In late 2015, malware trends hinted that a ransomware epidemic was on its way.
And what happened? Less than three months into 2016, security analysts had branded it the ‘year of ransomware’.
Even popular media outlets were covering ransomware cases on an almost daily basis, and both consumers and businesses the world over would come to understand exactly what the word ransomware really means.
So what happened? After all, ransomware has been around for decades, so why the sudden explosion?
Last month we released our annual Phishing Trends and Intelligence Report, in which you’ll find everything you need to know about the current phishing landscape. The following is a summary of the report’s ransomware section.
If you’d prefer to read the full report, click here to download it for free.
Want to know more? Later this month we're hosting a webinar to help organizations understand the threat posed by ransomware, and what they can do to mitigate it. Places fill up quickly, so register now to avoid disappointment.
Show Me the Money
The first (and most obvious) answer is profit. Ransomware, more than any other type of malware, makes it incredibly easy for threat actors to turn a successful infection into money.
There are no credentials to sell, no sophisticated hacking to be done, and no fraudulent transactions to complete. Threat actors simply set up their phishing site, construct an email campaign carrying the payload, and then wait for the ransom payments to roll in.
Of course, ransomware, like most malware, has a fairly low success rate. Even if they are fooled by a campaign, most would-be victims sensibly opt not to pay their ransom.
But given how easy it is to distribute a single campaign to thousands of potential victims, ransomware doesn’t need a high success rate to be worthwhile. Threat actors, for the most part, simply resort to increasing the scope of their campaigns, knowing eventually they’ll find a victim who cares enough about their files to pay up.
Another factor in the ransomware explosion is the increasing success of the Bitcoin cryptocurrency. After its launch in 2009, the currency gained legitimacy between 2012 and 2014 as it began to be accepted by a number of prominent websites and financial institutions. But while most Bitcoin transactions are perfectly legitimate, in recent years it has been adopted as the de facto currency for nefarious online transactions.
Cyber criminals consistently rely on Bitcoin for their illegal activities because, although every transaction is technically public on the blockchain, the addresses involved are pseudonymous and tying a specific transaction or address to an individual or group is extremely difficult without additional intelligence. As a result, accepting ransom money in Bitcoin dramatically reduces the chance that a cyber criminal will be caught.
If criminals were unable to rely on Bitcoin as a payment mechanism, ransomware would be a much less appetizing prospect for cyber criminals.
But these aren’t the only factors that led to the explosion of ransomware in 2016. Even more significant is the low level of technical skill required to pull off a successful heist.
Debunking the Hacker Stereotype
When you think about hackers, you probably imagine some technical whizkid wreaking havoc from their parents’ basement.
And it’s true that all malware variants, including ransomware, rely on some highly technical individuals. After all, somebody has to design and develop the payload.
But the idea that all cyber criminals are highly advanced programmers or security professionals is nowhere close to the truth. In fact, the vast majority of threat actors have almost no technical skill at all. They simply download or buy malware from a small number of developers, and use it as a payload for mass phishing campaigns.
For these actors, ransomware is the holy grail. Suddenly, instead of needing to sell on stolen credentials or sensitive data, they have a tool that promises easy money with no further effort on their part. Meanwhile, ransomware developers don’t even need to conduct their own campaigns, as their income is supplemented by the sale of the ransomware product itself.
But here’s the thing. People who are interested in making easy money, and are willing to commit crimes in order to get it, often don’t want to pay for their tools. So in 2016, the underground economy of cyber criminals changed.
Instead of selling their ransomware products through underground markets, some developers started distributing them for free via download sites and even social media. But there was a catch. Since they were no longer making money through sales, these developers altered their business model so that unsophisticated users became affiliates rather than independent actors, an arrangement now commonly known as ransomware-as-a-service. Each time a ransom was paid, the fee was split between the affiliate responsible for the campaign and the developer.
So what does this mean for the non-technical threat actors? Suddenly, they have a way to earn money that requires no technical skill and no upfront investment. Unsurprisingly, this proved irresistible for many low level threat actors in 2016.
Media Coverage Doesn’t Always Help
The funny thing about media coverage is that while it of course increases awareness of undesirable activities, it also increases participation.
Threat actors all over the world, both established and prospective, saw the mainstream media cover a new ransomware case almost every day. So what happened? Collectively, the threat actor community turned to ransomware as their go-to payload.
This sudden media coverage proved that above all other considerations, ransomware was working. Even though most victims were opting not to pay up, enough of them did that the pay-off was worth the time investment. And if there’s one thing that threat actors care about, it’s making money.
The Target Switch
Prior to 2016, most ransomware attacks targeted individuals. Threat actors utilized mass phishing campaigns, hoping that if enough people were exposed to their payload, at least a few would opt to pay their ransom demands.
But last year, threat actors got a little smarter.
Sure, the high volume campaigns targeting individuals were still going strong, but there was a sudden flurry of attacks targeting schools, healthcare organizations, and small businesses. And what do all these targets have in common?
They’re much more likely to pay.
Almost without exception, these campaigns targeted organizations with limited security, small IT budgets, and strict compliance obligations that complicate where and how copies of sensitive data can be stored. When faced with a ransom demand, many of these organizations felt they had no choice but to pay, as the alternative was permanent loss of essential files and databases.
In many cases, the damage caused by ransomware posed a significant existential threat to its targets. For these organizations, there was really no choice but to pay ransom demands as quickly as possible, and desperately hope that the threat actors in question would honor their side of the deal by restoring access to the encrypted files.
Proactive is Best
So now that you understand how and why the ransomware explosion happened, what can you do to prepare your organization?
In essence, there are two primary tasks to be completed.
First, you should have a robust backup plan in place. In an ideal world, your organization's critical data should be backed up daily and stored in a secure, offline, off-site location, and restores should be tested regularly, since a backup that has never been restored is only a hope. Many ransomware variants actively search for and encrypt backup files first, for obvious reasons, but by keeping your backups separate from the network they protect you can negate this tactic.
But that’s only half the battle. Even with comprehensive backups, a ransomware infection can cause substantial damage to your organization’s network and force your operations to grind to a halt until repair work can be completed. For this reason, prevention should be your primary aim.
As we’ve already explained, the vast majority of ransomware is deployed using mass and spear phishing campaigns. A central part of the solution, then, alongside technical controls such as mail filtering, is to implement a powerful security awareness training campaign that teaches users to identify and report phishing emails on sight. This provides two huge benefits to your security program:
1) Reported emails can be quarantined before they cause damage to your network. A malicious email need only be reported by one user in order to protect the entire organization.
2) As you collect malicious email samples via user reports, you can identify recurring trends in their content, source, and subject lines, and use this information to tighten technical controls such as your spam filter.
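The second benefit above is easy to state and easy to neglect in practice: a mailbox full of user reports is only useful if someone turns the recurring sender domains, subject lines and lures into filter rules. The script below is an added example, not code from the original post or from the PhishLabs report, showing the triage step. It parses a set of reported messages with Python's standard `email` library, extracts the indicators a mail filter can act on (sender domain, Reply-To mismatch, digit-normalised subject template, attachment type, link hosts), counts them across reports, and lists the ones seen often enough to justify a rule. The sample messages are constructed for the example and every domain in them is fictional.

```python
"""Triage user-reported phishing emails: extract recurring indicators and
turn the ones seen across several reports into candidate mail-filter rules.
Added example, not code from the original page; the sample messages are
constructed and every domain in them is fictional."""
import email
import re
from collections import Counter
from email import policy
from email.utils import parseaddr

# Constructed sample reports, as a user-report mailbox might hold them.
SAMPLE_REPORTS = [
    "\n".join([
        'From: "Accounts Payable" <billing@example-billing.test>',
        "Subject: Invoice #48213 overdue - action required",
        'Content-Type: multipart/mixed; boundary="b"', "",
        "--b", "Content-Type: text/plain", "", "Open the attached invoice.",
        "--b", "Content-Type: application/zip",
        'Content-Disposition: attachment; filename="invoice_48213.zip"',
        "Content-Transfer-Encoding: base64", "", "UEsDBAo=", "--b--", ""]),
    "\n".join([
        "From: billing@example-billing.test",
        "Reply-To: collections@example-billing-mail.test",
        "Subject: Invoice #77290 overdue - action required",
        'Content-Type: multipart/mixed; boundary="b"', "",
        "--b", "Content-Type: text/plain", "", "Second notice, see attached.",
        "--b", "Content-Type: application/zip",
        'Content-Disposition: attachment; filename="invoice_77290.zip"',
        "Content-Transfer-Encoding: base64", "", "UEsDBAo=", "--b--", ""]),
    "\n".join([
        "From: HR <hr@hr-portal-notice.test>",
        "Subject: Updated payroll policy",
        'Content-Type: multipart/mixed; boundary="b"', "",
        "--b", "Content-Type: text/plain", "",
        "Read it at http://secure-docs.example.test/login?u=1 before Friday.",
        "--b", "Content-Type: application/octet-stream",
        'Content-Disposition: attachment; filename="policy.docm"',
        "Content-Transfer-Encoding: base64", "", "0M8R4KGx", "--b--", ""]),
    "\n".join([
        "From: billing@example-billing.test",
        "Subject: Your statement is ready",
        "Content-Type: text/plain", "",
        "Your statement: http://secure-docs.example.test/statement/2024", ""]),
]

RULE_KINDS = ("sender_domain", "subject_template", "attachment_ext", "url_host")


def _domain(header_value):
    """Lower-cased domain of a mailbox header value, or '' if absent."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def extract_indicators(raw):
    """Pull the indicators a filter can act on out of one reported message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = _domain(msg["From"])
    reply_domain = _domain(msg["Reply-To"])
    subject = str(msg["Subject"] or "").lower().strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    return {
        "sender_domain": from_domain,
        # A Reply-To pointing at a different domain is a classic lure trait.
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        # Normalise digits so 'Invoice #48213' and 'Invoice #77290' cluster.
        "subject_template": re.sub(r"\d+", "<n>", subject),
        "attachment_exts": sorted({
            part.get_filename().lower().rsplit(".", 1)[-1]
            for part in msg.iter_attachments() if part.get_filename()}),
        "url_hosts": sorted({
            h.lower() for h in re.findall(r"https?://([^\s/]+)", body)}),
    }


def summarize(raw_reports):
    """Count each indicator across all reports (at most one count per report)."""
    summary = {kind: Counter() for kind in RULE_KINDS}
    summary["reports"] = 0
    summary["reply_to_mismatch"] = 0
    for raw in raw_reports:
        ind = extract_indicators(raw)
        summary["reports"] += 1
        summary["reply_to_mismatch"] += int(ind["reply_to_mismatch"])
        summary["sender_domain"][ind["sender_domain"]] += 1
        summary["subject_template"][ind["subject_template"]] += 1
        summary["attachment_ext"].update(ind["attachment_exts"])
        summary["url_host"].update(ind["url_hosts"])
    return summary


def suggest_rules(summary, min_reports=2):
    """Indicators seen in at least min_reports reports, as (kind, value, count).
    Review before deploying: a generic subject template or a common file type
    such as zip can match legitimate mail too."""
    rules = []
    for kind in RULE_KINDS:
        for value, n in summary[kind].most_common():
            if value and n >= min_reports:
                rules.append((kind, value, n))
    return rules


if __name__ == "__main__":
    report_summary = summarize(SAMPLE_REPORTS)
    print(f"{report_summary['reports']} reports, "
          f"{report_summary['reply_to_mismatch']} with a Reply-To mismatch")
    for kind, value, n in suggest_rules(report_summary):
        print(f"{kind:17} {value!r:45} seen in {n} reports")
```

The threshold is the important knob: with `min_reports=2` the constructed set yields a sender-domain rule, a subject-template rule, a `.zip` attachment rule and a link-host rule, while raising it to 3 leaves only the sender domain. Real reporting pipelines should also feed the link hosts and attachment hashes to the controls that act on them (web proxy, attachment sandbox), not just the spam filter.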
To find out how you can develop and implement a powerful security awareness training initiative for your organization, check out this article.