Ransomware attacks are becoming more frequent, more sophisticated and harder to detect. And unprepared victims are often all too willing to pay the ransom to expedite the return of their hijacked files, effectively extending an invitation to future extortionists.
Earlier this month, two German hospitals were targeted with ransomware attacks. That was around the same time California’s Hollywood Presbyterian Medical Center paid cybercriminals who encrypted its files a $17,000 bitcoin ransom to regain control of the hospital’s computer systems.
If You Pay Ransom
- There is no guarantee you will get your data back
- There is no guarantee the data will be restored
- There is no guarantee the data was not exported elsewhere
eSentire’s Eldon Sprickerhoff
Paying the ransom typically is not recommended, although victims often choose to pay. Unfortunately, it is probably the fastest, most efficient way to regain control of hijacked data. But it also adds “fuel to the fire,” said Eldon Sprickerhoff, Chief Security Strategist at eSentire.
That does not necessarily mean that a paying victim could be targeted twice, said Steve Wallace, VP Operations at ThreatSTOP. But paying the ransom could whet the criminals’ appetite for more money.
“I’m not so sure they would intentionally try to exploit the same victim,” he added, “but if the same victim fell into the same trap, I’m sure they’d take advantage. More likely, they’ll pass on a paying victim’s information as a qualified lead to another criminal for exploitation.”
In the absence of a good backup, the alternative is to pay up. In the hospital scenario, for example the disruption would have caused “severe performance delays for months [working with a paper system in the meantime], while critical patients cannot get immediate or quick treatment,” said Sprickerhoff.
The backup-and-restore function clearly failed in this particular case. And that should be “a wake-up call to improve policy, procedures, and employee training,” said Stu Sjouwerman, Founder & CEO of KnowBe4.
Your Options If Targeted?
- Format your computer, lose everything
- Restore your computer from a known good backup
- Pay the ransom
PC Pitstop’s Dodi Glenn
But there is no simple answer. And Sprickerhoff and Dodi Glenn, VP of Cyber Security at PC Pitstop, agree that there is no single defense method, particularly against attackers that use social engineering to trick computer users into giving up their credentials or installing malicious software on their systems.
In at least one of the targeted hospitals, the attack was triggered by an uninformed click on an infected email.
“The most effective ways to defend yourselves is to train users to exercise caution when opening Office documents from persons unknown and to use tools as appropriate [patching, read-only Word and Excel viewers],” said Sprickerhoff.
Users can protect themselves, said Wallace, although criminals are clever and will find new ways to extort money. But Sprickerhoff warned that failure to exercise “sufficient security rigor” means that it becomes “very easy to find yourself locked out of your own files.”
How to Protect Yourself
- Prevent a user/device from accessing malicious software
- If a device does become infected, prevent it from “phoning home” to the criminals
- Detect the infection as quickly as possible and eliminate the malware
ThreatSTOP’s Steve Wallace
The ransomware economy
Ransomware is effective, easy to obtain and can be widely disseminated via email. But paying the ransom, while expedient, fills the pockets of extortionists and fuels a thriving business that is now expanding to websites and increasingly favoring mobile devices.
The criminals’ modus operandi “is to get as much money from as many people as possible,” added Glenn. “If they get lucky, they will land on something valuable, like a hospital. However, they are really just trying to catch as many victims in the ‘cyber ocean’ as possible.”
A criminal ecosystem that supports these activities already exists, providing key attack components such as ransomware software kits and malware distribution systems. “It’s a great economic model with very low risk for the criminal,” said Wallace.
“There are even ransomware-as-a-service operations that take a cut of the take in a ransomware campaign,” he added. “The upfront investment is minimal. Payment to vendors and from victims is in Bitcoin, which is the closest thing we have to an untrackable currency. If you target your campaign in a foreign country, you are even less likely to be identified and prosecuted.”
It is practically impossible to identify who the crooks are, let alone identify their location, said Sprickerhoff. And when you do catch one, added Glenn, “three more criminals will take over.”
Glenn, who has participated in takedown events, said even when the criminals’ infrastructure was disrupted to the point where they move on, “at some point, someone new will crop up and take over.”
“It is a very successful criminal business model,” said Sjouwerman. “More and more cyber gangs are moving into this area.”
When ransom demands are made, negotiations can help lower the amount, as in the case of the California hospital where the initial ransom demand was $3 million.
Ransom amounts remain relatively small. But increasingly, extortionists are demanding more. “We’ve seen the cost go from $100 to over $1,000 in just a short period of time,” said Glenn. “And if you don’t have a known good backup, added Sprickerhoff, then “paying may be the only option.”
Glenn foresees a time when ransomware attacks will become more targeted. “And companies that have been identified as having more assets at their disposal will have higher ransoms made.”