Before 2016 even began, Trend Micro researchers had predicted that it would be "the year of online extortion." So far, this forecast has proven to be all too accurate. In the past few months, the Hollywood Presbyterian Medical Center, The Methodist Hospital in Kentucky, the Desert Valley Hospital, the Chino Valley Medical Center and up to ten facilities associated with MedStar Health in Maryland have succumbed to ransomware. One of these institutions actually ended up paying the hackers $17,000 to lift the encryption.
Several of these incidents involved newer strains of malware, such as Locky and Samsam. Furthermore, the medical sector is hardly the only target for ransomware. Law enforcement agencies, school districts, financial institutions and others have been impacted by cyber extortion. In fact, the FBI recently estimated that cyber attackers wielding ransomware made off with $209 million in the first few months of 2016, putting them at pace to make a cumulative $1 billion by the end of the year.
It's safe to say that ransomware is a bona fide epidemic.
Just when you thought it couldn't get any worse . . .
A fresh strain of ransomware was recently discovered by researchers. It's called CryptXXX, and according to Trend Micro, it appears to be descended from Reveton ransomware, which was unique in its time for being delivered as a .DLL versus the traditional .EXE.
CryptXXX's claim to fame is that it doesn't just lock down a user's computer by encrypting files. Whether or not ransomware qualifies as data theft has always been a bit of a gray area. Technically, no one is stealing your data for themselves, but a case could be made that they are taking it away from you by barring your access to it. CryptXXX, on the other hand, does both. It encrypts a user's files and demands a ransom, but it also steals personal information from victims, and even siphons bitcoin from them.
Just when you thought the situation couldn't get any worse, hackers found a method to steal from their victims as they extort them.
Fighting ransomware: What can be done?
Many organizations have found themselves between a rock and a hard place upon being infected by ransomware. They don't want to pay the ransom, but if the data at stake is worth more than, or about the same as, the amount being demanded, what choice do they feel they have?
More importantly, who's to say that the attackers will actually decrypt the files once the ransom is handed over? Late last year, the email encryption service provider ProtonMail suffered a distributed denial-of-service attack. While a DDoS is a completely different ballgame from crypto malware, the criminals in that case also demanded a ransom to end the attack, which ProtonMail, under increasing pressure from clients, paid. Alas, the attack continued anyway. Strictly from the criminals' point of view, breaking a ransomware promise is bad business: once enough of them do it, organizations will become far less likely to pay anything and will simply cut their losses. Cyber extortion is only sustainable as long as the extortionists keep their word.
Nevertheless, there's always the chance that they won't, in which case an organization is out money and vital data. Furthermore, no business should have to be in a position to meet cyber criminals' demands.
The first and most important step in preventing ransomware is to educate personnel about basic cyber security practices. Don't open attachments that are not from a trusted source, even if the file appears to be an innocuous PDF or XML document; these are common carriers of ransomware. If a document is from a trusted source but the message has no body text, or the attachment arrives at an unusual time or unexpectedly, confirm with the sender through another channel of communication: it's possible that their email account has been compromised. Also, don't let macros in programs such as Excel and Word run automatically, and never enable macros in a document from an untrusted source. Do turn on the macro protection features that come with the software.
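The advice above hinges on not trusting what an attachment appears to be. The following Python script, an added example that is not Trend Micro's code or a product feature, shows how a mail gateway or a help-desk triage tool can judge an attachment by its bytes rather than its name: it reads magic bytes, opens OOXML containers to look for a VBA project, flags extension/content mismatches, and notes when the message body is empty. The sample message, sender address and file names are constructed for the example.

```python
"""Judge email attachments by content, not by file name (illustrative example).

A "statement.pdf" that starts with an MZ header is an executable, and a .docm
whose zip container holds word/vbaProject.bin carries macros no matter how
innocuous it looks. The sample message below is constructed for this example.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Real magic-byte signatures a gateway would check.
PE_MAGIC = b"MZ"                                   # Windows .exe/.dll/.scr
PDF_MAGIC = b"%PDF-"
ZIP_MAGIC = b"PK\x03\x04"                          # also wraps .docx/.xlsx/.pptx
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy .doc/.xls

# Extensions users are taught to think of as harmless; content must match them.
SAFE_EXTENSIONS = {"pdf", "txt", "xml", "csv", "jpg", "png"}


def classify(data: bytes) -> str:
    """Derive a content type from the bytes themselves."""
    if data.startswith(PE_MAGIC):
        return "executable"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(OLE_MAGIC):
        return "ole-document"          # legacy Office file; may embed macros
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip-corrupt"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "office-macro"      # OOXML with an embedded VBA project
        if any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
            return "office-document"
        return "zip"
    return "unknown"                   # plain text, XML, CSV ... have no magic


def verdict(filename: str, data: bytes) -> tuple[str, str]:
    """Decide deliver / quarantine / block for one attachment, with a reason."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = classify(data)
    if kind == "executable":
        return "block", f"{filename}: executable content"
    if kind == "office-macro":
        return "quarantine", f"{filename}: contains a VBA project (macros)"
    if kind == "ole-document":
        return "quarantine", f"{filename}: legacy OLE document, may contain macros"
    if ext in SAFE_EXTENSIONS and kind not in (ext, "unknown"):
        return "block", f"{filename}: extension .{ext} does not match content ({kind})"
    return "deliver", f"{filename}: {kind}"


def scan_message(raw: bytes) -> dict[str, str]:
    """Map each attachment's file name to the action taken on it."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {
        (part.get_filename() or "unnamed"): verdict(
            part.get_filename() or "unnamed", part.get_payload(decode=True))[0]
        for part in msg.iter_attachments()
    }


def body_is_empty(raw: bytes) -> bool:
    """True when the message carries attachments but no body text, a red flag."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    return body is None or not body.get_content().strip()


def build_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container, optionally with a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)   # placeholder bytes
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed sample: empty body, one real PDF, one disguised EXE, two Office files."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"   # hypothetical sender
    msg["Subject"] = "Invoice"
    msg.set_content("")                        # no body text at all
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="statement.pdf")   # EXE named .pdf
    msg.add_attachment(build_docx(True), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="order.docm")
    msg.add_attachment(build_docx(False), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="notes.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    print("empty body:", body_is_empty(raw))
    for name, action in scan_message(raw).items():
        print(f"{action:10} {name}")
```

The content-type check is deliberately independent of the MIME `Content-Type` header, which the sender controls; only the bytes and the zip directory are consulted. A production gateway would add deeper parsing (for example, of the VBA streams themselves), but the mismatch and macro checks alone catch the two tricks the paragraph warns about.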
Another strong defense against ransomware is a data backup, preferably one that is stored off-site and is not reachable from the production network. If ransomware spreads across the entire network, it will encrypt any on-premises backup it can reach along with everything else. If your backup is kept separate from the network (and you have tested that it restores), the attackers lose whatever leverage they had over you.
Last but not least, it's important to know which security software can help you fight ransomware. Trend Micro's Cloud App Security for Office 365, for instance, detects malware hidden in documents, which helps keep macro malware from ever running. It also combats phishing by detonating suspicious files in sandbox analysis, identifying malicious behavior before the file reaches the user. Deep Discovery Email Inspector is another useful tool for identifying phishing and other forms of social engineering used to disseminate ransomware: it detects malicious attachments and URLs in email, flags them and blocks them.
Pundits had predicted that 2016 would be a bad year for cyber extortion, and it certainly has been. Protect your organization with smart practices, a reliable backup system and strong cyber security software.