$209 million. That’s the amount of money criminals made in the first three months of 2016 through the deployment of ransomware—a type of malware that locks a computer or other connected device until the affected party pays up, and which is becoming more and more popular as a choice for online crime—according to a new report released by IBM Security.
According to the report, these criminals are growing more aggressive with their targets, flooding the digital world with several different types of this malware. Once again, the most popular method of infection is phishing emails, a huge proportion of which now contain the malware.
Spam messages containing malware experienced a 6,000% increase—that was not a typo, 6,000%—from 2015, when they made up 0.6% of all spam sent, according to the report.
“I recall being told that ransomware is the threat that keeps [security teams] up at night, because they don’t know when an employee will open up a tainted email,” says Limor Kessem, executive security advisor for IBM Security. “Businesses were most concerned about their financial data, tied with customer and sales records.”
Though IBM’s report recommends not paying the ransom and instead reporting the attack to the FBI, this anxiety is not unwarranted, and it puts in context the high percentage of businesses that have paid to get access back—70% of businesses surveyed by IBM have paid hackers, with the average ransom amount hovering around $10,000.
Protection of consumer or client data is paramount for a financial institution, said Joram Borenstein, vice president of marketing for NICE Actimize:
I’d argue that the problem is less scary for the financial institutions themselves and instead more scary for the clients of those institutions, meaning the consumers. High net-worth individuals are ideal targets for these schemes, especially as more and more of our financial lives become digitized.
$10,000 is not an overly high amount to be asked for, especially the bigger the business and the bigger the security budget, but it still represents a significant payday for the criminals—especially as more businesses pay, as opposed to reporting the breach.
These criminals also have a tendency to demand payment in anonymous or virtual currency like bitcoin, according to the IBM report, which makes payment easier to settle and harder to trace. The $209 million cost noted above comes only from reported instances of attacks, as Kessem pointed out.
“Ransomware has been around for a really long time,” says Kessem, placing its original incarnation in 1989, when the malware was installed via floppy disk and payment was sent through the postal system. “It really popped open with the rise of virtual and anonymous payment methods, and once the criminals started coming with the [modern encryptions], they have been able to make it really for consumers [and businesses].”
This speaks to a shift in strategy for the criminals deploying this ransomware—the new approach is quantity, not quality.
“They are asking for a smaller amount of money because businesses want them to go away, businesses don’t want to be exposed, and [the criminals] are going after the data necessary to that business,” says Stacy Leidwinger, vice president of product for RES Software. “The amount and types of ransomware are just exploding everywhere, and we’re seeing more and more ransomware go after the infrastructure of the web server—that way they can wait in ‘silent mode’ for someone with clearance [to access] the [right] data.”
This could be disastrous for businesses in particular (though ransomware attacks are also aimed directly at consumers), which is why Leidwinger recommends safeguarding the company against the ‘careless user’—aka the well-intentioned but hapless employee who clicks on the phishing emails—by whitelisting employee access, making sure employees can only open and execute files that have been approved for use.
Leidwinger also cited the need for employee education, a sentiment Borenstein echoed, noting, “… it would help matters if they also began to educate their users and clients about the risks inherent in this problem, particularly among their high net-worth individuals.”