Ransomware is a type of malicious software designed to attack a device through a corrupt email attachment or link. It locks or encrypts the user’s system or files and demands a ransom to undo it. Once the ransom is paid, often in cryptocurrencies like Bitcoin, the victims receive an encryption key to unlock their files.
Ransomware has been in use for more than a decade, and continues to be one of the most popular attack methods for two primary reasons – it is easy to execute and it has a high success rate. Experienced attackers have advanced their skills and found new ways to evade traditional defence against ransomware. Further, with the rise of the “ransomware-as-a-service” (RaaS) model, it has become easier for novice cybercriminals with the most basic technical knowledge to launch customised attacks. For example, Cerber, one of the most widely distributed RaaS packages, accounted for 25 per cent of ransomware activity from December 2016 to January 2017.
A key reason for the high success rate of ransomware attacks is that many organisations choose to pay the ransom to ensure the safe return of their valuable data and avoid any detrimental effects. Some even stockpile Bitcoin in anticipation of an attack. This may perpetuate the problem, giving attackers more power over organisations. Meeting the attacker’s demands, however, is only the first step in recovering from a ransomware attack. Even if the organisation decides to comply with the attacker’s demands, there is no guarantee that the files will be returned unharmed.
An organisation is mainly targeted through phishing or spear phishing attacks, with malicious and deceptive emails sent to one or more corporate email accounts, often disguised as billing, shipping and other invoice-related messages. Both phishing and spear phishing are popular methods of attack, but are distinctly different in their approach. A phishing attack is designed to trick someone into clicking on a malicious link or attachment, or visiting a malicious website. On the other hand, spear phishing is a more targeted form of phishing, wherein emails appear as if they are sent from someone the recipient knows and trusts, such as a colleague or a business partner, and can include content that is specifically tailored to the victim’s interests or industry.
How EFSS compounds the problem
Enterprise file sync and share (EFSS) solutions make it easy for organisations to share information securely and efficiently across an increasingly distributed and digital workplace. However, there are EFSS vulnerabilities that can be exploited by cyberattackers.
EFSS solutions have the potential to make a ransomware attack worse by syncing and sharing ransomware-affected files across multiple endpoints. Most EFSS solutions automatically sync the user’s files to the central (cloud) repository whenever a new version of the file is created or saved. If a file is shared with other users, the system will sync the newest version to their devices as well. When a file is encrypted by ransomware, a new version is created and synced to the central repository as well as to the devices of all users who have access to the file (via the EFSS) impacted by ransomware. Because the file is encrypted, it is no longer accessible in the central repository or across endpoints.
An EFSS solution allows system administrators to take control of the situation and provides rapid resolution. It should be able to help the administrator in identifying any infected files and then restoring them to their clean versions before any serious damage can be done.
Consequences of ransomware attack
The potential impact of an attack goes far beyond the initial ransom payment. Whether an organisation chooses to pay the ransom or not, the costs involved in responding to, remediating and recovering from a breach can put a huge burden on its finances. In addition, it causes loss of productivity. An organisation can lose hours, weeks or even years of work in a matter of minutes. The amount of time and resources it takes to recover files or reproduce the work altogether has significant cost implications. Further, a ransomware attack completely disrupts the daily business operations. The company’s IT systems remain frozen while the infected files are being removed and the clean versions are being restored. It also causes enormous reputational damage. Once the news about an attack or breach is out, it quickly jeopardises the reputation of the affected organisations that they worked so hard to build. Stock price, brand value and competitive advantage take a hit when a breach goes public. A ransomware attack can also lead to an increase in the customer and partner churn rate. A company’s customers and partners want to ensure complete protection and security of their valuable data. The moment their confidence is shaken, there is a higher risk that they will leave.
Attack trends across sectors
All organisations, from small businesses to large enterprises, should be concerned about the increasing frequency and severity of ransomware attacks. The number of ransomware attacks tripled in 2016, rising from one attack every two minutes in the first quarter to one every 40 seconds by the third quarter. While no industry is immune to these attacks, some are more frequently targeted than others.
The healthcare industry is expected to witness a 400 per cent increase in ransomware attacks by 2020. The WannaCry attack, which compromised over 20,000 systems in May 2017, highlighted some key vulnerabilities that may be contributing to the industry’s large attack surface. These include the digitisation of patient health information, a low tolerance for risk (with patients’ lives at stake), a high number of connected endpoints and technologies, lower investment in cybersecurity technologies. The healthcare industry is not the only susceptible target. More than 20 per cent of organisations in the education, IT/telecommunication, entertainment/media, and financial services sectors have been affected by ransomware attacks.
The public sector has also witnessed several attacks. On March 22, 2018, the citywide systems in Atlanta were hit by ransomware, locking their files. The attackers demanded approximately $50,000 in Bitcoin. In the days following the attack, the city residents were unable to perform simple tasks such as paying parking tickets or utility bills and the employees did not receive the all-clear to turn on their computers for five days. After the attack, Atlanta’s police chief disclosed that the cyberattack destroyed years’ worth of police dashcam video footage. Even heavily regulated industries like financial services, which have made a significant investment in cybersecurity technologies, continue to be targeted by ransomware attacks. This has prompted the United States Security Exchange Commission to tighten its cybersecurity requirements in 2018.
Any organisation with a large volume of valuable data and a low tolerance for downtime is a prime target for cyberattackers. Thus, it is critical for such organisations to ensure they have a layered defence model in place and an enterprise technology stack designed to prevent any breach. They also need to implement a plan and set of tools that enable them to quickly and efficiently recover from a breach.
A business continuity plan consists of both preventive and restorative measures to deal with cyber attacks like ransomware. Having a proactive solution in place allows IT administrators to quickly remediate the threat while enabling employees to remain productive.
Based on a white paper by BlackBerry