September 5, 2016 by Angela Stelmakowich, Editor
Ransomware. The nasty-sounding malware threat comes armed with an equally nasty array of sticks: sticks that can shut down a business for a time; sticks that can cost companies thousands of dollars (or more) to restore or rebuild what once was; sticks that can lead to loss of brand value and corporate embarrassment; and sticks that can batter down confidence, leaving in their wake nervousness that the threat will resurface yet again.
Unfortunately, this malware du jour shows few signs of relenting any time soon. To date, it has certainly proved successful enough to keep its run going.
Regardless of the specific motivation, regardless of whether the malicious perpetrator is working solo or as part of a well-oiled team, ransomware is proving a solid commercial venture with a shape-shifting approach and blistering speed bolstered by the move to automation.
Awareness of the potential impacts is growing, although one could argue perhaps not quickly enough to keep pace.
Tools, measures and strategies are available, but, again, these may not always be enough. Key to preventing or mitigating the potential losses associated with ransomware attacks, as is the case with any malware, is to understand that the best defence is a good offence.
The offence an organization adopts may not be guaranteed to cut down those big sticks into harmless twigs each and every time, but the threats can be trimmed sliver-by-sliver over time to deaden the impact when hits inevitably occur.
Preparedness, technology, training and continuing monitoring offer promise.
Ransomware is a family of malware that enters systems via email attachments or a link on the intranet, sources say. Once executed, it begins encrypting files on the computer, preventing them from being viewed, by using one of many different cryptographic algorithms available with a unique key. A message is then sent with an extortion demand.
“Incidents of ransomware and extortion-driven attacks are expected to increase in Canada, particularly within the public, legal and financial services sectors given the private and sensitive nature of the information these organizations hold,” KPMG LLP reported this past March.
“So far, 2016 saw a double-digit growth in incidents caused by ransomware and we anticipate a similar trend for the rest of year and beyond,” adds Ruchir Kumar of KPMG in Canada’s cyber security arm.
Reporting of high-profile ransomware incidents in the mainstream media has helped to raise awareness and vigilance, Ron Kirkland, manager of ICT security for Crawford & Company (Canada) Inc., suggests. But that same media attention may also be “attracting more criminals to the enterprise,” Kirkland points out.
These attacks have become so prevalent “we’ve actually seen… that when the ransom message comes up, they provide a toll-free customer support number” to help the target facilitate a bitcoin payment, says Eduard Goodman, chief privacy officer with IDT911. Ransomware is “something that organized crime rings and folks can use as a dependable way to make money,” Goodman says.
“With the growth of computing and the Internet of Things, ransomware is a risk trend that we expect to only increase,” say Rob Jones, global head of financial lines specialty claims for American International Group (AIG), and Garin Pace, AIG’s head of cyber liability underwriting excellence for the United States and Canada.
“One of the main challenges with ransomware is that it’s constantly changing. It operates and evolves at a rate that makes it impossible for security teams to keep up,” says David Masson, Darktrace’s Canada country manager. “As a result, many Canadian institutions have already fallen victim to these attacks,” Masson says.
“We are seeing reports of more attackers using different encryption variants that are extremely difficult to decrypt,” Kirkland reports. To that, Kumar adds “ransomware has significantly evolved in the recent past as we see it not just encrypts, but deletes all or partial files.”
Karl Sigler, threat intelligence manager at Trustwave, says ransomware is also starting to use worms as a method of infecting victims. “Worms automatically use the current victim to search for and infect more victims,” Sigler explains.
Jérôme Segura, lead malware intelligence analyst for Malwarebytes, expects ransomware will get “more aggressive and sophisticated as a counter-action to the efforts of the security community.”
Masson says ransomware is at the beginning of a trend towards machine-based cyber attacks. “Based on the trends we have seen, ransomware will likely develop to become more advanced, fast-acting and machine-based,” he reports.
That hard turn into automation may be contributing – at least for now – to ransom demands staying fairly low.
“The attackers are not stupid,” says David Pick, managing partner of Brownlee LLP’s Calgary office. “They know that smaller sums will be paid as being economically feasible to the attackee as opposed to the cost of losing data,” Pick suggests.
Canadian-specific findings, part of a Malwarebytes survey – involving 540 chief information officers (CIOs), chief information security officers and IT directors from companies in Canada, the U.S., the United Kingdom and Germany – note companies here are most likely to pay ransom demands, 75%, compared to their counterparts elsewhere.
Conducted by Osterman Research, the survey found 82% of polled Canadian organizations also lost files if they did not pay, 43% expressed losing revenue and 25% revealed a stop in business because of a ransomware attack.
“One of the reasons that ransomware is so popular right now is because it is extremely profitable,” Sigler says. “We did a study last year that showed a non-technical criminal paying a simple $5,900 investment in ransomware could earn a criminal $90,000 in just a one-month campaign,” he notes. “That is calculated with only a 10% infection rate across targeted victims and only a 0.5% payout rate from infected victims,” he reports.
“The ransomware business model is very attractive to other criminals or even lone crooks that never really wrote malware before,” Segura says. “This explains why we have seen a huge increase in spam campaigns pushing ransomware as well as many web-based attacks via exploit kits,” he adds.
Payments, Sigler says, are typically via bitcoins or some other cryptocurrency.
Citing comments from a CIO, Richard Wilson, a partner in cyber security and privacy at PwC Canada, reports, “he said, ‘Not that we’ll ever get rid of bitcoin, but if we could, we would really disable an ability for these guys to have a currency that they can hide behind.'”
Kirkland says “most publicly released figures suggest the cost is between $300 to $600 per attack if you decide to pay for a single computer breach.” But costs can be much higher for more significant institutional or enterprise breaches.
The Malwarebytes survey shows the most common amounts demanded in Canadian attacks are $6,500 or less.
“While we have seen ransom demands that are generally in the $10,000 to $20,000 range, claims in this area are increasing,” note Jones and Pace. “The cost to evaluate the intrusion and the impact or interruption to an organization’s business can be much greater than the actual ransom demand,” they add.
In the case of a University of Calgary ransomware attack, the university paid the demanded $20,000 earlier this year.
Jason Brvenik, principal engineer for Cisco’s security business, is not convinced ransom demands will remain low. “We expect to see further investment in ransomware by the attacker developing automation and targeting capabilities that allow ransomware to seek out and leverage high-value assets in order to demand higher ransoms,” Brvenik says.
While most attacks currently revolve around encrypting data or blocking access to systems, “what happens if they do that not to data, but to an operational system?” Wilson asks, such as a car maker’s assembly line, a production process at an oil and gas company or operations of a mining company.
“Those, to me, are significantly different situations where the likelihood that they’re going to get paid is higher,” he suggests. “When it comes to pure operations and we’ve now lost the ability to operate,” Wilson says, “that equation completely changes things.”
Fragile infrastructure, poor network hygiene and slow detection rates “are providing ample time and air cover for adversaries to operate,” Brvenik says. “The key is to reduce the time to operate.”
Looking at cyber security generally, analytics software company FICO, citing findings of a 2015 Ponemon Institute study, reports that the average time to detect an advanced threat was 98 days for retailers and 196.5 days for financial services institutions.
THEFT WITH PURPOSE
Without a decryption key, Segura argues it is near impossible to recover files. “To make things more difficult, criminals also try to delete back-ups or restore points so that victims are forced to come to them and pay,” he says.
“Ransomware is only a mechanism; it’s not necessarily a peril,” says Brian Rosenbaum, director of the legal and research practice at Aon Risk Solutions. “The consequences of ransomware can go in a bunch of different directions.”
An April bulletin from Borden Ladner Gervais LLP notes related financial loss and other harm include the following:
“A big concern is that organizations will lose customer or market trust if they cannot demonstrate they are taking steps to protect their systems and invest in a cyber security program that addresses this new era of threats,” Masson says.
Perpetrators are eyeing entities where data is time-sensitive to resume operations, says Kumar. “This puts additional pressure on the victim organization to panic and pay the ransom as back-ups sometimes might take longer to make data available to conduct business.”
PAY OR NOT?
Determining whether or not to pay may, in fact, be a million-dollar question. Some sources are adamant that payment should never be made, emphasizing the action contributes to more criminals using ransomware, provides no assurances the data will be restored and funds development and exploitation of others.
Others, however, say it all depends.
For example, organizations that have not properly backed up data, those that are extremely data-heavy or those operating in such dynamic environments that whatever restoration time is necessary is simply too long, might consider paying, Goodman says. “For some businesses, it becomes a balance sheet equation, a cost-benefit analysis. If we’ve got good back-up, what’s going to take us out longer? What’s going to be easier to do?” he says.
“But you also have those companies that literally have no other choice,” he says. “It’s either pay it to get their data back or close the doors,” he suggests.
Wilson reports a client, a fairly large Canadian company, was infiltrated with ransomware. The attacker, who encrypted some data and extracted other data, was able to “lie in wait” for months, unbeknownst to the company, before coming forward with the demand.
Though the company went back and forth about whether or not to pay, it decided not to. “They felt that providing $100,000 to $150,000 to a criminal organization would further their capabilities and their cause and it would just happen to somebody else,” Wilson says.
“I think ransomware really targets small businesses a lot because they have weaker controls and are the kinds of companies that may be more prone to pay the ransom,” says Jeremiah Tonn, Zurich Insurance Company’s security and privacy underwriter for Canada.
Whether or not to pay “is an easy question to answer, unless you are attacked. Then it becomes exceedingly more challenging,” says Kirkland. “There are publicly documented cases in Canada where enterprises have paid and successfully recovered their data, but few organizations would share details about situations where the outcome wasn’t successful.”
Pick’s view is “it depends on the nature of the data that is being held hostage.”
Citing the university incident, “I understand that years of research results/data would have been lost, making the $20,000 ransom a reasonable bargain. That type of data cannot be replaced.”
Compare that to another Calgary incident involving a retailer whose customer list was hacked, he says. That “could be regenerated with time and effort.”
Because many ransoms are small, a lot of times these are below many insurers’ retentions, Tonn says. As such, “we really haven’t seen too many ransomware claims actually come through.”
Jones and Pace, however, report that “we’ve seen an uptick in ransomware incidents reported to AIG, which matches reports we’ve seen from information security experts who say cyber criminals are shifting to ransomware for its ease and opportunity for income.”
Goodman says most coverages he has seen have at least a US$1,000 deductible. As such, paying is “cheaper than pulling in an IT guy to do data back-up.”
Another wrinkle, Kirkland adds, is that “it is becoming increasingly common for the criminal to demand subsequent payments from a victim once they have shown a willingness to pay.” Segura may not agree. “It’s a risk, indeed, although, globally, criminals have lived up to their word when victims paid because it ensures that ‘business model’ is viable.”
Victims have no assurances of anything, Sigler says. Some criminals will do as promised, some will demand more once a payment has been made and others will abandon campaigns “and there’s no one left to decrypt your data even though those bitcoins are already gone.”
As a result of paying ransoms, suggests Borden Ladner Gervais, “the number and sophistication of ransomware attacks have increased over recent years and are predicted to continue to do so.”
One thing on which all agree is decisions to pay can be avoided by having in place appropriate protective measures.
“These are criminals operating outside the law and holding your systems and data for ransom,” Brvenik comments.
“Your only true assurance is good security, operational hygiene – keeping your security systems up to date, and robust back-up and recovery systems.”
Before any payment is made, an assessment is in order. This may involve answering such questions as the following:
“We encourage our clients to isolate the infected segment of the network and scan the entire environment to look for any traces of suspicious malware to ensure multiple machines on the network are not infected,” Kumar says.
Ensuring back-ups are done properly and regularly tested will provide “a point of recovery prior to the attack to allow you to recover data,” Kirkland says. “If at all possible, a complete re-image of the local computer compromised is advised to remove all traces of the threat.”
Even with a full forensics analysis, “there is always a small risk that malware may remain hidden and ready to come back to life,” Segura cautions. “Companies need to remember the most valuable thing is their data, while the hardware is expandable/replaceable,” he advises.
“It is impossible to prevent all of today’s cyber threats. You have to assume that you’ve already been compromised,” Masson advises. Protecting the perimeter alone simply is not enough. “You need to understand what’s happening on the inside of the network as well.”
So-called immune system technologies “automatically learn and understand what is normal for your environment and are extremely sensitive to any deviation from that ‘norm,'” Masson says. “The big breakthrough now is the ability for the machine to fight back against those attacks, not just detect them.”
FOCUS ON PREVENTION
“Prevention is crucial to defeat ransomware,” Segura says. “Basically, ransomware is extortion for those that aren’t prepared. Regular off-site back-ups are your best option,” he maintains.
“When you don’t have a plan ready to deal with something, it, in general, can put people in a panic,” Tonn suggests.
Beyond obvious preventive steps, “the most effective prevention is employee/user education,” Pick contends.
Kirkland agrees the most vulnerable point of entry into the organization is at the user level. “Some system-wide tools, such as blocking the download of .exe and .zip files, removal of local administration access on user computers and not using mapped network drives, are key mitigation factors,” he advises.
Keeping software patched and up to date is also vital, Sigler emphasizes. “Most malware gets installed either by exploiting vulnerabilities in your web browser or through tricking a user through social engineering into opening a malicious document,” he points out.
“Too often, we see organizations delay patching by up to years at a time,” Brvenik states. “Attackers are counting on those missteps for their own nefarious gains, so don’t put off those updates.”
An organization will want “good, reliable, iterative, non-network-connected back-up,” Goodman says. It also needs to institute ongoing monitoring and actually test the system to ensure it performs as expected when needed, he adds.
Malwarebytes notes business applications are a more common entry point for ransomware (18%) in Canadian organizations. Email links are a less likely source of ransomware entry “possibly because of Canada’s very strict anti-spam laws.”
AFTER THE ATTACK
In a ransomware situation, losses hit “more than just the extortion coverage in the typical cyber policy,” Rosenbaum says. In addition to cyber extortion coverage (available for full policy limits on a sub-limited basis and covering costs to terminate the extortion and any extra expenses around that), the third-party liability insuring agreement, the first-party coverage for notification and forensic expenses and the business interruption coverage could all be triggered where there is a ransomware incident, he notes.
“When you talk about ransomware, ransomware crosses over a number of insuring agreements that one would buy,” says Rosenbaum. For example, if an organization’s system is shut down, resulting in business interruption and loss of business, “that’s another insuring agreement,” he explains.
“We encourage our clients to annually review cyber insurance according to the risk appetite, the dynamically evolving threat landscape and changes to the business operations,” Kumar says. If not specially mentioned in the policy coverage, “insurance companies may decline to pay for the damage claims where the organizations paid the ransom,” he says.
Rosenbaum says most cyber policies incept the day insurance is purchased, meaning there is no prior wrongful act coverage for third-party actions. So if a system contains malware or social engineering, not yet activated, and a business purchases insurance and then an attack occurs, “you would not have coverage for the compromise of personal information of your customers or employees because the policy wouldn’t give you wrongful act coverage backwards,” he says.
“My feeling is if insurers don’t want to give the coverage, they should deal with it at the underwriting level,” notes Rosenbaum. Review the company to see what controls are in place “and then decide whether or not they’re a risk they want to take on.” If coverage is provided, “give retroactive coverage,” he says. “Don’t give me exclusionary wording in the policy that limits that exposure.”
A policyholder should not look at insurance coverage “as a cheap alternative to investing in data back-up, good testing, good IT infrastructure,” Goodman emphasizes. “Carriers aren’t going to let them get away with that, either.”
But it does seem ransomware awareness is increasing, says Tonn, adding that his company is receiving more submissions for companies seeking coverage.
When reviewed, “we respond with recommendations so that companies can have a sense of what we’re looking for and what we think are good controls to put in place to help mitigate exposures.”
Whether or not insurance is purchased, just going through the process offers value, Tonn believes. “You’re being asked questions that can potentially uncover vulnerabilities,” he says.
“One of the reasons that ransomware is so popular and profitable is because it is instantly monetizable,” Sigler says. “There is no additional step of selling data. You simply infect the victim and they are either going to pay or they won’t.”
Wilson says it is critically important to remember that what makes ransomware work does not relate to the data the attacker cares about; it is about data the company or organization cares about.
Ransomware is “without a doubt, the malware ‘du jour,'” Sigler says. And like all security threats, Kirkland adds, “it is a moving target with technology and techniques that are always evolving.”