Police in Maine whose shared server was infected by ransomware last week chose to pay $300 to the perpetrators rather than risk losing their internal files or spend more money and time to try to work around the cyberattack. In a similar attack in Massachusetts, local police paid $500 ransom to the hackers to regain control of their data.
Attacks involving ransomware, in which malware restricts users' access to their own computer files, are on the rise, according to the Federal Bureau of Investigation. Once spread primarily by e-mails with malicious attachments, ransomware is increasingly infecting users in so-called "drive-by" attacks via compromised Web sites.
In these most recent cases, ransomware known as "megacode" infected the IT systems of police departments in Lincoln County, Maine, and Tewksbury, Massachusetts. In both instances, police were able to regain access to their data after paying ransoms using the digital currency Bitcoin, which ensures greater anonymity in online transactions.
Other Costs Beyond Ransom
"The average case of a ransomware attack can be quite damaging given that the target of an attack is typically the company's intellectual property," Andrey Pozhogin, Senior Product Marketing Manager for Kaspersky Lab North America, told us. "There are a number of ways things can go wrong even if the company decides to pay the ransom."
Among those potential problems are actions by a system administrator -- or bugs in the malware itself -- that can make encrypted data unrecoverable. Organizations attacked by ransomware might also have to contend with costly downtime, IT infrastructure damage, legal fallout caused by data losses, or damaged relationships with partners and customers.
Despite these possible risks, only 37 percent of businesses globally -- and just 28 percent of businesses in North America -- say they believe ransomware represents a serious threat.
Kaspersky Labs on Monday also announced that it had worked with a group of leading IT companies in an effort coordinated by Interpol to disrupt a criminal botnet known as Simda. Distributed via infected Web sites that redirect users to exploit kits, Simda is believed to have infected some 770,000 computers around the world, with most of the victims located in the U.S.
Cellphones Also at Risk
"Ransomware has been around for several years, but there's been a definite uptick lately in its use by cybercriminals," the FBI noted in an online update in January. It added that ransomware has also become a growing threat to cellphones by locking down users' devices and demanding payments to unlock them.
Botnets are often used to help spread ransomware, according to the FBI. For example, a multinational law enforcement effort last year that helped to disrupt the botnet GameOver Zeus also led to the seizure of command and control servers for a ransomware known as Cryptolocker. GameOver Zeus was blamed for millions of dollars in losses globally to businesses and individuals, and computers infected by the botnet were often also infected with Cryptolocker.
The FBI recommends that people protect themselves against ransomware by making sure they are using updated antivirus software, automated patches, strong passwords and pop-up blockers. It also advises people not to open attachments or URLs in unsolicited e-mails and to download software only from known and trusted sources. Regular backups and offline data storage can also help avoid the potential for damage from ransomware.
Paying Not an Option
Ryan Merritt, Malware Research Lead at Trustwave, told us that, "Ransomware infections are not typically the result of a targeted attack. More often we see them as part of larger campaigns where botnets are used to spam out phishing e-mails containing malicious links and/or attachments that include the initial stages of the malware. Having defenses already in place prior to this type attack is arguably even more critical than other types of attacks since your remediations options are much more limited once infected by ransomware."
Merritt said while tempting, paying the ransom should never be considered as a viable option because that helps the hackers improve their methods and can lead to more advanced attacks and techniques in future versions of the rasomware.
"We have witnessed the rapid maturation of ransomware from hollow cosmetic threats to advanced levels of encryption," he said. "It is not improbable to assume that this quick rise is in part due to the success rates the criminals have enjoyed in monetizing their exploits. Cutting off the attacker's cash flow by not paying the ransom may be our most effective way to combat this class of attack."