The rise of cyber crime

A typical scenario in movies is of hackers sitting behind keyboards, typing commands to break into systems. In real life, attacks are no longer just about command lines. Attacks have evolved, with hackers automating the process of compromising systems. Attackers rely heavily on malicious software, known as malware, to automate their criminal activity, from cyber espionage to data theft. This malware acts like a robotic assistant that serves the hacker by spreading across multiple systems at lightning speed, giving the hacker the gift of time that they would not have had if they tried to hack every system individually.

Ransomware: the new threat vector

There are numerous types of malware that hackers use to carry out attacks. The type of malware used depends on the result the hacker wants from the attack. Hackers have now started using malware for cyber extortion: malware known as ransomware infects systems and locks users out, demanding real money (a ransom) to let them back in. A 2016 Symantec report on malware states the following:

  • Between January 2015 and April 2016, the US was the region most affected by ransomware, with 28 percent of global infections. Canada, Australia, India, Japan, Italy, the UK, Germany, the Netherlands, and Malaysia round out the top 10.
  • Around 43 percent of ransomware victims were employees in organizations.
  • The average ransom demand has more than doubled and is now $679, up from $294 at the end of 2015.

The above statistics indicate that ransomware attacks are now rampant; they target not just large corporates but also regular users.

The modus operandi for ransomware infection

Ransomware can enter organizational or personal systems and phones in a number of ways. Some of the ways infection happens are:

  • Visiting unverified/unknown websites
  • Allowing pop ups from unverified/unknown websites
  • Opening attachments in emails from unknown sources
  • Using pirated software and media
  • Using unverified cloud services

Impact of ransomware: how can it damage your business?

Ransomware varies in the nature of its attack and extortion model. A simple, broad categorization of ransomware by its outcome for the end user is outlined below:

  • Locker ransomware – this sort of ransomware locks the entire system and demands a ransom for a key that unlocks it, failing which the data is eventually corrupted or erased. A further variant of this type also encrypts the data once the lock is in place.
  • Crypto ransomware – ransomware of this variety does not lock the whole system but encrypts critical files useful to the user, such as documents, photos, databases and email files. Again, a ransom is demanded, on payment of which a decryption key is provided to decrypt the data.
  • Mobile device ransomware – ransomware that may carry out either of the above types of attack but is focused on mobile devices. Android devices have typically seen a larger base of ransomware than iPhones.

In each of the above cases the ransom is demanded in electronic form, such as bitcoins or transfers through e-wallets/online payment platforms.

From a corporate and business point of view, the impact of ransomware is far-reaching. A large number of organizations globally have faced operational issues due to ransomware attacks. The table below summarizes, on an illustrative basis, some of the target systems and business impacts of locker-based ransomware.

Target systems for ransomware | Operational impact of ransomware infections on business
Mail servers  | Inability of the business to communicate internally and with customers, leading to loss of sales and regulatory non-compliance.
ERP systems   | Loss of financial data and of its confidentiality, which may lead to:
              |   • Missing accounting information
              |   • Erroneous/inaccurate/incomplete financial reporting
              |   • Regulatory fines and penalties on account of wrong reporting
              |   • Inability to collect outstanding dues from customers due to absent debtor balances
File servers  | Loss of data confidentiality, with business/regulatory impact depending on the data stored on the file server. Where such servers hold finance data used for financial reporting and accounting, the impacts listed above for ERP systems will occur.
Web servers   | Inability to carry out e-commerce and online sales activities.

Additionally, ransomware has also been known to target anti-virus servers in order to cripple an organization's basic line of defence against detectable viruses and malware. In short, ransomware can target most if not all systems, servers and mobile devices.

Defending against ransomware

Building a foolproof line of defence against ransomware is a practical challenge, as it would involve locking down the freedom of use offered to an organization's end users. Some key precautions that need to be taken as a first line of defence are outlined below:

Precautions at end user level
  • Ensure all desktops have anti-virus (AV) software
  • Install desktop-level firewalls
  • Ensure users do not have the access rights to disable anti-virus or desktop-level firewalls
  • Educate users on usage precautions such as:
    • Not disabling web-based pop-up blocking
    • Not surfing unknown/malicious websites
    • Not using/installing pirated applications or media
    • Not opening attachments from unknown sources
    • Not installing unknown apps on official phones
Precautions at enterprise level to be taken by IT teams
  • Ensure virus signatures on all desktops are kept updated
  • Restrict usage of USB devices
  • Monitor the following elements of the network:
    • Alerts raised by the AV server about potential infections on end user devices
    • A network monitoring system for detecting anomalous processes running on critical servers
    • Network traffic analyzers for anomalous traffic spikes and protocol usage, especially on critical servers
  • Monitor the Security Incident & Event Management System (SIEM) for aspects like:
    • Malware alerts
    • Anomalous traffic patterns
    • Connection attempts to blacklisted sites
    • Extensive usage of unusual protocols at odd hours
    • Attempts at large data exfiltration
    • Frequent encrypted transmissions
  • Increase the frequency of backups of critical systems, so that data can be restored if ransomware encrypts or corrupts it
  • Have an effective and practical incident response plan for malware attacks
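As an added illustration (not from the original article or any vendor's product), the small Python pass below expresses three of the SIEM checks listed above (connections to blacklisted sites, unusual protocols at odd hours, large data transfers) as rules run over constructed log lines; the host names, blocklist entries, protocol set and thresholds are assumed placeholders that a real SIEM would take from its own feeds and baseline.

```python
from datetime import datetime

# Constructed sample proxy/firewall log lines (not from any real system):
# timestamp, source host, destination, protocol, bytes sent outbound.
SAMPLE_LOGS = """\
2016-05-10T09:12:01 ws-finance-07 mail.example.internal smtp 1200
2016-05-10T23:47:15 ws-finance-07 198.51.100.23 smb 45000
2016-05-10T03:05:44 fileserver-01 203.0.113.9 ftp 750000000
2016-05-10T11:30:00 ws-hr-02 pay-now-decrypt.example tor 800
2016-05-10T14:02:10 ws-hr-02 intranet.example.internal https 4000
"""

# Assumed tuning values; in practice the blocklist and the "unusual for this
# network" protocol set would come from the SIEM's threat feeds and baseline.
BLOCKLIST = {"pay-now-decrypt.example", "203.0.113.9"}
UNUSUAL_PROTOCOLS = {"tor", "smb", "ftp", "irc"}
ODD_HOURS = set(range(22, 24)) | set(range(0, 6))   # 22:00 to 05:59
EXFIL_THRESHOLD_BYTES = 500_000_000                # > 500 MB in one flow

def parse_line(line):
    """Split one space-separated log line into a typed event dict."""
    ts, src, dst, proto, sent = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "bytes": int(sent)}

def evaluate(event):
    """Return the names of the monitoring rules this event triggers."""
    hits = []
    if event["dst"] in BLOCKLIST:
        hits.append("blocklisted_destination")
    if event["proto"] in UNUSUAL_PROTOCOLS and event["ts"].hour in ODD_HOURS:
        hits.append("unusual_protocol_odd_hours")
    if event["bytes"] > EXFIL_THRESHOLD_BYTES:
        hits.append("large_outbound_transfer")
    return hits

def scan(log_text):
    """Map each source host to the set of rules its traffic triggered."""
    findings = {}
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            for rule in evaluate(event):
                findings.setdefault(event["src"], set()).add(rule)
    return findings

if __name__ == "__main__":
    for host, rules in sorted(scan(SAMPLE_LOGS).items()):
        print(host, sorted(rules))
```

A host that trips several rules at once (here the file server: blacklisted destination, unusual protocol at an odd hour and a very large outbound flow) is the kind of correlated finding that should be escalated rather than treated as three separate alerts.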

To conclude, protection against the rising threat of ransomware is not a one-time process, nor is it purely technology-based. The best defence strategy is one that has an equal mix of technology, awareness of the precautions to be taken by all stakeholders, and continuous monitoring of IT systems.

About the author

"The author is an IT risk management professional with over 16 years of experience with top global IT consulting firms. He has worked in diverse geographies such as India, the Middle East, Europe, Japan and North America, with a focus on areas such as IT governance, cyber security, robotics and data privacy."