Ransomware, once a small-scale problem affecting PC users, has emerged as one of the most dangerous cyberthreats to organizations. The number of new types of ransomware attacks that have been discovered hit a record high in 2015 and global losses likely run in the hundreds of millions of dollars, according to a report published by security company Symantec.
Increasingly, governments have been the victims of ransomware extortions, in which a person accidentally downloads a piece of software code, known as malware, that will lock a computer’s files, preventing access until a payment is made. Approximately 10 percent of all ransomware attacks target government organizations, according to the report.
Ransomware attacks have grown because they are very profitable, according to Kevin Haley, director of Symantec’s Security Response. People are willing to pay to get their files back, he said. The average ransom demand has doubled to $679, up from $294 at the end of 2015.
Victims are also finding it harder to decrypt their files. In a disturbing trend, encryption software has become more sophisticated.
“Encryption used to be badly designed and was easy to break,” Haley said, “but now it’s very hard to break.”
Other findings from the report include:
- A number of ransomware groups have begun using advanced attack techniques, displaying a level of expertise similar to that seen in many cyberespionage attacks.
- The number of new ransomware families discovered has been steadily increasing since 2011. Last year was a record high, with 100 new families discovered.
- The advent of ransomware as a service (RaaS) means a larger number of cybercriminals can acquire their own ransomware, including those with relatively low levels of expertise.
- The shift toward crypto-ransomware has continued. All but one of the new variants discovered so far in 2016 are crypto-ransomware, compared to around 80 percent last year.
- Between January 2015 and April 2016, the U.S. was the region most affected by ransomware, with 31 percent of global infections.
In the public sector, small agencies and departments that run their own servers — and may have only rudimentary security controls — can end up as ransomware victims. A number of small towns, along with police and fire departments, have been victims of the extortion attacks.
But the number of incidents is growing. The Multi-State Information Sharing & Analysis Center (MS-ISAC), a state and local government cybersecurity organization, has seen a huge growth in the number of reported ransomware attacks, according to MS-ISAC Senior Vice President and Chair Tom Duffy. Speaking at the Symantec Government Symposium on Aug. 30, Duffy said one tactic among ransomware attackers is to delete selected files in order to increase pressure on the victim to pay.
Some local governments have even discussed budgeting for ransomware payments, according to Jen Nowell, Symantec’s national director for state, local government and education. Yet there’s no guarantee victims will get their files back, and paying the ransom only encourages more attacks, sometimes on the same organization that has already been victimized.
Decentralized IT operations in state and local governments can hinder a coordinated cybersecurity strategy, according to Nowell. But she sees attitudes changing about the problem, with more attention to the possibility of breaches and more resources being steered toward prevention programs.
“If you want to minimize problems,” Haley said, “follow best security practices, educate users not to click on attachments and make sure you have good backup.”
Another important rule Nowell says to follow: “Always make sure you are up to date with critical software patches.”