Ransomware: A grim future

A Symantec report found a 250% increase in ransomware families between 2013 and 2014 alone; what can we expect from this type of malware in the years to come?

Fig.1: Silobreaker’s Time Series displaying mentions of ransomware over the past year.

Services: Essential vs. Optional
News this week has focused on Hollywood’s Presbyterian Medical Center, which paid ransomware authors $17,000 to decrypt compromised systems. With the average ransomware fee set at around $300, two implications can be drawn from this unusually high price. The first is that the hospital was deliberately chosen, rather than becoming merely another casualty of a wider campaign. The second is that essential and emergency services are ideal targets for ransomware authors.

The threat to important services should not be taken lightly – a recent US Homeland Security report predicted that cyber threats against the emergency service sector are set to increase. And if this is true, the repercussions could be disastrous. An individual or a company can choose whether or not to pay a ransom, depending on the value they place on their data. When a hospital can’t use its network for 10 days, or medical equipment is disabled, the result is a genuine threat to patients’ lives.

Targeting organisations that prioritise system availability gives ransomware authors incredible leverage, to the extent that paying the ransom becomes almost a no-brainer. As the CEO of Hollywood’s Presbyterian Medical Center stated: “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key.”

Bugs, glitches and coding quality
Ransomware is just as susceptible to human error as any other piece of software, and sometimes this can work out in favour of its victims. Linux.Encoder.1, for example, was supposed to work like the infamous CryptoWall on Linux boxes, but a design flaw meant that the decryption key could be acquired without payment.

The Cryptear.B and Power Worm ransomware variants, on the other hand, exemplify what happens when malware authors make coding mistakes – but not the ones you want. Cryptear.B encrypted user’s data and the decryption key, while Power Worm simply discarded the key altogether, leaving its author with no money and users with no prospect of recovering their data.

So what’s the worst case scenario? If the spread of ransomware continues at its present rate, it’s perfectly possible that one of the latter badly coded versions will manage to infect tens of thousands of computers. If that happened, all the money in the world wouldn’t change a thing.

Fig 2: Silobreaker’s Time Series displaying the most reported ransomware variants over the past year.

Mobile vs. PC
ESET recently published a report addressing the risk that ransomware poses to mobile devices, and specifically those running the Android OS. With users switching from PC to mobile for all sorts of daily activities, there is certainly greater risk in this direction than ever before. Mobile ransomware is also beginning to mature. Lock-screen types that deny access to applications are being supplanted by the more problematic encryption-type ransomware (AKA crypto-ransomware) that’s already the scourge of careless PC users.

Fundamentally, crypto-ransomware is only effective if a) your data is very important and b) there aren’t any backups available. This means that there are clear limits on the vulnerability of mobile users. Few people run companies from their tablets or mobiles and propriety data is usually stored on-site rather than on the CEO’s phone. Many companies have also abolished their BYOD policies, meaning that work-related information is even less likely to make it onto employees’ phones.

Even if you do forget to regularly save your pictures or contacts onto an external drive, the previous limitations mean that mobile specific ransomware will probably remain a major inconvenience rather than a crippling financial burden. Banking trojans and hybrid ransomware, however, are another story.

Fig 3: Silobreaker displays ransomware news from the last week.

Investing in protection
Despite that fact that the CryptoWall ransomware alone cost users around $325 million last year, it seems that individuals and businesses still aren’t taking adequate precautions. There are victims all over the world, from Israel’s Electricity Authority and Lincolnshire County Council to Oxford School in Mississippi, but protection is easier than it may seem.

Regularly backing up your data on an external drive (and keeping the drive unplugged), not downloading attachments without double-checking who they come from, and keeping your systems patched are basic ways of preventing ransomware infection.

Yet backing up your data is a reparative measure – it’s always better to avoid exposure in the first place. And the unfortunate truth is that even the best AV products take time to recognise new threats, by which point the damage is done.

As malware evolves, it only makes sense to keep abreast of emerging threats and brief your employees on what to look out for this week or the next. Human error is the leading cause of infection for all forms of malware, and the difference between security and compromise will often rest on that single second it takes to click a link.

The Silobreaker Team

This website uses cookies.
See our privacy policy at www.silobreaker.com/legal