Taking data hostage: The rise of ransomware Proposal title goes here | Section title goes here Table of contents Introduction .............................................................................................. 01 A class of its own ..................................................................................... 02 Easy profit lures new players, changes the game ............................ 02 Lessons from kidnap-and-ransom services ..................................... 03 Be prepared ..............................................................................................04 Data taken hostage? Don’t panic ......................................................... 05 In summary .............................................................................................06 Ransomware realities.............................................................................. 07 Learn more ................................................................................................08 03 Taking data hostage: The rise of ransomware Introduction It begins much like any other day at the office: you’re working away on your computer when you receive an email informing you an invoice has arrived for your department. It directs you to download the invoice using the link provided. Without giving it much thought, you download and open the file. Sometime later, you discover you can no longer access your files and that several copies of a file named “DECRYPT_YOUR_DATA.txt” have been created. It’s a chilling moment. Sensitive files on your computer, and probably on the network you’re connected to, have been encrypted. They’ve effectively been taken hostage in one of the fastest-growing forms of cybercrime: ransomware attacks. Ransomware, as the name suggests, is campaigns being launched against targets a malware designed to make a target’s with deeper pockets and more motivation data unusable or to prevent access to to pay quickly. systems until a ransom – typically in Canada is not immune: ransomware attacks hard-to-trace digital currency - is paid. have been occurring here for the past The scene described above is of a typical three years, with the volume rising sharply ransomware incident, a trap any computer in recent months. It now ranks among the user can fall into. A newer and more sinister top three biggest cybersecurity concerns of development is targeted ransomware, in Canadian organizations. which individual organizations are pursued and, once infected, might take a couple Victims are often willing to pay whatever of months to paralyze a system before sum is demanded of them to get back demanding a ransom. to business as soon as possible. It’s not unlike families being willing to pay Ransomware is becoming highly kidnappers whatever is required to release sophisticated: some recent variants can their loved one from captivity. Given the gain access without connecting to the parallels in criminal strategy, it may not Internet at all, making its source virtually be surprising that the methods used untraceable. The lucrative and fast pay-off, by teams dealing with human kidnap combined with its stealth and relative incidents can be successfully adapted to anonymity of the transactions, has made a cyber environment. We’ve found these this type of cyberattack increasingly strategies effective when negotiating with attractive to criminals. ransomware criminals to gain time, reduce Indeed, ransomware attacks have reached the ransom amount, and resolve the issue epidemic levels across the globe. There quickly. have been more incidents in the first Before exploring the parallels, it’s half of 2016 than in the past five years important to examine what ransomware combined, and we expect the number to is and why it’s becoming the malware of increase exponentially. Their severity has choice amongst cybercriminals. also increased, with more sophisticated 1 Taking data hostage: The rise of ransomware A class of its own Ransomware differs from other types With traditional ransomware, the strategy is of cyberattacks in that the objective is to get in, get as much cash as possible, and to make the victim pay money to the get out as quickly as possible, because the perpetrator directly. Other types of longer it takes to get the money, the less malware attacks often take more effort likely the plan is to succeed. This made it to monetize: stolen credit cards, for different from the typical cyberattack. But example, need to be divided into bundles things are changing: targeted ransomware, of certain sizes and sold to different people, which is becoming more popular with eventually working out to about $5 a card. criminals, plays a long game. Ransomware also differs in that the goal Once this malware has gained entry, it will isn’t to steal data but to deny access to identify an organization’s most sensitive or it until money has changed hands. That prized data, corrupt the backups to make makes it about availability, whereas other them useless, create backdoors in the cyberattacks seek to breach confidentiality system to make future infiltrations easy, (stealing personal data, credit card and encrypt the data all before sending information, etc.) and compromise integrity a ransom demand. It could be quietly (as privacy breaches must be disclosed to wreaking this havoc for a couple of months authorities). before the victim is even aware of a problem. By then, the organization is on its knees. Easy profit lures new players, changes the game For years after the first known ransomware As they’ve shifted their target sights, incident, executed in 1989 by way of perpetrators are also changing their floppy disks and demanding a US$189 methods. A few years ago, a typical tactic ransom, perpetrators tended to seek a was the drive-by download, a passive relatively small sum from a wide range of approach. Today, attackers are also actively victims, including individuals. While such targeting potential victims with social opportunistic entries are still the typical engineering. An estimated 80 percent of infection vector, criminals have become ransomware is introduced by downloading more interested in preying on specific macro-enabled Office documents sent by a organizations. Attractive targets include party mimicking a legitimate source. those with potentially limited cybersecurity Today, the average negotiated ransom is resources whose data may be needed in in the $20,000 range, but it can be much, life-and-death situations, such as hospitals. much higher. According to reports, US Several were targeted in early 2016, victims handed over more than US$325 including a Los Angeles health centre that million to the creators of the CryptoWall reportedly paid a US$17,000 ransom to variant in 2015. The lucrative potential regain control of its computer system. The of this malware has attracted more stakes are extraordinarily high—imagine sophisticated criminals, ushering in a new how much might be paid to retrieve a era in which ransomware attacks will likely decade’s worth of cancer research. proliferate further. 2 Taking data hostage: The rise of ransomware Lessons from kidnap-&-ransom services As we’ve already noted, through our Typical human hostage Potential data/systems experience handling ransomware crises for management services hostage management services clients, we noticed the paradigms between data and human kidnap-and-ransom situations are similar. • Assess vulnerability of client • Assess the vulnerability of the client (typically, affluent or high- (company or organization). But physically capturing a person and profile individual). • Educate client about the risk, holding him or her until demands are met • Educate client about the risk, and teach attack detection and takes a great deal of planning and creates including attack detection and prevention. Ensure adherence a good deal of risk for the perpetrators. Prevention protection. to a good cybersecurity hygiene With ransomware, criminals can reproduce routine. a similar situation by hijacking an • Ensure client has a strategy/ organization’s prized data without ever methodology in place to follow having to step outside, thus reducing risk closely in case of attack. and expense while increasing the potential payday – they can cripple an unprepared organization in a way taking a human • Sell insurance to cover ransom, • Sell insurance to cover ransom, hostage never could. legal fees, consultant fees, loss legal fees, consultant fees, loss Insurance of business and replacement of business due to operations However, given the parallels between workers. slowdown/shutdown, data these types of criminal acts, we believe destruction, damage to reputation. it’s instructive to look at typical hostage management services/tactics to design a defence plan and negotiation strategy • Immediate response steps • Implement response strategy; follow step by step. against ransomware: • Engage media relations and Crisis communication • Resist urge to disconnect. management • Call on-site consultants • Call on-site consultants. • Arrange support for family/employer. • Ask for proof of life. • Ask for proof of attacker’s capacity to decrypt the data (e.g., proof of • Determine motive decryption key). Negotiation (politics or profits?) • Slowly reduce ransom price. • Slowly reduce ransom price. • Assess risk of second ransom. • Assess risk of second ransom. • Conduct compromise • Conduct compromise assessment. assessment. • Follow recovery plan. • Offer psychological support. Debrief • Profile cyberattacker.