One of the fastest growing industries in the world is fueled by Bitcoin, unscrupulous actors, and the likelihood that you’ll click on emails with intriguing subject lines. Recent ransomware attacks have extorted millions from individuals and businesses all around the world to the tune of $1 billion globally in 2016.
Ransomware pays big, and that’s why it’s only expected to grow faster in 2017.
Cybercriminals target businesses of every size in every industry and there’s very little the FBI can do about it. It’s tempting to assume that if you’re not an enterprise business with deep pockets, then your ransomware risk is low. Unfortunately, recent ransomware attacks prove that any business is at risk—big or small.
“[Ransomware attacks] increased about 750 percent last year, and we expect more this year,” says Erich Kron, a ransomware expert with security awareness training firm KnowBe4. “You can pretty much expect sooner or later, if you run a business, you’re going to get hit by ransomware. You need to be ready for it.”
Comprehending the scale of ransomware risk
Ransomware can affect an entire organization’s data including its local backups, or it can target a small, but crucial, data set. In either case, the cost to restore the data is always much more than just the ransom cost, which is usually paid through Bitcoin.
A recent ransomware attack in Austria showed how crippling even the smallest of attacks can be. In 2017, a hotel chain was attacked and its door system was disabled during its busiest month. It was forced to pay a ransom of approximately $1,500 to reactivate its doors, not to mention the cost of lost business from frustrated guests.
Where does Bitcoin come into all of this? When used by professional criminals, Bitcoin transactions can be set up to be completely untraceable, leaving the FBI powerless to track down attackers.
In many of the latest ransomware attacks reported in a survey by KnowBe4, targets lost access to all of their data, had their backups deleted and were forced to pay up to five Bitcoins — a value of more than $7,000 at Bitcoin’s current value — to the attackers.
Ransomware trends prove network security isn’t enough
Cybercriminals are clever, and unfortunately, they read the same industry reports as those working to prevent them. New variants on attack methods and encryption keys come out faster than security software can keep up, making even the most heavily protected servers vulnerable to a new form of attack.
As of early 2017, there were 276 known ransomware strains — and attackers don’t limit themselves to stealing your laptop or desktop data. There were more than 132,000 ransomware attacks to cellphones in 2016. Businesses that do get hit and don’t have sufficient external backups in place lose, on average, 33 man-hours per machine attacked. That accounts for both the IT employee working to restore the system and the person who can’t work until his or her machine is restored.
You can’t underestimate your ransomware risk, says Kelvin Murray, a ransomware risk researcher with Webroot. The encryption methods used by professional cybercriminals are so sophisticated that they are impossible to decrypt.
“It would take one machine 1×10^27 years to decrypt AES ransomware by brute force — which is longer than the universe is expected to last,” Murray says. “So it’s not going to happen any time soon. Even if you had every computer on Earth, it’s just not going to happen.”
The worst news of all may be that in about half of the most recent ransomware attacks, targets didn’t get their data back even after paying the ransom.
Myths about ransomware risk give a false sense of security
Ransomware attackers tend to go for the lowest hanging fruit and while every industry is vulnerable, some industries attract more attention because they’re obligated to restore the data.
“I think ransomware sometimes targets, or at least in the past has targeted certain industries where, for example, healthcare, you can’t really play with people’s lives and patients,” says Kron.
A few myths about ransomware risks leave some organizations more vulnerable to attack than they realize, Kron continues. First, organizations who use Linux software on their computers were at one point thought to be less susceptible to ransomware but the criminals have become so sophisticated in their attacks that this is no longer the case. Second, some antivirus software claims to be able to detect and provide an early warning about an attack. But in the case of ransomware, these warnings are effectively useless, Kron says.
“The minute you start seeing encryption or systems locking up, you know it’s too late,” Kron says. “It’s already executed.”
What you should do to lower your ransomware risk:
- Create a human firewall: Train your employees at every level to recognize phishing scams.
- Outlaw password123: Make sure everyone, especially system administrators and those with access to sensitive files and backup systems, uses adequately secure passwords.
- Take a top-down approach: “How many times have we had executives that don’t want this software or that software on their laptop or their machine because it bothers them, right?” Kron says. “We need to make sure that we’re educating them.”
- Segment your network: Make sure that one attack could never affect all of your data by separating access points and providing access rights to different servers to different users.
- Use the “principle of least privilege:” Only give employees the minimum level of access needed to do their job. “Not everybody should be an admin — Not everybody should have the keys to the kingdom,” Kron says. “That’s how things go from inconvenient to horribly wrong: when people like your receptionist can access all of the files in accounting.”
Of course, the ultimate line of defense against ransomware is investing in a complete virtual and physical backup solution. If your data is backed up frequently to redundant virtual and physical servers that can’t be accessed through a user account in your system, your ransomware risk is lowered to almost zero, since you’ll be able to restore all of your data without paying the ransom.