
posted by martyb on Friday August 05 2016, @08:20PM
from the offsite-and-offline-backups-FTW dept.

The threat of ransomware is becoming widespread among corporations, with almost half of U.S. businesses suffering an attack from the nasty form of malware recently, according to a new survey.

Security firm Malwarebytes sponsored the study, which found in June that 41 percent of U.S. businesses had encountered between one and five ransomware attacks in the previous 12 months.

Another 6 percent saw six or more attacks.

The study surveyed corporations in the U.S., Canada, U.K. and Germany to gauge how ransomware affected their operations.

The malware, which can infect a computer and take the data hostage, can be bad for business. Thirty-four percent of the victim corporations in the countries surveyed reported losing revenue because the ransomware had prevented access to important files.

U.S. businesses victimized by the malware generally didn’t suffer a heavy toll and only 6 percent of them reported losing revenue. In most cases, the malicious code only affected personal files.

[...] More amateur cybercriminals are probably indiscriminately spreading ransomware in the U.S. like spam, the survey added. Low-level ransom demands of up to $500 are prevalent in the U.S. However, high ransom demands of more than $10,000 are more common in Germany.

Malwarebytes sponsored Osterman Research to conduct the study by surveying 540 CIOs, CISOs and IT directors across the four countries.

What steps has your company taken to protect against ransomware? Is it enough? What about your personal system(s)?


Related Stories

Wildfire, the Ransomware Threat that Aims to Take Holland and Belgium Sites Hostage

Securelist.com has a writeup about a new ransomware that mostly targets the Netherlands:

While ransomware is a global threat, every now and then we see a variant that targets one specific region. [...] Today we can add a new one to the list: Wildfire.

Wildfire spreads through well-crafted spam e-mails. [...] Three things stand out here. First, the attackers registered a Dutch domain name, something we do not see very often. Second, the e-mail is written in flawless Dutch. And thirdly, they actually put the address of the targeted company in the e-mail. This is something we do not see very often, and it makes it difficult for the average user to see that this is not a benign e-mail.

Even though Wildfire is a local threat, it still shows that ransomware is effective and evolving. In less than a month we observed more than 5700 infections and 236 users paid a total amount of almost 70.000 euro. This is also due to the fact that the spam e-mails are getting better and better.

When you are infected with Wildfire, the malware calls home to the C2 server where information such as the IP, username, rid and country are stored. The botnetpanel then checks whether the country is one of the blacklisted countries (Russia, Ukraine, Belarus, Latvia, Estonia and Moldova). It also checks whether the "rid" exists within a statically defined array (we therefore expect the rid to be an affiliate ID).

If the rid is not found, or you live in one of the blacklisted countries, the malware terminates and you won't get infected.

Each time the malware calls home, a new key is generated and added to the existing list of keys. The same victim can thus have multiple keys. Finally the botnetpanel returns the bitcoin address to which the victim should pay, and the cryptographic key with which the files on the victim's computer are encrypted.

  • (Score: 2, Interesting) by Anonymous Coward on Friday August 05 2016, @08:40PM (#384616)

    Wow, 47 percent of US businesses? That's an incredibly high number for a 12 month period. I don't believe it.

    • (Score: 2, Informative) by Anonymous Coward on Friday August 05 2016, @08:49PM (#384618)

      This report presents the US results of a survey undertaken in the United States, Canada, Germany and the United Kingdom on ransomware and related issues. The survey was conducted during June 2016 with 165 organizations in the United States, and 125 each in the other nations for a total of 540 surveys completed.

      Small sample size, and the study was done by a company that sells anti-malware products. I could believe it, but I could also believe that the survey was done as a marketing activity.

      • (Score: 3, Insightful) by Anonymous Coward on Friday August 05 2016, @09:05PM (#384624)

        I could actually see that number being higher, due to how the question is interpreted by the respondent. For example, our HR department and those with publicly posted email addresses get at least one ransomware file a month and commonly have at least one a week. However, none of those have made it past the layered security. So, depending on the mood of our CIO, either we have "experienced" zero ransomware attacks or more than twenty. Similarly, a friend who runs his own business got his first of the year, but VT flagged it; so, he "experienced" either zero or one, depending on his experience.

        • (Score: 0) by Anonymous Coward on Friday August 05 2016, @09:14PM (#384628)

          Good point. Attempted (but failed) attacks are still attacks. I wasn't thinking of them as such.

    • (Score: 4, Interesting) by EvilSS (1456) Subscriber Badge on Friday August 05 2016, @08:55PM (#384620)

      I'm surprised it's that low. Every company I talk to has been playing whack-a-mole with ransomware for the past two years. Most of it doesn't require the user to have admin rights; it uses their existing access to their own profile folders (desktop, my documents) and their network access to things like department shares to do its work. AV products have a hard time picking it up since it tends not to do the usual things that other viruses do, like writing to weird OS locations or trying aggressively to hide itself. It's usually not added to definition updates until after a particular ransomware executable is found in the wild. It only takes one user's machine getting infected to cause a huge headache if it's not caught quickly.
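
A defender-side illustration of the behaviour described in the comment above (an added example, not code from the comment or from any product): a sliding-window detector over constructed file-write events that flags one user process writing many high-entropy files to a share in a short period, which is the footprint a user-level encryptor leaves whether or not it has admin rights. The user names, process names, share paths and thresholds are all made up.

```python
import math
from collections import defaultdict, deque

# Sliding-window thresholds (assumed values; tune per environment).
WINDOW_SECONDS = 60
MIN_FILES = 5
MIN_ENTROPY = 7.0   # bits/byte; encrypted output sits near 8.0, documents far lower

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def detect_mass_encryption(events):
    """events: (ts_seconds, user, process, path, written_bytes), sorted by ts.
    Returns one alert (ts, user, process, distinct_files) per user/process that
    writes MIN_FILES distinct high-entropy files inside WINDOW_SECONDS."""
    recent = defaultdict(deque)   # (user, process) -> deque of (ts, path)
    alerted, alerts = set(), []
    for ts, user, process, path, content in events:
        if shannon_entropy(content) < MIN_ENTROPY:
            continue              # ordinary document saves never enter the window
        key = (user, process)
        window = recent[key]
        window.append((ts, path))
        while ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()      # drop writes older than the window
        distinct = {p for _, p in window}
        if len(distinct) >= MIN_FILES and key not in alerted:
            alerted.add(key)
            alerts.append((ts, user, process, len(distinct)))
    return alerts

# Constructed sample data: a stand-in for encrypted output (entropy exactly 8.0),
# a stand-in for normal document text, and a write stream on a department share.
CIPHERTEXT_LIKE = bytes(range(256)) * 16
PLAINTEXT_LIKE = b"Quarterly figures, see the attached table. " * 100
SAMPLE_EVENTS = [
    (0, "alice", "winword.exe", r"\\fs01\finance\q2.docx", PLAINTEXT_LIKE),
    (5, "bob", "updater.exe", r"\\fs01\finance\old.xlsx", CIPHERTEXT_LIKE),  # lone write, ages out
    (100, "alice", "winword.exe", r"\\fs01\finance\q3.docx", PLAINTEXT_LIKE),
] + [
    (200 + 3 * i, "bob", "updater.exe", rf"\\fs01\finance\doc{i}.xlsx.locked", CIPHERTEXT_LIKE)
    for i in range(6)
]
```

Running `detect_mass_encryption(SAMPLE_EVENTS)` yields a single alert for bob's `updater.exe` once its fifth distinct high-entropy write lands inside the window; alice's ordinary saves and bob's isolated earlier write never trip the rule.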

      • (Score: 2) by julian (6003) on Friday August 05 2016, @09:16PM (#384631)

        Fire one employee for negligence and watch how quickly the rest start taking security seriously.

        • (Score: 0) by Anonymous Coward on Friday August 05 2016, @09:33PM (#384634)

          For a few months anyways. Then things will slowly start slipping back to how it was before. Good security takes dedication and willingness to take extra steps to make sure things are done right; most desk jockeys just can't maintain it. It's funny how inefficiently they are willing to perform some tasks day in and day out, yet security never seems to be one of those things. It boggles the mind.

          • (Score: 0) by Anonymous Coward on Friday August 05 2016, @10:42PM (#384644)

            It's because they are not rewarded/evaluated/fired based on it.

        • (Score: 0) by Anonymous Coward on Saturday August 06 2016, @04:04AM (#384692)

          Fire an employee for what other employees perceive as an honest mistake that anyone could make, and watch yourself having a very hard time retaining any employees. Employees are expensive to replace and you don't want to encourage them to quit. This should be done with a whole lot of care if you want to go down this route.

          That's not to say you shouldn't be tough but I think educating them on how to avoid such ransomware, where to report it to if you suspect you have it, and emphasizing the importance of keeping it off your system would go a long ways.

          • (Score: 3, Insightful) by lentilla (1770) on Saturday August 06 2016, @12:46PM (#384744)

            Bravo - good comment. The insidious thing about malware is that it sneaks up and catches people unawares by its very design. I'd wager that getting infected by malware is almost always an "honest mistake". I certainly agree with you that firing people in such a capricious manner would be counter-productive.

            "educating them on how to avoid such ransomware"

            This might be difficult. Could you design an effective training course? I think I'm well placed to design such a course: I've trained adults in the workplace and I understand computers. I'm at a loss imagining how even to begin to approach the topic.

            If I was asked for advice I'd trot out the usual suspects. Just off the top of my head: avoid certain classes of software (Acrobat, Flash, etc), minimise third-party ECMAscript, don't open documents with live content (aka "macros"), don't execute or install anything, don't allow your mail client to parse HTML, don't click links in emails (and most especially those from third-party domains or with markers that are likely to uniquely identify the recipient [like http://example.com/newsletter?id=bcbd4ad63bcbfa]). Unfortunately, most people would be unable to get much done if they were to follow my rules.

            At any rate, the rules go flying out the window the moment an email arrives [purportedly?] from the boss containing an Excel spreadsheet with macros with the text: "update the attached by close of business". If it's hard to explain malware vectors to staff, it's even harder to explain to the boss - especially with deadlines looming.

      • (Score: 1) by anubi (2828) on Saturday August 06 2016, @07:28AM (#384715)

        In a way, I am happy to see that at least businesses are becoming aware of the cesspool of malware out there. It is so frustrating to try to talk to a business about their communication models when all the businessman knows about is what was in the package of sales tools provided by some vendor.

        It can be frustrating, like a medical guy from the USA visiting Africa, knowing an ebola outbreak is in place, but the guy he needs to do business with keeps insisting on handshakes.

        Or, in cyberspace, JavaScript.

        --
        "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
    • (Score: 2) by Open4D (371) on Friday August 05 2016, @11:40PM (#384654)

      I tend to think it should be mandatory for corporations to report most/all crimes committed against them. For minor things like untargeted malware it would give much more accurate data. And for major things like targeted DDOS blackmail, it would work against the serious social problem of corporations being incentivized to just give money to the crooks so as to avoid bad publicity.

      (I am not an expert, so I don't know what's already in place. I guess reporting data protection failures, at least, probably already is mandatory.)

      Obviously, for the minor crimes, there would need to be a very lightweight reporting process.

  • (Score: 0) by Anonymous Coward on Friday August 05 2016, @08:57PM (#384621)

    Security firm says "all your bases are belong to the hackers!!!@#@!!!!!"

    Who you gonna call? Ghost Busters!!!

  • (Score: 1, Funny) by Anonymous Coward on Friday August 05 2016, @09:08PM (#384625)

    I do my part by clicking every link and opening every attachment in every spam email I get. I also try to follow every ad that pops up. Sure, it takes a lot of time out of my day, but it's well worth it. Like when I take my kids to a chicken pox party, I'd rather these viruses be handled naturally instead of trusting my company's network to Big Anti-Virus or some shady "ad blocking" extension.

  • (Score: 1, Insightful) by Anonymous Coward on Friday August 05 2016, @09:15PM (#384629)

    It is pretty common, but, it is not always real malware. It might be the survey (which I didn't read) counted pop-ups as "malware". Sometimes, you see pop-ups that block the screen, and claim to be ransomware, and users don't know how to deal with this, so they call the helpdesk.

    Had a few clients get the real thing, a few months ago. Most were restored from backups; it was time-consuming but it worked. One couldn't be - a user with local admin rights had stored their personal photos in a folder off the C drive, not watched by backups. They paid it. Another one, they had installed a SQL server and made it integral without contacting IT. They learned to do without the broken database.

    Overall things have gotten better, but it's because we got more ruthless in preventing these from reaching users. There is a Software Restriction Policy now on various systems with users prone to this - not unbeatable, it is path-based, but it has been a good step. It blocks a few things a week.

    The spam filter is more ruthless about blocking attachments now too.

  • (Score: 0) by Anonymous Coward on Friday August 05 2016, @09:23PM (#384633)

    physically archive data offsite, keep recovery instructions on paper - anything I forgot?

    • (Score: 0) by Anonymous Coward on Friday August 05 2016, @10:07PM (#384641)

      Stop running as Admin every-frickin-where.

      • (Score: 0) by Anonymous Coward on Friday August 05 2016, @11:07PM (#384650)

        These things don't require admin privileges to be effective. Anything that is in a network share is a potential target.

        • (Score: 0) by Anonymous Coward on Saturday August 06 2016, @12:39AM (#384664)

          That and they usually come packaged with a privilege escalation exploit anyway.

  • (Score: 2) by richtopia (3160) Subscriber Badge on Saturday August 06 2016, @12:34AM (#384662)

    I take security on my personal system relatively lightly, with basic anti-virus and a heavy dose of don't talk to strangers on the internet.

    I do however use SpiderOak to backup in the background. Am I mistaken for thinking that a robust backup strategy mitigates the effects of these attacks? If someone encrypts my computer, I would return to previous versions of my files that are not encrypted. Inconvenient yes, but devastating no.

    • (Score: 2) by Scruffy Beard 2 (6030) on Saturday August 06 2016, @07:42AM (#384719)

      For your back-ups to be safe, they must be "off-line".

      Not sure SpiderOak meets that criterion.

  • (Score: 0) by Anonymous Coward on Saturday August 06 2016, @08:56AM (#384729)

    Couldn't such a thing be solved by a versioning filesystem (every filesystem write is a new version, versions are retained and can be rolled back)? Like git, but for filesystems, on every write.

    Ransomware encrypts file... restore to previous "version".

    • (Score: 2, Interesting) by Anonymous Coward on Saturday August 06 2016, @11:40AM (#384741)

      Sure, check out btrfs for a similar setup.

      But, understand, these businesses are all running Windows, so anything like competent, flexible, useful software is just not available.

  • (Score: 2) by Hairyfeet (75) on Saturday August 06 2016, @08:11PM (#384823)

    Because the combination of offline backups combined with hidden encrypted "data vaults" that keeps an image of the OS and a copy of the latest backup has so far worked perfectly against every nasty thrown at 'em. I haven't run into Ransomware yet in part because I have trained my clients well to "in doubt call me" and because by default the browser is always run in a low rights sandbox with adblocking and the AV vetting websites for malware before page load, but the few nasties that were able to actually get far enough to pop up on screen? A simple reboot was enough to wipe the sandbox and make them go bye bye.

    Of course the ironic thing is that I ended up having to strike out on my own because the PC shops where I worked would actually get pissed at me for "doing too good a job" and not leaving PCs vulnerable; they cared more about repeat business than doing a decent job. I guess that is why they are out of business now and I get mine from referrals from happy customers, but I'm proud to say I have PCs in the field pushing the decade mark, still happily serving their owners bug free. I suppose I should be planning their migration but I'm honestly not worried about it; after all, XP to 7 was a lot bigger jump than Vista to 8.1 and I'm sure the previous strategy will work just fine: simply make a VM of the previous OS to run on the new OS so they don't have to hurry or worry about compatibility as they slowly move their programs over. In about a year all their programs will be switched over and I can toss the VM, easy peasy.

    --
    ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.