The PhishLabs Blog

Why Ransomware Works, Why it Doesn't, and What it Will Work on Next

Cybersecurity is a field defined by its dynamism, as is crime. When analyzing trends to assess the future of these two frequently overlapping spaces, the most efficient way to separate persistent threats from hype is by asking not just where the money is, but what the easiest way is to get it. While ransomware has had a lock on headlines all year, the most recent news stories all seem to emphasize increases in attacks targeting educational institutions, state and local governments, and healthcare organizations. Let's examine why this change from shotgun targeting to more focused targeting is happening.

Individual victims aren't likely to pay up

An analysis of Cerber ransomware infrastructure by Check Point shows that the number of people who pay up after their data is encrypted is only around two percent. This low infection-to-payout rate corresponds with what we have observed with ransomware in general, which is that very few individuals infected with ransomware actually pay the ransom.  

So, why the low payout rate? It's mainly due to:

  • Previous data loss experiences - A lot of computer users (myself included) have at some point in their life experienced a catastrophic data loss. Whether that was an accident, hardware malfunction, theft, or a laptop forgotten on a bus, it means starting over is less costly than paying a $400 ransom.
  • The inconvenience of cryptocurrency - The people most likely to have irreplaceable data stored on a PC they’ve used for years are often the least likely to understand the byzantine world of cryptocurrency transactions and decryption keys. The pain of figuring out how to pay and the lack of trust that it will actually work push them to just accept the data loss.
  • Not wanting to give in and pay cybercriminals - Refusing to pay is what the FBI and most cybersecurity organizations recommend, as there is no guarantee of your data being freed.

Organizations are more likely to pay ransoms

Recently, many strains of ransomware have been targeting specific types of businesses, such as schools, government agencies, and hospitals. Contrary to the trends we have seen with individual ransomware victims, targets in these industries are more likely to pay a ransom to regain access to their encrypted data.

In looking at survey responses and statements made by organizations who have paid ransoms, the following common themes emerge:

  • Privacy laws regarding storage of health and medical records make backup and storage more complicated and more expensive. Without adequate backups these organizations are left with little choice but to pay a ransom.
  • Data availability is more critical for organizations in these sectors than it is for the general public. Because immediate access to data is crucial to day-to-day operations, the quickest solution to restore access to encrypted data may be to pay the ransom.
  • There is a shortage of qualified cybersecurity professionals in these industries. This lack of resources sometimes leads to a lack of preparedness to defend against these types of attacks and even less readiness to respond with effective solutions.

So what’s next? 

It's unlikely that individuals struck by ransomware will begin paying ransoms at a higher rate. Based on the cybercriminal adaptation we have already seen, attackers are likely to continue looking for infrastructure critical to daily operations used by organizations that can afford a bitcoin or two. Education, state and local governments, and healthcare organizations will remain prime targets until those industries prove more resilient to ransomware attacks (and cybercrime in general). The rest of us should expect to see additional industries targeted by ransomware as cybercriminals get better at identifying organizations with a higher propensity to pay ransoms.

Most ransomware infections happen via phishing emails, exploiting the susceptibility of the user to unwittingly install the ransomware on the targeted machine. However, malware like Mirai has exposed the incredible vulnerability of IoT devices, opening another avenue for high-volume ransomware distribution. Proof-of-concept IoT ransomware has already been demonstrated. As IoT technologies become further woven into the fabric of our daily lives, the likelihood that individuals will be willing to pay ransoms to restore an IoT device grows. You may not be willing to pay to recover lost data stored on a laptop, but what about restoring your car, your HVAC, or your door locks?

Prepare for the future 

Though the organizations targeted by ransomware have changed over the past few months, the target selection process has not. Finding critical infrastructure and a profitable pain point with which to extract a ransom has proven a successful criminal strategy. To prepare for the future of ransomware, as well as cybercrime in general, we have to constantly assess our own vulnerabilities. By assessing our own weaknesses, we are able to better prepare for the next evolution of cyber threats.

For a deep-dive into ransomware, download the whitepaper Pay Up: The Definitive 2016 Guide to Ransomware, where we explore how threat actors use ransomware for profit, the three stages of ransomware defense, and how to react if you are infected.

Topics: Ransomware
