Operations

11/21/2016
08:00 AM
Connect Directly
Facebook
Twitter
RSS
E-Mail
100%
0%

Ransomware Surveys Fill In Scope, Scale of Extortion Epidemic

Half of all surveyed organizations have been hit with ransomware campaigns in the last year, many more than once

Some 50% of organizations have been hit with a ransomware infection in the last year, and of those, 85% have suffered from three or more attacks, according to a user survey conducted by security vendor SentinelOne.

As a result, 70% of respondents report an increase IT security spending, and 65% have changed their security strategies to focus on mitigation. More than half — 52% —  say they've lost faith in their antivirus protection.

"It’s not surprising to see high levels of apathy towards traditional antivirus software, and we don't expect the ransomware epidemic to slow down anytime soon," says Jeremiah Grossman, chief of security strategy for SentinelOne, in a statement. "The situation is likely to get far worse, as some of the ill-gotten gains will be invested into research and development designed to improve encryption strength and utilize new delivery methods, as witnessed with Locky.”

Tis the season for vendors' ransomware surveys. PhishMe reports this week that developers of Locky ransomware have shown "creativity, agility, and adaptability" in their repeated improvements to the malware, frustrating the efforts of analysts, researchers and infosec professionals to prevent or mitigate attacks. And Cato Networks says that 73% of CIOs view defending against ransomware and other emerging threats as their top priority for 2017.

While few security pros would deny that ransomware is a growing problem, the trio of vendor reports begins to put the scope and scale of this malware epidemic into sharper contrast.

"Infosec professionals need to understand that ransomware leverages the current malware infrastructure, it's extremely easy to create, and it scales very well. It's also very lucrative for the bad guys," Grossman tells Dark Reading in a phone interview. Left unaddressed, the proliferation of ransomware threatens to mirror that of spam. "We have an opportunity now, but if we wait too long, ransomware's going to be everywhere," he adds.

Grossman also distinguishes between two kinds of ransomware attacks: indiscriminate and targeted. With indiscriminate campaigns, the bad guys know nothing about the content or value of the data they're encrypting. In a targeted attack, bad actors will go after a healthcare organization, for example, because it's literally life and death and widely assumed that they'll pay. "A couple weeks ago, a company was targeted and four hospitals had to reschedule patient operations while they dealt with ransomware infection," Grossman explains.

SentinelOne surveyed 500 "cybersecurity decision makers" at organizations with more than 1,000 employees in October 2016, including 200 people in the US, and 100 each in the UK, France, and Germany.

What can organizations do to protect themselves against this kind of extortion? One obvious preventive measure is performing regular data backups, so if an organization's servers or desktops get hit with a ransomware attack, they'll have unencrypted copies in reserve that allow them to carry on with business as usual. "One thing ransomware has done is inadvertently exposed the lack of backup data" on the part of end-users, Grossman explains.

It really comes down to patching, especially since browsers are getting hit with drive-bys; another protection is to monitor inbound attachments on email and to disable macros. "Should malware get into the system and start to execute, there's technology available that detects bad apps at runtime," Grossman recommends.

SentinelOne's survey highlighted other issues for companies hit with ransomware:

  • Company data most often affected by ransomware campaigns was financial data (52%), employee information (46%) and customer information (37%);
  • 68% of respondents agreed that traditional security techniques can't protect organizations from the next generation of malware;
  • Most companies still assume responsibility for data breaches and ransomware attacks; only 42% say they would demand answers from their IT security vendors.

Related stories:

 

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 3   >   >>
Lily652
50%
50%
Lily652,
User Rank: Moderator
12/11/2016 | 1:13:22 PM
prayer times

Nice to see this impressive article and wanna say thanks a lot for providing this much pretty info. I would like to share this with my friends to explore more about this

Lily652
50%
50%
Lily652,
User Rank: Moderator
12/11/2016 | 1:13:05 PM
prayer times

Nice to see this impressive article and wanna say thanks a lot for providing this much pretty info. I would like to share this with my friends to explore more about this 

kasstri
50%
50%
kasstri,
User Rank: Strategist
11/28/2016 | 11:12:26 AM
Re: keydown
Thanks for your post, BPID... we hear this same refrain with each new threat type that emerges: Vendors can fix this in software without involving the user. And yet here we are again!
Benefiter
50%
50%
Benefiter,
User Rank: Apprentice
11/28/2016 | 9:46:54 AM
2 przykazania miłości Modlitwa do Ducha Świętego o wyproszenie łask

It's actually a cool and useful piece of information. I am glad that you shared this helpful information with us.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
11/27/2016 | 11:19:40 PM
Re: Ransomware defense strategy
FWIW, virtualized sandboxing has been shown to be an effective countermeasure against ransomware -- and, indeed, that some forms of modern ransomware even actively scan for virtualized instances and decline to install if they find any (lest they be subjected to reverse engineering).
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
11/27/2016 | 11:01:03 PM
Re: Randsomware industry
@Terry: The only way I see regulation having an impact here is if it regulates businesses in certain sectors (e.g., healthcare, financial services, etc.) to specifically refuse to pay ransoms or set limits on the amounts they can pay -- and make the penalties for paying ransoms so substantial that such businesses would be compelled to not so pay.

And, as such, those regulations would be completely unworkable.  If a hospital's data is held ransom, human lives and limbs are at stake.  If a financial services' firm or even a generic Fortune 50 firm is held hostage, the entire global economy is at stake.

If those working in public policy really want to make a difference here, the solution is not regulation or legislation but rather better investment in improving cybersecurity.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
11/27/2016 | 10:55:36 PM
Re: Randsomware industry
We don't need more regulation or laws here.  This is already covered by existing laws and regulations (standard wire-fraud laws, plus the CFAA, for starters).
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
11/27/2016 | 10:54:30 PM
Re: Ransomware defense strategy
@Dr. T: The whole point goes to understanding.

If you're using an OS based in the command line, whether Unix, old-school MS-DOS, or whatever, you naturally have to know much more about what's going on on your machine than the average MacOSX or Windows user.  As such, you're more of a power user and in general will position yourself better.
ClaireEllison
50%
50%
ClaireEllison,
User Rank: Apprentice
11/27/2016 | 2:47:55 PM
Re: Industry
Excellent article plus its information and I positively bookmark to this site because here I always get an amazing knowledge as I expect.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
11/27/2016 | 2:39:58 PM
Re: Ransomware defense strategy
"We need legislation to clearly identify responsibility and the limits of that responsibility. " I agree with this. Added to that it needs to clarify accountability for the offenders.
Page 1 / 3   >   >>
Google Engineering Lead on Lessons Learned From Chrome's HTTPS Push
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
White Hat to Black Hat: What Motivates the Switch to Cybercrime
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
PGA of America Struck By Ransomware
Dark Reading Staff 8/9/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now about that mortgage refinance offer from Wells Fargo .....
Current Issue
Flash Poll
The State of IT and Cybersecurity
The State of IT and Cybersecurity
IT and security are often viewed as different disciplines - and different departments. Find out what our survey data revealed, read the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-3937
PUBLISHED: 2018-08-14
An exploitable command injection vulnerability exists in the measurementBitrateExec functionality of Sony IPELA E Series Network Camera G5 firmware 1.87.00. A specially crafted GET request can cause arbitrary commands to be executed. An attacker can send an HTTP request to trigger this vulnerability...
CVE-2018-3938
PUBLISHED: 2018-08-14
An exploitable stack-based buffer overflow vulnerability exists in the 802dot1xclientcert.cgi functionality of Sony IPELA E Series Camera G5 firmware 1.87.00. A specially crafted POST can cause a stack-based buffer overflow, resulting in remote code execution. An attacker can send a malicious POST r...
CVE-2018-12537
PUBLISHED: 2018-08-14
In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response.
CVE-2018-12539
PUBLISHED: 2018-08-14
In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code. Attach API is enabled by default on Windows,...
CVE-2018-3615
PUBLISHED: 2018-08-14
Systems with microprocessors utilizing speculative execution and Intel software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis.