The Changing Face of Cyber Extortion
Over the last couple of years, ransomware, malware that locks up computers or data, has burst into the collective consciousness of businesses and governments worldwide. High-profile ransomware attacks have brought operations to a halt, leading organizations like the Hollywood Presbyterian Medical Center to pay thousands of dollars in untraceable cyber coin to get operations back on track. While the threat of stopped operations loomed large, ransom costs were small compared with the typical costs of a data breach. The data was (presumably) not actually stolen, and the primary defense, good data backups, was straightforward. So for many organizations, ransomware seemed like a manageable risk. But now ransomware is evolving, attacks have become commonplace, and privacy regulations are being updated to include ransomware attacks. Information security, privacy, and risk management teams need to stay abreast of these threats and strengthen their defenses on the assumption that this kind of cyber extortion is here to stay.

Ransomware is Not a Blip

Ransomware is the criminal equivalent of fast food: it's easy, it offers near-instant gratification, and it makes the criminals' coffers fat. So it's no surprise that the tactic has grown quickly. Symantec's 2016 Internet Security Threat Report found that ransomware attacks increased 35% in 2015. They estimate that between businesses and consumers, there are at least 4,000 ransomware attacks per day. According to an August 2016 study by Osterman Research, nearly 50 percent of U.S. organizations surveyed had been victims of a ransomware attack in the last 12 months.

Cyber extortionists pick their targets carefully, looking for organizations that have the most to lose if operations are shut down or critical data is lost. As you would guess from the news headlines, healthcare was the industry most commonly targeted, since a loss of information access there can be life-threatening. But healthcare was closely followed by financial services and manufacturing (where an operations shutdown can cost millions of dollars a day), and then government. Only 37 percent of U.S. organizations were confident in their ability to stop ransomware.

The Escalation of Ransomware

Until recently, businesses hit with ransomware could find slight solace in the fact that ransomware locks data in place, so these attacks don't entail all the costs and complications of a data breach. But that is changing fast. Healthcare was the first industry to feel the change when, in mid-2016, the Office for Civil Rights (OCR) of the Department of Health and Human Services (DHHS) said that any ransomware attack involving protected health information (PHI) may be considered a data breach under the Health Insurance Portability and Accountability Act (HIPAA). Experts have also warned that, even if a ransom is paid and files are unlocked, attackers could leave hidden malware ready to exfiltrate data or lock files again. So ransomware victims in any industry need to prepare for the possibility of an ensuing breach.

More recently, a new kind of cyber extortion has made the breach threat explicit. Dubbed "doxware" after the slang term for posting stolen information on the Dark Web, this kind of ransomware not only holds data hostage through encryption, it also threatens to expose the data publicly if the ransom isn't paid. So you can now choose: face the cost of the ransom or the costs of a data breach. Because you're dealing with criminals, paying the ransom doesn't guarantee that information won't be stolen, but not paying guarantees that it will be.

Beyond Backups

The FBI and other law enforcement agencies have advised against paying ransom. For plain old ransomware, that's a straightforward choice for an organization that has good backups. But once the costs of a doxware breach are figured in, the ransom equation becomes less clear.

The best solution is to invest up front to stop extortionware. Encrypting data at rest can help defend against the threat of data exposure through doxware. For ransomware, in addition to having secure, working backups and keeping up with security patches, the FBI recommends training to help staff resist phishing and other malware-delivery tactics. (Interestingly, the Osterman survey found U.S. companies are more likely to invest in ransomware-related staff training than those in other countries.) The FBI also recommends keeping strict control of file permissions, application whitelisting, and penetration testing, that is, attempting to hack your own systems.

Security software can also help to detect ransomware and other "extortionware," but new variants are cropping up so fast that security vendors can't keep pace. Many organizations are now considering data loss prevention (DLP) tools that use machine learning to track normal behavior for a computer system so they can flag abnormalities that might signal an attack in progress. As the Osterman report notes, U.S. businesses tend to rely on training to combat malware, but with so many points of entry, it's inevitable that something will get through sometime. There need to be other internal lines of defense.

Ransomware Readiness Now

At the beginning of 2016, experts predicted it would be "The Year of Ransomware." And so it was. But until the tech world can produce 100% secure software, which is highly unlikely, we will not see a year without ransomware. For what it's worth, whatever measures we take to fight cyber extortion will also help to protect us against cyber attacks of all kinds. No step towards greater information security is wasted.
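The behavioral-baselining idea raised under Beyond Backups (learn what normal file activity looks like, then flag departures from it), as an added illustration that is not code from the article or from any DLP product: a constructed stream of per-host file events, a baseline of the host's normal per-minute write/rename rate and the file extensions it usually touches, and a check that flags a minute only when both the rate and the share of never-seen extensions are abnormal. The host name, paths, and thresholds are assumptions.

```python
"""Behavioural baseline for ransomware-like file activity over constructed sample events."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample events: (minute, host, action, path). Not taken from any real system.
BASELINE = [(m, "ws01", "write", f"/home/alice/doc{m}.docx") for m in range(60)]
BASELINE += [(m, "ws01", "write", f"/home/alice/notes{m}.txt") for m in range(0, 60, 3)]

# Same normal activity, then at minute 61 a burst that rewrites 40 files under a new extension
SUSPECT = list(BASELINE)
SUSPECT += [(61, "ws01", "write", f"/home/alice/doc{i}.docx.locked") for i in range(40)]
SUSPECT += [(61, "ws01", "rename", f"/home/alice/doc{i}.docx") for i in range(40)]

WATCHED = ("write", "rename")


def build_baseline(events, host):
    """Per-minute write/rename rate (mean, stddev) and the set of extensions the host normally touches."""
    counts = Counter(m for m, h, a, _ in events if h == host and a in WATCHED)
    series = [counts.get(m, 0) for m in range(min(counts), max(counts) + 1)]  # include quiet minutes
    exts = {p.rsplit(".", 1)[-1] for _, h, _, p in events if h == host}
    return mean(series), pstdev(series), exts


def suspicious_minutes(events, host, baseline, k=3.0, min_unknown_ext=10):
    """Flag minutes whose activity exceeds mean + k*stddev AND touches many never-seen extensions.
    Requiring both conditions keeps a legitimate bulk copy of familiar files from being flagged."""
    mu, sigma, known = baseline
    threshold = mu + k * max(sigma, 1.0)  # floor sigma so a very flat baseline still yields a usable threshold
    by_minute = defaultdict(list)
    for m, h, a, p in events:
        if h == host and a in WATCHED:
            by_minute[m].append(p)
    flagged = []
    for m, paths in sorted(by_minute.items()):
        unknown = sum(1 for p in paths if p.rsplit(".", 1)[-1] not in known)
        if len(paths) > threshold and unknown >= min_unknown_ext:
            flagged.append((m, len(paths), unknown))
    return flagged


if __name__ == "__main__":
    base = build_baseline(BASELINE, "ws01")
    for minute, total, unknown in suspicious_minutes(SUSPECT, "ws01", base):
        print(f"minute {minute}: {total} write/rename events, {unknown} with an unseen extension")
```

In practice the baseline would be learned per host and per user over days of activity, and a hit like minute 61 would trigger isolation of the host and a restore from the backups the article recommends.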