There's a new kind of Grinch wreaking havoc this holiday season, lurking online to harass and extort hapless victims. While these digital scofflaws may be familiar to those who track goings-on in the dark corners of the digital world, their deeds are a growing scourge that requires vigilance and awareness of everyone online.
In just the past few weeks, cybersecurity experts have charted a surge in attacks involving so-called ransomware – malware that infects computers with code designed to encrypt files until victims pay ransom. It has become such a problem that Sen. Ron Wyden (D) of Oregon sent a letter to the FBI this month urging the agency to "explore all legal options" to stop the spread of ransomeware. Senator Wyden noted that the FBI has received some 1,000 complaints in 14 months regarding a popular strain of the malware that caused $18 million in losses for victims.
The trouble is that it doesn't seem like the ransomware problem is going away anytime soon. In fact, with the rise in sales of ransomware toolkits and malware on the Dark Web – and even hackers advertising their services to hijack computers – cybersecurity experts say these types of malicious attacks will increase throughout the next year.
In the first quarter of 2015, McAfee Labs reported a 165 percent surge in ransomware. In the second quarter, it logged more than 4 million samples of ransomware, including 1.2 million that were new variants. Today, ransomware payloads are even delivered via vulnerabilities in popular websites. It's clear that ransomware is rapidly evolving. It's big money for cybercriminals, as payments range from a few hundred dollars to as much as hundreds of thousands of dollars.
While ransomware was initially aimed at individual computers, over the past six months we've seen ransomware attacks on more and more businesses and banks. And whereas ransomware was initially spread through spam and spear phishing attacks, newly developed variants might steal files, data and passwords (which presumably would be returned upon payment of a ransom) or conduct distributed denial of service, or DDoS, attacks upon the victim.
Though there are no foolproof measures to defeat a ransomware attack, there are counter-measures that businesses and individuals can take to avoid having to pay the ransom to get their files back. In our recent book, “Navigating the Cybersecurity Storm, a Guide for Directors and Officers,” we expanded upon a couple of solutions that relate to ransomware and the delivery vectors that are used infect computers.
First, employee training is paramount. At its most basic, ransomware is delivered through directed e-mail attacks to individual computers. These e-mails are socially engineered so that, to the recipient, they look like they came from their employer, their bank, or even from a colleague. We exhort clients, "Don’t click on the link."
Second, we urge cyber-resiliency. Companies need to be able to withstand a cyber roundhouse hook to the chin and to be able to get off the canvas and back into the game. A battle-tested incident response plan can help identify a problem at the earliest possible second and eradicate a potential problem before it becomes a real crisis.
A tested "business continuity plan," that includes a regimented backup policy and procedure (where the backup media is divorced from the network system, like the cloud) will allow the under-attack company to just say no, and backup their network or computer after deleting infected files.
For individuals whose home computer is affected with ransomware, the choice to pay the ransom might be tougher to resist. Often times, the price to reclaim your files might be minimal as opposed to the hours it might take to restore your files with the back up you made the week before. The key here is to ensure your computers have updated software and regularly backup files to external hard drives.
You might not have been very diligent in backing up your home computer to the point where you might be able to say "bugger off" to the attacker. There are no hard and fast rules here other than if you pay the ransom once, who is to say that the attacker might not come back for a second bite at the apple.
Unfortunately, ransomware is here to stay despite efforts by security companies to identify and locate encryption keys. It is a relatively cheap, effective way to steal money from companies and individuals. Many organizations simply pay the ransom and never report the crime to the authorities. And given the ability of cyberattackers to quickly engineer new variants of ransomware, these attacks are may be difficult to defend against.
But with some preparation and vigilance on the part of consumers and businesses, we can ward of these digital Grinches using ransomware to swipe our loot.
Paul A. Ferrillo is counsel in the New York office of Weil, Gotshal & Manges LLP. He is a member of the firm’s litigation department and the cybersecurity, data privacy, and information management practice.
Austin Berglas is senior managing director and head of US cyber investigations and incident response at K2 Intelligence and is based in New York.