
Makes You WannaCry? The Rise of Ransomware, and What to Do About It

The ransomware attacks over the weekend are one example of the millions now happening every year; it should remind all managers to be vigilant, to train employees properly, and to have a mitigation plan in place

The past few days have seen a lot of attention paid to the latest bout of ransomware attacks to wreak havoc on the world’s IT infrastructure. This is almost certainly because of the high-profile and globally dispersed targets – including FedEx, Nissan, the UK’s National Health Service, and German and Russian rail networks – and the very real problems the attacks caused people, including cancelled operations and stranded passengers.

But although this might have been a particularly noticeable attack, it certainly wasn’t the only one asking computer users to hand over $300 worth of bitcoin to recover their files. The US Department of Justice estimates that these types of attacks occurred a staggering 4,000 times a day in 2016. While experts continue to argue over who’s at fault for the spread of the WannaCry ransomware – both Microsoft and Vladimir Putin have accused the US government today – it seems that the attacks are now slowing.

Although that’s undoubtedly good news, this let-up should only serve to remind managers in the private and public sector alike that one click by an employee on the wrong link can infect a whole system in half a second. And for businesses the price to unlock “kidnapped” data can often be a lot higher, at tens of thousands of dollars every time. It’s no wonder that, in the past few editions of CEB’s quarterly emerging risk survey, risk and compliance professionals have ranked ransomware as one of the highest-velocity threats facing firms.

Cybercrime’s New Business Model

Ransomware is the new business model for cybercrime. Hacking into systems to steal data and sell it on the black market is just not as profitable anymore. Breaking into an organization often requires weeks of planning with no guarantee of success, and even with success, no guarantee of reward. On average, “traditional” hackers make far less than an IT professional, according to a Ponemon Institute report.

Meanwhile, ransomware starter kits are sold on the Dark Web for as little as $39 and the authors of such kits can make close to $1 million in a year.

Ransomware also owes its rise to two other factors. The emergence of Bitcoin as a hard-to-trace internet currency has made it easier to demand ransoms. At the same time, phishing schemes have become more sophisticated. It’s true that e-mail providers have got better at filtering out spam and malicious messages, and that those that do get past are often easily spotted by the average user. But much of ransomware’s success is predicated on formal, polished e-mails that look legitimate yet contain a malicious link or attachment.

But it’s ransomware’s ability to mutate that really sets it apart from other malware. Infections in the form of Trojans and other malware carry a fingerprint (a signature) which, once mapped, can be incorporated into anti-virus software and easily scanned for. Ransomware, on the other hand, changes its fingerprint almost hourly, making traditional signature-based malware protection nearly useless at detecting it.

Three Simple Mitigation Strategies

All the above might make ransomware seem scary, but anti-virus companies are constantly cracking popular ransomware infections and developing new tools to stop their encryption process. In the meantime, organizations can take three basic steps to lower the risk of their data being spirited away, and to recover quickly if it is.

  1. Regularly back up data: Even when a company is attacked with ransomware, many choose not to pay because they have backups of their data. These backups must be kept offline, though, as ransomware attacks often search for backups of the targeted data and encrypt those too.

  2. Train employees and promote awareness: As mentioned above, much of ransomware’s success comes from taking advantage of a knowledge gap before the public wises up to this new threat. Therefore, simply educating employees about the risks can prevent many attacks.

    People should be aware that these risks exist and, as with all phishing attempts, they should be instructed not to click on links or open attachments in unsolicited e-mails. And it’s not just lower-level employees who need this training. A survey by Malwarebytes, an anti-malware firm, showed that a quarter of ransomware attacks in the United States affected corporate-level executives.

  3. Have a response plan: If your company does get hit, a business continuity plan can help lessen the losses. Organizations may also wish to invest in Bitcoins if they decide to pay the ransom.

    The FBI discourages companies from paying the ransom to recover data, yet an individual agent has admitted that they often recommend it when all other options are exhausted.

Three Counter-Strategies Employed by Attackers

Following the above steps can help prevent many attacks, yet attackers will not give up so easily. Some of their counter-strategies include:

  1. Attacking cloud providers: IT professionals used to advise backing up data to the cloud as a viable mitigation strategy. Not anymore, as attacks on cloud providers are becoming increasingly common.

    In late September last year, VESK, a cloud provider, was attacked and chose to pay an £18,600 ransom to retrieve its data.

  2. Self-propagating ransomware: For the most part, ransomware requires a user to run an executable file (often disguised as a link or attachment in an e-mail). Over 60% of attacks occur this way.

    But this year, newer versions of ransomware emerged that are able to spread themselves from computer to computer, requiring little to no action on the part of the end user.

  3. Encouraging companies to pay: Ransomware attackers often research a victim’s income, the value of its assets, and its ability to pay. They then price the ransom accordingly to make payment seem like a reasonable option. Even with nightly backups, a day’s worth of lost productivity might be worth more to a company than the ransom being demanded.

    Furthermore, attackers have even been known to negotiate with their victims to reach a lower ransom payment. Attackers have also started attaching time limits to their demands to prevent victims from seeking outside help or simply waiting for an anti-virus firm to crack the encryption.
