Your computer has been locked. To unlock it, you are obliged to pay a fine of $500.
A day-ruining phrase like this is coming to a screen near you, and sooner than you might expect. One recent estimate says that even as malware attacks slowed, there were 638 million ransomware attack attempts last year, up from 3.8 million in 2015. Still, fresh research by AVG Business indicates 1 in 3 small businesses are still clueless about it.
Malware with names like Cryptolocker or Popcorn Time have enabled amateur hackers to operate what amounts to an old-fashioned extortion racket on a global scale, and a very lucrative one at that. According to IBM, cybercriminals are thought to have made an eye-watering $1 billion from ransomware last year. What’s more, half of the executives who paid up handed over more than $10,000 to the criminals and 20% over $40,000. It has been estimated that in the first half of 2016 alone, one gang of ransomware hackers made an estimated $121 million.
Some criminals give their victims a second option: Hack others and get them to pay up, and you get your data back.
Ransom-seeking coders and social engineers—the majority of them Russian speakers, according to Moscow-based Kaspersky Labs—initially targeted individuals. Then they moved on to small businesses, their corporate big brothers, and now hospitals, hotels, railways, the police, and government, where sensitive personally identifiable information is scarily abundant. More than a dozen hospitals have reported ransomware attacks in the past year, including Hollywood Presbyterian, which was told to pay $3.4 million if they wanted their data back. Last month, a police department in Texas reported that it had lost years of evidence after refusing to pay a ransom to hackers, while the Washington, D.C., police announced that it had discovered that many of the recorders for its CCTV cameras had been infected by ransomware, just days before the presidential inauguration. Earlier this month, the government of Licking, Ohio confirmed that its computer systems had been taken over by ransomware.
Despite the nature of these high-profile targets, an increasing number of ransomware attacks are being targeted at small businesses and startups, with ransoms ranging from $500 to $50,000. And the numbers are growing: Security firm Symantec estimates that the average ransom demanded in 2016 was $679, more than double the $295 demanded at the end of 2015. Small businesses can be better targets than bigger ones because they often don’t have skilled staff or the time and money to devote to cyber defense. Many don’t even realize the value of their own data. The research by IBM also suggests that executives are more liable to settle than individuals. In response, the FBI is urging victims to report attacks to them regardless of whether they paid so they can gain a better understanding of the scale of the threat in the U.S. and its impact on victims. Their advice is not to pay any ransom.
Ransomware attacks are rising on mobile devices too, and this week, researchers demonstrated a ransomware attack on a simulated water treatment plant.
If hackers don’t delete your data, they could leak it online or sell to the highest bidder. Another form of ransomware can take a screenshot or extract a particular file and upload it to the thief, who can increase the ransom based on what he sees. Or the ransom amount may start to increase the longer you take to pay it. Some cyber criminals have begun to give their victims a second option by turning them into hackers: Help install the same software on other peoples’ computers, and if those people pay up, you get your data back.
More worrisome, ransomware doesn’t take advanced technical skills to operate. The software can be bought off the shelf, or even rented: Ransomware-as-a-service allows criminals who don’t have the technical expertise to rent an existing botnet of infected computers that can be used to infect new computers. The criminals then get paid a commission on every successful ransom.
Mac OS and Linux users aren’t completely safe either, according to a new study by security firm PhishLabs. Though Windows is the most targeted operating system, more malware is being created specifically for OS X, Linux, and server operating systems. Ransomware attacks targeting Android-based mobile phones are still relatively rare, but they are also on the rise.
The so-called internet of things is also vulnerable, as are bigger things: This week, researchers at the Georgia Institute of Technology demonstrated a ransomware attackon a simulated water treatment plant.
If you haven’t protected yourself against it, a ransomware attack could mean life or death for your company. The U.S. National Cyber Security Alliance reports that up to 60% of hacked small and medium-size businesses go out of business six months after a cyberattack.
Rokenbok Education, a San Diego-based toy company, lost thousands of dollars while it struggled with an attack just before the holiday season started. Children in Film lost access to files stored on a cloud drive within 30 minutes of an employee opening an attachment they shouldn’t have opened on New Year’s Eve. It took a week to restore the data, even with backups. But there are no assurances: According to a report from security firm Kaspersky Lab, one in every five companies that pay ransom never get their data back.
“The basic problem is that small businesses don’t often have the knowledge or bandwidth to deal with cybersecurity.”
The surge in ransomware attacks and reports of big payouts appears to be driving a rise in cyberinsurance offerings, a development that could help shore up general cyber defenses. During a full-day workshop devoted to ransomware at this month’s RSA Conference in San Francisco, TechTarget reported, Jeremiah Grossman, chief of security strategy at SentinelOne, predicted that “there’s going to be professional ransomware negotiators” helping insurance companies in the future.
What hasn’t changed much—and isn’t likely to change in 2017—is how a computer is infected. Someone still has to open a dodgy email, visit an infected site, or download a dubious piece of software. Servers can be hosts, and by hacking into poorly protected internet-connected printers or even kettles, for example, criminals are finding clues to allow them to break into your systems.
“The basic problem is that small businesses don’t often have the knowledge or bandwidth to deal with cybersecurity,” says professor Mark Skilton, Warwick Business School, cybersecurity expert and author of The 4th Industrial Revolution: An Executive Guide to Intelligent Systems. “Even large retailers [and the police] with all the resources they have at their disposal can make silly errors that quickly become big mistakes.”
Ransomware has proved to be a formidable challenge for most anti-virus software. Mark suggests, “There are two things that you can easily do. Protect your own data like you would any other valuable thing that you own. Encrypt it so criminals can’t publish it online. The other approach is what I call the protection of the herd. Small business can’t always afford the IT systems they need to stay secure. So, use a good public cloud service to provide you with a remote backup.”
“It’s easy to over-compensate on cybersecurity,” he adds. “You also need to think about what is the proportional level for your company.”
Another solution is provided by sites such as No More Ransom, which is run by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, and two cyber security companies—Kaspersky Lab and Intel Security—with the goal of helping victims recover their data without paying a ransom. It also tries to educate users about ransomware and how to defend against it.
Still another solution is the free Windows app called RansomFree developed by the security firm Cybereason. This app protects a computer by watching for typical behaviors exhibited by ransomware behavior.
“Sometimes it’s the simplest things that offer the best protection against ransomware,” says Tony Anscombe, senior security evangelist at AVG Business. Anti-virus software is a good preventative measure, and making sure you regularly back up your data will reduce the impact if you are locked out of your systems.
Mark Skilton emphasizes the risk of “the human factor.” “Increase your employees’ awareness by asking them to think twice about clicking on links in a suspicious looking or unexpected email, especially if it’s purporting to have come from a more senior employee who happens to be on holiday,” he says. “Restricting who can see what on your system can also prevent malicious software from spreading. Don’t assume the brand-name internet-enabled printers or machines you buy are protected. Check first.”
Amid a growing wave of attacks, good cybersecurity for a small business isn’t very expensive. Being held for ransom is.