Easy to carry out, difficult to fight against: Why ransomware is booming in 2016

With more devices connected to the internet than ever before and organisations increasingly reliant on constant access to such connected systems, it's no wonder ransomware has surged this year.
Written by Danny Palmer, Senior Writer

CTB-Locker is one of the many variants of malware which have been terrorising victims in 2016.

Image: Cisco/Talos Group

When it comes to tech security threats, 2016 has been the year of ransomware, with numerous high-profile organisations forced to pay ransoms in order to regain access to crucial files and systems after becoming victims of data-encrypting malware. The surge in ransomware even saw the US and Canada issue a rare joint cyber alert in an effort to warn against its dangers.

But ransomware is far from a new phenomenon -- the first instance, dubbed PC Cyborg, was written in 1989 -- so why is it now suddenly booming? There's a combination of factors; one of them is simply that people are becoming more reliant on computers to store files and victims don't want to lose that data, so are often willing to pay a ransom to get it back.

"Because people are now so dependent on the online world for everything, from photos of family to business information, the perceived and real profitability of targeting people with ransomware has become apparent, which is why there's been a real head of steam," says David Emm, principal security researcher at Kaspersky Lab.

Unlike stealthy forms of malware such as data-stealing Trojans, ransomware isn't subtle. Developers need a lot of time and effort to code a Trojan in such a way that it remains undetected; ransomware doesn't need to do that, which makes it quicker to build and deploy.

"If kicking down the front door is going to work, it beats putting the time in to development," says Emm.

Why spend time and effort developing complex code or generating fake credit cards from stolen bank details if ransomware can result in instant payments of hundreds or even thousands of dollars from large swathes of infected victims at once? For cybercriminals, ransomware is now the best way to make a quick buck.

Ransomware might be a "random spray and pray technique" but hackers are finding it provides a good return, warns Greg Day, vice president and EMEA chief security officer at Palo Alto Networks.

Ransomware is successful because victims may see a ransom of a couple of hundred dollars as a price worth paying in order to regain access to files -- especially those of sentimental value. While a $200 ransom might not seem like much in the big scheme of things, if thousands of people give in and pay ransoms to the perpetrators of ransomware, then the amount of money being illicitly made quickly adds up.

"The simple reality is the concept of ransomware is really basic: I encrypt your data then you pay me some money to get it back," says Day.

Cybercriminals have realised this technique works, which is why there's been a rapid rise in ransomware, especially this year. However, it's now moved beyond an issue that just impacts upon unlucky individuals: hackers are now targeting organisations with ransomware in order to extort larger fees from victims that can't perform their day-to-day operations while they're in the grip of the malware.

"What cybercriminals can now do is charge significantly more if they understand what data is valuable -- the ransom may no longer be a couple of hundred dollars, it may be tens of thousands," says Day.

One of the most infamous examples of this sort of targeted attack occurred in February when the Hollywood Presbyterian Medical Center in Los Angeles paid a $17,000 Bitcoin fee in order to free its computer network from a Locky ransomware infection and regain access to vital patient files. Ultimately, hackers have learned that if they can get into a system which can't afford to be compromised at all -- like that of a hospital or another piece of critical infrastructure -- they're in for a big payday.

"You have a situation where attackers are seeking to make a quick buck and they want to do that with the least effort required, so you want to select victims which are probably the least flexible with hesitating to pay that ransom. So, for cybercriminals, hospitals are a great place to start because they don't really have the choice to not pay that ransom and they're potentially very large environments," says Mike Hanley, director of Duo Labs at Duo Security.

While the threat of ransomware is growing for every sector, hospitals are fast becoming an easy target for hackers, because not only is it potentially a life-and-death situation if their networks aren't operational, they also tend to run on older operating systems which are highly vulnerable to malicious attacks.

"The healthcare industry has four times as many Windows XP endpoints as the financial sector and that's a pretty damning statistic. Healthcare's generally behind and then if you add to that how if you don't pay people could die because you can't provide medical services, that makes it a juicy target for the bad guys," says Hanley.

But hospitals are far from the only organisations which have been impacted by ransomware: almost 40 percent of enterprises were hit by it last year and some had to stop trading as a result.

In many cases, it's because the victim hasn't properly backed up their systems. "Up until recently, ransomware was primarily aimed at individuals and small businesses because bigger organisations tend to have backed up as a routine thing. So over the last year or so I've been surprised at just how many large organisations have been in a position where they've had to pay a ransom," says Kaspersky Lab's Emm.

"The attackers are realising that even organisations are going to be in this position so an attack is going to be successful, so rather than target a user, if they can get an organisation then they can get more money," he adds.

As well as ransomware being both simple to carry out and effective, there's also another reason why it's on the rise so rapidly: the boom in the use of smartphones and tablets -- fully functioning computers in their own right -- means hackers have far more targets to potentially infect, especially if users are highly reliant on their devices.

This, argues Emm, means people are becoming susceptible to 'digital amnesia' and are becoming reliant on smartphones for quick access to important information -- meaning people might be more willing to pay to unencrypt an infected smartphone.

"People can't necessarily remember things in the way they could've done [in the past] because it's all on the device at their fingertips. That isn't a bad thing, but it does mean it ups the importance of this device and attackers know this too, which is why we've seen an exponential rise in mobile malware," he says, adding: "they realise it's an easy way to monetise malware" especially as users don't tend to secure their smartphones like they would with a computer.

With ransomware therefore being so successful for cybercriminals, the problem is only going to get worse before it gets better, especially if they know it's working. "It'll continue to be productive, and while it's productive, they'll exploit it," says Emm.

A recent incident at the Kansas Heart Hospital certainly demonstrated this to be the case, because when the hospital paid the hackers, the extortionists just asked for more money. As long as victims are willing to pay cybercriminals ransoms in order to try to get their files back, ransomware will only continue to grow and continue to be a threat -- especially as more and more objects become connected to the internet.

