The Federal Trade Commission (FTC) is conducting a three-part fall conference workshop on select technology issues. The first conference was held on September 7th about ransomware. The second conference was held on October 13th about Drones and the last conference will be December 13th about Smart TVs.  This is the first post in a two part series that will highlight key themes from the FTC conference and provide tips to help your business before, during, and after an attack.

Ransomware: What is it?

Ransomware is malware that infiltrates a device or potentially an entire information technology network and uses tools to encrypt or “lock” the data located on a device or network such that the organization cannot access its own data unless it pays what is in effect, a monetary ransom (typically paid in untraceable electronic currency called Bitcoins), to the attacker for a “key” to unlock and retrieve the data. Alternatively, some attackers may threaten to either delete the organization’s data or expose the organization’s data to the public if a ransom is not paid in the specified timeframe.  Ransomware attacks are unfortunately becoming a common commodity service due to low barriers to entry.

Known sometimes as “ransomware-as-a-service,” the crime is attracting the participation of lower-end criminals as a distribution channel (an “affiliate”) for the “kingpin” or “boss.” The players are typically organized in a tiered hierarchy of 10-15 affiliates per boss. Such a structure makes it difficult to identify and catch the person in charge.  According to panelists speaking at the FTC conference, ransomware attacks quadrupled last year, averaging 4,000 ransomware attacks per day, with an average victim payout of $300 last year (though they’ve heard of some demands as high as $30,000), and trending towards an average payout of $700 this year.  They estimate that a boss can earn on average $90,000 annually, while affiliates earn on average, $7,200 annually.

“It’s Only Going to Get Worse”

According to Check Point Software, the total number of ransomware attacks increased by 13% in September 2016. Similarly, data breach insurer Beazley recently reported that it is projecting a fourfold increase in ransomware attacks in 2016. The increased number of attacks is in part because these attackers are continuously refining the ransomware business model. While the majority of ransomware attacks (greater than 90%) still occur via phishing emails targeted to users and requiring the user to take an action for the infection to take hold (such as clicking a link or downloading a document), attacks are now being delivered via a variety of other mechanisms such as malvertising, exploit kits, and other programs able to scan Internet of Things (IoT) devices like smart watches, cars, thermostats, and other home and business devices looking for “back door” entrances and other vulnerabilities to exploit.  Ransomware can also potentially infiltrate a network via a Trojan horse, by hiding behind other general malware and viruses.

Most recently, ransomware has joined forces with another form of malware, distributed denial of service attacks (DDoS).  DDoS attacks, more thoroughly explained here, prevent users from accessing legitimate websites.  Cyber criminals have recently begun to combine DDoS attacks with ransomware by demanding payment in the form of bitcoins in order to restore access to websites. So long as victims keep paying the ransom (which they likely will do, given the low ransom value and high data value), ransomware attacks will remain an attractive, profitable business model with low operational risk to the boss and affiliates.

Before You’re Hit: “Practice Good Cyber Hygiene”

Experts emphasize the practice of good cyber hygiene as a preventive strategy to not falling victim to a ransomware attack – be vigilant, be informed (educate all the users of your network), and take preventive measures.

  • Educate, educate, educate – your network is only as strong as its weakest link. Break the user mentality that “all links are meant to be clicked.” Teach your employees to recognize the good URLs vs. bad URLs. Train them not to click on bad or questionable links. Use VPN when on public WiFi. Don’t download free apps or any apps onto any device with access to your company’s network without prior approval from your organization’s IT team. Understand your network, what you have and the scope of your organization’s potential exposure (who is accessing what, where it is being accessed, etc.).
  • Backup your critical data – understand your business and determine what data is critical to be backed up. Ensure that you back up your data on a routine schedule and the backup is separated from the main network. Do not make it easy for the criminals to access your backup. Do not use drop box as your backup.
  • Isolate, segment and contain – segment the network so that any devices that really do not need to connect with other devices are not connected. Segmentation can help contain the spread of the malware to your other systems. As soon as a device is infected, isolate it as soon as possible to prevent the spread of the ransomware. Employers’ IT departments as well as service providers can use the latest commercially available applications to detect potential malware and strip them out before it reaches the employees/end users. Promptly install all patches to plug any holes identified in any network devices and applications.

Click here to continue onto Part 2 which identifies what you should do during and after an attack.