How bad is it? Arctic Wolf Networks has measured a 433 percent spike in ransomware attacks over the past year, and the FBI says victims paid up $209 million in the first quarter of 2016, up from $24 million in all of 2015. And that only counts complaints actually registered with the bureau.
A basic attack involves enticing a victim to click on a corrupted attachment or web link that arrives in a legit-looking email message. If the ransomware successfully downloads, it's game over. In mere moments, all sensitive files on the targeted machine are swiftly encrypted. To unlock the files, the victim must purchase a decryption key from the attackers.
If you or your organization stores sensitive data, you could be targeted next. Frankly, the reason many organizations haven't been compromised is that the bad guys haven't gotten around to them yet. Here are five ransomware developments you'd be wise to fully grasp:
Attacks shift to companies.
Ransomware purveyors are reaping huge fortunes pillaging the business sector. These criminals are not content encrypting just the files on one PC; they are locking up wide swatches of data stored on servers deep inside company networks.
Elite criminals have begun probing long-known vulnerabilities in the open-source protocols that businesses rely on to stitch together digital systems and applications. Cisco recently disclosed how one ring has perfected a way to spread the notorious SamSam family of ransomware laterally inside company networks to multiple Microsoft Windows systems.
The latest ransomware variants are highly resistant to decryption. So if your organization does not maintain readily available back up files, purchasing a decryption a key, under duress, may be the only viable option. Typically, the victim is allowed 90 hours to pay up, a deadline emphasized by a countdown clock. Caught in a lurch, many companies are routinely paying five- and sometimes six-figure ransoms.
Bitcoin replaces cash.
The criminals are taking pains to route all attack-related communications through the Tor traffic anonymization system, making it difficult for law enforcement to track them down. And they demand payment in Bitcoin, which can be easily divided to pay ring members in an untraceable way.
"They'll give you steps on how to acquire the Bitcoin," says Travis Smith, senior security researcher at Tripwire, a supplier of compliance auditing systems. "Once you transfer your Bitcoin to the address they provide, then they'll give you the decryption key,"
Most often the criminals will deliver a decryption key upon payment. But sometimes the key doesn't work. Sometimes files get lost. There really is no way to tell if the attacker tampered with your files, or kept copies. And then there is the risk of re-infection. Cisco researchers report instances of ransomware striking the same users twice on the same machine.
It's crucial to realize that what we see now are early examples of server attacks that only scratch the surface. More invasive, resilient network-level attacks are sure to come. Cisco anticipates the coming of self-propagating ransomware that can spread on their own, just as Conficker and other Windows operating systems worms proliferated nearly a decade ago. Tripwire's Smith anticipates that it won't be long before experimentation to spread ransomware through the Internet of Things commences.
"We could see ransomware begin to target thermostats and TVs, as far as encrypting IoT devices and preventing consumers from accessing those devices," Smith says.
How do we deal with this today? Be vigilant and suspicious when clicking on attachments and web links. Never trust, always verify. Be obsessive about backing up important files. Train employees to be alert and patch known vulnerabilities in a timely manner, especially in open-source networking protocols. And, adjust to the fact that this will be the new normal, because ransomware is going to be with us for a while.