Expect to hear more, not less, about ransomware next year.
A recent survey of 500 businesses revealed that nearly half were slammed by a ransomware attack within the last 12 months; 85 percent suffered from three or more attacks, with six being the average number of times an organization was a victim of ransomware.
If you narrow the SentinelOne survey (pdf) down from cybersecurity decision makers in the U.S., UK, France and Germany, to look at only U.S. respondents, then 50 percent admitted to being successfully attacked in the last year. That’s slightly higher than the overall worldwide picture of 48 percent suffering from a ransomware attack in the last 12 months.
Eighty-one percent of those surveyed said the hackers gained access to their networks via phishing emails or social media. Fifty percent were hit via drive-by downloads after visiting compromised sites. Forty percent were infected through a computer that was part of a botnet.
Being slammed with ransomware numerous times was enough for half of the companies to lose faith in traditional security measures such as antivirus, and a third felt “helpless to defend their organization from new forms of ransomware.” Although 68 percent said traditional cybersecurity techniques are unable to protect them, “only 42 percent would demand answers from their IT security vendors.”
“Ransomware has become one of the most successful forms of cybercrime in 2016 and is on the top of every security professional’s list of most prolific threats,” said Jeremiah Grossman, chief of security strategy at SentinelOne. “It’s not surprising to see high levels of apathy towards traditional antivirus software, and we don’t expect the ransomware epidemic to slow down anytime soon. The situation is likely to get far worse, as some of the ill-gotten gains will be invested into research and development designed to improve encryption strength and utilize new delivery methods, as witnessed with Locky.”
The largest chunk of ransomware affected employee information, followed by financial data and then customer information. The victims believed financial gain, followed by disruption of business and then cyber espionage to be the most common motives for the attacks.
After being hit with ransomware, 67 percent upped spending on IT security. It took an average of 38 man-hours for companies in the U.S. and Germany to replace the encrypted data with back-up data; for France the average was 37 hours, and for the UK it was 22 hours.
Getting hit with ransomware would be bad enough, but imagine paying the ransom and then having the attacker come back and demand a second ransom. It happens; more and more people pay, but a cybercriminal’s promise to decrypt upon receiving the first ransom is hardly a sterling guarantee that the victim’s files will be decrypted.
Grossman believes that unlockers – the decryption keys to unlock ransomware-encrypted files which are released to the public by security experts – may not be something people can hope for in the future. Right now, some crooks reuse the same key for all their ransomware infections; once a security researcher gets hold of the key, they offer it to the public, since it lets other victims of the same ransomware decrypt their files.
“I personally think that era, the era of unlockers, is short lived,” Grossman told CSO. “Some of the bad guys are still in amateur mode, but we can expect the malware families to grow in sophistication and effectiveness. The bad guys will move almost universally to asynchronous encryption.”
Some experts believe traditional ransomware will move over to doxware; if the demanded ransom is not paid, then the files, photos, videos or whatever the cybercriminal locked up will be leaked online.
Chris Ensey, COO of Dunbar Security Solutions, told Fast Company that thugs running doxware have not yet made good on threats to leak data; some variants show a fake progress bar of data being transferred to the crooks without ever storing the files with the intention of leaking them. Yet Ensey expects doxware to be an actual threat by next year – pay up or your files are leaked online.
Backup is great advice, but that won’t help if doxware actually catches on.