This two-part series explores the rise of ransomware and how organizations can best be protected from it. In part...
one, statistics show how prevalent it is, and analysts weigh in on what organizations and vendors should do for best protection against ransomware. Part two will provide case studies of organizations that successfully recovered from ransomware attacks.
In many ways, 2016 was the year of ransomware.
The FBI estimated last year that ransomware payments in the United States were on pace to hit $1 billion in 2016. The U.S. government also estimated that ransomware attacks averaged more than 4,000 per day in 2016, up from the approximately 1,000 attacks per day in 2015.
Ransomware and protection: The basics
Ransomware -- malware that encrypts the victim's data and demands payment for the decryption key -- often gets into a system through an infected email attachment or website. Although ransomware has picked up in just the last couple of years, the concept dates to 1989, when PC-locking malcode was mailed to victims on floppy disks, according to a December IBM report. Ransomware has gained momentum in recent years with improved encryption and increased use of cryptocurrency like bitcoin, the report said.
Robert Rhameresearch director, Gartner
For optimum protection against ransomware, organizations should assume they're going to get hit, said Robert Rhame, a research director at Gartner who focuses on backup and recovery.
"Backup and recovery remains the top protection," Rhame said. Specifically, journaling, reporting and more frequent recovery points during the day are helpful.
Jason Buffington, a principal analyst at Enterprise Strategy Group Inc., in Milford, Mass., focusing on data protection, said there are three keys to protection against ransomware that organizations should make a priority: What can you do to increase the frequency of protection? How can you increase the length of retention? And how can your backup and recovery platform integrate with a malware detection tool?
"If you're using your backup solution as your mitigation [of] malware, you're in the ninth inning," Buffington said, stressing that protection is proactive, while recovery is reactive.
Ransomware by the numbers
According to a survey published in September by data protection vendor Datto, 95% of managed service providers said ransomware attacks are occurring with greater frequency. Ninety-one percent said their clients have been victims of ransomware. Eighty-eight percent of MSPs said they are "highly concerned" about ransomware, but only 34% of MSPs said their customers feel the same way.
According to the IBM report, only 31% of consumers surveyed have actually heard of ransomware.
Attackers often look for immature organizations, Rhame said, though hospitals are one exception. Several hospitals were hit by ransomware attacks in early 2016. In addition, in November, there was a highly publicized ransomware attack on San Francisco's transportation system.
Payment demands are often in the hundreds of dollars. The IBM report puts the average at $500, but it also said businesses are seeing larger attacks on servers and networks, along with money demands ranging from thousands all the way up to millions, in some cases.
The FBI does not recommend paying, as considerations include:
- Paying a ransom does not guarantee access to the data;
- Some victims who paid the demand were targeted again;
- After paying the ransom, some victims were asked to pay more; and
- Paying can encourage this criminal business model.
If hit, the government recommends contacting law enforcement immediately, such as a local field office of the FBI or U.S. Secret Service.
For proper protection against ransomware, the FBI urges organizations to back up data regularly, verify the integrity of those backups and secure the backups. Organizations should also "ensure antivirus and antimalware solutions are set to automatically update and conduct regular scans."
As ransomware evolves, so does the fight against it
Customers should be looking at data protection vendors that offer integration with a malware detector, Buffington said. It's up to the backup vendors to form partnerships that will provide these built-in capabilities.
Just saying the product can help an organization recover from ransomware "is no different from saying you can recover from a forest fire or a server failure," Buffington said.
A ransomware infection can start a while before it shows itself to a customer. When ransomware slowly infects files over time, victims may actually back up the virus along with their data. Organizations should make sure to have smart backups and retention polices.
But Rhame said he thinks intentionally delaying is counterintuitive to what the criminals are after.
"It might be stealthy for a little bit, but ransomware actors seem pretty content with a fast turnaround," and figuring out quickly if the attack will make money, Rhame said. And if there is a delay in the notification to an organization, there's a good chance an antivirus program will pick up on it.
In 2017, Rhame said he thinks storage providers will be increasingly thrust into the limelight and a lot more vendors are going to provide reporting, which would aid protection against ransomware.
"I'm encouraging them to," Rhame said.
Buffington said one area to watch in 2017 is vendors integrating malware detection technology into the backup process. Many major backup vendors are looking at their role in ransomware mitigation, he said, but it's also on the customer to use the tools already provided.
The cloud can be key to recovering from ransomware
Two quick data protection steps for ransomware strategy
Network security tips for preventing ransomware