How much is your data worth to you? For victims of ransomware this is no longer a rhetorical question but painfully real. Ransomware locks or encrypts data on a device and then demands a ransom for the key to release it. It is a comparatively lucrative business for cybercriminals: while the majority of traditional attacks involve seizing data and then finding ways to cash that data in, with ransomware they can earn the money at once. Victims feel the effect of cybercrime very directly.
Our security analysts predicted ransomware would grow fast in 2016, and it seems that they were right. The first quarter of 2016 saw a huge spike in samples of ransomware as it becomes fashionable among malware writers. These types of attacks are also expanding into new markets – one of the most recent shockingly taking place against the healthcare industry, with a hacker stealing 9.2 million US medical records. However, ransomware still represents just a small share of the total number of malware samples we detect.
The massive publicity for ransomware is giving rise to a worrying misconception. There seems to be a belief that the IT security industry can’t stop ransomware. But this is wrong. First, the detection rates for ‘cryptors’ are as high as for any other type of malware. Modern security solutions can even detect unknown attacks by analysing the behaviour of an executed file. Second, the vast majority of these attacks rely on rather classic malware technology and are therefore easy to block. Only a very small number of samples have been found to be using more elaborate techniques in an attempt to avoid detection by security software. So from a security point of view, we can say that ransomware is not that different to other malicious software.
There are a number of reasons behind its growing popularity. As mentioned before its success lies in its very direct approach. As a criminal, you infect a machine and get money for disinfecting it. This is straightforward and doesn’t need much additional effort. With stolen credit card data you have to find a way to cash in, but with ransomware you just wait for the money to arrive.
The public awareness of ransomware can also be explained easily. Victims of ransomware attacks feel its effect far more directly and severely than they do those of other types of attacks. Your data is blocked, your device unusable, you feel totally helpless. This is very unpleasant for consumers and can cause immense hardship for organisations, for example, if a hospital is hit, as has happened several times recently. In such circumstances the motivation to pay the ransom can be very high. But we advise people and organisations not to do so, as decryption is in no way guaranteed.
For those infected, the situation is tough. The encryption algorithms are usually strong and it can be difficult or even impossible to get your data back. The ‘No Ransom’ project initiated by Kaspersky Lab and the Dutch Police collects decryption keys and is able to help many victims – although not all of them.
But it doesn’t have to reach this point. The malware’s infection vectors are classic: malicious advertising, malware planted in websites, and infected email attachments and social networks. Modern security technologies can protect users and businesses from that. These days, internet security software has technologies like exploit protection, URL filtering, emulators and cloud technologies which protect users from known and unknown threats. We advise users of our own products to turn on the System Watcher component and Kaspersky Security Network. This should be complemented by a mitigation strategy, including regular backups and software updates. Users should also be alert to the kind of things to look out for.
And what will the future bring? It is hard to speculate. We have seen cryptors on Android, OSX and Linux, so in theory ransomware can spread to different platforms and devices. But in the end the question is where do criminals expect to earn the most money? And currently Windows and Android are the most lucrative platforms.