Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

11/21/2016
08:00 AM
Connect Directly
Facebook
Twitter
RSS
E-Mail
100%
0%

Ransomware Surveys Fill In Scope, Scale of Extortion Epidemic

Half of all surveyed organizations have been hit with ransomware campaigns in the last year, many more than once

Some 50% of organizations have been hit with a ransomware infection in the last year, and of those, 85% have suffered from three or more attacks, according to a user survey conducted by security vendor SentinelOne.

As a result, 70% of respondents report an increase IT security spending, and 65% have changed their security strategies to focus on mitigation. More than half — 52% —  say they've lost faith in their antivirus protection.

"It’s not surprising to see high levels of apathy towards traditional antivirus software, and we don't expect the ransomware epidemic to slow down anytime soon," says Jeremiah Grossman, chief of security strategy for SentinelOne, in a statement. "The situation is likely to get far worse, as some of the ill-gotten gains will be invested into research and development designed to improve encryption strength and utilize new delivery methods, as witnessed with Locky.”

Tis the season for vendors' ransomware surveys. PhishMe reports this week that developers of Locky ransomware have shown "creativity, agility, and adaptability" in their repeated improvements to the malware, frustrating the efforts of analysts, researchers and infosec professionals to prevent or mitigate attacks. And Cato Networks says that 73% of CIOs view defending against ransomware and other emerging threats as their top priority for 2017.

While few security pros would deny that ransomware is a growing problem, the trio of vendor reports begins to put the scope and scale of this malware epidemic into sharper contrast.

"Infosec professionals need to understand that ransomware leverages the current malware infrastructure, it's extremely easy to create, and it scales very well. It's also very lucrative for the bad guys," Grossman tells Dark Reading in a phone interview. Left unaddressed, the proliferation of ransomware threatens to mirror that of spam. "We have an opportunity now, but if we wait too long, ransomware's going to be everywhere," he adds.

Grossman also distinguishes between two kinds of ransomware attacks: indiscriminate and targeted. With indiscriminate campaigns, the bad guys know nothing about the content or value of the data they're encrypting. In a targeted attack, bad actors will go after a healthcare organization, for example, because it's literally life and death and widely assumed that they'll pay. "A couple weeks ago, a company was targeted and four hospitals had to reschedule patient operations while they dealt with ransomware infection," Grossman explains.

SentinelOne surveyed 500 "cybersecurity decision makers" at organizations with more than 1,000 employees in October 2016, including 200 people in the US, and 100 each in the UK, France, and Germany.

What can organizations do to protect themselves against this kind of extortion? One obvious preventive measure is performing regular data backups, so if an organization's servers or desktops get hit with a ransomware attack, they'll have unencrypted copies in reserve that allow them to carry on with business as usual. "One thing ransomware has done is inadvertently exposed the lack of backup data" on the part of end-users, Grossman explains.

It really comes down to patching, especially since browsers are getting hit with drive-bys; another protection is to monitor inbound attachments on email and to disable macros. "Should malware get into the system and start to execute, there's technology available that detects bad apps at runtime," Grossman recommends.

SentinelOne's survey highlighted other issues for companies hit with ransomware:

  • Company data most often affected by ransomware campaigns was financial data (52%), employee information (46%) and customer information (37%);
  • 68% of respondents agreed that traditional security techniques can't protect organizations from the next generation of malware;
  • Most companies still assume responsibility for data breaches and ransomware attacks; only 42% say they would demand answers from their IT security vendors.

Related stories:

 

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 3 / 3
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
11/25/2016 | 5:30:41 PM
Re: Ransomware defense strategy
Good points.  This is why I preferred the days of MS-DOS.  After I was compelled to upgrade, my understanding of my computer and its processes severely diminished.
kasstri
50%
50%
kasstri,
User Rank: Strategist
11/22/2016 | 7:50:27 AM
Re: keydown
Thanks for your post, BPID... we hear this same refrain with each new threat type that emerges: Vendors can fix this in software without involving the user. And yet here we are again!
Shantaram
100%
0%
Shantaram,
User Rank: Ninja
11/22/2016 | 5:21:28 AM
Re: 192.168.l.l
It is the right words, I fully agree with you
ClaireEllison
50%
50%
ClaireEllison,
User Rank: Apprentice
11/21/2016 | 4:20:42 PM
Re: Iamazing
Excellent article plus its information 
ClaireEllison
50%
50%
ClaireEllison,
User Rank: Apprentice
11/21/2016 | 4:17:38 PM
Re: amazing
Excellent article plus its information and I positively bookmark to this site because here I always get an amazing knowledge as I expect.
T Sweeney
50%
50%
T Sweeney,
User Rank: Moderator
11/21/2016 | 10:45:49 AM
Re: Ransomware defense strategy
Thanks for your post, BPID... we hear this same refrain with each new threat type that emerges: Vendors can fix this in software without involving the user. And yet here we are again!

I'd welcome better insight as to what happens on the vendor or developer side. Is ransomware prevention just one more thing in the OS security equivalent of whack-a-mole? Do vendors only see costs that they won't recoup?
BPID Security
50%
50%
BPID Security,
User Rank: Strategist
11/21/2016 | 10:10:36 AM
Ransomware defense strategy
The concept of ransomeware is insidious, not just that it encrypts but that it can be forwarded via email to all your email recipients.

That being stipulated, it should be rather easy to have the OS, or any OS, monitor activities for encryption and notify users of questionably nefarious activities.

Online game makers have long ago created CPU process monitors to prevent realtime game 'cheating'.

The function is simple to understand, monitor for encryption code running in the cpu rather than the contents of an executale. Then stop it unless the user permits. Otherwise send it to AV for cleanup. Building it is a bit more complex as was the one my firm built for a client. Really the CPU resources and disk activity of full disk encryption is really easy to detect.

Ransomware exists because we make computers with an interface non technical people can use, It wouldn't live very long in a command line OS. Holding users responsible for their failures just adds more stuff people will ignore. It is the responsibility of the service, software or vendor to protect the user.

As an analogy: If you rent a hotel room for a night, go to dinner and your door doesn't lock, and someone comes in and spray paints the room and your possessions, who is ultmately responsible for the loss? You as temporary rentor of the service, or the security of the hotel?

We need legislation to clearly identify responsibility and the limits of that responsibility.

Still, it is a problem that technology created, one that is beyond the technical expertise of most users, and one that is solvable through intelligent technology.
<<   <   Page 3 / 3
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3154
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
CVE-2019-17190
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
CVE-2014-8161
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
CVE-2014-9481
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVE-2015-0241
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...