Ransomware attacks are becoming more brazen if the November 25 assault on the San Francisco Municipal Transportation Agency (SFMTA) is any indication. And cybersecurity experts project a surge in these types of digital assaults as new players get into the act.
“Unfortunately, this is a trend,” said Comodo Senior Research Scientist, Kenneth Geers. “And it works.”
“They seize your data virtually, encrypt it, and then they make you pay for this private key that is the only thing, according to the laws of mathematics, that will unencrypt your data and allow you to access it,” he said in an interview.
Different types of hacker groups are doing ransomware. Some go after any vulnerable target they find so long as they can make money. Increasingly, though, “the criminals who are doing ransomware are organized and sophisticated,” said Dan Hubbard, Cisco Systems’ Chief Technology Officer for Cloud Security. These groups deliberately target different, possibly major entities or businesses that have a higher potential for profit.
“The trends we’re seeing are that there are larger groups doing it,” he told Techtonics. “Before, there was a narrow number of attacker groups that were actually doing ransomware, and that has broadened pretty considerably.”
Hubbard believes one of the key reasons ransomware attacks are becoming more pervasive is ransomware-as-a-service – a business model available to criminals online, complete with tech support. “They don’t necessarily have to be technical. They pay someone else who has the technical capabilities to do this.”
“Over the last maybe year and a half,” he added, “it has escalated and become quite more sophisticated and pervasive,” with various groups finding better and more sophisticated techniques to evade security products and deceive users into installing and running malicious software.
Where these criminals are is anybody’s guess, though many cybersecurity experts suspect Russian hackers. But Comodo’s research puts Albania at the top of the list of countries with the highest ratio of ransomware.
“Albania, South Korea, Finland, China, Denmark – those are our top five,” said Geers.
While it’s hard to predict where ransomware might hit next, Geers said language and culture sometimes play a role, particularly if the hackers are using social engineering to manipulate people and trick them into divulging personal information.
“I suspect one of these organizations might well be Albanian if they’re able to so effectively infiltrate [the] state,” he said. “But Russia is on … the top of everybody’s list – it’s number six on ours – by ratio.”
Old tricks still work
Ransomware attacks – or variations of them – are not new. Lockers, as they were called, were used as early as 1989 to block data access on browsers or desktops. In some cases, the hackers would grab a picture of the owner or the IP address of the computer and claim to be law enforcement agents. They then would tell the victim he has done something illegal and must pay a fine.
“This still happens all the time around the world,” said Geers. “… And a lot of people pay. And it’s lucrative for criminals.”
The scheme has netted criminals millions of dollars in “fines.” But over time, ransomware evolved into strong encryption. “They’ve gone a step further, essentially from 2013, in particular, on,” he said. “And they don’t need to threaten you as much.”
Once a cryptovirus has been loaded on a targeted device, hackers can access all sorts of documents, emails and system privileges. And while businesses, regardless of their size, are preferred targets, the lines between consumers and workers are becoming increasingly blurry as people use their own devices to work from home or in their car, or follow up on personal things at work.
“That means that, as an individual, you’ve got to take some level of shared responsibility to be educated around the types of attacks and to understand that these things could happen to you as an individual and could potentially affect your company,” said Hubbard. “So obviously education is always an important thing … certainly awareness of this problem.”
Ironically, some companies believe this is something that can never happen to them. Hubbard cautioned, however, that anyone “can be a target at any time” – even individuals who suddenly cannot access their documents or find themselves looking at a ransom note on the screen.
It’s a good thing, then, that SFMTA was prepared – sort of.
The hacker who compromised the agency’s data systems demanded a ransom of $73,000 in Bitcoin to release the files. But a viable data backup saved the day, so paying the ransom was not necessary. And as poetic justice would have it, a security researcher hacked the email the hacker provided for the ransom and obtained valuable clues on his identity and whereabouts.
Paying the ransom is a bad idea. Those who decide to go that route are often marked as a potential repeat target. And unless your hackers are business-minded enough to return your files, be prepared for the consequences.
“It really doesn’t guarantee anything if you pay,” said Geers. “A lot of times, law firms or hospitals – they’ll just pay the 50 euros, 100 euros or dollars in order to get their data back, but from a criminal syndicate perspective, that puts you in a category of someone who can and will pay, which is also dangerous.”
Even if you pay the ransom, hackers plan ahead, often leaving backdoors that allow them to get back in. And that makes it more difficult for the user to completely reinstall the compromised system or network from the ground up, a time-consuming and expensive process.
This is why a viable backup is crucial for recovery. And both Geers and Hubbard stress the importance of having a data backup offline on a separate device.
“Back up your data in what is called ‘cold storage’ – so offline,” said Geers. “… But … computer security goes back to best practices, which start with people.”
Keep your software up to date and remain vigilant for malicious apps and email payloads. Develop a response strategy, and if ransomware strikes, know what to do and who to call.