Although cybersecurity researchers determined that the recent “Petya” or ”Nyetya” global malware attack was not ransomware designed to encrypt then decrypt files in exchange for ransom payment, but instead “wiperware” aimed at erasing data from infected systems, the incident highlighted the increasing sophistication of ransomware.
Ransomware is being spread not only via emails but in malware hidden in advertising, too. Attackers are also downloading kits that let them easily deploy ransomware, a practice known as Ransomware as a Service. The growing complexity of ransomware means that users and IT leaders need to be on their toes and ensure they have their data backed up.
Dan Siebert, an inside sales engineer for security at CDW, detailed the ransomware threat landscape during a recent CDW webinar sponsored by TrendMicro. On the one hand, individuals are engaging in crimeware to encrypt users’ files and get money via ransoms. In the meantime, he said, “there is a little bit of confusion” within the industry about “what ransomware is, how it spreads, how to defend against it and what you can do” to guard against it.
“We are not recommending in any way, shape or form that you pay the ransom,” he said. “If you pay the ransom, you are encouraging them to keep the activity going. However, if you don’t put your security and blocks in place to stop what’s happening, and to stop that attack from coming in — if you lose your resources, lose your data — you really don’t have any other option at this point other than to pay.”
Ransomware Evolves and Grows More Sophisticated
Ransomware has been around for years, and it has evolved significantly in the last few years, Siebert said. In 2013 and 2014, hackers started moving away from data exfiltration, he said, because they started “realizing that they can make easier, better money and spend less time” by encrypting users’ files and making them pay a ransom in a short period of time to get them back.
In the first quarter of 2015 only four variants of ransomware existed in the market, but that number grew to 15 within a year, Siebert noted. Since then, ransomware has grown more numerous and complex.
“This problem isn’t really going to go away,” Siebert said. “It’s really definitely out there and just growing and getting worse.”
Criminals who use ransomware have the infrastructure in place to easily make money off of attacks and are doing so, Siebert said. Such attacks are a lot easier than tracking down and exfiltrating data.
There are three main variants of ransomware in the market today, Siebert said:
- Traditional lock screen. In this case, Siebert noted, users receive official-looking warnings that lock their screens and say they have done an illegal activity and must pay a ransom.
- Encrypting the master boot record. The original Petya ransomware was a good example of this type, Siebert said. Master boot records hold where a user’s files are located on a hard drive. Once the computer is infected, the ransomware will generate an error on Microsoft Windows machines and force them to reboot. Once that reboot happens the master boot record gets encrypted and users are usually forced into an MS-DOS window where they are asked to make a payment.
“The problem we’re seeing with those, and the reason I don’t think they’re as ingrained in the industry yet, is that you are locking the individual out of the computer, so then they need another computer to go pay the ransom and get the information and the keys back,” Siebert said. “So, we haven’t seen that one take off quite as much, but we are seeing those.
- Pure encryption. Ransomware like Locky and CryptoWall are pieces of software that get onto users’ computers or network drives, then encrypt data and lock users out of their files.
Ransomware attacks generated around $1 billion in 2016 according to the FBI. CryptoWall alone generated $100 million in payments in 2016, Siebert said, but in 2015 it caused $325 million in damages via the servers and infrastructure and research spent to defend against it.
For more information, check out, "The 3 Main Ways Ransomware Spreads in 2017." And for more on the evolving threat of ransomware, the damage these threats can cause and how you can stop them, check out this CDW webinar sponsored by Trend Micro.