Criminals chase the market, and this year the hottest market has been in hacking businesses’ data and holding it for ransom.
Since the hack of Hollywood Presbyterian Medical Center in February, in which its data was scrambled by a so-called ransomware program and only unlocked after it paid $17,000 in bitcoins, the number of such attacks is up three-fold over the same period last year.
Nearly 1 million such ransomware attacks have occurred thus far this year, a rate of more than 4,000 a day and a 300 percent increase over 2015, according to a report by the FBI. One reason: The hospital paid quickly, which appears to have sent a signal to the black market.
“It was very clear that one hospital was willing to pay the ransom and so hospitals began to get targeted because of that,” said Kevin Haley, director of security response for Symantec’s security response division in Culver City. “They are going to look where they can get the most bang for their buck with these attacks.”
It’s not just hospitals that are getting hit with ransomware – small and large businesses alike are falling victim to attacks because the crime is easier than ever to commit and companies are juicy targets, said Haley.
“The bad guys love businesses more than end users because they tend to have more money in their account,” he said.
There have been rumors of attacks in Los Angeles recently, but despite the volume few businesses are willing to publicly acknowledge they have been hit. That’s in part because they don’t want to make themselves known as susceptible and in part because the amounts extorted tend to be nominal.
Though most businesses don’t pay ransoms nearly as high as Hollywood Presbyterian – a targeted and sophisticated attack – the market for stealing company data is booming, said Austin Berglas, senior managing director at K2 Intelligence in New York.
“I’d say that $300 to $500 is where you will find the majority of these schemes,” he said, noting that many are random spam-based phishing attacks, which rely on unwitting users accidentally clicking on bad links or attachments that contain viruses.
“If you send out 200,000 loaded emails with an attachment and 10 percent click on that, that’s a pretty good payday,” he said.
Crimes of opportunity
Low barriers to entry and a high payoff are encouraging cybercriminals to take up the practice of ransoming businesses’ data, said Juan Andres Guerrero-Saade, a Miami-based senior security researcher with cybersecurity software maker Kaspersky Lab.
“A lot of those developers that were focused on banking threats or Trojans are switching to focusing on ransomware,” he said.
Many types of ransomware attack a business’s Microsoft Word or Excel programs, encrypting the files into an unusable jumble of characters that can only be straightened out with a password after a bitcoin ransom is paid. Other varieties scramble financial, picture, or AutoCAD files.
In fact, some ransomware can calculate the value of a system’s files and automatically set a ransom amount, a sort of price discrimination, said Guerrero-Saade.
Because it’s easier than ever to buy ransomware online for as little as $50, more bad actors are entering the market, K2’s Berglas said.
“You’re going to have to go to the deep Web or dark Web on sites that are only accessible through a Tor browser, but it’s not hard once you get access to one of these sites,” he said. “Oftentimes they are offered in kits that come with customer support. You communicate with the person who sold it to you (via a chat) if you are not technical.”
Some criminal organizations are even turning to a kind of affiliate marketing to drive revenue growth, giving accomplices a cut of their ransom for successfully spreading their viruses to new hosts, said Symantec’s Haley.
“They will get generally 40 to 60 percent of the take,” he said. “As there has been competition out there, they are actually increasing their offering. We saw someone last week offering 80 percent of their take to their affiliates. Market demand plays out in this area just like it does in the real world.”
Tough problem
Dealing with a ransomware attack can be a bewildering and crippling experience for many businesses, said Berglas.
“The problem is a lot of organizations when they get hit with ransomware it could be the first time they’ve heard of bitcoin,” he said. “It’s a step outside of their comfort zone.”
And while most organizations can get data back by paying the ransom, that doesn’t necessarily mean the end of their problems, said Haley.
“In most cases you’ll get your files back, but it’s not guaranteed,” he said. “We are seeing some of these guys that hold you for ransom and then drop a banking Trojan (horse attack) on your machine and clean out your bank account.”
While some businesses avoid paying a ransom by relying on backup files, most find those to be incomplete, said Berglas.
“I have yet to see an organization that is so properly prepared that they can just go, I don’t care if I’m attacked. I’ve got perfect backups,” he said.
What’s more, companies might be obligated to pay the ransom to keep their business running smoothly, said lawyer Sharon Klein, a partner at Pepper Hamilton’s downtown office who consults with clients on cyberattacks.
“They don’t like to pay the money, but if they don’t, the economic loss to the business is greater,” she said. “From a legal perspective, we look at that as a fiduciary duty to the business.”
Some businesses may have a contractual obligation to notify people of the breach, she said, suggesting that companies purchase insurance to cover the cost and potential liability of cyberattacks.
“You need to check your contracts to see if there is indemnification or risk mitigation that you are obligated to do because you’ve been entrusted with sensitive data,” Klein said.
In addition to antivirus software, employee education and rigorous file backup systems, it’s recommended that companies make sure that their cybersecurity programs are constantly updated, Haley said.
“We see over a million new pieces of malware every single day,” he said, noting a large portion of new malware programs are slight variations of older programs, a morphing technique used to avoid detection. “We are putting out new protection for our customers approximately every 35 minutes.”
The cybersecurity industry is constantly coming up with new ways to thwart ransomware attacks, but there is only so much that can be done against an ever-evolving threat, said Berglas.
“Anything (the criminals) can do to monetize their exploits they are going to do it,” he said. “The day industry comes up with a way to completely thwart ransomware attacks they’ll move on.”