Ransomware Goes Corporate in 2016

Posted by RSAC Contributor

This post comes from Liviu Arsene, security analyst at Bitdefender.

The ransomware threat is growing. More than 13.1 million U.S. users—4.1 percent of the total population—have encountered ransomware, and half of them paid the ransom to recover their personal data. Another 40 percent would actually consider paying, according to a recent study we commissioned.

In our security predictions for 2016, we projected that ransomware would become even more aggressive and diversify by targeting businesses. While it was previously limited to the Windows operating system, we’ve now seen Linux and Android variants that could be just as lucrative and effective.

Job-related documents are not a top recovery priority for end-users—18 percent of U.S. respondents would consider paying recovery fees—but companies will likely believe otherwise if sensitive corporate data gets encrypted by ransomware.

While there have been “urban legends” of companies that were infected with ransomware and paid to recover all their data, it’s entirely likely they’re willing to cough up even more than the average user, as the data can be mission-critical, and the loss could cripple their business. Any company that can lose business because of ransomware will either consider paying the ransom or have incremental backups ready to kick in once an infection is detected. Odds are that the latter is sparsely implemented by small and medium-sized businesses.

Ransomware should not be associated only with file encrypting capabilities. Another method through which cybercriminals can make money is to perform blitzkrieg attacks on companies, exfiltrate data and sensitive information, and then blackmail victims with the threat that they will dump the information online.

This new mechanism, already dubbed “extortionware” by security experts, will gain significant traction in 2016. SMBs will probably bear the brunt of this type of attack, as their security policies are usually more lax.

With 44 percent of enterprise security managers expected to increase their budget in 2016, SMBs and large companies can set some security mechanisms in place to minimize the fallout of an eventual ransomware or extortionware attack.

Companies must first identify their critical assets and data. While they won’t be able to protect them indefinitely, the goal should be to make it increasingly difficult for attackers or malware to get to them. Security teams need to devise plans that set out procedures and recovery steps in the event of a breach or data loss.

Setting up an off-site or off-line backup mechanism for all critical data should also be considered, especially since file-encrypting ransomware has a knack for making things irrecoverable if the ransom is not paid.

Authentication, authorization and accounting policies, along with security software, should also be deployed company-wide, since these not only aid in protecting against a wide range of attacks but also help the forensic process. Tracing back the original infection point and plugging the breach should be a top concern after a reported breach.

With ransomware usually being distributed via malicious email attachments, employees should be educated in spotting and reporting suspicious emails to IT departments. Our own telemetry found 15,000 spam emails with zip files that distribute some variant of Android malware.

The ransomware plague will become a leitmotif throughout 2016, causing significant data and financial losses that could be unprecedented. The malware-as-a-service industry has become extremely financially oriented and particularly focused on maximizing its return on investment.


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
