Ransomware hits a particularly raw nerve because of its brazenness. A criminal breaks into a computing device and simply takes over, demanding money – usually paid in bitcoins – for providing the owner the privilege of accessing his or her own data.
The reality is that the ransomware story is more nuanced than the pure fear that idea engenders. Ransomware, according to experts, is not monolithic: There are levels of qualities to the malware and how it is delivered. The targets are far from helpless.
IT Business Edge sent emailed questions with important questions about ransomware to Jon Clay, the director of Global Threat Communications for Trend Micro; Chester Wisniewski, the principal research scientist at Sophos; and Kevin Haley, the director of Security Response at Symantec. The answers painted a picture of a very serious problem, but one that can be avoided if an organization uses best security practices.
Two of the experts described a great range in ransomware sophistication. “We see incredibly complex, successful strains like Locky and Cerber impacting large numbers of victims on one end, all the way to ransomware as a service offerings for budding cybercriminals to simply sign up and start operating their own ransomware franchise,” wrote Wisniewski. Haley agreed that the level of sophistication is not constant. Clay had a slightly different perspective. His take was that the malware itself doesn’t have a great range of sophistication. There is wide variation, Clay wrote, in infection techniques, ransom amounts, and what is done with the hijacked data.
Ransomware: Will You Have to Pay?
There are also subtle differences in whether hope exists for devices invaded by ransomware: Does the owner either have to pay up or say goodbye to his or her data, or are there other possible outcomes?
A company affected by ransomware faces some very hard choices. “Trend Micro recommends not paying the ransom,” Clay wrote. “The threat actors will keep on attacking as long as there is money to be made. There’s also no guarantee you’ll get your data back after the ransom is paid. Ideally, if you have taken steps beforehand to protect your data, there will be other options than paying the ransom.”
Wisniewski addressed the question from a more technical angle. The target will be lucky to find a technical way out once the ransomware is on the machine, he wrote. “Some poorly coded ransomware strains (mostly no longer in circulation) have cryptographic flaws and weaknesses that allow for key recovery, but the high impact ones like Locky do not.”
Best to Prevent Ransomware in the First Place
Haley wrote that the best single way to prevent a disaster is to make sure you have plentiful backup. He also had a warning: Purveyors of ransomware are not honorable people: “[U]sers need to be aware that paying the ransomware does not always lead to getting your files back.”
The three experts had a lot of advice for security personnel charged with fighting ransomware and for employees seeking to keep their devices safe.
CISOs and others, Clay wrote, should follow “the 3-2-1” rule: “Have 3 backup copies on 2 different media with 1 backup in a separate location.” That suggests a tremendous amount of preparation and automation. His other two ideas are representative of good security hygiene: Keep patches up to date and use a layered security approach.
Wisniewski recommends sandbox technologies that can catch and neutralize ransomware payloads before they reach end users. Backup systems should be kept up and running. This involves regular testing. Wisniewski wrote that employees need to be made aware of potential problems:
“First, raise staff awareness with real examples of phishing emails that are often the beginning of the attack chain,” Wisniewski wrote. “Phishing tests, like that of Phish Threat, can help highlight parts of the organization that might require more focus with training and awareness campaigns.”
Haley mentioned many of the same basic steps. The theme – for Haley, Clay and Wisniewski – is planning. And that should not be limited to the corporate network. “Make sure your organization is following best practices, including in the cloud,” Haley wrote. “Attackers don’t distinguish between cloud and on-premises.”
Finally, the three executives shared common sense ideas on how to achieve the most important goal, which is to stay clear of ransomware in the first place. Advice to employees was similar to the suggestions IT and security staff always suggest: Don’t go to unknown links or open odd emails, back up important data (perhaps in addition to CIOs’ “3-2-1” copies) and keep security software current. As always in security, the key is to be a default sceptic.
Ransomware was perhaps the biggest security headline of 2016 and the beginning of this year. Hopefully, the most dangerous days will abate. “In 2016, Trend Micro identified and blocked an unprecedented number of ransomware attacks,” Clay wrote. “That said, we predict in 2017 ransomware growth will plateau. Rather than continuing to grow exponentially, we anticipate ransomware to diversify to different attack vectors. Instead of focusing on desktops and laptops, threat actors will use ransomware against databases, connected devices and mobile phones with more frequency.”
The year ahead will be key in the fight against ransomware. Some feel that ransomware will get worse. Wisniewski commented that it isn’t going away, but won’t likely get worse. Haley was the most downbeat: “It continues to grow because it is easy and profitable. In fact, the average ransomware demand continues to rise, because many people are willing to pay, no matter the cost.”
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at firstname.lastname@example.org and via twitter at @DailyMusicBrk.