Ransomware attacks, in which online criminals block access to critical files until they’re paid to release them, are on the rise, security experts warn.
Last year, the Federal Bureau of Investigation’s Internet Crime Complaint Center saw 2,453 complaints about ransomware incidents that cost users a total of more than $1.6 million, according to the center’s annual report. The report cautions that many online attacks go unreported to law enforcement altogether, meaning total incidents and losses could be that much higher.
"And if the first three months of this year are any indication, the number of ransomware incidents—and the ensuing damage they cause—will grow even more in 2016 if individuals and organizations don’t prepare for these attacks in advance," the FBI warned in late April. According to security firm Proofpoint, ransomware accounted for three percent of the infected email samples it analyzed in 2015, but five months into 2016 it already accounts for 30 percent of samples.
"Never before in the history of humankind have people across the world been subjected to extortion on a massive scale as they are today," security firm Symantec said in an August report on the subject.
Ransomware typically installs itself after a victim is tricked into opening an attachment or clicking a link in a phishing email, or when a victim visits a compromised website running code that exploits vulnerabilities in the local operating system or browser. It either locks the victim out of the computer or encrypts the victim’s files with a secret key known only to the attackers. It then displays a message demanding a ransom to restore access, typically payable in bitcoin or another digital money transfer tool.
Typical ransom demands are about $300, according to the Symantec report, but victims—including companies and government agencies—can often be induced to pay more for access to their data. Hollywood Presbyterian Hospital in Los Angeles paid more than $17,000 in bitcoin to end a ransomware attack in February, Reuters reports, and even some local police departments have found themselves paying ransoms to regain access to their files.
The attacks can be more disruptive than traditional cyberattacks focused on stealing information, since they can entirely prevent access to critical business data that isn’t properly backed up.
"As harsh as it sounds, businesses can easily continue operations after a data breach," according to a March report from the Institute for Critical Infrastructure Technology. "Customers and end users tend to be the long-term victims. The same cannot be said for an active ransomware attack. Business operations grind to a halt until the system is restored or replaced."
And as the attacks have proven lucrative, they’ve also grown more sophisticated. While some early ransomware developers apparently wrote their own encryption code—considered poor programming practice in any circumstances, and often leaving flaws that let victims recover files without paying—newer ransomware uses off-the-shelf cryptographic libraries whose encryption is significantly harder to crack, says Engin Kirda, a professor at Northeastern University’s College of Computer and Information Science, who’s written about the subject.
"We’re seeing more and more ransomware using existing libraries," he says. "There’s a bit of sophistication from that point of view."
Attackers have also shifted to more sophisticated delivery mechanisms, switching from mass email blasts, which are often blocked by spam filters, to more targeted spear-phishing campaigns, according to the Symantec report. They’ve also developed downloadable ransomware toolkits that less-sophisticated hackers can deploy, and even "ransomware-as-a-service" offerings where developers pay commissions to hackers who can get their ransomware installed on other systems.
In some recent cases, including one that triggered a warning from Microsoft late last month, ransomware can spread from computer to computer through flash drives and network drives like a traditional computer virus. The Symantec report says, however, that ransomware operators are wary of accidentally holding the same organization’s systems for ransom multiple times, since they’re less likely to get multiple payouts.
"If the ransomware is continuously spreading through a network, infecting multiple computers and demanding payment each time, the cybercriminal’s promise to repair the damage after the victim pays the ransom is broken," according to Symantec. "Nobody will be willing to pay if the same gang continues to demand ransom payment after payment."
To some extent, the best way to prevent ransomware and minimize the damage it does is simply to establish good general security practices: training users not to open unexpected email attachments, making frequent backups that are kept separate from the systems they protect, and patching systems to remove the vulnerabilities that could give ransomware a way in.
In fact, if you’re prepared to restore machines from clean backups, getting attacked with ransomware can be better than other forms of malware, since it announces its presence rather than stealing data in the background, says Kirda.
"Ransomware is a problem, but at least if it hits you, they have to tell you that you’ve been infected to make money," he says. "If you actually do backups and you do offline backups, so you copy your data to the cloud, and you copy some good security practices, compared to some other types of malware ransomware’s not actually that bad, since once you’re infected you know something happened."
One problem, says Brian Nussbaum, a former intelligence analyst and an assistant professor of public administration at the State University of New York at Albany, is that many smaller organizations, including local governments, just have fewer computer security resources to prepare for that kind of attack.
"It’s going to be something that will push them to improve their IT practices," he says. "But it’s something that I think we’re likely to see for at least a while longer until people start having good backups and doing other hygiene stuff that keeps you safe from it."