Ransomware Could Become Mainstream, More Destructive to Businesses

Ransomware is emerging as the go-to tool that cyber criminals are arming themselves with by encrypting files and holding the encryption key hostage until a ransom is paid.

Obtaining files with the threat of destroying it or attempting to disrupt an organization's operations will be a harmful tool and could become more mainstream and widespread in the near term. This strategy is setting a dangerous precedent, because some of these criminals or activists are no longer motivated by money and could seek even more damaging outcomes because they are driven by political or ideological issues.

The possibility that ransomware could stop the operations of a company is now a real fear, especially when Hollywood Presbyterian Medical Center in Los Angeles became a victim this year and was unable to function for over a week.

Ransomware is the "perfect digital weapon for a saboteur" since it is extremely destructive and difficult to remove, however hackers can deploy it easily and an entire network can be compromised from merely one mistake by an employee, said Michael Gregg, CEO of Superior Solutions, a Houston-based ethical hacking firm.

"The bottom line is that this is going to happen; it's just a matter of when," he said.

The current environment in the U.S. and globally consists of immense political and societal tension. In the U.S., there are community protests against law enforcement agencies and an increase in hacker groups which have affiliated themselves with political causes, such as supporting a nation-state like Syria or Iran or anarchist views, Gregg said. There is also a rise in online criminal services for activities such as hacking-for-hire and crimeware kits.

"It's a perfect confluence of motive and opportunity," he said. "We've already seen a wide range of 'hacktivist' attacks against corporations, law enforcement and government agencies over the past five or six years. Those have mostly been limited to website defacements, social media account takeovers, low-level doxing, but it would not be a stretch for future hacktivists to leverage a widely available and easy to use digital weapon like ransomware."

The problem is extensive enough that the Federal Trade Commission is hosting a free ransomware event on September 7 in Washington, D.C. where security experts, law enforcement officials will discuss how consumers and businesses can protect themselves from becoming victims.

When Money Is a Motivator

Ransomware has increased significantly over the past year and is on pace to continue because the impact to a company is significant and the attacks are relatively simple to generate, said Steve Durbin, managing director of Information Security Forum, a London-based authority on cyber, information security and risk management.

"It is effective as a cash generator and takes advantage of the traditional weaknesses in most corporations - people," he said.

While losing access to your data is vexing and extremely inconvenient, the potential for the attack to be "much more sinister" occurs when it is directed towards critical infrastructure or used for destructive purposes, Durbin said.

"The bottom line is that the impact on the organization being attacked is significant, which is why it is so effective and why we continue to see ransoms being paid," he said.

The current spate of perpetrators is interested in seeking a quick financial gain and use malware to extract a ransom. Their method is seemingly straightforward and effective- target companies which have the ability and desire to pay large amounts of money and emerge as a damaging force.

"Pure data hostage takers have no interest in taking down a company because then they won't get paid," Durbin said. "So whilst the malware being used is increasingly sophisticated and hard to detect, the ransomware business model is all about cash generation."

Deletion of Files After Ransom is Paid

Another set of hackers is more interested in destructive malware such as the recent "Ranscam" attack which appears to masquerade like traditional ransomware, but the files can not be recovered and are already deleted, said Andrew McDonnell, vice president of security solutions at AsTech Consulting, a San Francisco-based independent security consulting company. This new malware is very destructive, because the files are deleted even after the ransom is paid.

"Using this technique would certainly be an option for strictly destructive actors," he said. "With the intent to simply destroy files and otherwise disrupt an organization's activity, an attacker could alter one of the many variants of ransomware to cut out delivery of a decryption key should any ransom be paid."

Ransomware is a tangible threat, because its products are not only becoming more pervasive on the dark market underground, but they are "bound to become more widely deployed against businesses," said Joram Borenstein, a vice president of marketing of NICE Actimize, a New York-based financial crimes software solutions provider. More victims such as small businesses and consumers will fall prey to this method.

"There is little reason to think this will stop occurring in the next 12 to 18 months," he said. "While so far the focus has been on getting businesses and consumers to pay up to release and decrypt the information, it could eventually be used by others that simply want to stop a given activity from taking place."

Defense Against Ransomware

The occurrence of a weaponized ransomware attack would devastate many businesses because this kind of encryption will deny access to financial, health and even tax records as well as incapacitating the actual computers and servers themselves.

"We're talking about a potentially large scale and indefinite disruption of services," Gregg said.

Organizations can prevent the effects of an attack by backing up and securing data and systems, but the majority of them are failing to do so and are simply "sitting ducks for this type of attack," he said.

Organizations that are most susceptible to ransomware have a key digital asset which can be held hostage and lack adequate investments in IT security, said Carl Herberger, vice president of security solutions at Radware, a Tel Aviv, Israel-based cybersecurity company. A company with a risk averse culture is a prime target because they will not want to face public scrutiny and is more likely to capitulate and meet the demands.

"A culture which that is not confrontational would be likely to pay and then fight or rectify the situation," he said. 

Ransomware will increase as criminals become more sophisticated and develop other methods.

"Companies need to reinforce boundaries: people are the key defense, but also the weakest link, so focus on training and awareness, keep software updated including spam and web filters, back up critical data and store in an air gapped environment so that you are able to restore come the day," Durbin said.