Recent media coverage of hospitals attacked by ransomware in Ottawa and Norfolk County has alerted everyone to the inherent dangers – and complexity – of these nefarious attacks, which are increasing at an alarming rate.
While cyberattacks receiving the most press in recent years have been focused on stealing information or outright theft, the motivation behind ransomware is profit-making in its simplest form.
Ransomware is a particularly insidious subset of malware that is difficult to detect with conventional antivirus tools. The main vectors for distribution are compromised websites or email attachments. Once on a system, the ransomware gets to work immediately, encrypting pictures, music, Word and Excel documents and many other personal files. When that happens, the perpetrators then demand sizeable payments in bitcoin in return for release of documents. Payments demanded typically range from $500 for an individual to thousands of dollars for an institution.
While the attacks can come in different forms, the primary vector is through email attachments or unprotected websites, said Jérôme Segura, senior security researcher, Malwarebytes, the company that unearthed the attack on the Norfolk General Hospital. According to Segura, the top five regions for ransomware attacks in Canada are Toronto, Ottawa, Montreal, Markham and Calgary. An interesting aspect of the attacks is that culprits are using an older macrovirus technology that is particularly challenging for antivirus programs to detect.
In tracking the Norfolk General Hospital incident, Segura reproduced the attack in a contained environment. Within minutes files were encrypted and a note was sent demanding $500 in bitcoin payments. “The hospital was not even aware of the problem at the time,” he noted. In this blog, Segura explains in detail how the attack was discovered and how it was spread (the main culprit being vulnerabilities in an outdated version of Joomla CMS used to power the web portal).
Ransomware is now rapidly outpacing other malware categories, said Amir Belkhelladi, leader of Deloitte Canada’s cybersecurity practice for Eastern Canada in Montreal. “Recent statistics show that ransomware now accounts for up to 80 percent of cyber attacks that are seen. I would say that that shift happened towards the end of summer last year when the numbers started to approach 70 percent.”
There are some simple reasons for this growth, Belkhelladi said. These include:
- Poor security patching (especially at the application level)
- The rise of bitcoin enabling anonymity of the transactional elements
- Wide scale targeting allowing for higher return on investment
- Lack of rigorous backup strategies on the part of businesses
“Cybercriminals are also proficient in building better arsenals that cost less. Once you can make money and the tools are cheap enough, you just target more and more people,” Belkhelladi said.
As with any criminal activity, there is a thriving community of participants willing to help the cause. There is a sophisticated supply chain at work on the cybercrime side, including people who specialize in just creating ransomware software, he added. “In December, we saw three large ransomware attacks. We could also see that the tools have really stepped up and are much cheaper to use. There’s even ransomware-as-a-service that lets you rent your ransomware suite to perform an attack. While that rental may cost $50, attackers can easily demand $500 per target.”
The simplicity of the business model is also a compelling attraction for the criminal element. Simply put, return on investment is faster than with most types of malware because there is no middleman involved – there is no need to resell anything such as personal data; it’s a cash deal only.
An interesting parallel trend that is fuelling the ransomware market is the rise of the bitcoin, Segura said. “There’s a definite correlation between bitcoin and the number of ransomware hits. Whereas it used to be clumsy to get money and attackers ran the risk of payments being traced, bitcoins are untraceable, therefore providing anonymity on both sides.”
Ransomware is presenting an increasingly daunting front, and organizations are well advised to take additional steps to protect themselves. Given the nature of ransomware attacks, organizations need to be proactive in security maintenance of their websites and in ensuring all patches are up to date, including software and operating systems, Segura said. Increasing awareness and training for staff on correct procedures can also help to minimize risk. A relatively easy litmus test is to simulate a phishing attack to gauge how many staff – and systems – are prepared. “If the failure rate is 50 percent, training is definitely in order.”
From the standpoint of infrastructure architecture, a holistic antimalware strategy should deploy defenses at the perimeter, on email servers, on the network and user endpoints, according to Belkhelladi. This should be further supported by a resilient backup and recovery process, including frequent testing of backup and restoration procedures.
If an attack has already happened, the key is to ensure the damage doesn’t spread throughout the environment. “Once you have contained it, the next issue is to ask, how do you recover?” Belkhelladi explained. Options are to “go back in time” to records stored before the date of the attack, or to retrieve backup data stored off site (if you have a robust backup plan in place). “Having fully secured backup plans is key to recovery. You have to assume you can’t retrieve the data being encrypted because the attackers are using top grade encryption tools.”
One of the major debates surrounding ransomware attacks is whether a company should pay or not, he added. “That’s the biggest question – and there is no easy answer. The speed and agility of ransomware’s revenue model is affecting companies that do not have rigorous backup strategies. So they end up with a critical decision of whether to pay up or disrupt their business. It’s never an easy choice.”