Back in early February, staff members at a hospital in southern California began noticing issues in their IT system. The Hollywood Presbyterian Medical Center subsequently launched an investigation and determined that ransomware had infected its computers. To prevent the infection from spreading, the hospital temporarily suspended its IT system. That decision caused several departments to shut down, patients to be diverted to other hospitals for treatment, and staff members to process all remaining registrations/log-ins via paper and fax. After working with law enforcement for several weeks, Hollywood Presbyterian agreed to meet the attackers' demands and pay the ransom fee of 40 BTC (approximately US$17,000). The attack may have cost the hospital even more as a result of degraded productivity and lost customers.
If the incident at Hollywood Presbyterian is any indication, ransomware is on the rise. Indeed, Blue Coat Systems' 2015 Mobile Malware Report names ransomware as the top malware threat targeting mobile devices today, with crypto-malware attacks having jumped 159 percent in April alone, per Enigma Software's findings.
Part of the reason behind this growth is the emergence of ransomware-as-a-service (RaaS). By now, ransomware has become so commoditized that criminals wishing to infect unsuspecting users don't need any technical expertise. All they need to do is purchase ransomware code off the dark web, incorporate the malware into a phishing email template, specify to which targets they would like it sent, and wait for the money to roll in. Travis Smith, a senior security research engineer at Tripwire, feels it is this comparative ease of use that makes RaaS more profitable than other commoditized forms of malware.
"Monetizing spamware or stolen data requires more time and expertise than ransomware and involves higher risks of being detected by law enforcement. In addition, the rise of anonymous cryptocurrency, such as Bitcoin, has made it easier than ever for attackers to infect a machine with ransomware. The success of ransomware has made it possible for cyber criminals to make hundreds or thousands of dollars per infection, and they get paid immediately."
Given the growing profitability of RaaS, we can't expect ransomware attacks to subside in the near future. Organizations must brace themselves for that likelihood by preparing for a potential ransomware infection. Specifically, companies should review their disaster recovery program and determine whether they can rely on backups in the event of a ransomware attack. Smith explains further:
"For many organizations, ransom decisions come down to the most cost-effective plan of action. If systems and data can be restored quickly from backup with minimal data loss, then not paying a ransom demand is a viable option. However, in order to be confident enough to ignore ransom demands, IT teams need to continually test backups to ensure all critical business data is being captured and that the backups are viable."
Backups might protect an organization's critical data, but restoring from a backup presents its own challenges. Above all, data restoration takes time, which more than likely means service interruptions for critical business systems. As a result, if organizations are to protect themselves against losses in productivity following a ransomware infection, they must plan out every step of the backup process to make sure the business gets back up and running as soon as possible. Smith couldn't agree more with this point.
"Organizations have to take the next step and verify they can restore critical business systems quickly to minimize downtime and service interruptions. For most security teams, this means they will need to practice – a process that takes both time and resources. However, this investment can pay significant dividends in the event of a ransomware infection. Planning and testing a streamlined backup process can reduce the cost and risk associated with restoring data. If organizations make these investments, ransom demands can become irrelevant."