As 2017 begins, ransomware remains a top security threat. This form of attack, which encrypts files or locks devices until a ransom is paid, looms over large companies, SMEs and even individuals.
Ransomware features in the top-10 security threat predictions of analysts and security labs across the world. In 2015, businesses paid $24 million to ransomware attackers, a figure that was expected to jump to $850 million in 2016, according to Carbon Black’s 2016 Threat Report. However, I would hesitate to put a number on the true total, since many organizations choose to pay the ransom rather than report the incident.
New threats and attack surfaces emerge with every new innovation, such as the Internet of Things (IoT) and self-driving cars. Given the rapid increase of Internet-enabled devices on the market, the security threats associated with such devices will also continue to surge.
The incentive to hack is generally financial. Cybercriminals buy and sell stolen data on underground black markets: social security numbers, bank account details, credit card data, personal identity information and personal health information. Some experts have predicted that the sheer volume of ransomware attacks, combined with breaches of IoT devices, could create a new crime model called Ransomware of Things (RoT).
Enterprise-targeted ransomware attacks have become mainstream and will continue to be a major threat in 2017. Newer ransomware campaigns exploit vulnerable web servers as an entry point into an organization’s network. Tailoring a campaign to a specific group, whether high-profile users or SME companies, greatly increases its success rate: the more cybercriminals know about their potential victims, the more they can exploit that knowledge. With it they can automatically craft compelling, trustworthy spear-phishing messages that drive record-breaking open rates, and thus infect more users.
Once cybercriminals realize they are dealing with a vulnerable, data-rich company, they can customize ransom notes to demand larger sums than they typically would, and companies will feel more compelled than ever to pay. The recent trend of attackers using social engineering and social networks to reach sensitive roles or individuals within a company, and through them its data, shows the need for comprehensive security education. In 2017, attackers will continue to exploit people to install malware, transfer funds and steal information, with significant changes in techniques and behavior across the three main vectors that target people: email, social media and mobile apps.
A prediction for 2017: “Small will be the new big,” as sophisticated threat actors return to smaller, more targeted campaigns to deliver their malware payloads. Ransomware authors will target mission-critical servers and PCs within specific departments. By holding these sensitive devices hostage, they will apply the right pressure at the right time to collect the ransom quickly.
The ransomware of the future could have the capability to turn off power, shut down communication lines and disrupt production, owing to the increased use of IoT, which, as Brian Krebs noted at ISACA’s CSX North America conference in October, poses an enormous concern.
Ransomware attackers will also diversify their targets from large enterprises to SMEs, since SMEs are relatively easy picks and the same attack can be repeated across many of them.
There are several experts, labs and consultants available to provide solutions. However, ransomware is likely to remain among the top 10 security threats in 2017, even for the smallest of companies. Until companies of all sizes, as well as individuals, collaborate well enough to share threats, intelligence and research, expect ransomware to remain a bane.
Sunder Krishnan, CISA, past president of ISACA Mumbai Chapter
[ISACA Now Blog]