[BreachExchange] Ransomware has been labeled the biggest threat this year, but is it as dangerous as it's made out to be?
Audrey McNeil
audrey at riskbasedsecurity.com
Mon Jun 6 19:00:53 EDT 2016
http://www.scmagazineuk.com/ransomware-has-been-labeled-the-biggest-threat-this-year-but-is-it-as-dangerous-as-its-made-out-to-be/article/495687/
Ransomware is making headlines across the globe, in particular in the
healthcare sector, where attacks on US institutions have been especially
rife: strikes on the Chino Valley Medical Center, the Kentucky Methodist
hospital and the Desert Valley hospital have raised very prominent warning
signs across the pond in the UK.
Not only does ransomware deny an organisation access to its data, it also
leaves services out of pocket. The Hollywood Presbyterian hospital, for
example, paid the Bitcoin equivalent of £11,000 in February this year to
regain control of its mission-critical communications systems from its
cyber hostage-takers.
According to reports, the attack even forced medical staff to revert to
paper medical records. The 10-day intrusion locked employees out of
critical electronic medical record systems, among others. The hospital
explained that the "quickest and most efficient way to restore its systems
and administrative functions was to pay the ransom and obtain the
decryption key."
With the NHS looking to digitise medical records and put the population's
health data online, it raises the question of "when" rather than "if" such
attacks will become prevalent in our healthcare system. And as these
attacks grow more prevalent, the pressing question is "to pay or not to
pay?"
Risk/benefit analysis needed on whether to pay up
There's a school of thought that one should never pay a ransom, but even
the FBI admits that ironclad refusal isn't always the best option.
When it comes to the ransomware threat, criminals are market-savvy. They
have a good idea of what a particular dataset is worth to its owner and
will play on human emotion to get what they want. Analysing the benefits
and risks of paying up for data will help determine what action to take
when an enterprise is hit by this insidious threat.
Think about the end result
We must remember that each situation is unique in the consequences it
presents, and these should be tackled case by case. Organisations need to
consider how valuable the encrypted data is and whether recovering it
warrants paying up.
Organisations need to be as savvy as the criminals when they are
contemplating whether to pay up. If it is a matter of life or limb, then I
would argue that this warrants paying a ransom immediately.
However, if the ransomware is merely an inconvenience, with some data lost
and individuals unable to conduct tasks for a few days, then the ransom
should not be paid.
Being made to pay
Let's say an organisation was to pay. What are the risks involved? On the
one hand, historic ransomware payments have exposed the payer to little
direct risk. Institutions that have paid in the past, including Hollywood
Presbyterian, did so in Bitcoin, so no cash or banking details changed
hands. The payer typically buys the coins through a third-party exchange
or broker; the transaction itself is recorded on the public Bitcoin ledger,
but the addresses are pseudonymous, so the victim has no practical way of
knowing where the funds end up, let alone of identifying the criminal.
So once such a transaction is complete, what is the likelihood of the
organisation actually getting its precious data back? High, in practice.
In the ransomware attacks analysed so far, the criminals have generally
handed over a working decryption key, because the first operator not to
honour the bargain ruins the game for everyone. That is an economic
incentive, though, not a guarantee.
Enterprises shouldn't treat these apparent assurances as a reason to pay
up. Paying the bad guys also has repercussions, and it shouldn't be the
'go to' solution for an enterprise. A decision to pay must be worthwhile
and justified, because every payment gives criminals the upper hand and a
clear mandate to attack other vulnerable institutions and services.
Paying up in any other situation not only puts enterprises out of pocket,
but also actively fuels the weaponisation of ransomware for all of us.
Countermeasure
In figuring out a strategy to stem the tide of ransomware attacks, it's
important to know the two forms this type of attack takes: locker and
cryptoransomware.
Locker ransomware was once the most common, but these attacks have declined
as illicit actors adopt the more sophisticated cryptoransomware. Locker
attacks restrict access to an entire computer system, typically by locking
the screen or the operating system rather than the files themselves, and it
is the resulting panic that turns these attacks into payouts for the bad
guys.
Cryptoransomware targets only the most valuable parts of the networks and
endpoints it attempts to disrupt. A computer under this type of attack will
still work, but access to the encrypted files is denied. It's a type of
judo, explain the authors of the ICIT report.
"Cryptoransomware is as simple as weaponising strong encryption against
victims to deny them access to those files," the researchers write.
"After the initial infection, the malware silently identifies and encrypts
valuable files. Only after access to target files has been restricted does
the ransomware ask the user for a fee to access their files."
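The sequence the ICIT authors describe (silently encrypt, then demand payment) is also what makes cryptoransomware detectable before the note appears: encrypted files have near-maximal byte entropy and lose the header their format would normally carry, and they show up in bulk. The following heuristic scanner is an added example written for this page, not code from the article or from ICIT. The entropy threshold, the minimum count that triggers an alert, and the sample files it scans are all assumptions constructed for the example.

```python
"""Heuristic detection of cryptoransomware activity on a directory tree.

Added example: a file whose head has near-maximal entropy and no recognised
format header looks like ciphertext; several such files at once look like a
cryptoransomware pass. Thresholds are assumptions, not published figures.
"""
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.2  # bits/byte: text is ~4-5, ciphertext ~7.9+ (assumed cut-off)
MIN_SUSPICIOUS = 3       # files that must trip the check before alerting (assumed)
SAMPLE_BYTES = 65536     # only the head of each file is read

# Well-known magic bytes of formats that are legitimately high-entropy
# (compressed containers); a matching header is therefore not flagged.
KNOWN_MAGIC = (
    b"\x89PNG\r\n\x1a\n",  # PNG
    b"PK\x03\x04",         # zip, also docx/xlsx/pptx
    b"\xff\xd8\xff",       # JPEG
    b"%PDF-",              # PDF
)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str) -> bool:
    """High entropy with no recognised header is the cryptoransomware signature."""
    with open(path, "rb") as f:
        head = f.read(SAMPLE_BYTES)
    if any(head.startswith(magic) for magic in KNOWN_MAGIC):
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def scan_tree(root: str) -> list[str]:
    """Return paths (relative to root, sorted) of files that look encrypted."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if looks_encrypted(full):
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def under_attack(hits: list[str]) -> bool:
    """Alert only when several files flip at once; one odd file is noise."""
    return len(hits) >= MIN_SUSPICIOUS


def build_sample_tree(root: str) -> None:
    """Constructed sample data: plaintext, a PNG-headed blob, and ciphertext."""
    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"patient record, ward 3, follow-up due\n" * 200)
    with open(os.path.join(root, "scan.png"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n" + os.urandom(4096))  # high entropy but headed
    for i in range(1, 4):  # what a cryptoransomware pass leaves behind
        with open(os.path.join(root, f"record{i}.txt.locked"), "wb") as f:
            f.write(os.urandom(4096))


def demo() -> tuple[list[str], bool]:
    """Build the constructed tree in a temp dir, scan it, return (hits, alert)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = scan_tree(tmp)
        return hits, under_attack(hits)


if __name__ == "__main__":
    found, alert = demo()
    print("suspicious:", found, "ALERT" if alert else "ok")
```

The header check matters: compressed formats such as PNG or OOXML documents are high-entropy too, so entropy alone would flag every scanned image on a file share. In a real deployment the scan would run against a canary directory or the file server's change feed rather than walking the whole tree on every pass.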
Another reason to back up regularly
Understanding the type of ransomware attacking an enterprise helps
organisations plan their best line of defence. Building a culture of
consistent backups in the enterprise, kept out of reach of the infected
systems and tested by actually restoring from them, will serve as the most
appropriate defence against such threats.
If you can easily restore any valuable information that ransomware has
denied you access to, you effectively neutralise the attack. Of course, if
you've let attackers into your system and they have read the data and found
information that would be embarrassing or harmful to the business if made
public, that data can still be leveraged for cyber-blackmail.
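A backup only "neutralises the attack" if two things hold: the backup copy was out of the malware's reach and still matches what was backed up, and the restore really reproduces the original files. The script below, an added example written for this page rather than anything from the article, records a SHA-256 manifest at backup time, measures the damage after a simulated attack, refuses to restore from a backup that fails its own manifest check, and re-verifies the restored tree. The directory layout, file contents and the simulated attack are all constructed for the example.

```python
"""Backup manifest and restore verification.

Added example: a SHA-256 manifest taken when the backup is made lets us
(a) measure what the ransomware changed or deleted, (b) confirm the offline
copy is intact before trusting it, and (c) prove the restore reproduced the
originals. All paths and sample files here are constructed.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _rel(root: str, full: str) -> str:
    return os.path.relpath(full, root).replace(os.sep, "/")


def build_manifest(root: str) -> dict[str, str]:
    """Map relative path -> SHA-256 of every file under root."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[_rel(root, full)] = sha256_file(full)
    return manifest


def verify_tree(root: str, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Classify each manifest entry as ok / changed / missing, and list files
    on disk the manifest never recorded (e.g. a dropped ransom note)."""
    result = {"ok": [], "changed": [], "missing": [], "extra": []}
    for rel, digest in manifest.items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            result["missing"].append(rel)
        elif sha256_file(full) != digest:
            result["changed"].append(rel)
        else:
            result["ok"].append(rel)
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = _rel(root, os.path.join(dirpath, name))
            if rel not in manifest:
                result["extra"].append(rel)
    return {k: sorted(v) for k, v in result.items()}


def restore_from_backup(backup_root: str, target_root: str,
                        manifest: dict[str, str]) -> dict[str, list[str]]:
    """Refuse to restore from a backup that fails its own manifest check;
    otherwise copy every recorded file across and re-verify the target."""
    check = verify_tree(backup_root, manifest)
    if check["changed"] or check["missing"]:
        raise RuntimeError(f"backup copy is not trustworthy: {check}")
    for rel in manifest:
        src = os.path.join(backup_root, *rel.split("/"))
        dst = os.path.join(target_root, *rel.split("/"))
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
    return verify_tree(target_root, manifest)


def demo() -> tuple[dict, dict]:
    """Constructed scenario: back up, get hit, measure damage, restore, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "live")
        backup = os.path.join(tmp, "backup")
        os.makedirs(os.path.join(live, "records"))
        for rel, body in {
            "records/patient1.txt": b"patient 1: ward 3\n",
            "records/patient2.txt": b"patient 2: ward 5\n",
            "README.txt": b"EMR export\n",
        }.items():
            with open(os.path.join(live, *rel.split("/")), "wb") as f:
                f.write(body)
        shutil.copytree(live, backup)   # offline copy taken before the attack
        manifest = build_manifest(live)

        # Simulated cryptoransomware: one file overwritten with ciphertext,
        # one deleted, and a (constructed) ransom note dropped.
        with open(os.path.join(live, "records", "patient1.txt"), "wb") as f:
            f.write(os.urandom(64))
        os.remove(os.path.join(live, "records", "patient2.txt"))
        with open(os.path.join(live, "READ_ME.txt"), "wb") as f:
            f.write(b"your files are encrypted\n")

        damage = verify_tree(live, manifest)
        after = restore_from_backup(backup, live, manifest)
        return damage, after


if __name__ == "__main__":
    damage, after = demo()
    print("damage:", damage)
    print("after restore:", after)
```

Note that the restore reports the ransom note under "extra" even after a clean restore: copying files back does not remove what the attacker added, so clean-up of the endpoint is a separate step from data recovery.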
One solace for victims of ransomware is that cyber-insurance policies are
increasingly written to reimburse for the costs associated with these
attacks. If your company has this type of insurance, check to see if
ransomware is covered. If not, look into adding a rider to your
organisation's policy.
So while 2016 may indeed become the "Year of Ransomware," it could also
become the year companies and organisations figure out how to detect,
verify and respond to this insidious threat.