Ransomware represents a growing threat for the enterprise, as 40 percent of businesses worldwide were attacked with their data held ransom in the past year.
This particular brand of malware is not new: The first recorded case of ransomware, known as the AIDS trojan, appeared in 1989. The attack is relatively easy to deploy and cash in on, said Michael Canavan, vice president of presales systems engineering at Kaspersky Lab.
In the past, cybercriminals targeted a wide range of consumers, and would ask for around $300 to release their personal photos and information. Between April 2015 and March 2016, more than 718,500 users were hit with encryption ransomware -- an increase of 550 percent compared to the same period in 2014-2015, according to Kaspersky Lab research.
"The way it's going, we don't see any indication that the growth rate is slowing," Canavan said.
Once businesses started getting infected, hackers realized payoffs could get higher, Canavan said. "Business targets are at a higher premium because they have a bigger resource pool and more capabilities in terms of data -- it's not just photos of your kids, it's patient files in hospitals and financial records in banking organizations," Canavan said. "Asking for a couple hundred bucks might not justify the value of the data encrypted."
Ransom costs are rising along with the attacks: The average ransom amount for 2015 was about $680 -- nearly twice that for 2014, according to a Symantec report. It will likely double again in 2016, said Kevin Haley, Symantec's director of security response.
The majority of ransomware attacks are not targeted toward one particular end user or business -- rather, they cast a wide net via a phishing email, and then infect a user's home or work device, Haley said. Still, about 43 percent of spear phishing attacks (malware hidden in messages that appear to be from a trustworthy source) included ransomware targeted at small businesses in 2015, up from 34 percent in 2014, another Symantec report found.
Hospitals are also becoming lucrative prey, in part due to high-profile attacks where healthcare organizations paid thousands to hackers. They also tend to have lots of sensitive material on file and outdated security practices, said Gartner analyst Peter Firstbrook.
Broken down by industry, some 38 percent of attacks are in the services field, which includes health care. About 17 percent of attacks are in manufacturing, just over 10 percent are in public administration, and nearly 10 percent are in finance, insurance, and real estate, according to Symantec. The US is the most affected region, with 28 percent of global infections, the report found.
One of the most popular vehicles for ransomware is a phishing email telling the user they have an invoice that requires payment, Haley said. Another common way is to infect a website, or redirect one website to another hosting the malware.
Haley expects to see more targeted attacks against businesses over the next year, and for other devices to come into play. Strikes on computers and smartphones are the norm, but they could also occur on any IoT device, from smart TVs to refrigerators to watches.
"Ransomware is real, and it's going to affect your organization," Haley said. "Most of the steps to protect yourself are not unique -- in the end, protecting yourself against ransomware will protect you against other security issues as well."
Best practices for your company
IT leaders should continuously seek out innovative technologies to add to their customized, layered defense, said James Scott, senior fellow and co-founder of the Institute for Critical Infrastructure Technology. "Look at where your valuable data is, who is trying to exploit it, and what vulnerabilities are there in protecting it," he added.
To prevent a ransomware attack on your company, experts say IT leaders should do the following:
- Use a layered security approach, with all endpoints protected, as well as protection at the mail server and gateway. "If you can stop these things from ever showing up in an end user's mailbox, you're ahead of the game," Haley said.
- Educate your employees. "The human element is always going to be the weakest element," Scott said. "The organization's infosec team has to continuously update their education for other staff with relevant threats."
- Run risk analyses, and patch vulnerabilities, especially on browsers, browser plugins, and operating systems. "Infosec teams should be savvy enough to continuously pen test the organization to hunt for vulnerabilities," Scott said. "It's important that they do that with the same vigor as the adversary would."
- Build a comprehensive backup solution, and back up often. "If your files get encrypted, you don't have to pay the ransom--you just restore the files," Haley said. Most businesses back up, but some have not tested whether or not these backups work in an emergency.
- Track behavior analytics to detect abnormalities among users.
- Limit access to file shares to only those who absolutely need access.
Some organizations are using AI products to predict threats, Scott added. "A year ago, the technology to detect and respond to threats was what everyone was talking about," he said. "Now, it's detect, respond, and predict."