Analysis: The Shame of Ransomware

Ransomware attacks are booming, according to FBI data and a recent survey of MSPs. The problem is unlikely to diminish, but tools and methods for countering the digital extortion schemes are pretty well established.

Ransomware has an outsized reputation as a security problem, and that's partly due to mystery. One reason the extent of the ransomware problem is hard to quantify is shame.

In his role running partner community and field marketing for SolarWinds MSP, Dave Sobel talks to a lot of managed services providers (MSPs) in person at shows.

"Just about every solution provider knows somebody who was affected by ransomware," Sobel says. "Everyone has a story. Either they've 'got a friend' or they are the 'friend.'"

In a mid-September public service announcement begging organizations to report ransomware incidents to law enforcement no matter the outcome, the U.S. Federal Bureau of Investigation went through a litany of reasons that companies stay quiet: "Victims may not report to law enforcement for a number of reasons, including concerns over not knowing where and to whom to report; not feeling their loss warrants law enforcement attention; concerns over privacy, business reputation, or regulatory data breach reporting requirements; or embarrassment. Additionally, those who resolve the issue internally either by paying the ransom or by restoring their files from backups may not feel a need to contact law enforcement."

Those who won't admit to ransomware attacks are in the overwhelming majority, according to "Datto's State of the Channel Ransomware Report 2016," a report released this fall based on a survey of 1,100 MSPs worldwide, but primarily in the United States, Canada, Australia and the United Kingdom. That report found that fewer than one in four respondents had reported ransomware attacks to authorities.

That piece of context makes U.S. authorities' ransomware figures that much more alarming. A U.S. government interagency technical guidance document for CIOs and CISOs said that an average of more than 4,000 ransomware attacks have occurred daily since Jan. 1, 2016. That's up 300 percent from 1,000 per day in 2015. Elsewhere, the FBI has been widely reported as saying it had received reports of total costs of mitigating ransomware at $209 million in the first three months of 2016 -- putting ransomware on track to generate nearly $1 billion in losses for the full year. That was a huge jump in damage estimates from the year before.

Datto's report showed small businesses getting hit hard. Nine out of 10 MSPs said they'd had recent attacks against small business clients, and about 40 percent of those had seen six or more attacks on clients in the last year. The CryptoLocker trojan was the most frequent culprit.

Regardless of whether victims are telling authorities (the FBI requests reports at the Internet Crime Complaint Center, at IC3.gov), there's a fair amount of agreement on how to handle ransomware. While some organizations stockpile Bitcoin to be able to make payments in a pinch, the clear preference is to avoid infection in the first place through a combination of user training, which can be very effective; anti-spam tools, which can be less effective against spearphishing-style attacks; and regular security measures like keeping patches up-to-date, adhering to the principle of least privilege, and using application whitelisting.

A winning countermeasure is having solid backup and recovery and business continuity procedures in place should ransomware get through those other defenses. Last month, for example, Datto refreshed several products in its backup and recovery product line with what it calls ransomware protection -- technology to detect potential ransomware and allow MSPs to roll back to a last-known good configuration. The tools also work for backing up cloud products like Office 365, Google Apps and Dropbox, three applications that some of Datto's survey respondents noted had been hit by ransomware. Around the same time, Microsoft was plugging its Operations Management Suite and Azure Backup as solutions for ransomware woes.

Getting back to the Datto survey, a whopping 95 percent of respondent MSPs thought ransomware was becoming more frequent. It could be that things appear darkest before the dawn. More likely, as with most security ills, once a vector emerges, attackers never quit abusing it. The FBI recommends against paying the ransoms, even though they're usually less than $2,000, and most MSPs have figured out how to recover clients quickly using solid backup and recovery procedures.

As the hype settles down in the future, some see even successful ransomware infections becoming the technology equivalent of petty vandalism. As with a brick thrown through a storefront window with a ransom demand tied to it, the best approach is to ignore the demand, fix the window with reinforced glass, report the incident to police and insurance, and go on with your day.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
