The virulent spread of the WannaCry worm around the world was a dramatic reminder that ransomware is the digital era’s equivalent of the highway robber — it appears from nowhere to panic and blackmail its victims by preventing them conducting their daily business unless they pay up.
As organisations struck in May by WannaCry in around 150 countries have discovered — from the UK’s National Health Service to Spanish telecoms company Telefónica and US-based logistics firm FedEx — these cyber-era Dick Turpins target indiscriminately in their efforts to make a profit. Criminals now cry “stand and deliver” using digital technology.
WannaCry is just one piece of computer hostage-taking malware, a headline-grabbing sign of an underground growth industry. The number of new ransomware “families” — or variants — more than tripled to 101 in 2016 from the year before, and the average ransoms they are demanding increased from $294 to about $1,000, according to Symantec, the cyber security company.
Ransomware is a more effective way to make illicit money than stealing data. The crooks do not have to wait for black market buyers. Instead victims quickly pay to restore access to their files and services. Research by technology company IBM in 2016 found that 70 per cent of businesses hit by the malicious software paid the ransom.
Ransomware operators run like “pseudo companies”, according to George Kurtz, chief executive of CrowdStrike. “To collect on the ransomware, they have help desk support on how to pay the ransom. A lot of the time, if you don’t know how to pay in bitcoin they will have a video,” he says.
Even before the WannaCry attack, cyber criminals were creative in causing disruption with high-profile attacks, such as the hijacking of the Washington DC police camera system just days before the presidential inauguration in January, and the breach at the San Francisco Municipal Transport Agency last November that made the public transport system free for a day. Neither authority paid the ransom. UK police arrested two people in south London suspected to be behind the Washington DC camera hack.
Criminals now often go beyond accessing one computer or set of files on a corporate network, to attacking databases filled with sensitive customer information. Candid Wüest from Symantec’s threat response team says recent attacks have targeted online cloud databases built on platforms such as MongoDB and Hadoop. Hackers access your network and delete the local copies of the files while holding the cloud versions hostage, Mr Wüest says.
“I’ve seen at least once instance when a shop used the [cloud] database for all the customer invoices. Whatever you ordered, your whole history is in the database,” Mr Wüest says. “The scary part is some of the attacks just delete the data and ask for a ransom, they don’t even copy the data so, even if you pay, you don’t get it back.”
Mr Wüest says he is aware of at least 30,000 attacks of this kind, including a small US manufacturing company in the supply chain for much larger companies that lost track of all outstanding orders and invoices.
Even keeping back-ups does not necessarily secure business data from attack, as newer ransomware strains scan for back-up files and delete them as well. Some businesses, such as hospitals, need up-to-the-minute data. Simply restoring back-ups made 24 hours earlier is not an option if your patients have serious conditions that need regular monitoring.
The UK’s NHS was one of main victims of the recent WannaCry attack, though the health service seems not to have been deliberately targeted. But cyber criminals have aimed at hospitals in the past. The Hollywood Presbyterian hospital in LA admitted last year that it paid $17,000 in bitcoin in hackers to regain control of its computer network.
However, cyber security companies, including Cisco and IBM’s Resilient, are now selling software that detects and responds to ransomware, with many others following suit.
KnowBe4, a company that specialises in training employees to be more security aware, has created a tool that simulates ransomware incidents so that businesses can check how robust their defences are. Stu Sjouwerman, KnowBe4’s founder and chief executive, say anti-virus softwares vary wildly in their ability to cope with this new threat. “Some commercial anti-viruses are very good and block everything,” he says. “But other very well known household names in anti-viruses are essentially ineffective and do nothing.”
The challenge for anti-virus developers is distinguishing behaviour within systems. For example, programs such as Microsoft Word automatically save the file every few minutes, while malicious software opens file after file to encrypt them so their owners cannot use them.
Varonis, a security company that specialises in protecting data, says it examines normal behaviour for each employee, as well as each administrator’s account and the machine services that operate in the background.
Brian Vecci, a cyber security expert at Varonis, says its software can see when an action moves from a human being “opening a Word doc and saving Excel” to “suddenly my user is opening lots of information and files in a short period of time, changing them to what looks like encrypted”.
The Boston Globe newspaper used Varonis to help stop a ransomware attack in 10 minutes after an administrator clicked on a link that downloaded CryptoLocker, a ransomware virus that targets Windows software. The problem was isolated to her PC by immediately shutting down her access to external files and turning the computer off.
Most companies would like to avoid being held up on the highway in the first place. This is difficult because the first point of entry for most ransomware is phishing, the sending of links to malware in emails.
Mr Sjouwerman says employees should be trained to recognise danger signs, and that phishing tests should be sent out about twice a month to staff
With trained employees, companies can create a “human firewall”, he says. But, he adds, you need two back-ups: one instant and another completely disconnected from the internet and not on the same site. “You need weapons grade back-ups,” he says.
1. On May 12 2017, mobile operator Telefónica was among the first large organisations to report infection by WannaCry
2. By late morning, hospitals and clinics across the UK began reporting problems to the national cyber incident response centre
3. In Europe, French carmaker Renault was hit; in Germany, railway company Deutsche Bahn became another high-profile victim
4. In Russia, the ministry of the interior, mobile phone provider MegaFon, and Sberbank became infected.
5. Although WannaCry’s spread had been checked, the US was not entirely spared, with FedEx being the highest-profile victim