Ransomware: Racing From the Risk

Ransomware has become one of the most – if not the most – prevalent, effective and successful forms of cybercrime. According to Verizon’s 2018 Data Breach Investigations Report, ransomware is criminals’ malware of choice with 39% of malware-related data breaches in 2017 involving ransomware.

It has created a notorious name for itself by being simple to construct and deploy, and offering an extremely low-risk, high-reward business model for monetizing malware. Couple this with most people’s ignorance in regard to cybersecurity, and it’s evident why ransomware has become the fastest-evolving cyber threat known to date.

Simple Code, Sophisticated e-Marketing

Ransomware propagates through the same channels of regular malware – mainly email, but also through compromised or malicious websites and pirated software. Ransomware code is often not sophisticated, but it doesn’t need to be. This is because unlike many types of traditional malware, in most cases ransomware does not need to remain undetected or persistent for long to achieve its goal. This relative ease of implementation and high profit potential attracts both sophisticated cybercrime actors, as well as novice ones. What is more sophisticated about ransomware is the e-marketing effort that drives its distribution.

Ransomware purveyors are often savvy e-marketers that know their targets. It is not uncommon for a ransomware gang to run multiple campaigns at the same time, with tiered pricing based on a variety of parameters such as vertical industry, region or age. While ransoms have surpassed the hundreds of thousands mark, the goal is to set a price that makes it either cheaper or easier for the victims to pay the ransom than to recreate or restore the compromised systems, especially when the victim has a sense of urgency.

Ransomware Uncovers Gaps in Cyber Insurance

The result of risk management gaps is a flourishing underground economy founded on cyber threats. One significant gap is that the cyber insurance industry is often useless when it comes to ransomware. Most policies have an “extortion” clause, but the deductibles are cost prohibitive – hundreds of thousands need to be extorted before the insurance will kick in. Plus, if you publicly disclose that you have a cyber extortion clause in your policy – in a press release or public report, for example – then you invalidate the policy.

Another key factor is that it can take a medium-sized business, such as a credit union, days to restore from backup, which incentivizes victims to pay the ransom. Think about what would happen if a small credit union was held at ransom. Not only would the money stored at the credit union be at risk, but all of its members’ personal data would be in the hands of hackers. It can cost hundreds of thousands of dollars to retrieve this information!

Some believe paying the ransom will mark them as an easy target and invite future attacks. However, generic ransomware is rarely individually targeted – it’s usually a “shotgun” approach. Attackers acquire email lists, compromise websites and blast out ransomware. Given the amount of attackers out there, if you get hit again, it will likely be by a different attacker.

How to Mitigate Credit Union Risk

Here are some tips you can follow to mitigate ransomware risk and limit the fallout of a ransomware attack:

• Maintain regular backups of important files.
• Be cognizant and filter potentially malicious web sites and emails.
• Ransomware is often delivered through the exact same channels as other types of malware. Sometimes it’s even bundled and downloaded together with other types of malware. Avoid common malware delivery tactics such as:
  • Downloading pirated software/paid software offered for “free.”
  • Downloading software from any non-trusted sources or websites.
  • Downloading key-gen/password cracking/license check removal software.
  • Opening email attachments from unknown /unexpected senders.

• Educate all employees on these best practices.
• Review cyber insurance plans. Make sure they are in line with the level of risk you want from ransomware, and help to innovate the industry by requesting a “ransomware clause” for cyber extortion that would eliminate the inability to publicly disclose and adjust the unrealistic high deductible to be more in line with current ransom demands.
• Whether you pay or not, keep in mind that attackers will always try and extract useful data off a compromised machine. Assume all sensitive data on the machine was compromised. This potentially includes: Usernames and passwords for internal or web resources, payment information and email addresses of contacts.
• Consider deployment of advanced anti-ransomware technology to prevent the execution of ransomware, either as a standalone tool or incorporated into the organizational anti-malware platform.

Israel Barak is chief information security officer for Cybereason. He can be reached at israel.barak@cybereason.com.