If you ask the Institute for Critical Infrastructure Technology (ICIT), this is the year when “ransomware will wreak havoc on America’s critical infrastructure community,” including financial services.
Ransomware locks the data on a computer (or the computer itself, or even an entire system or network) so that users cannot get at their data or processes; it then holds the system and its data hostage, or even threatens to destroy the data, until the system’s owner pays a ransom for its release. The recent decision by Hollywood Presbyterian Medical Center to pay hackers $17,000 in bitcoin to regain control of its network has highlighted just one of the dangers posed by such threats.
In the ICIT Ransomware Report, provocatively titled “2016 Will Be the Year Ransomware Holds America Hostage,” the authors lay out the threat posed by this rising form of hacking, which “is less about technological sophistication and more about exploitation of the human element.”
Ransomware can arrive on a computer system the same way other malware does, but ransomware threat actors (those who hold the data hostage) usually don’t break into systems themselves. Instead they rely on a variety of delivery methods to get their malware onto the systems they deem ripe for plucking.
Why should you care about ransomware? Simple: ICIT says that “financial institutions are likely the next major sector to be targeted by ransomware, if their systems have not been infected already.” Ransomware attackers are 21st century highwaymen, the report says, “threatening the lifeblood of their victims — information” and “law enforcement has neither the time nor the resources to track down the culprits.”
In fact, if infected by ransomware, law enforcement itself often pays the ransom simply to regain control over its own computer systems. If the good guys are reduced to paying ransom, what’s a financial services firm to do — particularly since the cost of being locked out of customer data can be far higher than paying ransom?
One thing firms can do is make sure that personnel are more aware of common ransomware attacks, since, as the report says, “[o]nly a societal cybersecurity reformation in user awareness and training will deter the attackers.”
The importance of not clicking on unknown emails or attachments, or even ads on reputable sites, and of learning to recognize bogus emails and ads, should be impressed on all staffers from top to bottom at financial firms. In addition, all personnel should be warned not to use unsecured devices for client data, not to connect unprotected personal devices (such as flash drives) to company systems, and to keep their own antivirus protection up to date. Last but not least, firms should keep their own system protections current, ensure that all third-party vendors are thoroughly vetted, and have a plan in place to respond if they are infected.
To that end, here are seven ways the report says ransomware can gain a foothold at your firm:
1. Traffic distribution system (TDS)
As if you needed another reason that watching porn at work is a bad idea. Traffic distribution systems redirect Web traffic to a site hosting an exploit kit. That traffic can be pulled from adult content sites, video streaming services or media piracy sites. Some ransomware groups may even hire a TDS to spread their ransomware. If the host is vulnerable to the exploit kit on the landing page, the malware is downloaded onto the system as a drive-by download, typically without any action by, or knowledge of, the user.
2. Malvertising
As with a TDS, a malicious advertisement can redirect users from a harmless site to a malicious landing page. Malvertisements may appear legitimate and can even appear on trusted sites if the administrator is fooled into accepting the ad provider or if the site is compromised. Malicious threat actors can purchase traffic from malvertisement services. Redirected victims can be purchased according to geographic location, time of day, visited site and a number of other factors.
3. Phishing e-mails
This is the primary delivery method for ransomware, simply because people are so conditioned to open emails and click on links and attachments. Even with training and awareness programs, the report said, most organizations find it difficult to reduce successful spear phishing attempts to less than 15% of personnel.
Botnets send spam or tailored phishing emails randomly or to personnel within an organization. According to Symantec, ransomware emails tend to masquerade as mail delivery notifications, energy bills, résumés, notifications from law enforcement or tax returns.
4. Downloaders and botnets
Malware can be delivered onto systems through several stages of downloaders to minimize the likelihood of signature-based detection. Ransomware criminals also pay other threat actors to install their ransomware onto machines that are already infected.
Ransomware could even serve as cover for a deeper malware infection that users never suspect and that remains even after the ransomware is removed.
5. Social engineering
Social engineering and human ignorance can conspire to get people to install the malware on their own computers. The report pointed out that fake antivirus applications tell users that their computer is at risk of numerous debilitating viruses, and performance optimizers convince users that their system can achieve better results. Even locker ransomware (which locks a user out of a system, rather than encrypting the data the system contains) that appears as a malvertisement on other sites depends on users clicking on the prompt to initiate installation.
6. Self-propagation
Some forms of ransomware, usually crypto-ransomware (which encrypts a user’s data), are able to self-replicate throughout a network much as other kinds of malware do, for example by spreading through a user’s contact book via messages to other systems. ICIT said self-propagating ransomware is the likely next step in the malware’s evolution, thanks to the growing interconnectivity of the Internet of Things.
7. Ransomware as a service (RaaS)
This is, in effect, the outsourcing of malware to less technical criminals. The applications are designed to be deployed by almost anyone, with the original creator of the malware collecting a percentage of the ransom as a fee whenever the person using the creator’s ransomware succeeds in collecting a ransom from a victim.