Corporate Ransomware Attacks and What to Expect Next


Posted by Liviu Arsene

Organizations have been plagued by sophisticated malware attacks in the past year, showing that cybercriminals have shifted their attention to more profitable targets and that organizations might be more prone to malware than previously believed.

Oddly enough, only 38 percent of organizations currently have a strategy to deal with destructive malware, as compared to 43 percent in 2015, according to recent surveys. Ransomware has been behind some of the most devastating attacks in recent months, specifically targeting the medical sector. However, no industry is safe from this threat, with cybercriminals leveraging the fact that the balance between IT spending and IT security tips in the attacker’s favor.

Are Organizations Easily Giving in to Ransomware?

Some 50 percent of infected consumers are willing to pay to regain access to their encrypted files after being hit by ransomware, and organizations face the same tough decision. Recent incidents involving the Presbyterian Medical Center—and other hospitals and institutions—have proven that ransomware is likely to generate far more revenue from hitting only a couple of victims than from infecting thousands of users.

One hospital paid a ransomware attacker more than $17,000 to recover patient data and resume activities, and that’s just a single incident where management has decided to come forth with the information. It’s believed that the attackers demanded around $3.6 million at first, showing that the cybercriminals could generate huge financial gains just by hitting a couple of large targets.

The FBI encourages victims not to give in to threats, as paying fuels cybercriminals by providing the funds necessary to keep developing new threats and to demand more with each attack. While some organizations have admitted they have encountered ransomware in their own networks, few have actually come forward and said how much they paid the attackers.

Ransomware Evolving to be Even More Persistent

New ransomware strains have not been limited to only encrypting sensitive files, such as documents, databases, or even pictures. The Petya ransomware, for example, shows how cybercriminals have shifted focus towards restricting users from accessing information from the entire disk. Specifically, it encrypted the NTFS Master File Table to further pressure the victim into paying because it wouldn’t even allow them to use the operating system.

The relative sophistication of the malware shows that attackers are becoming more skilled and even more determined to force victims to pay. Petya also shows that new variants are more efficient in terms of encryption speed. Whereas traditional ransomware encrypted files one by one, a process that sometimes dragged on for hours, this new approach is much faster because it encrypts only the NTFS file responsible for managing all information on all disk files.

While there have been no actual reports on Petya specifically targeting any organization’s endpoints, it’s safe to assume that, without a proper backup or advanced endpoint security solution, it would be extremely difficult for a company to assess whether to pay for decryption.

What Organizations Should Be Expecting

Crypto-ransomware has proven highly versatile in targeting both consumers and businesses. Cybercriminals have been conjuring up new methods and mechanisms for making the entire decryption process more difficult—sometimes even impossible—and they’re digging deep into victims' pockets.

If right now ransomware is one of the most serious threats companies and individuals face, what if it evolves into extortionware? Not only will organizations find themselves forced to pay for decryption, but cybercriminals might also be copying internal sensitive documents and threatening to publish them online unless additional money is paid.

This form of extortion would leave businesses even more vulnerable and likely to end up settling, as having intellectual property or confidential documents exposed online could be far more damaging to a company’s reputation and financial stability than the cost of recovery from a traditional ransomware infection.

To this end, regardless of an organization’s size, proactively setting up new security and back-up mechanisms that can detect and rapidly mitigate such infections is more than recommended.


Contributors
Liviu Arsene

Director of Threat Research and Reporting, CrowdStrike

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
