As discussed in my previous article, ransomware was arguably the most notorious cyber threat for businesses in 2016. Ransomware caused severe disruptions to victims in different industries and countries, forcing them to shut down business and, in some cases, pay ransom with the hope of speed recovery.
Although malware spam messages that distribute ransomware look rather rudimentary, the actual payload is well-targeted and destructive, especially for businesses. When ransomware was only targeting consumers, it would only encrypt data that’s stored on local hard disk of compromised computer. In recent years, ransomware started targeting more business-related files by going after data that are stored on shared networks. Many people like using ‘Favorites’ or ‘network drive mapping’ to gain quick access to network resources that are used daily at work - unfortunately, they are also targeted by ransomware. In addition, ransomware specifically target business-related files, ranging from databases, to web contents, to CAD files, among others. We have even seen cases where terabytes of database became compromised by ransomware. These are clear indications that the threat is specifically targeting businesses for higher profit than they could possibly get from consumers.
Number of known ransomware families encrypting business-related files in 2016
As ransomware became more of a significant threat to businesses, their payloads or extortion tactics became even nastier. For example, Petya ransomware encrypts and destroys PC’s Master Boot Record and Master File Table, making it extremely difficult for recovery. Also, Chimera ransomware uses a scaremongering tactic of threatening to upload the data it successfully encrypted to the internet. It’s only a matter of time before ransomware begins using a combination of extortion tactics that, for example, not only encrypt data but also threaten to make them public or even start selling or using them in the underground market.
Beginning in October 2016, we started seeing ransomware campaigns that still use spam messages but are very much targeted email-like in Japan. These campaigns use bogus messages such as ‘system maintenance’, ‘announcement from a law firm’, and even ‘security alert from government agency’. These campaigns are also noteworthy in a sense that, instead of sending messages to thousands of users, they only send messages to a handful of corporate email addresses. As we have seen in spear-phishing emails changing from immature and spam-looking to more sophisticated and well-targeted, it’s likely that ransomware campaigns will start targeting businesses with more credible pretext to fool victims. In other words, the old, usual cliché of ‘don’t open suspicious emails’ will be obsolete sooner rather than later.
Just like any other cyber threats, ransomware has been a threat largely to traditional IT environments where businesses deal with payslips, customer data, financial sheets, etc. There’s a bit of twist in ransomware threat landscape for businesses. When ransomware attacked Hollywood Presbyterian Medical Center, the threat successfully compromised electronic medical record system where patients’ medical records are stored, meaning that there must have been significant disruptions to the hospital’s daily operation*¹. Ransomware also hit San Francisco Municipal Transport Agency, which forced the agency’s ticket station terminals to go offline*². Also, it’s reported that hotel key management system was compromised at a hotel resort in Austria*³. In addition, we saw ransomware that is capable of infecting smart TV and smart TV boxes. With Internet of Things (IoT) gaining traction in the market, it’s wise to expect that cybercriminals will start actively seeking to cause damage to non-IT environments such as IoT-enabled environments including industrial control systems*⁴.
Ransomware infecting Smart TV and smart TV box
Ransomware has become such a phenomenal threat to businesses in a relatively short space of time, mainly due to the type of damage it can cause to target victims. In order to mitigate risks of falling victim to ransomware, businesses must adopt multi-layered approach to their security strategy. Multi-layered approach firstly means strengthening security on every tier such as gateway, endpoints and servers in a corporate network. It also means enabling various security technologies such as web reputation, behaviour monitoring, and so on, on every tier. Even then, there may be a time it’s inevitable that you get hit by ransomware. In order to contain or control damage, breach detection capability, which allows you to identify ransomware activities such as retrieving encryption key from Command and Control server, will play a crucial role in combating the nasty nature of ransomware. Last but not least, ‘3-2-1 back-up rule’ is a must - At least three copies, in two different formats, with one of those copies off-site. Just like against any other security threats, security measures need to be implemented based on the assumption that breach will happen.