pixel_dreams - Fotolia

Paying ransomware attackers perpetuates attacks, says researcher

Continually evolving ransomware is among the threats organisations need to factor into their cyber defences in 2017, but only once they have taken care of the basics, says Kaspersky Lab researcher

Ransomware is a proven business model that will remain popular with attackers as long as victims continue to pay, according to David Emm, principal security researcher at Kaspersky Lab.

“Ransomware bucks the trend towards stealthier, less visible attacks because it is as in your face as a mugging,” he told Computer Weekly.

Ransomware typically encrypts critical data and then demands payment of a ransom, usually in bitcoin, to restore the data to its unencrypted form.

Five years ago, said Emm, it would have seemed unlikely that ransomware attacks would become as successful and common as they have.

“At first, ransomware was targeted more at individuals and small businesses, but they have since become massively successful in generating income by targeting large and small organisations alike, especially in sectors such as healthcare, telecoms and media,” he said. 

According to Emm, ransomware has seen the biggest growth in the past two years, with 62 new families of ransomware being identified in 2016 alone.

“In that period, we have seen ransomware evolve from being purely speculative to being more effective, more targeted and more polished, with fewer errors in the encryption,” he said.

Kaspersky Lab has also warned that ransomware is likely to become a growing threat to virtual desktops and particularly virtual desktop infrastructure (VDI).

Ransomware attacks have also been boosted by the advent of cloud-based services that enable cyber criminals with little or no technical skills to make money in this way.

“Like we saw with banking Trojans such as Zeus before the code was eventally open sourced, ransomware creators are renting out the malware for use by others,” said Emm.

Having tried-and-tested data backup and restoration processes in place is widely seen as an effective way to mitigate the effects of a ransomware attack.

Read more about ransomware

  • Businesses still get caught by ransomware even though straightforward avoidance methods exist.
  • Criminals used devices compromised for click fraud as the first step in a chain of infections leading to ransomware attacks, said security firm Damballa.
  • The first half of 2014 saw an increase in online attacks that lock up user data and hold it to ransom.
  • The Cryptolocker ransomware caught many enterprises off guard, but there is a defence strategy that works.

However, Emm concedes that an effective backup regime can be difficult to achieve for some organisations. Typical challenges include budget, time, storage and logistical constraints.

While some companies are looking to solve these challenges by using cheaper, easily accessible, cloud-based backup services, others are simply setting aside funds to pay ransoms and taking out cyber insurance.

Like many of his peers in the security industry, Emm believes paying the cyber criminals who are behind ransomware attacks merely entrenches the business model.

“Organisations that look to cyber insurance to either cover the cost of lost data and lost business or even to pay ransoms should read the fine print to ensure they have appropriate cover,” he said.

Turning to new and emerging cyber security threats, Emm said he expected to see more threats related to the internet of things (IoT), non-traditional financial services companies and mobile devices.

“For most IoT device makers and financial service providers such as Tesco Bank, security is not part of their core business, nor is it as ingrained as it is in the traditional banking sector,” he said.

Both industries are examples of companies looking to exploit information technology without properly understanding the security implications and how to mitigate them, said Emm.

The proliferation and adoption of mobile financial service apps is also an area of concern, he said. “Failure to pay more attention in this area could result in many people being blindsided.”

Customised malware attacks

Emm also expects to see an increase in customised malware attacks, particularly against industrial control systems and critical national infrastructure.

“In Project Sauron, for example, we saw the creation of bespoke malware modules for each victim,” he said, adding that this approach calls into question the usefulness of indicators of compromise as a means of identifying malicious activity.

In terms of targeted attacks, researchers have seen attackers favour stealth over persistence in the past 18 months, said Emm.

This is evidenced in the emergence and growth of file-less malware – malicious code that exists only within computer memory – and the hijacking of legitimate administration tools, such as PowerShell.  

Finally, Emm said he thought attackers were likely to start mimicking the code of others in order to hide responsibility and shift blame.

The newly released documents that WikiLeaks claims were taken from an internal server at the US’s Central Intelligence Agency (CIA) and detail an arsenal of hacking tools appear to confirm this belief.

The documents reveal that a CIA programme called Umbrage is aimed at collecting malware from other nation states, such as Russia, to help hide the origin of the hacking tools developed by the CIA.

WikiLeaks’ Julian Assange has claimed that a malware expert told the organisation that he suspected that malware previously attributed to Iran, Russian and China could have been developed by the CIA.

In the face of these new and emerging threats, Emm says it is important for organisations to first ensure they are following good practices for basic cyber security and that they are not “leaving the front door wide open” to attackers by failing to put basic protections in place.

This includes measures such as ensuring all software has the latest security updates applied and that there is a security policy that specifically covers mobile devices.

Once an organisation is confident it is covering the basics properly, Emm advises developing a security strategy that takes into account what data assets the company has, who is likely to target them and how they are likely to do so.

Read more on Hackers and cybercrime prevention