How is ransomware causing threats to organizations?

Paul van Kessel,
EY Global Advisory Cybersecurity Leader

Ransomware attacks are a reality, and they are happening more and more often: the FBI estimates 4,000 ransomware attacks per day. Organizations of all kinds are becoming targets for this form of cyber threat. So what are the risks, and how can CIOs mitigate and respond to them? And what exactly do ransomware attackers demand?

Ransomware is exactly what it sounds like: malware used by cyber attackers who demand a ransom for the restoration of the data or service it holds hostage. Some ransomware is capable of encrypting 100,000 files in under 2 minutes.

Over the last year, attackers have targeted the industries that have been more likely to pay up. These are primarily health care, education, government organizations, critical infrastructure and small businesses.

That said, all industries are under attack, with the mechanical and industrial engineering industry suffering, on average, 15% of ransomware hits, pharmaceutical and financial services 13%, and real estate 12%.*

“Locky” was the most deployed ransomware in 2016. The malware is distributed through spam emails that present an invoice as an attachment. If the file is opened, the reader is asked to enable macros; once enabled, the malicious code encrypts files and locks up the system. A ransom in bitcoin is then demanded to decrypt the data. Locky alone was responsible for more than US$500m in losses in 2016.*

How could it evolve?
Ransomware attacks have increased 170 times year-on-year in the period from 2014 to 2016. This growth trajectory will lead to an estimated US$1b in global losses in 2017.*

Because it is easy to remain anonymous and to buy ransomware services, conducting an operation requires little effort and presents very low risk to attackers, which vastly increases the expected frequency and number of attacks.

These attacks can have a devastating impact on businesses. EY research indicates that only 42% of companies are able to recover their data fully from their backup systems. The actual ransom money paid is only a small portion of the total costs companies have to incur to overcome the damage that is done. One also has to factor in other costs, such as the response team, stabilization and restoration efforts, and enhancements to the cybersecurity framework to prevent future attacks.

The execution model of ransomware attacks is evolving and has now reached a level of maturity. Over time, the model has incorporated innovations such as digital currencies — for example, ransom money can now be paid in bitcoin — and the introduction of ransomware-as-a-service (RaaS), which offers unlimited access to ransomware on the dark web for one bitcoin a year. New innovations are expected, especially related to attacks on internet of things (IoT) devices.

How can organizations strengthen their defenses?
We expect that companies will respond by putting more emphasis on backups that are isolated from the network and increasing user awareness around phishing emails and the use of USB sticks.

Equally important are training in good practices, building awareness around the threat and establishing a process to monitor, detect and report any suspicious activity that is noticed. Phishing emails are typically the primary attack vector, so deploying solutions that block these malicious emails and attachments is essential. Once on the network, an endpoint and network solution that detects ransomware behavior can limit the spread.
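As an added illustration, not part of the article or of any EY or vendor product, of what "detecting ransomware behavior" on an endpoint can mean in practice: this Python sketch flags a process that renames many distinct files to an appended extension within a short window, the pattern behind the "100,000 files in under 2 minutes" figure above. The tab-separated event format, thresholds, process names and paths are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions treated as user documents; an extra suffix appended after one of
# these (e.g. report.docx.locked) is the renaming pattern this check looks for.
DOC_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "jpg", "png", "txt"}

def looks_encrypted(path):
    """True if the file name carries an added suffix after a document extension."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    return len(parts) >= 3 and parts[-2] in DOC_EXTS

def parse_events(text):
    """Each line: '<ISO timestamp>\\t<process>\\t<operation>\\t<path>' (constructed format)."""
    events = []
    for line in text.strip().splitlines():
        ts, proc, op, path = line.split("\t")
        events.append((datetime.fromisoformat(ts), proc, op, path))
    return sorted(events)

def detect(text, window=timedelta(seconds=60), min_files=20, min_ratio=0.8):
    """Flag processes that touch many distinct files inside one sliding window,
    most of them renamed to an appended extension. Returns {process: (files, ratio)}."""
    by_proc = defaultdict(list)
    for ts, proc, op, path in parse_events(text):
        if op in ("write", "rename"):
            by_proc[proc].append((ts, path))
    flagged = {}
    for proc, items in by_proc.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1                      # slide the window forward
            touched = {p for _, p in items[start:end + 1]}
            if len(touched) < min_files:
                continue
            ratio = sum(looks_encrypted(p) for p in touched) / len(touched)
            if ratio >= min_ratio and len(touched) > flagged.get(proc, (0,))[0]:
                flagged[proc] = (len(touched), round(ratio, 2))
    return flagged

def sample_events():
    """Constructed telemetry: a few normal saves plus a burst of renames by a
    hypothetical process 'macro_host.exe'; not data from any real incident."""
    t0 = datetime(2017, 5, 12, 9, 0, 0)
    lines = [f"{(t0 + timedelta(minutes=5 * i)).isoformat()}\tWINWORD.EXE\twrite"
             f"\t/home/bob/docs/memo{i}.docx" for i in range(3)]
    for i in range(30):                         # 30 renames in 58 seconds
        ts = (t0 + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts}\tmacro_host.exe\trename\t/home/bob/docs/file{i}.xlsx.locked")
    return "\n".join(lines)

if __name__ == "__main__":
    print(detect(sample_events()))              # {'macro_host.exe': (30, 1.0)}
```

Real deployments tune the thresholds per host role and feed the flag into an isolation or kill action, which is what limits the spread the paragraph refers to.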

Recovery is equally important. Unfortunately, recovery policies are rarely tested. Restoring data is a very sensitive process, and a minor omission can have a far-reaching impact. And yes, user awareness and education programs are essential in making a difference.

How can organizations respond to ransomware demands?
Much depends on whether the organization has a recent backup of the affected data or not. It also depends on whether the backup itself has also been encrypted or deleted by the malware, and the thoroughness of that backup. Additionally, it depends on which part of the organization has been impacted by the attack — for example, whether it is in operations or in an area that includes sensitive data that requires reporting.

If it has no backup or the quality of backup is poor, an organization may consider paying the ransom. But, if it does decide to pay, it is definitely a case of “buyer beware.” Another aspect to consider is the fact that negotiations with attackers generally have mixed results. There is absolutely no guarantee that the data will then be “returned” — also, by paying once, an organization may become a more likely target for a follow-up attack.

Also, potential violation of sanctions established by the Office of Foreign Assets Control — such as inadvertently contributing to terrorist organizations — may present another unexpected risk.

If a reliable backup is in place, the organization needs to look immediately at how to refresh the systems, assess what needs to be replaced completely — whether that is hardware or software — and determine which stakeholders may have been affected by the attack. Appropriate communication with those stakeholders is then required, including any relevant regulators.

A cyber attack can happen to any organization in any industry. An organization’s network can be infected with ransomware through even the slightest gap in its security. As attackers keep finding new and more reliable ways to infiltrate systems, organizations can prepare with the best defense: secure backup systems and strong malware detection.

Protecting the organization from cyber attacks is crucial for the business. It can prevent financial damage and, most importantly, data loss.

*Source: 2017 SonicWall Annual Threat Report

Legal disclaimer: The views expressed are those of the author only and do not represent the views of any of the member firms of Ernst & Young Global Limited.
