Ransomware, arguably the most efficient malware used by cybercrooks in recent years, continues to wreak havoc on a global scale, affecting everyone and everything, from regular Internet users to enterprises to critical infrastructures. So why do hackers still win?
Ransomware operators have learned in recent years that attacks tightly targeting large corporations and national infrastructures yield much more profit than the en masse attacks on random endpoints. At the same time, many of these large infrastructures still rely on unpatched, or even unpatchable, legacy systems that are highly vulnerable to cyber-attacks.
When victims are left without a choice
In the last couple of years, ransomware families like WannaCry, GoldenEye/NotPetya, GandCrab, Ryuk, SamSam and, more recently, LockerGoga, have inflicted tens of billions of dollars of damage worldwide, crippling businesses and critical infrastructures alike.
A recent example is the attack on Garfield County in Utah, where officials resorted to paying ransom in Bitcoin to regain access to their systems and data. The type of ransomware used in the attack is unknown and it is believed operators encrypted not just the county’s live data but also the backups, leaving them no choice but to pay and hope to get back what was theirs. In this instance, the attackers stuck to their end of the deal, so Garfield County was lucky. However, paying the ransom doesn’t always yield the decryption keys from the attacker, either because:
- the attack was only meant to disrupt (state-sponsored)
- the command & control server is under investigation by law enforcement or the attacker is in prison
- the communication channel between the victim and the attacker become severed
- the crypto-wallet address in the ransom note is incorrect
- coding errors in the encryption routine that irreversibly corrupts the encrypted file
…and the list could go on.
Big business and national infrastructures in the crosshairs
The Garfield County attack is just one example where a ransomware campaign leaves the victim with a hard choice, caving in to the attackers’ demands. Last year, GandCrab operators reportedly demanded as much as $700,000 per server to decrypt their victims’ data. Some paid, while others didn’t. However, the potential profits of a ransomware campaign so outweigh the costs that only a handful of victims need pay up for the operators to generate millions of dollars’ worth of cryptocurrency overnight.
Refusing to pay the ransom doesn’t deter attackers either. They know they stand a good chance of getting paid. If not, the damages are still high for the victim – as evidenced by the City of Atlanta last year, when it got struck by SamSam, or by Norsk Hydro this year, when LockerGoga operators crippled its aluminum smelting facilities and power plants. Both victims incurred losses in the tens of millions of dollars, making one wonder what the outcome would have been had they paid? These attacks make headlines that future victims will read and ponder, increasing their anxiety – and the likelihood that one or two will cave in and pay.
By targeting healthcare facilities – another emerging trend in recent years – attackers again press management and IT administrators hard to consider paying ransom. The reason is simple: freezing a medical center’s operations puts lives at risk and patient health history could be lost forever. The most recent example comes from the United States, in Battle Creek, Michigan, where a doctor’s office closed shop after a ransomware incident. A concerned mother was left scrambling for options to ensure her daughter got the necessary treatment, when it was discovered she required a follow-up intervention after an infection post-surgery. While this medical practice chose not to pay the ransom (for reasons still not entirely clear), many others have, to avoid further damages and maybe even bankruptcy.
How to thwart attacks (by avoiding infection in the first place)
At the end of the day, attackers know that systematically hitting big targets will yield some who pay. With their insatiable demands, ransomware operators are giving themselves a huge leg up in the business. This is why today, more than ever, it is important that organizations in the hackers’ crosshairs equip themselves with the knowledge and technology to detect and prevent a ransomware attack from unfolding. Sometimes all it takes is a good round of personnel training. Most cyber-attacks start with a phishing email, as was the case in Garfield County. The incident could have been entirely avoided had the employee known to spot the intentions behind the suspicious message in their inbox.
On the technology side, administrators must make it their top mission to ensure that data is regularly backed up and kept offline, away from prying eyes, in case a breach occurs. Next, administrators need a solid intrusion detection system that stops malicious traffic before it reaches endpoints. For enterprises, a layered security solution becomes a must. Modern security solutions integrate layered next-gen endpoint protection and endpoint detection & response (EDR) to accurately protect enterprises against even the most elusive cyber threats, including ransomware, advanced persistent threats (APTs) and fileless malware.