Ransomware is one of the largest and, judging by the headlines, best-documented cyber-threats that organisations face on a daily basis. 2016 saw an unprecedented rise in attacks and has since been labelled the ‘Year of Ransomware’. According to a report by Sophos Labs, however, 2018 is set to take this title.
Ransomware is known to have been an effective outlet for cyber-criminals looking for a pay-day, and with Ransomware as a Service (RaaS) in high demand on the dark web, criminals have an increasing number of ways to get paid using malicious code. This is one factor that appears to support the view that 2018 will see a notable rise in the number of attacks that businesses and individuals are susceptible to.
Ransomware as a Service refers to ransomware code that can be purchased from, or supplied on request by, cyber-criminals working on the dark web. Its use makes launching a ransomware attack possible for anyone, regardless of their technical capacity; all they need is a means to pay.
What does the current Ransomware landscape look like?
Ransomware attacks have been steadily increasing in number over the last few years, with large strains making headlines for the devastating speed at which they can take effect. Most notably, the WannaCry attack in May 2017 affected over 150,000 organisations in over 160 countries within 3 days. The attack used worm code, giving it the ability to spread quickly, and exploited a known vulnerability within Windows systems. That vulnerability had been patched several months before, but many organisations were too slow to patch their systems and suffered as a result. The Sophos Labs report states that between April and October 2017, WannaCry accounted for over 45% of all ransomware attempts detected by Sophos systems, the most of any single strain. The second most common strain was Cerber, which was prevalent in late 2016. With these two strains having dominated 2016 and 2017, will 2018 see a new strain of ransomware take hold?
Ransomware attacks often take a three-stage approach: first penetrating systems, then deploying malware, and finally executing it and encrypting systems. This approach gives cyber-criminals the opportunity to deploy their attacks in a more flexible manner, as they can penetrate systems in different ways rather than simply waiting for a malicious email to be opened, as past attacks have done.
The report outlines key areas where ransomware attacks have been identified. It is worth noting that the report is based on Sophos customer data, so figures may be skewed towards where their customer base sits. However, it identifies the US (17%), UK (11%) and Belgium (8.6%) as the major areas affected. Industry trends also show that within these regions, cyber-attackers changed focus from individuals and began focusing their efforts on industries likely to pay out quickly. These industries include healthcare and finance, due to the highly sensitive nature of their data.
Four trends identified within the report as key areas that will ‘dominate’ ransomware in 2018 are:
- An increase in the threat posed by RaaS attacks
- An increase in the number of Android applications infected with Ransomware
- More focus on cyber-criminals targeting Mac systems
- A continuation of attacks towards Windows systems, partially fuelled by ‘do-it-yourself’ exploits available on the dark web
Protecting against threats
It is increasingly difficult to ensure 100% protection against cyber-security threats and, given the rate at which new strains of ransomware are created, this is unlikely to change. Organisations of all sizes can take action to reduce the risk of becoming infected and to reduce the damage that can be done if an infection does take hold.
Patching and Software updates
Software providers, security experts and anti-virus providers are regularly on the lookout for new strains and new vulnerabilities. Ensuring that systems and software are regularly updated will increase protection against new threats and could be the difference between having to pay a ransom and suffering downtime or not being infected, as was the case with the WannaCry attack.
It can be difficult to monitor what comes into a network from external sources, and this is another avenue for attack. An unwitting guest could easily carry dormant malware into a network and kick-start an infection that spreads across an entire organisation. By separating guest networks from primary systems, the possibility of this happening is reduced, and any damage done should not stop the organisation from operating.
Educate and train staff
Human error remains a threat to organisations and one that cyber-criminals will happily exploit. Training and educating staff on the threats that they face and how to spot malicious sites and emails will help to reduce the chance of infection.
Backup all data
With threats so hard to protect against, it is vital that there is a fall-back plan. Paying ransoms is inadvisable, and organisations such as the FBI, the National Cyber Security Centre and many cyber-security firms mirror this stance – for one, paying a ransom does not guarantee the safe return of data. Ensuring that an organisation has a full, off-site, encrypted backup will give it the ability to recover all data in the event of an infection taking hold. On-site backups or network-attached backups, however, may be susceptible to infection.