TLP: WHITE
Summary
The NJCCIC assesses with high confidence that many businesses, schools, government agencies, and home users will remain at high risk of ransomware infections throughout 2016, as financially motivated hackers continue to innovate and expand the targeting scope of their extortion campaigns. The most prevalent form of this profit-driven malware is known as crypto-ransomware, referring to the use of encryption to render files inaccessible until a ransom is paid for the decryption key. The observed increase in ransomware infections and development of new variants over the last two years illustrates the attractive incentives for criminal hackers, as the perceived return on investment outweighs the risk of attribution and prosecution. In recent months, several cybersecurity firms released threat predictions for 2016, with universal agreement that ransomware and other forms of cyber extortion would not only continue to increase, but expand into new digital territories. In addition to personal devices such as tablets and smartphones, criminal hackers will probably target other Internet-connected devices including home automation systems, smart appliances, vehicles, and medical devices. Likewise, businesses’ servers, websites, and cloud solutions are also at risk, particularly those that outsource data storage and management to third-party vendors with poor cybersecurity practices.
- Ransomware distribution often relies on cunning social engineering, such as carefully crafted phishing emails, designed to manipulate as many unsuspecting victims as possible and maximize profit. Other infection vectors include exploit kits, drive-by downloads, malvertising, and botnets.
- The developers and propagators of ransomware are able to obscure their identities and reduce the likelihood of attribution using a variety of tactics. Most variants of ransomware now rely on the Tor anonymity network for command and control, and on cryptocurrency, namely Bitcoin, to accept ransom payments anonymously. In addition to built-in anti-forensic capabilities designed to avoid detection and forensic examination, newer variants attempt to eliminate data recovery options by encrypting additional connected drives and network shares, deleting Shadow Volume Copies and system restore points, and even overwriting free disk space.
- Demonstrating the effectiveness of ransomware and the damage a single campaign can inflict, the Cyber Threat Alliance reported that the CryptoWall 3.0 variant infected hundreds of thousands of victims worldwide and netted criminals $325 million in less than one year. In 2015, Microsoft reported that it had removed ransomware infections from 24,000 computers after updating malware signatures in its Malicious Software Removal Tool. Furthermore, in the 2015 Kaspersky Security Bulletin, the cybersecurity company reported the detection of ransomware on over 50,000 computers on corporate networks, double the number detected in 2014.
- There is an expanding marketplace for customizable, user-friendly ransomware tools, ransomware-as-a-service offerings, and affiliate programs that allow average users with limited technical ability to distribute malware and conduct for-profit cyberattacks. In 2015, a ransomware kit named Tox was released that allowed any Internet user to distribute and profit from ransomware. Although the developer of Tox ultimately put the kit up for sale fearing discovery by law enforcement, other hackers quickly filled the void by offering affiliate programs that promised shared profit to anyone who distributes the ransomware to more victims.
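The recovery-destroying behaviors described above (deleting Shadow Volume Copies, shrinking shadow storage, overwriting free disk space) leave a clear trace in process-creation telemetry. The following is an added detection example, not part of the NJCCIC assessment: it runs simple rules over constructed Sysmon-style process-creation records (the key=value layout is an assumption made for this example) and returns one alert per suspicious command line.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation records (Event ID 1), written for
# this example; the key=value layout is an assumption, not a real export format.
SAMPLE_LOGS = [
    r"EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine='vssadmin delete shadows /all /quiet' User=CORP\jdoe",
    r"EventID=1 Image=C:\Windows\System32\wbem\WMIC.exe CommandLine='wmic shadowcopy delete' User=CORP\jdoe",
    r"EventID=1 Image=C:\Windows\System32\cipher.exe CommandLine='cipher /w:C:\' User=CORP\jdoe",
    r"EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine='vssadmin list shadows' User=CORP\backupadmin",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine='notepad.exe notes.txt' User=CORP\jdoe",
]

# One regex per recovery-destroying behaviour named in the report. Matching is
# case-insensitive and tolerant of extra whitespace and an optional .exe suffix.
RULES: Dict[str, "re.Pattern[str]"] = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "shadow_storage_shrink": re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I),
    "free_space_overwrite": re.compile(r"\bcipher(?:\.exe)?\s+/w:", re.I),
}

FIELD_RE = re.compile(r"CommandLine='([^']*)'")
USER_RE = re.compile(r"User=(\S+)")


def command_line(record: str) -> str:
    """Extract the CommandLine field; returns '' when the record has none."""
    m = FIELD_RE.search(record)
    return m.group(1) if m else ""


def scan(records: List[str]) -> List[Dict[str, str]]:
    """Return one alert per record whose command line matches a rule."""
    alerts = []
    for rec in records:
        cmd = command_line(rec)
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                user_m = USER_RE.search(rec)
                alerts.append({"rule": name, "user": user_m.group(1) if user_m else "?", "cmd": cmd})
                break  # one alert per record is enough for triage
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(f"[{a['rule']}] {a['user']}: {a['cmd']}")
```

Read-only commands such as `vssadmin list shadows` are deliberately not flagged, so a backup administrator's routine checks do not produce noise; a real deployment would additionally baseline which accounts legitimately run these tools.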
For many organizations, ransomware may not be entirely preventable; however, the impact of a successful infection can be greatly reduced if a robust data backup process is in place. Comprehensive data backups should be scheduled as often as possible and must be kept offline in a separate and secure location. The most effective method to prevent ransomware infections is to conduct regular training and awareness exercises with all employees to ensure users are proficient in safe Internet-browsing techniques and the ability to identify phishing emails.
- For more information on current ransomware variants impacting US victims, including resources, indicators, decryption tools (if available), and mitigation recommendations, see our Ransomware Threat Profile.
Traffic Light Protocol: WHITE information may be distributed without restriction.