If you are a victim of ransomware, don’t pay!
That has been the mantra of the FBI for several years now – one that was forcefully echoed by one of the nation’s highest-profile security bloggers – Brian Krebs – in a recent post.
But based on the statistics, either a lot of people aren’t listening, or it’s a bit more complicated than that. The reality is that the success of ransomware isn’t just increasing. It’s exploding.
The Ponemon Institute reported in a study released last month that 48% of businesses victimized by ransomware said they paid.
According to the FBI, the collective amount of ransoms paid in all of 2015 in the US was $24 million. In 2016, it had jumped to $209 million in just the first three months – which means if the growth curve continued it would easily have topped $1 billion by the end of the year.
Of course, that was just what was reported to the FBI and just in the US. The Cyber Threat Alliance (CTA) reported that the global ransomware damages in 2015 just from CryptoWall3 were $325 million.
The latest version, CryptoWall4, caused an estimated $18 million in damages to 36,118 victims since its discovery last year, the CTA reported.
Numerous other studies have pointed to the ransomware growth curve. Beazley, a breach insurance vendor, reported last fall that based on client trends, ransomware attacks in 2016 would be four times greater than in 2015.
MarketsandMarkets began the year predicting a 16.3% compound annual growth rate in the market for ransomware defense, rising from $8.16 billion in 2016 to $17.36 billion in 2021.
The FBI reported that, “one particular ransomware variant compromised an estimated 100,000 computers a day.”
Candid Wueest, a researcher at Symantec, said the company’s Ransomware and Businesses 2016 whitepaper found that ransomware infection numbers spiked to 56,000 last March – double the normal rate.
And the problem is likely worse than the findings. The FBI said many victims don’t report it, “for a number of reasons, including concerns over not knowing where and to whom to report; not feeling their loss warrants law enforcement attention; concerns over privacy, business reputation, or regulatory data breach reporting requirements; or embarrassment.”
Indeed, ransomware is even trendy – at the top of the agenda of this week’s RSA Conference in San Francisco, where there was an all-day “Ransomware Summit” on Monday, led by DataGravity CISO Andrew Hay.
The reasons for its attractiveness to cyber criminals are not complicated. It doesn’t take all that much expertise – it has been widely reported that it is easy for so-called “script kiddies” to buy or lease the malware on the Dark Web.
A ransomware attack is potentially more damaging than a data breach, especially to a business. No organization wants its data stolen, but it can continue to function after it discovers a breach. If all of its data are encrypted and it doesn’t have a backup, it can’t function.
Third, as a white paper by ICIT (Institute for Critical Infrastructure Technology) noted, the ransom demanded is generally not a crippling amount. For individuals, it tends to be a few hundred dollars in Bitcoin. “From law enforcement’s perspective, a home burglary results in greater loss than a singular ransomware attack,” the report said, which means law enforcement will rarely devote “significant resources” to investigating it.
According to ICIT, Joseph Bonavolonta, the Boston-based head of the FBI's CYBER and Counterintelligence Program, got into trouble with Sen. Ron Wyden (D-Ore.) in October 2015 when he said, "To be honest, we often advise people just to pay the ransom."
After Wyden complained, the FBI “clarified” that its position was, “only to pay the ransom if mitigation steps failed and the only other option was to lose the files.”
Those factors, which all contribute to the success rate of ransomware attacks, are some of the same reasons victims are motivated to pay – they are desperate to recover their files, and they can afford the price more easily than they can afford to lose their files.
Of course, there is plenty of logic behind the FBI’s arguments as well. The primary one is that paying simply makes the problem greater – the more criminals make, the more they will attack.
The bureau and others also note that there is no guarantee that criminals will produce an encryption key once the ransom is paid, or get rid of the malware on the device, meaning a victim could get victimized again.
Krebs said victims do have options, even if they don’t have a current backup. He recommended contacting two websites – No More Ransom and Bleeping Computer – which provide free solutions to at least some ransomware variants.
Krebs said No More Ransom, which is backed by security firms and cybersecurity organizations in 22 countries, had saved 6,000 victims of ransomware more than $2 million by December 2016.
But that statistic, say other experts, shows that while it is a laudable initiative, it is unlikely to slow the explosive growth of ransomware – $2 million is barely a rounding error in the total being collected by cyber criminals.
“Resources like No More Ransom are great, but unfortunately they are a drop in the ocean,” said Ilia Kolochenko, CEO of High-Tech Bridge.
He is just one of many experts who say the only really effective way to deal with ransomware is to prevent it. He called it, “somewhat similar to AIDS – it’s relatively easy to prevent it, but only when it’s not too late.”
Stu Sjouwerman, CEO of KnowBe4, has a similar message. “In principle, don't pay because that encourages the criminal business model,” he said, “but in practice, it's not that easy.”
He said for most organizations, it comes down to a cost/benefit calculation. “It becomes a no-brainer if you are faced with a failed backup and more than a month of lost data that could shut you down.”
And Ed Cabrera, chief cybersecurity officer at Trend Micro, also noted the divide between what should happen and what does happen. “The consensus is clear that paying ‘should’ never be an option,” he said. “However, as companies fail to plan, they are planning to fail when it comes to ransomware attacks. This is obviously a very lucrative business in the Deep Web and is only going to continue evolving to different file types and systems that are very important to companies and consumers.”
It is pretty clear that many organizations are failing to plan, which is somewhat of a mystery, since the ways to prevent ransomware are fairly straightforward and widely publicized, including on the FBI website.
The most important, of course, is to back up data regularly, and secure the backups – don’t leave them connected to the computers and networks they are backing up – so they can’t also be infected by an attack. Beyond that, experts say organizations should:
- Disable macro scripts
- Install all updates and patches – especially for buggy programs like Adobe Flash or Java
- Set antivirus and antimalware solutions to update automatically
- Only download software – especially free software – from known and trusted sites
- Train employees – emphasize that they should never open an attachment in an unsolicited email.
Krebs has his own Three Rules of Online Security:
- If you didn’t go looking for it, don’t install it.
- If you installed it, update it.
- If you no longer need it (or, if it’s become too big of a security risk) get rid of it.
So, why don’t more people follow that advice – especially organizations that could be crippled or taken down by ransomware?
It is not just a matter of being lazy, according to Sjouwerman. “The reality is that many IT departments are undermanned, overloaded, and coping with 16 fires at the same time,” he said. “The problem is that as a defender you need to be right 100% of the time, and as an attacker only once.
And even doing the right thing doesn’t always work. “Weapons-grade backups are paramount, but backups fail much more frequently than you think,” he said.
Wueest said sometimes it comes down to denial. He said while best practices can prevent most threats, “some companies do not plan for ransomware attacks or do not test these scenarios in their security process, as they wrongly believe it cannot happen to them.”
The bottom line – ransomware succeeds because potential victims make it easy to succeed. And once the files lacking any backup are locked, there are very few options.
“The root (ransomware) tactics still remain simple and easy to defend against,” Cabrera said. “But despite this, companies continue to fail to develop and deploy a multi-layered security defense.”