Held hostage: the rise of ransomware

Ransomware has climbed the malware ranks since it first appeared in 1989. Back then the AIDS Trojan horse was released, but it was largely unsuccessful because not many people had a computer.

Now, however, with the rise of the internet and the immense popularity of desktops, laptops and smartphones, the cyber threat landscape has changed, with ransomware at its fore. Indeed, a report from Trend Micro found that 44% of businesses have suffered a ransomware attack within the last two years. Of these, 65% paid the ransom.

The majority of ransomware attacks involve an unsuspecting individual clicking a malicious link. If this individual has a privileged account within an organisation then the damaging effects within the network are multiplied.


This type of malware is unforgiving and, since its rise, has infected Windows, Android and Mac systems. With 41% of ransomware attacks aimed at SMEs, it does not discriminate between large and small organisations: the result is the same. The increasing use of largely unprotected mobile devices – and their applications – has also contributed to the escalation of this hostage-style malware.

The growing success of this strain of malware has led to its democratisation and commercialisation by cyber criminals: ransomware-as-a-service (RaaS). For example, one cryptoware programme called Stampado was being sold on the darknet for $39, while there are YouTube videos promoting the RaaS model. As with anything concerning criminality, money is at its heart.

This is why ransomware is so popular, and implementing it does not require advanced IT skills either. Laurance Dine, Managing Principal, Investigative Response, at Verizon Enterprise Solutions explains that the rise of this malicious phenomenon can be attributed to the fact it can ‘be easily monetised, executed very fast and represents a low risk – so it’s a great tool for hackers and one they will continue to invest in. In the past year we have seen more technical and process innovation in ransomware than we have seen since the invention of Bitcoin-enabled anonymous payments.’

Following the success of ransomware attacks after it re-emerged, masquerading as legitimate software, in around 2005, the ransomware business is again booming.

According to the FBI, ransomware criminals in the US were paid $209 million in just the first three months of 2016, and around $1 billion for the whole year.


The number of variants has continued to rise and, according to Verizon’s Data Breach Investigations Report 2017 (DBIR) – released last month – the number of ransomware cases has risen by 50% since this time last year.

In this ransomware renaissance there has been a shift in hackers’ targets, from individuals to businesses. ‘As attackers shift from targeting individuals to targeting organisations,’ says Matt Middleton-Leal, Regional Vice-President UK, Ireland and Northern Europe at CyberArk, ‘they’re generating larger profits from ransomware attacks’.

Giving a specific example of one of these attacks, Middleton-Leal points out that the aftermath of a ransomware attack goes beyond the initial ransom. ‘The cost of an attack,’ he explains, ‘can be far greater than the ransom. A small city-owned utility in Michigan suffered a ransomware attack in April 2016 that effectively shut down its e-mail and phone systems. The article indicates it cost about $2 million to clean up after the attack. The utility had to recover control of its communications systems, identify digital vulnerabilities and apply security upgrades that would prevent or severely limit the impact of another ransomware attack.’

Indeed, in addition to paying the ransom, victims will most likely suffer costly business downtime, as was the case in the example above. At the same time, paying the ransom does not by any stretch solve the problem of data recovery.

Many victims of ransomware, even if they pay, never recover the encrypted data. As a result, most cyber security experts advise organisations to not pay the ransom and instead have a strong backup and recovery system.


The initial exploitation by ransomware is only the beginning of a journey fraught with reputational damage and financial loss. It is imperative, therefore, to defend appropriately and, where defence fails, to have an effective backup and response plan in place.

Defending the nest

Backup. Backup. Backup. An automated backup solution is essential in mitigating the risks posed by ransomware. In the event of an attack, data stored off-site with a cloud provider – such as Microsoft Azure or AWS – will be recoverable, while meeting regional data protection laws. On top of this, Druva recommends that businesses back up data every four hours and keep a long, flexible data retention policy.

As the reader will know, with the increasing amount of malicious traffic aimed at organisations, something is likely to get through at one time or another. As a result, cloud-based backup and recovery is the only way to guarantee data protection.

‘Besides supplementing their perimeter defences with internal monitoring, businesses must ensure they back up,’ says Matt Walmsley, EMEA director of Vectra Networks. ‘As long as your backup is recent enough, or where recovery of the up-to-date data is not crucial, ransomware can be disregarded to a degree.

‘Yet, modern ransomware has become highly effective at locating shared drives, with the danger that these backups may become encrypted as well. To guard against this, businesses should consider cloud backup as opposed to simply saving the data to another disk.’
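The three properties this section asks of a backup set – recent enough (the four-hour cadence mentioned above), retained long enough to hold a clean restore point, and not itself overwritten by ransomware on a shared drive – can be checked automatically. The script below is an added example, not code from the article or from any vendor named in it; the backup inventory, the `ACME_DB_DUMP` file header and the entropy threshold are constructed assumptions.

```python
import math
from datetime import datetime, timedelta

# Constructed sample inventory: (file name, last-modified time, content bytes).
# A real inventory would come from the backup product's catalogue or API.
NOW = datetime(2017, 5, 15, 12, 0)
CLEAN_DUMP = b"ACME_DB_DUMP\n" + b"customer,row\n" * 40  # assumed header + plain text
SAMPLE_BACKUPS = [
    ("db-2017-05-15T08.bak", NOW - timedelta(hours=4), CLEAN_DUMP),
    ("db-2017-05-15T04.bak", NOW - timedelta(hours=8), CLEAN_DUMP),
    ("db-2017-04-14T00.bak", NOW - timedelta(days=31), CLEAN_DUMP),
    # Copy that sat on a network share and was overwritten by an encryption run (constructed):
    ("db-2017-05-15T12.bak.locked", NOW - timedelta(minutes=5), bytes(range(256)) * 4),
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext and compressed data sit near 8.0, plain text far lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_encrypted(data: bytes, magic: bytes = b"ACME_DB_DUMP") -> bool:
    """A copy is suspect if its expected header is gone or its entropy is ciphertext-like."""
    return not data.startswith(magic) or shannon_entropy(data) > 7.5

def assess_backups(backups, now=NOW, rpo_hours=4, retention_days=30):
    """Report suspect copies and whether the clean copies meet the RPO and retention targets."""
    suspect = [name for name, _, data in backups if looks_encrypted(data)]
    clean_times = [mtime for _, mtime, data in backups if not looks_encrypted(data)]
    newest = max(clean_times, default=None)
    oldest = min(clean_times, default=None)
    return {
        "suspect_copies": suspect,
        "rpo_met": newest is not None and (now - newest) <= timedelta(hours=rpo_hours),
        "retention_met": oldest is not None and (now - oldest) >= timedelta(days=retention_days),
        "newest_clean": newest,
    }

if __name__ == "__main__":
    print(assess_backups(SAMPLE_BACKUPS))
```

Only the clean copies count towards the four-hour RPO, so an encrypted copy that happens to be the most recent file does not mask a missed backup window.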


Aside from backing up their data, what can organisations do to prevent an attack in the first place? As mentioned, this is incredibly hard to do, given the amount of malicious traffic knocking on the cyber door.

In terms of defence, endpoint protection that doesn’t rely on signatures is a good approach to take. Often these security systems will detect and prevent attacks based on unusual system behaviour.
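Behaviour-based endpoint detection of the kind described above looks for what a ransomware run does rather than what it is: one process rewriting many distinct files and changing their extensions within seconds. The detector below is an added example, not code from the article or from any product it names; the log format, the window and threshold values, and the process names in the constructed sample are all assumptions.

```python
import os
from collections import defaultdict

# Constructed endpoint file-activity log, one event per line:
# "<epoch seconds> <process> <action> <path>" (RENAME carries "old -> new").
# A text editor saves two files; another process rewrites a share and re-extensions it.
SAMPLE_EVENTS = "\n".join(
    ["1494849600 notepad.exe WRITE C:\\Users\\alice\\notes.txt",
     "1494849605 notepad.exe WRITE C:\\Users\\alice\\todo.txt"]
    + [f"149484961{i % 10} cryptor.exe WRITE C:\\Share\\finance\\report{i}.xlsx"
       for i in range(30)]
    + [f"149484961{i % 10} cryptor.exe RENAME C:\\Share\\finance\\report{i}.xlsx"
       f" -> C:\\Share\\finance\\report{i}.xlsx.locked" for i in range(30)]
)

def parse_events(text):
    """Yield (timestamp, process, action, rest) tuples from the constructed log format."""
    for line in text.splitlines():
        ts, proc, action, rest = line.split(None, 3)
        yield int(ts), proc, action, rest

def extension_changed(rename_rest):
    """True when a RENAME gives the file a different extension (e.g. .xlsx -> .locked)."""
    old, new = (p.strip() for p in rename_rest.split("->", 1))
    return os.path.splitext(old)[1].lower() != os.path.splitext(new)[1].lower()

def flag_mass_encryption(text, window_seconds=60, min_files=20):
    """Flag processes that both rewrite and re-extension at least min_files within one window."""
    by_proc = defaultdict(list)
    for ev in parse_events(text):
        by_proc[ev[1]].append(ev)
    flagged = {}
    for proc, evs in by_proc.items():
        evs.sort(key=lambda e: e[0])
        for i, (t0, _, _, _) in enumerate(evs):
            written, reext = set(), 0
            for t, _, action, rest in evs[i:]:  # sliding window starting at event i
                if t - t0 > window_seconds:
                    break
                if action == "WRITE":
                    written.add(rest)
                elif action == "RENAME" and extension_changed(rest):
                    reext += 1
            if len(written) >= min_files and reext >= min_files:
                flagged[proc] = {"files_written": len(written), "extension_changes": reext}
                break
    return flagged
```

The two-signal rule (many distinct writes and many extension changes in the same window) keeps ordinary bulk operations such as a build or a sync client, which write a lot but rarely re-extension files, from tripping the alert.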

The security policies set by the IT department should include stringent email and web monitoring tools, which analyse ‘email attachments, websites, and files for malware, and can block potentially compromised advertisements and social media sites that have no business relevance,’ explains Mark Weir, Regional Director, UK & Ireland at Fortinet. ‘These tools should include sandbox functionality, so that new or unrecognised files can be executed and analysed in a safe environment.’

As explored earlier, one of the most common reasons for a ransomware attack lies at the feet of the employee. The Cyber Security Breaches Survey commissioned by the Department for Culture, Media and Sport revealed that fraudulent emails accounted for 72% of all breaches to UK businesses in the last year.


Better and more consistent employee education, therefore, ‘is a critical step in defeating the threat of ransomware’, according to Andrew Avanessian, vice president at Avecto. In terms of security tools, ‘application whitelisting,’ says Weir, ‘which prevents unauthorised applications from being downloaded or run’, is another way to mitigate the risk of employees inadvertently downloading ransomware in email attachments.

This is not where it ends, however. Avanessian suggests that getting the very basic security controls right is an essential requirement of a strong defence. On top of this, ‘an over-reliance on reactive technologies will only hinder’ an organisation rather than help. Instead, continues Avanessian, ‘it’s essential that proactive measures are in place to minimise the damage caused by a ransomware attack’.

In fashion

The cyber threat landscape is constantly evolving, with different strains of familiar viruses arising at an alarming rate. ‘Threats change and evolve as organisations become better at mitigating the risks from each unique threat, and once an attack method stops being financially rewarding for criminals, they will move onto the next,’ says Weir. Last year, distributed denial of service (DDoS) attacks were the main threat on the scene.


Now, it is ransomware. It is evidence, concludes Wieland Age – General Manager EMEA at Barracuda – ‘of the successful digital transformation of organised crime. Its practical execution will change over time, but the basic business model has existed for hundreds of years. It is the good old-fashioned criminal model now available in digital format.’

As long as the threat continues to generate money, cybercriminals and ransomware will remain. For the time being, the rise of ransomware can’t be stopped in its tracks, but through stern security methods and a rigorous backup solution its success can be limited.

Nick Ismail