Gad Elkin, Head of EMEA Security, F5 Networks
In the 1996 film Ransom, Tom Mullen (Mel Gibson) attempts to retrieve his son from the clutches of a villain, leading a team of FBI agents to heroically save the day. Whilst this film and many others like it cast up images of money arranged neatly in suitcases and dramatic shoot-outs, the tactics of modern criminals have evolved significantly, instead holding businesses hostage via their data.
Hospitals, governments and banks alike have been targeted with ransomware - a form of malware that restricts access to personal files and demands a monetary ransom to be paid before access is returned - with the number of malicious attacks increasing by 16 percent this year alone. The frequency of these attacks and criminal intent behind them highlight that cyber-threats have moved into a new era. This change is reflected in consumer attitudes, with our recent research revealing that 85% of consumers would like to see more hacker convictions and stricter penalties against offenders. Being faced with cyber-extortion threats can be a traumatic experience for any business, but knowing what you’re up against and how to secure your IT effectively can help to remove these worries from the conscience of business leaders.
Knowing your enemy
Early ransom demands were generally low-level, made via email and paid scant attention. They would revolve around DDoS-type attacks that hackers would threaten to execute if a Bitcoin payment was not received, as demonstrated by hacker groups such as DD4BC. Alternatively, devices would be forcibly encrypted, with a fee demanded in order for users to access data stored on them. Whilst the significant pay-out involved means that financial services are consistently targeted, the tactics used have undergone some changes.
Whilst attacks have increased in intensity, hacker groups have also chosen to flex their digital muscles by launching attacks to a very specific intensity, so as to demonstrate their precise capabilities to victims. Another notable shift has been towards publicly shaming victims, a prominent example of which is the Ashley Madison breach. In such instances, hackers already have access to your data and the ransoms victims pay are purely to ensure that it is not released into the public domain.
In addition to the traditional email format, ‘malvertising’ campaigns are also being implemented, even as users visit legitimate websites. With outsourced cloud computing now also commonplace, service providers are being increasingly targeted. This can have a devastating impact, potentially triggering a domino effect by indirectly infecting their customers.
Don’t put your money where your mouth is
Despite their growing incidence, businesses are seemingly unaware of best practice when it comes to reacting to ransom demands. In fact, research from the IoD and Barclays recently found that only 28 percent of cyber-extortion cases are reported to the authorities, highlighting that victims are happier to pay ransoms than risk the release of sensitive data and the associated bad publicity. As our research showed that half of UK consumers would not share data with or purchase products from a company that has been hacked in the past, business leaders’ concern over the reputational impact of cyber-attacks is clearly validated.
Of course, this overwhelming concern for your data is exactly what cyber-criminals are counting on; in reality, businesses should avoid paying an extortionist. Recent advice from the FBI states that ‘paying a ransom not only emboldens current cyber criminals to get involved in this type of illegal activity… by paying a ransom, an organisation might inadvertently be funding another illicit activity associated with criminals.’ Furthermore, perpetrators are encouraged to carry out repeat attacks on the same target if they show willingness to pay up. Most importantly, there are often significant question marks over how real these threats are. Taking the example of recent attacks by the Armada Collective, thought to be a derivative of DD4BC, there was no way the group could have known which of their victims paid a ransom, suggesting that the threat was likely redundant.
Prevention is better than the cure
Although businesses are beginning to better educate their employees about potential risks and best practice for responding to cyber-ransoms. Before considering this, they must ensure that integral applications are well protected against sophisticated attacks. The first stepping stone to this must be a full evaluation of a business’s current infrastructure, to assess whether they would be able to withstand an attack of the magnitude that hackers are now capable of producing. Following this, employing a combination of on premise and cloud-based services can mitigate attacks in real-time and prove cost-effective by scaling up and down depending on attack volume and intensity.
Another key element is ensuring that your business is protected around the clock. Access to expertise, reporting and analysis at your fingertips is now a requirement to keep businesses and end-consumers safe and satisfied. Businesses have shown a growing inclination towards managed security services and the high-level expertise associated with them, given the increasingly hostile spectrum of cyber-ransom threats.
Over the past few years, the primary change in attitudes to cyber-ransoms has been that businesses are now immediately acting on ransoms demands posted by hackers, rather than only taking them seriously once significantly impacted. Whilst this is a positive, many are now moving towards the other extreme by paying hackers without sufficient consideration, something that can only serve to perpetuate the problem. Fundamentally, putting the appropriate measures in place to secure your applications will relieve worries over cyber-extortion, a scenario far preferable to giving up business revenue unnecessarily.