Ransomware will “wreak havoc” on the United States’ critical infrastructure community in 2016, according to a recent report by the Institute for Critical Infrastructure Technology (ICIT).
ICIT’s newly released “Ransomware Report” warned that unlike traditional malware actors, ransomware criminals can generate a steady revenue stream from targeting any system, whether it be mobile devices and personal computers or industrial control systems. ICIT says many of these devices are not secured “in the slightest” against a ransomware threat.
Ransomware is malicious software that allows a hacker to block access to a computer system, in effect holding it hostage, until a ransom is paid. Last year, Symantec reported a 250 percent increase between 2013 and 2014 in new crypto ransomware families on the threat landscape.
“New attacks will become common while unattended vulnerabilities that were silently exploited in 2015 will enable invisible adversaries to capitalize upon positions that they have previously laid claim,” the report stated. “‘To Pay or Not to Pay’ will be the question fueling heated debate in boardrooms across the Nation and abroad. Ransomware is less about technological sophistication and more about exploitation of the human element. Simply, it is a digital spin on a centuries old criminal tactic.”
The researchers explained that although ransomware has been around for decades, its popularity steadily decreased in favor of other malware. However, a number of prominent security firms—including Kaspersky, Covenant Security Solutions, Forcepoint, GRA Quantum, Trend Micro and Securonix—predict a resurgence of ransomware attacks in 2016.
“One reason that ransomware is so effective is that the cybersecurity field is not entirely prepared for its resurgence,” the report explained. “Attacks are more successful when effective countermeasures are not in place.”
The resurgence can be attributed in part to the prevalence of mobile devices and the emergence of the Internet of Things. According to Brian Contos, ICIT Fellow and VP & Chief Security Strategist at Securonix, attackers are pivoting to ransomware because “[It] is a volume business. It’s simple, relatively anonymous and fast. Some people will pay, some will not pay, so what. With a wide enough set of targets there is enough upside for these types of attacks to generate a steady revenue stream.”
Ransomware attacks are both highly profitable and difficult to combat. Although the Department of Homeland Security’s United States Computer Emergency Readiness Team, as well as the FBI and other law enforcement agencies, devote significant resources and expertise to mitigating attacks, the report states that “law enforcement has neither the time nor the resources to track down the culprits.”
Encryption can also complicate detecting and responding to ransomware threats. Without a decryption key, many variants of ransomware are almost unbreakable. ICIT stated, “No security vendor or law enforcement authority can help victims recover from these attacks.”
The report emerges on the heels of a ransomware attack in early February on Los Angeles-based Hollywood Presbyterian Medical Center, which paid $17,000 in bitcoins to hackers who had gained control of the hospital’s computer system. The attack highlights the dangerous escalation of ransomware attacks.
In response, Sen. Bob Hertzberg (D-Van Nuys) introduced legislation that would make the practice of infecting computers with ransomware the criminal equivalent of extortion. Under the bill, a person engaged in the activity could be convicted of a felony and be given a sentence of up to four years in prison.
“Nearly every day we read in the news about data breaches and online criminal activity,” Hertzberg said. “We must be clear that we will not tolerate this kind of conduct, and that using modern tactics to engage in age-old thuggery of ransom and extortion do not change the seriousness of the crime.”
ICIT says that responses to the proliferation of ransomware attacks will be largely situational. Possible responses include backing up systems, ignoring the ransom demand, or even paying the ransom. In addition, organizations need to train their employees to recognize and report threats.
“A vigilant cybersecurity centric corporate culture that cultivates an environment of awareness is the most effective means to minimize the attack surface populated by the human element,” the report concluded.