As senior security research engineer at security and compliance automation vendor Tripwire, Travis Smith spends his days studying the chess moves made by cyber criminals on the cutting edge.
The hottest, most lucrative criminal activity of the moment is ransomware, the cyber detective says. The most common variant revolves around getting a victim to click on a corrupted attachment or web link that arrives in a legitimate-looking email message.
If the malware successfully downloads to the victim’s machine, it’s game over. In mere moments, the malware will locate and encrypt sensitive files, then launch a shopping cart routine that guides the victim on how to use crypto currency, most commonly Bitcoin, to pay for delivery of a decryption key.
Individual victims usually are required to pay a ransom of a few hundred dollars; business entities are routinely paying five-figure, and sometimes six-figure, ransoms.
How bad is it? A recent report from Arctic Wolf Networks estimates a 433% spike in ransomware attacks over the past year. And the FBI says ransomware attack victims paid $209 million in the first three months of 2016, up from $24 million in all of 2015. And that only counts complaints received by the bureau.
Typically, the bad guys actually do deliver a working decryption key in exchange for the ransom payment, Smith says. Here is some other useful intel Smith shared in our recent video interview. Text edited for clarity and length.
Why have healthcare organizations been so heavily targeted by ransomware gangs?
Healthcare has a life or death connection to data. So it’s not a financial responsibility. Restoring lost data from data backed up and/or reverting to some kind of paper trail takes time. And it’s not something that they’re really well-equipped to do.
Any indication what sectors the bad guys are going to focus on next?
We have been seeing that ransomware has been targeting IoT devices for consumers, as well, so they’re looking at thermostats and TVs and things like that as far as being able to encrypt those. And not only just encrypt them, but prevent access from the device.
As far as businesses, the energy sector is definitely a big one, as far as critical components, and financial. Those are probably the next two markets that are going to see heavy ransomware attacks.
Do you expect the bad guys to single out small and medium-sized businesses, because they’re less protected?
Everybody’s going to be targeted eventually. Ransomware is just too profitable a business model for criminals. It’s a 1,400% return on investment, so the average criminal spends about $10,000 to invest in a ransomware campaign, and they get just under $500,000 back. So it’s very profitable for them. Every sector’s going to get targeted eventually.
How has the availability of crypto currency come into play?
Bitcoin provides the criminals with a completely anonymous way to get paid and get out. If you get hit with ransomware, they’ll usually change your desktop background and direct you to browse to a certain website. Then they’ll give you detailed instructions showing you how to pay to get access to your data again.
They want to have a seamless transition for getting their payment, and they want to build a reputation for actually letting people access their data again. They want to instill confidence that if you pay the ransom, you are going to get access to your data.
So they do supply working decryption keys if you use their crypto currency shopping cart tool?
In every instance that I’ve seen, yes. I haven’t seen one instance where they haven’t tried to give access to the data.
Couldn’t they just come after you again?
Exactly. A lot of these things are completely autonomous; they don’t require action from the cyber criminal, especially these huge campaigns. If the business does not understand how they got infected, then that same email could still be sitting in the secretary’s inbox. If she opens up the attachment again, then she’s encrypted again with a different decryption key.
What can businesses do beforehand to deter this?
Ransomware can only encrypt files it can access. It only has the same access privileges as the person who opened the attachment or clicked on the web link. So monitoring employee access and granting the least privileges is vital. You want to give people enough access so they can get their job done, but not give them so much access that they have the keys to the kingdom, so to speak.
What about training?
Employee awareness training is an important best practice. You want your employees to be aware these types of campaigns are out there. Don’t click on every link or every attachment, especially if you’re not expecting it. Always have your guard up, and try to verify from the sender before you open up any attachments. That’s usually how the ransomware is going to get in.
Sounds like we can’t trust email?
You can’t trust email from anybody. You can get an attachment and it’s ‘paystub.pdf.’ It looks like a PDF, it smells like a PDF, you say, ‘Oh, someone sent me my paystub.’ So you double click it to see what it is, and you get encrypted.
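The ‘paystub.pdf’ scenario above is the kind of thing a mail gateway or desktop triage script can catch before the double click: an attachment whose name says PDF but whose bytes say Windows executable, or a double extension such as paystub.pdf.exe. The following check is an added illustration, not Tripwire’s code or anything from the interview; the signature table is a deliberately small assumption, and the sample attachments are constructed.

```python
import os

# Assumption: a small fixed table of document signatures is enough for triage.
MAGIC = {
    ".pdf": [b"%PDF-"],
    ".docx": [b"PK\x03\x04"],   # OOXML is a zip container
    ".zip": [b"PK\x03\x04"],
}
EXECUTABLE_MAGIC = {b"MZ": "windows-pe", b"\x7fELF": "elf"}
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".ps1"}


def inspect_attachment(filename: str, content: bytes) -> dict:
    """Return {'filename', 'risk': 'low'|'high', 'reasons': [...]} for one attachment."""
    reasons = []
    root, ext = os.path.splitext(filename.lower())
    inner_ext = os.path.splitext(root)[1]   # second extension, e.g. '.pdf' in paystub.pdf.exe

    # 1. Double extensions hide the real type when the desktop hides known extensions.
    if inner_ext and ext in RISKY_EXTENSIONS:
        reasons.append(f"double extension {inner_ext}{ext}")
    elif ext in RISKY_EXTENSIONS:
        reasons.append(f"executable/script extension {ext}")

    # 2. Executable header behind a non-executable name: looks like a PDF, is not one.
    for magic, kind in EXECUTABLE_MAGIC.items():
        if content.startswith(magic) and ext not in RISKY_EXTENSIONS:
            reasons.append(f"{kind} header in file named {ext or '(no ext)'}")

    # 3. Declared document type whose signature bytes are absent.
    expected = MAGIC.get(ext)
    if expected and not any(content.startswith(m) for m in expected):
        reasons.append(f"content does not match {ext} signature")

    return {"filename": filename, "risk": "high" if reasons else "low", "reasons": reasons}


# Constructed samples: a genuine PDF header, a double-extension executable,
# and PE bytes hiding behind a .pdf name.
SAMPLES = {
    "paystub.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "paystub.pdf.exe": b"MZ\x90\x00\x03\x00" + b"\x00" * 10,
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 12,
}

if __name__ == "__main__":
    for fname, data in SAMPLES.items():
        print(inspect_attachment(fname, data))
```

A real gateway would back the table with a full signature library and still sandbox anything it cannot classify; the point here is that the name alone proves nothing about the bytes.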
This article originally appeared on ThirdCertainty.