santiago silver - Fotolia
UK organisations are still not taking ransomware seriously enough and continue to fall prey to this method of low-cost, low-risk cyber extortion, according to security experts.
Cyber criminals simply have to infect computer systems with malware designed to lock up critical data by encrypting it and demand ransom in return for the encryption keys.
The occurrence of ransomware attacks nearly doubled, up by 172%, in the first half of 2016 compared with the whole of 2015, according to a recent report by security firm Trend Micro.
Ransomware, the report said, is now a prevalent and pervasive threat, with variants designed to attack all levels of the network.
“Cyber criminals spearheading these attacks are creatively evolving on a continuous basis to keep enterprises guessing,” said Raimund Genes, chief technology officer at Trend Micro.
Ransomware is typically distributed through phishing emails designed to trick recipients into downloading the malware, or through app downloads and compromised websites.
The business model is proving extremely successful for cyber criminals, as many organisations are not prepared for it, and paying the ransom is often the best or only option open to them.
Two separate studies have revealed that universities and NHS trusts in England have been hit hard by ransomware in the past year.
A freedom of information request by security firm SentinelOne revealed that 23 of 58 UK universities polled were targeted by ransomware in the past year, but all claim not to have paid any ransom.
According to Javvad Malik, security advocate at AlienVault, at least one university may have used sound tactics to minimise the impact.
“Rather than invest in preventative measures like antivirus that may or may not prevent ransomware from getting in, and to avoid the cost of paying ransomware, at least one university appears to have segregated its systems and put in place backup and restore processes that wipe and restore systems when they’re hit by ransomware,” he said.
In a similar study by security firm NCC Group, 47% of NHS Trusts in England admitted they had been targeted, while one single trust said it had never been targeted, and the rest refused to comment on the grounds of patient confidentiality. Only one trust said it had contacted the police.
“The damage that a successful ransomware attack can cause makes these findings not simply an issue for a trust’s IT team, but for its board of directors too,” said Ollie Whitehouse, technical director at NCC Group.
“Paying the ransom – which isn’t something we would advise – can cost significant sums of money, yet losing patient data would be a nightmare scenario for an NHS Trust,” he said.
Whitehouse said that while ransomware writers were sometimes careless in the past so there was often a way to retrieve files, that is seldom the case now, making preparation even more important.
“There is no silver bullet or one single solution that can stop this type of attack, despite what many security companies may claim,” he said.
NCC Group recommends a multi-layered approach, applying robust controls such as regular software patching, using up-to-date anti-virus software and educating staff on the risks posed by phishing and ransomware.
Emily Orton, director at security firm Darktrace, said the recent wave of ransomware marked the beginning of a new era of automated attacks.
“News of these attacks against UK universities and NHS Trusts comes months after a spate of ransomware attacks against US healthcare providers. And yet the lesson still needs to be learned,” she said.
Read more about ransomware
- Next wave of ransomware expected to be more pervasive, resilient and capable of spreading quickly and effectively throughout networks by capitalising on vulnerabilities.
- Businesses still get caught by ransomware even though straightforward avoidance methods exist.
- The Cryptolocker ransomware caught many enterprises off guard, but there is a defence strategy that works.
Automated attacks are always going to be difficult to defend against, said Orton. For this reason, Darktrace believes machine learning and automation are at the heart of a new approach to catch early indicators of ransomware attacks.
“These latest studies should serve as a big wake-up call to the whole sector to embrace new technology innovation,” she said.
Commenting on the fact that only one NHS Trust reported the ransomware attack to police, Jonathan Sander, vice-president of product strategy at Lieberman Software, said it showed that many organisations do not think that law enforcement can help.
“They think, often correctly, that the criminals are in another country. So they conclude, often incorrectly, law enforcement will either be powerless or be forced to bring in higher level authorities that may actually cause more disturbance than good,” he said.
Another issue, said Sanders, is that organisations often fail to see what's happening as a crime, but see it instead as an IT issue. “Even when it’s certainly a crime, people can’t get past the attitude that anything attached to a keyboard is up to IT to sort out.”
Security firm Sophos has developed a whitepaper advising businesses on how to stay protected against ransomware.
Sophos lists best practices that businesses and public sector organisations should apply immediately to prevent falling victim to ransomware:
- Backup regularly and keep a recent backup copy off-site
- Do not enable macros in document attachments received via email
- Be cautious about unsolicited attachments
- Do not give users more login power than they need
- Consider installing Microsoft Office viewers to see what documents look like without opening them in Word or Excel
- Patch early, patch often because ransomware often relies on security bugs in popular applications
- Keep informed about new security features added to your business applications
- Show files with their extensions because malware authors increasingly try to disguise the actual file extension to trick you into opening them