“Your Computer Has Been Locked” - Everything you need to know about Ransomware

By Reduxio Systems for Beyond The Blocks - Monday, October 17, 2016


Are you concerned that your industry will become the target of ransomware? Have you heard about the different types of ransomware and how much operating loss your company could be subjected to? Are you aware of the different ways to prevent and recover from ransomware lockouts?

The rise of ransomware, a specialized form of malware that charges a user a ransom to restore a locked-up or encrypted system, is taking center stage in 2016, inspiring news outlets, the FBI, and major business interests to take notice. Healthcare, government, and law enforcement agencies are the most frequent targets, with experts looking at the manufacturing space as the next likely battleground, including networks managing logistics, supply chain, and RFID tracking systems.

Recovering a network in the event of a modern ransomware attack is no easy task, and many of the most advanced networks are ill-prepared to respond. Ransomware can sometimes take months to identify, isolate, and deactivate. In recent times, the most common way to deal with a ransomware lockout, even according to the FBI, was simply to pay the ransom demand. Estimates for ransomware payments made to hackers in Q1 2016 have so far surpassed $200 million.

The ransomware of just a couple of years past was small potatoes compared to today, prompting unsuspecting users to download email attachments spiked with viruses. In the past, what appeared to be a .pdf or a web link would trigger a .exe or .dll file to download and auto-install on a local hard drive. The downloaded applications would sometimes spend weeks or months cataloging file systems, and one day the user would find all of their files either encrypted beyond use or screen-blocked and inaccessible, with nothing to see except a popup window demanding a bounty of $300 or so to unlock or decrypt.

Ransomware's past has proven merely a prologue, though, as ransomware attacks approaching the second half of 2016 have become more advanced, more covert, more frequent, and far more expensive, locking up IT powerhouses at hospitals and police departments, with the price of a single ransom demand on a large institution now averaging in the $15,000 to $20,000 range.


The Growth of Ransomware


Ransomware is considered to be the current biggest threat to data security, and the tide is rising quickly. Ransomware attacks specifically have increased fivefold in a single year, from 131,111 ransoms in 2014/2015 to 718,536 in 2015/2016. Ransomware attacks on corporate-level data more than doubled in this same time period, from 6.8% to 13.3% of large corporations being targeted for ransoms. In the first quarter of 2016, the number of ransomware attacks increased by 30% above attacks occurring in the fourth quarter of 2015. The daily count for ransomware attacks has risen from 1,000 per day to 4,000 per day in a single year, and attacks continue to increase in frequency.

"Ransomware domains," the domains used for hosting malware downloads and for communicating with malware, are also booming. In Q1 2016, domains became the hacker's preferred method for managing malware, with the number of ransomware domains increasing by 3,500% and domain-based malware management now accounting for up to 60% of the total malware category.

The total number of human encounters with ransomware increased by 17.7% in the same time period, from 1,967,784 to 2,315,931. The total number of deployed ransomware samples scrubbed from networks worldwide, though, had already started ballooning, from 1.5 million in Q3 2013 to 4 million in Q2 2015. Crypto-ransomware attacks specifically, attacks that encrypt a user's files and demand a ransom to decrypt them, increased by 5.5 times, from 131,111 to 718,536. This is a significant rise, from a meager 6.6% of all ransomware to a majority 31.6% of total ransomware encounters around the world, proving encryption has become the preferred method of operation for hackers.

This is not to say the entire world is at equal risk, though, as networks in the United States, Germany, and Italy are the most frequently targeted, with signs pointing to certain regions of Europe as the likely origins of the ransomware campaigns.

In the United States, the FBI estimates that ransomware cost its targets about $209 million in Q1 2016, up from $24 million the entire previous year. Their estimate covers paid ransoms, revenue lost from downtime, and the cost to recover systems and networks.


The evolution of Ransomware techniques


Ransomware often arrives as a traditional email phishing scam and has prompted a renaissance of sorts in phishing, accounting for 93% of all phishing emails, which increased in number by 6.3 million in Q1 2016, a 789% jump from Q4 2015. These emails usually trick a user into downloading a Microsoft Office document or a malicious JavaScript file laced with ransomware.

As stated earlier, ransomware has evolved from the modest days of "phishing scams," moving on to target Android apps, advertising networks, and even a sanctioned iOS app in the Apple App Store. From 2015 to 2016, ransomware targeting mobile specifically quadrupled, from 35,413 to 136,532, with only 4 malware families responsible for over 90% of the attacks on mobile.

Targeting PC users in the US, a March 2016 campaign to piggyback ransomware onto advertising networks spread across websites like the New York Times, the BBC, AOL, and the NFL, reaching billions of users. The campaigns exploited a security flaw in Microsoft Silverlight, still used by the ad networks even though it had not received an update since 2013.

The "Flocker" ransomware targets only Android TV, but leaves the device alone if it determines you are watching from Kazakhstan, Bulgaria, Hungary, Ukraine, or Russia. If you don't live in one of those locations, the application blocks your screen and demands $200 in the name of a fictional law enforcement organization, payable in iTunes gift cards.

Hospitals appear to be the most frequent "big ticket" targets, averaging around $18,500 per ransom, usually payable only in Bitcoin, and showing up at hospitals from Germany to Maryland and Washington, DC.


Ransomware Targeting Healthcare, Government, and Universities


One of the highest profile ransomware attacks in recent memory occurred in February 2016 at the Hollywood Presbyterian Medical Center in Los Angeles, CA. The ransomware on Hollywood Presbyterian's network blocked doctors and nurses from accessing any form of patient records or electronic communications, effectively closing down the hospital's emergency room capabilities for 10 full days, at which time the hospital's president and CEO simply decided paying the $17,000 ransom would be the quickest way to restore systems.

A week later, Los Angeles County Department of Health Services was able to isolate a separate ransomware attack on their system and has refused to pay the hackers anything.

Since February, Methodist Hospital in Kentucky and Maryland's MedStar, with 10 hospitals under management, have also been targeted, with ransoms from $1,600 to $18,500. These institutions, though, were reportedly able to resolve network problems without paying any hackers. Healthcare institutions in Germany and New Zealand have encountered similar ransomware attacks, as reported by the U.S. Computer Emergency Readiness Team (US-CERT).

High profile targets in the U.S. have included the U.S. House of Representatives, 29 federal agencies, a BitTorrent application on Apple desktops, and a public school system in South Carolina. Police Departments in Massachusetts, Tennessee, and New Hampshire found the FBI and private firms unable to decode their newly-encrypted databases, and resorted to paying ransoms valued from $500 to $750.

A locked-up University of Calgary network prompted administrators to pay a group of hackers a Bitcoin ransom valued at 20,000 Canadian dollars to regain system access.


How you can be prepared for a Ransomware attack: Prevention and Recovery


In response to this very expensive mess, experts are advising that system administrators NOT pay any ransom demands. Because uncertainty continues as ransomware evolves, though, experts say the first step is to take preventive measures to ensure the integrity of your data, your systems, and your networks, so as to be prepared beforehand for the increasingly likely event of a ransomware holdup. Experts advise installing the latest patches and updates from software vendors, which are assumed to include the best available protections against malware.

Frequently scheduled offsite backups remain the best strategy for maintaining data integrity, and the more frequent a network's overall "snapshots" of a point in time, the more likely it is to recover from a lockout or an encryption with little loss.

The usual best practices for networks include limiting access to secure areas, sandbox filtering for email accounts, segmenting network activities to isolate any breaches, extending visibility to every square inch of your distributed network, training your staff to detect malware activity, and basically assuming that your network will, at some point in time, become the target of ransomware.


Best practices for mobile and user bases follow similar common-sense procedures. Restricting a mobile fleet from downloading or installing apps from anywhere besides the official app stores will usually preclude ransomware gaining access. Still, continuous monitoring is and will continue to be a necessity, based on security controls that can identify malware and malicious web links, which can often sneak through the tiniest gaps in a network.

While preventing a ransomware attack means being prepared for one, external protections can ensure that any consequences of a system attack can easily be reversed. Improving upon the "snapshot" technique for data backup, the new BackDating innovation enables IT administrators to continuously record data from specific stacks or from entire networks, with a granularity of seconds. Admins can simply turn on BackDating and then pick a specific second in time to "scroll back" the system. No more losing the work your development team spent the last hour implementing, or walking in at 8 a.m. to find last night's data crunch encrypted or inaccessible. Admins can scroll back the network to any previous second recorded by BackDating, to a point before the malware was installed or deployed. The BackDating application is validated for VMware, Oracle, and Windows.
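As an added illustration of the recovery model described above (not Reduxio's code and not how BackDating is implemented), the toy below keeps an append-only journal of writes at one-second granularity, flags the first second in which many files were rewritten at once, and rebuilds the file set as it stood one second earlier; the journal entries are constructed sample data, and the burst threshold is an assumed tuning value.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class WriteEvent:
    ts: int        # second at which the write was recorded
    path: str
    content: bytes

def state_at(journal, ts):
    """Replay the journal up to and including second `ts` to rebuild the file set."""
    state = {}
    for ev in sorted(journal, key=lambda e: e.ts):
        if ev.ts > ts:
            break
        state[ev.path] = ev.content
    return state

def first_burst_second(journal, threshold):
    """Earliest second in which at least `threshold` distinct files were rewritten.
    Crude monitoring heuristic: crypto-ransomware rewrites many files in a very
    short window, which ordinary work rarely does. Returns None if no burst."""
    per_second = defaultdict(set)
    for ev in journal:
        per_second[ev.ts].add(ev.path)
    for ts in sorted(per_second):
        if len(per_second[ts]) >= threshold:
            return ts
    return None

def recover(journal, threshold):
    """Roll back to the last second before the first burst; latest state if none."""
    burst = first_burst_second(journal, threshold)
    if burst is None:
        return None, state_at(journal, max(ev.ts for ev in journal))
    return burst, state_at(journal, burst - 1)

# Constructed sample journal (not real telemetry): an hour of normal edits,
# then every file rewritten with opaque bytes within the same second.
SAMPLE_JOURNAL = [
    WriteEvent(1000, "docs/report.docx", b"quarterly numbers v1"),
    WriteEvent(1005, "docs/budget.xlsx", b"budget draft"),
    WriteEvent(1030, "docs/report.docx", b"quarterly numbers v2"),
    WriteEvent(3600, "docs/notes.txt", b"call vendor"),
    WriteEvent(4000, "docs/report.docx", b"\x8a\x1f\xc3\x07"),
    WriteEvent(4000, "docs/budget.xlsx", b"\x42\x9e\x00\xd1"),
    WriteEvent(4000, "docs/notes.txt", b"\x77\x03\xee\x5a"),
]
```

`recover(SAMPLE_JOURNAL, 3)` returns second 4000 as the burst and the three files as they were at second 3999; with a threshold the burst never reaches, it returns the latest (encrypted) state, which is the failure mode a too-loose threshold produces.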

Download the BackDating Product Brief

Industry Segments targeted by Ransomware in 2016


In 2016, ransomware has become the single biggest danger facing business and IT interests, resulting in long-term system outages at hospitals, universities, and public service organizations across North America and Europe, among others, and only gaining strength as time progresses.

Ransomware today is more widely distributed and more advanced than other forms of malware encountered in years past, inspiring a hacking resurgence that often exploits missing links in legacy systems not designed to identify or block newer deployments of malicious code.


The surge in ransomware attacks, and specifically in crypto-ransomware attacks, is making the business world nervous, with experts indicating that manufacturing and the supply chain will become the next big targets for encryption malware and ransom demands.

For all these reasons and based on hundreds of millions of dollars lost to ransomware by major companies in the first half of 2016 alone, the future of business technology is banking on ransomware prevention and system recovery.



Written by Reduxio Systems

There has been no fundamental innovation in data management for primary storage for the last two decades. In 2012, a group of storage industry veterans founded Reduxio with the vision to redefine data management and protection by taking advantage of new processing, networking and media technologies.
