The bad guys on the dark side of the web have gotten bolder, nastier, and they couldn’t be happier. 2015 turned out to be a jackpot year for cyber thugs: over half a billion records were stolen and over 100 new ransomware families were discovered.
A report released by Symantec revealed that the average ransom demand has more than doubled since 2015, and is now Rs 45,428, up from Rs 19,670. What adds to the misery is that the number of companies choosing not to report how many records they lost has increased by 85 percent.
They came, they saw, they ransomed
Ransomware has come a long way since 2005, when hackers installed misleading apps on Windows PCs that made it look as if some resource, such as CPU or memory, was being over-utilized and needed fixing. So you called up the call center, which asked for money, and after you transferred the money, it was gone.
The second phase involved fake antiviruses being installed, which scanned all folders and said: ‘These files are corrupt. If you want to clean them up, please purchase an antivirus pack.’ The rest of the story is predictable enough.
Tarun Kaura, Director – Solution Product Management for Asia Pacific & Japan, Symantec, discussed the manner in which ransom was collected, and how thugs got smarter and decided to make it more real, thus introducing ‘Locker Ransomware’, which abruptly locked down your system while you were browsing. “It looked like a regulatory organization or the local police ‘sniffed’ suspicious activity, and sent a message saying: You’re browsing content that you’re not supposed to, so we’ve blocked your usage. If you want to proceed, you need to pay up,” explained Kaura.
This modus operandi was extensively used till 2012-13, and this was the time hackers operated in a cloak-and-dagger mode, choosing not to reveal the hack.
Around 2014, the industry witnessed another evolution in the shady history of cybercrime: Crypto-Ransomware. Here the hacker owned up to hacking your data and encrypting it. If you wanted it decrypted, you needed to... that’s right – cough up.
So, what started as a data exfiltration or denial-of-service attack can now pretty much bring a business to its knees. The head honchos have to first figure out how the attack happened; how to clean it up; whether the data can be decrypted; whether the ransom needs to be paid; and finally, how the whole thing can be kept under wraps to avoid a PR disaster.
Hackers step on the pedal
Now, targeting individuals and small enterprises didn’t turn out to be a very scalable model for the bad guys. Picture standing on a street corner, robbing the lonesome stroller. How many people can you rip off? That’s when thugs realized that the best way was to target more people at once, and that started the trend of hacking large corporations: the hackers moved away from targeting consumers to targeting large enterprises.
The amount that could be ransomed would be exponentially higher, and the data: way more valuable. Needless to say, the PR disaster that results from a hack reflects on the share prices of the targeted enterprise too.
What’s really working for the hackers is the new payment mechanism – Bitcoins, in addition to new payment gateways. They now know how to collect the ransom. This is what disrupted the whole economics of ransomware.
Trends in Ransomware attacks
Firstly, variants in ransomware: The number of variants being developed for ransomware is on the rise. “We’ve witnessed at least 100 variants of ransomware, which is significantly higher than what we’ve witnessed earlier,” revealed Kaura.
Secondly, the delivery model, and finally, the operating system they’re going after: “We have ransomware attacks moving from just Windows to Mac OS, and also to mobile devices on the Android platform,” he said. Symantec believes that the next wave could also target smart devices, including smart watches and wearable devices.
Another interesting trend is the fact that hackers are going beyond merely deploying ransomware attacks. It could be an exfiltration, or a diversion technique. They’re using a combination of two to three attacks to go after the enterprise.
Ankit Anubhav, a Malware Researcher at FireEye Labs, said, “You’d be surprised to hear that tier-two cities are really reeling under the attack. Though mature enterprises have started viewing the ransomware threat and the damage associated with it seriously, the awareness level in the mid-market segment is still quite low.” He also highlighted that Word macro documents are proving to be a major source of propagation.
Before hackers zero in on a particular organization, there are several factors that need to be considered, for instance the economy of the country.
With 31 percent of global infections, the US continues to be the country most affected by ransomware. Italy and Japan come in second, with eight percent each, followed by the Netherlands, Germany, and the UK. India makes it to the dubious list, registering three percent.
On a global scale, the services sector, with 38 percent of organizational infections, was by far the most affected business sector. Manufacturing, at 17 percent, comes in second, followed by finance, insurance, and real estate at 10 percent.
“You’ll also observe that a lot of times, the non-regulated sectors get more attacks, as there are no regulations guiding them,” said Kaura, sharing Symantec’s findings.
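The macro-document propagation vector Anubhav mentions is cheap to triage at the mail gateway, because modern Office files (.docx, .docm, .xlsm) are ZIP containers whose VBA code lives in a well-known member part. The following is an added example, not code from the article, FireEye or Symantec: it inspects raw file bytes for a VBA project, flags macro-bearing files whose extension claims to be macro-free, and builds its own constructed sample containers in memory so it runs offline. The member names and the content type string are the standard OOXML ones; the function and sample names are this example’s own.

```python
import io
import zipfile

# Where an OOXML container stores its VBA project, by Office application.
VBA_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Header of a legacy binary (.doc/.xls) compound file; those need an OLE parser instead.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def macro_verdict(data: bytes) -> str:
    """Classify raw file bytes as 'macros', 'clean', 'legacy-ole' or 'not-office'."""
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"          # macros possible, but outside this ZIP-based check
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if any(member in names for member in VBA_MEMBERS):
                return "macros"
            # Second signal: the package declares the VBA content type even if the
            # part is stored under an unusual name.
            if "[Content_Types].xml" in names:
                types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in types_xml:
                    return "macros"
            return "clean"
    except zipfile.BadZipFile:
        return "not-office"


def mismatched_extension(filename: str, verdict: str) -> bool:
    """True when a file carries macros but its extension promises a macro-free document."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return verdict == "macros" and ext in {"docx", "xlsx", "pptx"}


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-like container, not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types_xml = ('<?xml version="1.0"?><Types xmlns='
                     '"http://schemas.openxmlformats.org/package/2006/content-types">')
        if with_macro:
            types_xml += ('<Override PartName="/word/vbaProject.bin" '
                          'ContentType="application/vnd.ms-office.vbaProject"/>')
        types_xml += "</Types>"
        zf.writestr("[Content_Types].xml", types_xml)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA blob
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("invoice.docm", build_sample(True)),   # macros, honestly labelled
               ("invoice.docx", build_sample(True)),   # macros hidden behind .docx
               ("report.docx", build_sample(False))]   # no macros
    for name, blob in samples:
        verdict = macro_verdict(blob)
        note = "  <-- extension hides macros" if mismatched_extension(name, verdict) else ""
        print(f"{name}: {verdict}{note}")
```

In a gateway this check would sit in front of the sandbox: anything returning "macros" or "legacy-ole" from an external sender is the population worth detonating or quarantining, and the extension mismatch is a cheap high-confidence signal on its own.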
Bad guys go pro, aim for the stars
We have SaaS (Software-as-a-Service), PaaS (Platform-as-a-Service), IaaS (Infrastructure-as-a-Service), and a whole lot more of ‘service models’ flooding the enterprise. So, why should ransomware be left behind? Enter: Ransomware-as-a-Service (RaaS).
RaaS is proving to be a disruptor in cybercrime because the bad guy no longer has to be a real expert at hacking. What’s worse – Ransomware-as-a-Service is being offered for as little as $39 (about Rs 2600) by an entity called Stampado on the dark web.
RaaS is a perfect example to demonstrate how organized cyber criminals have become. Instead of spreading the ransomware directly, RaaS enables bad guys all over the world to infect users in their demographic and ask for money.
Anubhav also pointed out that digitally signed malware makes RaaS files difficult for a traditional security vendor to detect. Moreover, restoring the system will not remove the infection, since RaaS tampers with recovery settings.
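Tampering with recovery settings is one of the few ransomware behaviours that is noisy before encryption starts, so it is worth alerting on from process-creation telemetry. Below is an added example, not code from the article or any of the vendors it quotes: a small detector that parses key=value process-creation events (a constructed log format, assumed here to be what an EDR or Sysmon pipeline emits), matches the command line against the well-documented recovery-inhibition commands (shadow copy deletion, boot-recovery switches, backup catalog removal), and raises the severity when the parent process is an Office application, tying back to the macro-document propagation path described earlier. The sample events, rule names and field names are this example’s own.

```python
import re
from typing import Dict, List

# Constructed event format: "ts=... host=... user=... parent=\"...\" cmdline=\"...\"".
# Values containing spaces are double-quoted.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Commands that disable Windows recovery paths (publicly documented ransomware
# behaviour; assumption: these are the forms your telemetry will show).
RECOVERY_TAMPER_RULES = {
    "shadow-copy-deletion":    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "shadow-storage-resize":   re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    "wmic-shadowcopy-delete":  re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "boot-recovery-disabled":  re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
    "boot-ignore-failures":    re.compile(r"bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures", re.I),
    "backup-catalog-deletion": re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
}

# A recovery-tampering command spawned by an Office app is the macro-document case.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r'ts=2016-07-14T10:02:11Z host=WS-042 user=CORP\jdoe parent="C:\Program Files\Microsoft Office\WINWORD.EXE" '
    r'cmdline="cmd.exe /c vssadmin delete shadows /all /quiet"',
    r'ts=2016-07-14T10:02:12Z host=WS-042 user=CORP\jdoe parent="C:\Windows\System32\cmd.exe" '
    r'cmdline="bcdedit /set {default} recoveryenabled no"',
    r'ts=2016-07-14T10:05:40Z host=SRV-01 user=CORP\backupsvc parent="C:\Windows\System32\services.exe" '
    r'cmdline="vssadmin list shadows"',
    r'ts=2016-07-14T10:06:02Z host=SRV-01 user=CORP\backupsvc parent="C:\Windows\System32\services.exe" '
    r'cmdline="wbadmin get versions"',
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value event line into a dict, honouring double-quoted values."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per (event, rule) match; severity depends on the parent process."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        cmdline = event.get("cmdline", "")
        parent = event.get("parent", "").rsplit("\\", 1)[-1].lower()
        for rule, pattern in RECOVERY_TAMPER_RULES.items():
            if pattern.search(cmdline):
                alerts.append({
                    "rule": rule,
                    "host": event.get("host", "?"),
                    "user": event.get("user", "?"),
                    "parent": parent,
                    "severity": "critical" if parent in OFFICE_PARENTS else "high",
                })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['rule']} on {alert['host']} by {alert['user']} "
              f"(parent {alert['parent']})")
```

The benign "vssadmin list shadows" and "wbadmin get versions" events produce no alert, which is the point of matching on the destructive verbs rather than on the tool names; backup agents legitimately run the read-only forms all day. In a real pipeline the two constructed alerts above would also be the trigger to isolate the host before the encryption pass begins.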
ACPL, a noted security partner, identified ransomware to be the biggest threat faced by the enterprise today. What makes it a force to reckon with is the fact that these targeted attacks are aimed at senior management level. “We’ve witnessed data being compromised from laptops of CFOs, CEOs, and VPs, and their organizations have had to make huge payouts,” revealed Vishal Bindra, Founder & CEO, ACPL Systems.
Samarendra Kumar, Head of Group Information Security, InterGlobe Enterprises, shared the same observation, saying “I feel that it’s mostly to do with the attack surface being the endpoints, and secondly: the target is more towards the audience, which is high profile.”
Although the plague of ransomware has spread across all verticals, BFSI has been able to exert some control over it. “This is because they have some checks and information in terms of whom to pay, and how the money will be routed,” said Bindra. Verticals like manufacturing, services, and media, however, have had to pay through the nose.
Bindra emphasized the need to build processes and technology to be able to recover from a ransomware attack. Considering there’s precious little an organization can do once it is hit with ransomware, his advice for CSOs was to invest in technologies which can help them quickly recover.
Now that we have a fair understanding of ransomware, should we treat it any differently from other forms of cyber attack?
The key to the castle lies in understanding how ransomware works. A lot of times, you don’t get to know you’ve been hacked, and that you’ve lost your data. This places a greater priority on incident response.
So, how do you bolster your incident response?
“I still believe that a lot of organizations are still investing in detection and response. Incident response and recovery is highly dependent on the process, and more so, on the people,” said Kaura.
A fireproof way to go about it is to strengthen the endpoints. At InterGlobe, the network ATP and the endpoint ATP have been integrated to ensure that the attack surface is visible quickly. In addition to this, the company lays strong emphasis on creating awareness.
Sujoy Brahmachari, CISO & Sr. GM – Infosystems, at Hero Motocorp, seconded this by saying “People’s ignorance is the key cause. We have to educate corporate users and create awareness.”
The numero uno two-wheeler manufacturer in the country implements this by conducting periodic awareness programs and rolls out regular mailers to keep its employees well informed.
The interaction with CSOs, however, revealed that they differed on the manner in which ransomware can be best dealt with. While InterGlobe swears by an integrated approach to ATP, Hero Motocorp lays the onus on its people.