Ransomware attacks against businesses will become more common, more damaging and more expensive, security vendor LogRhythm has warned.
Cybercriminals have traditionally used mass distribution ransomware to sting individuals or small businesses for a few hundred dollars' worth of Bitcoins here or there.
But now they have set their sights on larger organisations that have bigger budgets to pay bigger ransom demands, LogRhythm said, citing a spate of attacks to hit hospitals and other healthcare operators in the US in Q1.
The Hollywood Presbyterian Medical Center, which was by one estimate thought to be losing $100,000 (£75,000) a day just on its inability to perform patient CT scans, paid its attackers $17,000 to unlock its files following a ransomware attack in February.
"We are seeing criminals shift their tactics to targeted ransomware attacks," said Ryan Sommers (pictured), manager of incident response at LogRhythm in a recent report.
"They scope out a specific organisation that has deep pockets and is more likely to pay a hefty ransom request in order to minimise the downtime."
Because these attacks are so lucrative, they are sure to become more common, LogRhythm added, highlighting figures from the FBI which estimate that $1bn will be paid out to cybercriminals using ransomware this year.
Larger organisations served by the channel not only have bigger budgets to pay bigger ransoms, but also have more important files and computer systems critical to their daily operations, the vendor pointed out.
Some 72 per cent of companies hit by a ransomware attack cannot access their data for at least two days following the outbreak, according to research from Intermedia cited by LogRhythm, with 32 per cent losing access for five days or more. In 47 per cent of cases, the attacks spread to more than 20 staff.
Whereas the timeline of a mass distribution attack is often as little as 15 minutes, the new style of targeted attacks coming into vogue act more like APTs, LogRhythm said, with cybercriminals looking to inflict as much damage as possible by infecting the entire business in order to bring in a higher ransom.
"Given that targeted attacks are usually operated by a person as opposed to an automated system, the response timeline can be a little less critical than for mass distribution ransomware. Unfortunately, this also means the attack can be more difficult to detect," LogRhythm said.
Five steps to stopping ransomware
However, there is no reason why the channel cannot help detect and snuff out even targeted attacks before they have taken hold, LogRhythm said.
The five key steps of defence are preparation, detection, containment, eradication and recovery, the vendor said.
The preparation step involves patching aggressively, creating and protecting backups and preparing a response plan in the event of an attack. Assigning least privileges, connecting with intelligence sources and protecting end-points were also recommended by the vendor, alongside investing in a cyberinsurance policy that explicitly covers losses due to ransomware.
"The cost of a ransomware attack can be quite high – not just the cost of the ransom itself, but also the loss of business during the time that files and documents are unavailable," LogRhythm said. "For example, when Hollywood Presbyterian Medical Centre experienced its ransomware attack in February 2016, the hospital was crippled. The Radiation Oncology department was shut down, and CT scans and lab work were unavailable. Affected patients were transferred to other facilities or simply turned away. The inability of the hospital to provide its normal business services for more than a week was financially devastating."
The second step – detection – can minimise the damage in the event of an attack, LogRhythm said. To this end, firms should be priming their defence devices, screening email for malicious links and payloads, using rule blocks for executables and looking for signs of encryption.
The next step is that of containment, the vendor added. Once the ransomware has done its dirty work on one device, steps can be taken to contain it locally so that network files are not affected. This includes killing the running processes and isolating the afflicted end-point.
Step four – eradication – involves replacing, rebuilding or cleaning machines and step five – recovery – primarily involves restoring from backup and looking for the infection vector, as well as notifying the relevant law enforcement agency.
"Because these attacks are so lucrative for the perpetrators, they are certain to become more common, more damaging, and more expensive. What's more, almost every organisation – large or small – is vulnerable to a ransomware attack," LogRhythm said.
"Your organisation's success in defending against a ransomware attack is largely dependent on your level of preparation and the tools you deploy to monitor your systems and to detect, shut down and contain suspicious activity."