks affected 113 government agencies, municipalities and state governments, 764 healthcare providers, and 89 universities, colleges, and school districts with up to 1,233 individual schools potentially impacted.
Healthcare is a sector where there is much cause for concern regarding ransomware. This makes a lot of sense, considering that many IT systems and much of the data in healthcare are connected to patient care. Any system downtime or inability to access information could put lives at risk. Even if the ransomware attack doesn’t affect the systems and data used for patient care, the loss of patient records can incur tangible fines and time spent remediating the damage.
As doxxing, whereby cyber criminals threaten to release rather than delete private information, becomes a tactic that ransomware cyber criminals employ, the repercussions are even more serious. Add ransomware attacks on IoT devices used to deliver patient care, and the implications become life-threatening.
Ransomware attacks dominated healthcare headlines during the latter part of 2019, increasing by 350% in Q4, with attacks on IT vendors disrupting services at hundreds of dental and nursing facilities, while many hospitals, health systems, and other covered entities reported business disruptions from these targeted attacks.
There are many examples from recent years, including how hacktivists gained access to a MongoDB database containing protected health information for 200,000 patients of a major health center. The database was wiped clean and replaced with a ransom demand for $180,000 in bitcoin for its safe return.
Another major medical center in Hollywood, California, declared a state of internal emergency after its systems were infected with Locky ransomware. Physicians and other caregivers were locked out of electronic health records, forcing staff to use pen and paper for logging patient data, and fax—instead of email—for communicating with each other. The hacktivist demanded 40 bitcoin (or about $17,000) in exchange for a key to decrypt the locked files, which the hospital paid. But cyber criminals do not always grant victims access to their information. In the case of a hospital system in Kansas, the hospital paid the initial ransom, but the hacktivists did not fully unlock the files and demanded more money to do so. It was at that juncture that the hospital elected to decline the additional ransom.
How Ransomware Happens
So, how does ransomware happen? Let’s begin by addressing how it is distributed. Any digital means can be used: email, website attachments, business applications, social media, and USB drives, among other digital delivery mechanisms. Email remains the number one delivery vector, with cyber criminals preferring to use links first and attachments second.
- Email Links, 31%
- Email Attachments, 28%
- Website Attachments, 24%
- Unknown Sources, 9%
- Social Media, 4%
- Business Applications, 1%
In the case of email, phishing emails are sent as delivery notifications or fake requests for software updates. Once a user clicks on the link or the attachment, there is often (but less so recently) a transparent download of additional malicious components that then encrypt files with 2048-bit RSA encryption, leaving it nearly impossible for the user to decrypt them. In other instances, ransomware is embedded as a file on a website, which activates the attack when downloaded and installed.
Different Types of Ransomware
Ransomware attacks come in different forms. This past year has seen a substantial evolution in ransomware attacks. Traditional ransomware goes after your data, locking files until the ransom is paid. But with the rapid growth in IoT devices, a new strain of ransomware emerged. It doesn’t go after an organization’s data, but rather it targets control systems (e.g., vehicles, manufacturing assembly lines, power systems) and shuts them down until the ransom is paid.
Let’s take a quick look at some of the most prevalent types of ransomware that exist today:
- Off-the-Shelf Ransomware. Some ransomware exists as off-the-shelf software that cyber criminals can purchase from darknet marketplaces and install on their own nefarious servers. The hacking and encryption of data and systems are managed directly by the software running on the servers of the cyber criminal. Examples of off-the-shelf ransomware include Stampado and Cerber.
- Ransomware-as-a-Service. CryptoLocker is perhaps the most well-known Ransomware-as-a-Service (RaaS) model. Since its servers were taken down, CTBLocker emerged as the most common RaaS attack method. Another RaaS that is rapidly growing is Tox, a kit that cyber criminals can download. The result produces a dedicated executable file that can be installed or distributed by the cyber criminal, with 20% of gross ransoms being paid to Tox in bitcoin.
- Ransomware Affiliate Programs. The RaaS model uses affiliate hackers with a proven track record to spread the malware.
- Attacks on IoT Devices. Ransomware infiltrates IoT devices that control systems critical to a business. It shuts down those systems until a ransom is paid to unlock them.
Ransomware families and variants exploded in 2016, growing tenfold. FortiGuard Labs saw multiple new variants every day throughout 2016. This rapid growth and constant evolution make it even more difficult for organizations that rely on traditional signature-based antivirus solutions to keep pace. By the time one strain has been identified and blacklisted, cyber criminals have already moved on to a new variation. The Ryuk and Sodinokibi ransomware families, for example, both contributed to an increase in the ransom amounts demanded by attackers in Q1 of 2020.
End-to-End Protection From Fortinet
- Prevent phishing with FortiMail
FortiMail brings powerful antispam and anti-malware capabilities complemented by advanced techniques like outbreak protection, content disarm and reconstruction, sandbox analysis, and impersonation detection.
- Stop users from traveling to malicious URLs with FortiGuard Web Filtering
The FortiGuard Web Filtering Service enhances the core web filtering capabilities of FortiGate NGFWs by sorting billions of webpages into a wide range of categories that users can allow or block.
- Detect and respond to malware before it can launch with FortiEDR
FortiEDR real-time endpoint security solutions proactively reduce the attack surface and protect endpoint devices using machine learning anti-malware and behavior-based detection technology. Customizable playbooks automate response and remediation procedures.
- Identify unknown threats and prevent advanced attacks with FortiSandbox
FortiSandbox leverages two machine learning models that enhance static and dynamic analysis of threats and easily integrates across both Fortinet and non-Fortinet products to provide real-time threat intelligence and speed threat response.
- Thwart credential theft with two-factor authentication with FortiToken
With two-factor authentication, a password is used along with a security token and authentication server to provide far better security. Authorized employees can access company resources safely using a variety of devices—ranging from laptops to mobile phones.
- Halt lateral movement and worming across your network with FortiGate Intent-Based Segmentation
Fortinet intent-based segmentation provides end-to-end protection across the network. It intelligently segments network and infrastructure assets, whether on-premises or across multiple clouds. Analytics and automation capabilities ensure quick detection and neutralization of threats.
Chanvith Iddhivadhana, Fortinet’s Thailand Country Manager, advises: “Organizations will do well to heed the following takeaways as ransomware evolves and mutates into an ever-increasing threat to organizations of virtually every shape and size:
- Stop Known Threats. Seek out a cybersecurity solution that stops known ransomware threats across all attack vectors. This requires a layered security model that includes network, endpoint, application, and data-center controls powered by proactive global threat intelligence.
- Detect New Threats. As existing ransomware is constantly morphing and new ransomware is being released, it is important to institute the right sandbox and other advanced detection techniques to pinpoint the variants across those same vectors.
- Mitigate the Unseen. Real-time actionable intelligence must be shared between the different security layers (and generally vendor products) and even extended to the broader cybersecurity community outside of your organization such as Computer Emergency Response Teams (CERTs), Information Sharing and Analysis Centers (ISACs), and industry coalitions like the Cyber Threat Alliance. This rapid sharing is the best way to respond quickly to attacks and break the kill chain before it mutates or spreads to other systems or organizations.
- Prepare for the Unexpected. Segmentation of network security helps protect against ransomware wormlike behavior such as that of SamSam and ZCryptor. Data backup and recovery is just as important. Organizations that have recent data backups are able to spurn demands for a ransom and quickly and easily recover their systems.
- Back Up Critical Systems and Data. Although it can be a time-consuming process to restore an encrypted system, as well as an interruption to business operations and a drain on productivity, restoring a backup is a far better option than being held hostage with no guarantee that your ransom payment will result in your data and systems being unlocked and restored. In this case, you need the right technology, processes, and even business partner to ensure your data backups meet business requirements and their recovery can be done expeditiously.”