The scourge of ransomware hit new highs in 2015 and 2016 is turning out to be no bargain – particularly attacks against businesses as the payoffs are higher, the FBI said this week.
Ransomware attacks are not only proliferating, they’re becoming more sophisticated, the FBI stated.
+More on Network World: FBI warning puts car hacking on bigger radar screen+
“Several years ago, ransomware was normally delivered through spam e-mails, but because e-mail systems got better at filtering out spam, cyber criminals turned to spear phishing e-mails targeting specific individuals,” the FBI stated. And in newly identified instances of ransomware, some cyber criminals aren’t using e-mails at all. “These criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers,” said FBI Cyber Division Assistant Director James Trainor in a statement.
Ransomware has been in the news of late because of a series of extortions involving hospitals. CIO wrote recently that in fact ransomware has become a major threat to the U.S. healthcare industry this year. The high-profile attacks that involved Hollywood Presbyterian Hospital in Los Angeles, MedStar Health in Washington, D.C., and other healthcare systems are just the tip of the iceberg. Over half of hospitals surveyed recently by HIMSS Analytics and Healthcare IT News said they had been hit by ransomware attacks in the past year. Another 25% were unsure whether such attacks had occurred.
In the typical a ransomware attack, victims—upon seeing an e-mail addressed to them—will open it and may click on an attachment that appears legitimate, like an invoice or an electronic fax, but which actually contains the malicious ransomware code, the FBI stated . Or the e-mail might contain a legitimate-looking URL, but when a victim clicks on it, they are directed to a website that infects their computer with malicious software.
“One the infection is present, the malware begins encrypting files and folders on local drives, any attached drives, backup drives, and potentially other computers on the same network that the victim computer is attached to. Users and organizations are generally not aware they have been infected until they can no longer access their data or until they begin to see computer messages advising them of the attack and demands for a ransom payment in exchange for a decryption key. These messages include instructions on how to pay the ransom, usually with bitcoins because of the anonymity this virtual currency provides,” the FBI said.
+More on Network World: World’s coolest concept cars+
An industry debate about ransomware centers on whether or not to pay the scammers.
For its part the FBI doesn’t support paying a ransom in response to a ransomware attack. “Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals,” Trainor said.
“There’s no one method or tool that will completely protect you or your organization from a ransomware attack,” said Trainor. “But contingency and remediation planning is crucial to business recovery and continuity—and these plans should be tested regularly.”
The FBI says organizations in particular should focus on two main areas:
Prevention efforts—both in both in terms of awareness training for employees and robust technical prevention controls and the creation of a solid business continuity plan in the event of a ransomware attack.
- Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.
- Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).
- Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
- Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
- Configure access controls, including file, directory, and network share permissions appropriately. If users only need read specific information, they don’t need write-access to those files or directories.
- Disable macro scripts from office files transmitted over e-mail.
- Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs).
Business Continuity Efforts
- Back up data regularly and verify the integrity of those backups regularly.
- Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.