Stay informed Subscribe to our Blog
By now, we’re no longer surprised when we hear about new and vicious ransomware attacks. Back in the day, CryptoWall and TeslaCrypt were real shockers; today ransomware outbreaks have turned into a monthly, if not weekly, news item.
From the spate of attacks aimed at hospital databases in 2016 to May 12th’s WannaCry rampage and the recent Petya/NotPetya outbreak that rocked European enterprises and is still spreading across the globe, it almost seems as if the problem is getting worse.
If we have learned anything, it’s that this is a threat that will not give up without a major fight. To get some perspective of what we're up against when it comes to ransomware, have a look at the following figures:
- In Q1 2017, 6 out of every 10 malware payloads was ransomware.
- Occurrences of ransomware increased 4X from Q1 2016 to Q1 2017.
- In Q3 2016, businesses were hit with ransomware every 40 seconds.
- 20% of businesses that paid the ransom fee never got their files decrypted, losing all data.
- 85% of businesses hit by ransomware will be offline for a week.
- In 2016, ransomware netted attackers over $1 billion UDS.
Considering those figures, how can we hope to address this serious threat to the normal functioning of business online and in the cloud?
This article will look back at the history of ransomware as a threat, what kind of systems they attack, and outline some of the practices that you can put in use to make sure that your deployment remains as safe and secure as possible.
How Did We Get Here? The Evolution of a Threat
Of course, ransomware as we know it today is a very different beast than it started out as almost 30 years ago.
The first documented case is attributed to Joseph Popp PhD, an AIDS researcher. For reasons still unknown, Popp included a strain of malware on a AIDS research diskette he distributed at an AIDS conference.
The payload was designed to become activated only once the host computer had been turned on 90 times after first loading the diskette. Then on the 90th time, it displayed a message stating that the computer had been locked with symmetric cryptography and the user would have to pay up to get the unlock key.
It's true that this pales in comparison with what we're up against today, but Popp’s new concept has become the archetype for all ransomware variants that have followed.
It took a good 17 years to resurface, but when the next strain of ransomware, called Archievus, was noted in 2006, it was clear that the threat was on its way to becoming serious threat. Archievus’s two major advancements were that it used RSA asymmetric encryption to lock files and it forced victims to make purchases on specific websites to decrypt files.
The next major boon to ransomware came in about 2011 with the rise of digital anonymous payment services.
Services like MoneyPak allowed attackers to collect money from their victims without the possibility of exposing their identity, clearing up a prime concern for attackers.
At the same time, a spate of police-based variants began to appear, including the now famous Reveton, which blocked access to files, rather than locking them with encryption.
This iteration was frustrating but the blockage could be removed easily with the right tools.
Any solace provided by less virulent threats like Reveton was quickly forgotten by 2013 with the rise of Cryptolocker, the first variant to spread via infected emails and downloads. This new, far scarier threat also employed very strong asymmetric encryption and deleted the data of anyone who didn't pay the fee within three days of infection.
Cryptolocker made over $30 million in just over 100 days of deployment, demanding payment be made in BitCoin, and its cousin CryptoWall has collected over $325 million since its inception in that same year.
The ransomware variants we are dealing with today are all similar in nature to Cryptolocker, though each one has its own unique properties;
- SimplLocker - only targets Android-based phones
- Chimera - spills victim’s data onto the internet if the fee isn't paid in time
- Ransom23 - can function on any operating system
- Locky - seems to have a thing for targeting the healthcare system.
- WannaCry - spreads globally in matter of hours thanks to worm-like properties.
- Petya/NotPetya variant - goes one step further than most other ransomware variants by encrypting the system
- Master Boot Record (MBR) and Master File Table - prevents any attempt to recover files with forensics.
What makes today's variants distinctive is that with each iteration they become harder to detect and less predictable. WannaCry, for example, used one of the oldest tricks in the book, spreading via a worm. But until now, this method had not been used in previous ransomware exploits.
The currently circulating Petya/NotPetya seems bent more on destruction rather than financial gain as there doesn't seem to be any way to retrieve information even once the fee has been paid.
Why Systems are Vulnerable in the First Place
Today, almost all enterprises are vulnerable to the threat of ransomware due to factors such as poor patching and updating processes, unwitting users, and targeted attacks.
Ransomware uses many techniques to make its way onto personal and enterprise networks in a number of ways but the two main vectors are phishing and infected webpages.
Phishing Emails Containing Infected Links or Attachments
Typically a far cry from the poorly-worded Nigerian Prince spam emails of the past, today's phishing attacks are often skillfully crafted masterpieces.
In the case of Petya/NotPetya, the email campaign that delivered the ransomware payload was cunning message from a seemingly prospective job applicant with a resume file attached. Sent specifically to HR employees, once they opened the attachment (a perfectly plausible thing to do if you work in HR) the malware began to encrypt the user’s computer and then spread onwards to entire corporate networks.
Legitimate Webpages Infected with Malicious Code Via Exploit Kits
Even more stealthy than payloads delivered via infected links is ransomware that doesn't require victims to click anything at all to become infected.
Using a tool called an exploit kit that is designed to scan software for vulnerabilities, attackers inject malicious code onto legitimate websites (often through infected advertisements, referred to as malvertisements) and wait for users with specific weaknesses in their software to visit that page.
When the user visits that page, the exploit kit leverages those vulnerabilities to deploy the ransomware. Angler is one such exploit kit, responsible for infecting vulnerable visitors to some of the most popular websites such as BBC.com, AOL.com and nytimes.com with the TeslaCrypt ransomware variant.
Considering that in 2016 one out of every four large enterprises was targeted and experts predict that the number will to continue to rise in 2017, it’s safe to say no one can afford to ignore the risks.
And if you're thinking “Hey no biggie, if we get hit, we’ll just pay up”, understand that giving into attackers demands proves their methods work. Moreover, showing them that you're willing to pay makes you even more susceptible to further attacks.
What Can You do to Remain Secured?
As frightening as ransomware is, there are preventative measures your business can take to ensure there is no loss of data. The right steps will help you avoid becoming another data point on the next round of ransomware statistics.
Educate your Employees
According to The Verizon 2016 Data Breach Investigations Report (DBIR), human error accounts for most breaches so it’s imperative to train your employees to recognize phishing attempts.
In some cases, it’s easier to recognize malicious emails than in others but your employees should know that every time they click links in emails, they may be opening up the entire organization to risks. Each link, download and website visited should be carefully considered.
Patch and Upgrade
Running older operating systems and failing to apply security patches as soon as they become available are major mistakes, ones that can cost your business dearly.
Case in point, WannaCry affected PCs running older operating systems like Windows 7 and XP, which should have been upgraded already, considering support ended for XP in 2014 and in 2015 for Windows 7.
Make sure your organization isn't “winging it” when it comes to patching. There should be an official patching and upgrading process in place, one that keeps employees informed of all upcoming changes and builds in accountability, and most importantly, one that gets the job done.
Create a Complete Disaster Recovery Solution
Ransomware is one threat that has no intentions of going away so make sure to build a comprehensive disaster recovery (dr) solution that will ensure that when the big one hits, your business can recover data rapidly and avoid downtime and loss of productivity and reputation.
A cloud based dr solution allows your team to respond flexibly in the face of an attack or any other loss of data by replicating data and facilitating quick fail over to your cloud site. It also ensures that your data is meeting RTO and RPO because it’s stored in a secure, remote online facility.
With a virtual disaster recovery site, your business can continue to perform optimally even if a ransomware attack has penetrated your business. These solutions are easy and fast to deploy and can save you lots of heartache if and when disaster strikes.
For existing NetApp users, for example, Cloud Volumes ONTAP (formerly ONTAP Cloud) and Cloud Sync offer the ability to migrate data in and out of the AWS and Azure clouds. In using these solutions, enterprises can align their data sync and migration to their cloud based dr sites making sure data update frequencies are inline with their SLA include their RTO and RPO, avoiding that terrible loss of data should someone open up a link in the wrong email.
What is blazingly clear by now is that ransomware isn't something to be ignored and it isn't something that's going to die a quiet death.
All organizations and individuals need to understand that everyone and everything is a target. And while it’s true that stopping ransomware from infiltrating your organization may be daunting, recovering from it shouldn't be if you're set up properly beforehand.