THE RANSOMWARE THREAT: A GUIDE TO DETECTING AN ATTACK BEFORE IT’S TOO LATE
A Rapidly Growing Threat: A Scourge Called Ransomware
Over the past three years, ransomware has jumped into the spotlight of the cyber threat landscape. Kaspersky Lab reports that in 2015, its solutions detected ransomware on more than 50,000 computers in corporate networks, double the figure for 2014. Even at this rate of detection, Kaspersky admits that the real number of incidents is several times higher than what has been detected and reported. [1] In just the first quarter of 2016, $209 million was paid out to cyber criminals using ransomware. The FBI estimates that losses due to ransomware in 2016 will top $1 billion. [2] Once again, this is just the tip of the iceberg.
Just what is this scourge called ransomware? It is malicious software that allows a hacker to restrict access to an individual’s or company’s vital information in some way, and then demand some form of payment to lift the restriction. The most common form of restriction today is encryption of important data on the computer or network, which essentially lets the attacker hold user data or a system hostage. Payment in Bitcoins is the typical demand, as the digital currency is both global and anonymous. Ransomware attacks are rapidly growing in popularity with cyber criminals, and for good reason: it’s estimated that this type of attack earns criminals $10 million to $50 million a month. [3]
The notion of ransomware has actually been around for quite some time. In 1989, Dr. Joseph Popp distributed a Trojan called PC Cyborg in which malware would hide all folders and encrypt files on the PC’s C: drive. A script delivered a ransom message demanding that $189 be directed to the PC Cyborg Corporation. The afflicted PC wouldn’t function until the ransom was paid and the malware’s actions were reversed. Since then, numerous enhancements to this type of scheme have been made, especially in the area of stronger file encryption. Now it’s virtually impossible for victims to decrypt their own files.
Another type of ransomware scheme, dubbed “scareware,” displayed a warning on a user’s computer that the device was infected with malware that could be removed immediately by purchasing what turned out to be fake antivirus software. The scareware message appeared repeatedly, prompting many victims to purchase the “antivirus software” just to get rid of the warning message.
The term “ransomware” broadly describes a wide range of malicious software programs, including CryptoLocker, Locky, CryptoWall, KeyRanger, SamSam, TeslaCrypt, TorrentLocker, and others. Various strains of these major applications appear and continue to evolve in order to avoid detection. In fact, researchers saw more than 4 million samples of ransomware in the second quarter of 2015, including 1.2 million that were new. That compares to fewer than 1.5 million total samples in the third quarter of 2013, when fewer than 400,000 were new. [4]
The vast majority of attacks today are against Windows-based systems. This is largely due to a numbers game; there are more Windows-based computers than computers running any other OS. Attackers often use exploit kits to get the ransomware software on victims’ machines.
[Timeline graphic, 1989 to 2015:
1989: The PC Cyborg Trojan demands $189 ransom.
2013: 400,000 new samples of ransomware.
2014: Kaspersky Labs detects ransomware on 25,000 computers in corporate networks.
2015: Kaspersky Labs detects ransomware on 50,000 computers in corporate networks; 1.2 million new samples of ransomware; FBI receives 2,453 complaints related to ransomware attacks; $24.1 million in losses.]
[1] Kaspersky Lab, “Kaspersky Security Bulletin 2015”
[2] CNN Money, http://money.cnn.com/2016/04/15/technology/ransomware-cyber-security/, April 15, 2016
[3] David Common, CBC News, “Ransomware: What You Need to Know,” March 11, 2015
[4] Security Magazine, “‘Ransomware’ Attacks to Grow in 2016,” November 23, 2016
Attacks Are Shifting from Individuals to Organizations
Until recently, most ransomware attacks were simply opportunistic and mostly affected individual users’ or small businesses’ computers. The ransom demands have commonly been the equivalent of just a few hundred dollars for an individual PC. This has been, and continues to be, a lucrative business for criminals who consider end users to be low-hanging fruit. But now they have set their sights on larger organizations that have bigger budgets to pay bigger ransom demands. They also have more important files and computer systems that are critical to the organizations’ daily operations.
A survey of nearly 300 IT consultants commissioned by Intermedia and executed by Researchscape International revealed that downtime is more detrimental to most organizations than the actual ransom demand. Of the companies affected by a ransomware attack, 72% could not access their data for at least two days following the outbreak, and 32% lost access for five days or more. What’s more, 86% of the attacks affected two or more employees, and 47% spread to more than 20 people. [5]
In addition to the Hollywood Presbyterian Medical Center in Los Angeles, a sampling of other organizations known to have experienced a ransomware attack includes: MedStar Health, the largest healthcare provider in Maryland and Washington, D.C.; Methodist Hospital in Henderson, Kentucky; the Swedesboro-Woolwich school district in New Jersey; and even local police departments in Maine and Massachusetts. All of these organizations faced a work stoppage due to their critical files being unavailable to them.
Many of the attacks on individuals and small businesses are mass-distribution ransomware. The victims are usually targets of opportunity (i.e., these people or businesses were not specifically targeted because of who they were). They most likely acquired the malware through a phishing email, through a drive-by download, or from a compromised website. For example, websites belonging to The New York Times, the BBC, AOL and the NFL have all been hijacked by a malicious campaign that attempts to install ransomware on visitors’ computers. [6]
The threat is shifting, according to Ryan Sommers, Manager of Incident Response at LogRhythm. “We are seeing criminals shift their tactics to targeted ransomware attacks. They scope out a specific organization that has deep pockets and is more likely to pay a hefty ransom request in order to minimize the downtime,” says Sommers. For example, the Hollywood Presbyterian Medical Center paid close to $17,000 to get its files unlocked and return to business as usual. By one estimate, this was a bargain, as the hospital was losing as much as $100,000 a day just on its inability to perform patient CT scans. [7] The perpetrators understand this math as well. Targeted organizations are likely to see much higher ra