Monthly Archives: February 2017

Survey: Half of small firms hit by ransomware, paid an average $2,500 in 'ransom'

Larry Ponemon

We are pleased to present the findings of The Rise of Ransomware, sponsored by Carbonite, a report on how organizations are preparing for and dealing with ransomware infections. As of September 2016, the Justice Department reported more than 4,000 ransomware attacks daily since January 1, 2016. This is a 300-percent increase over the approximately 1,000 attacks per day seen in 2015.

You can read the full research at  Here is a summary:

We surveyed 618 individuals in small to medium-sized organizations who have responsibility for containing ransomware infections within their organization. These individuals, as revealed in this study, dread a ransomware infection and many of them (59 percent of respondents) would rather go without WiFi for a week than deal with a ransomware attack. Furthermore, 77 percent of respondents believe that those who unleash ransomware should pay for the crime. Specifically, 47 percent of respondents say criminals should face criminal prosecution and 27 percent of respondents say they should be subject to civil prosecution.

There is a significant gap between the perceptions of the seriousness of the threat and the ability of a company to prevent ransomware in the future. While 66 percent of respondents rate the threat of ransomware as very serious, only 13 percent of respondents rate their companies’ preparedness to prevent ransomware as high.

Fifty-one percent of companies represented in this research have experienced a ransomware attack. The following explains how these companies were affected.

• Companies experienced an average of 4 ransomware attacks and paid an average of $2,500 per attack.
• If companies didn’t pay the ransom, it was because they had a full and accurate backup. Respondents also believe a full and accurate backup is the best defense.
• Companies suffered financial consequences such as the need to invest in new technologies, the loss of customers and lost money due to downtime.
• Cyber criminals were most likely to use phishing/social engineering and insecure websites to unleash ransomware. Respondents believe the cyber criminal specifically targeted their company.
• Compromised devices infected other devices in the network. Very often, data was exfiltrated from the device.
• Companies were reluctant to report the incident to law enforcement because of concerns about negative publicity.

Following are the key takeaways from this research.

Many companies think they are too small to be a target. Perceptions about the likelihood of an infection affect ransomware prevention and detection procedures. Fifty-seven percent of respondents believe their company is too small to be a target of ransomware and, as a result, only 46 percent of respondents believe prevention of ransomware attacks is a high priority for their company. Despite not being a high priority, 59 percent of respondents believe a ransomware attack would have serious financial consequences for their company and 53 percent of respondents would consider paying a ransom if their company’s data was lost (100 percent – 47 percent of respondents who would never pay a ransom).

Current technologies are not considered sufficient to prevent ransomware infections. Only 27 percent of respondents are confident their current antivirus software will protect their company from ransomware. There is also concern about how the use of Internet of Things connected devices will increase their risk of ransomware.

Inability to detect all ransomware infections puts companies at risk. Forty-four percent of respondents say an average of one or more ransomware infections per month go undetected and bypass their organization’s IPS and/or AV systems. However, 29 percent of respondents say they cannot determine how many ransomware infections go undetected in a typical month.

One or more ransomware attacks are believed to be possible in the next 12 months. Sixty-eight percent of respondents believe their company is very vulnerable (30 percent) or vulnerable (38 percent) to a ransomware attack. Relative to other types of cyber attacks, 67 percent of respondents say ransomware is much worse (35 percent) or worse (32 percent).

The severity and volume of ransomware infections have increased over the past 12 months. Sixty percent of respondents say the volume or frequency of ransomware infections has significantly increased (22 percent) or increased (38 percent). Fifty-seven percent say the severity of ransomware infections has significantly increased (18 percent) or increased (39 percent) over the past 12 months. The companies represented in this research experience an average of 26 ransomware alerts in a typical week. An average of 47 percent of these alerts are considered reliable.

Negligent and uninformed employees put companies at risk. Fifty-eight percent of respondents say negligent employees put their company at risk for a ransomware attack. Only 29 percent of respondents are very confident (9 percent) or confident (20 percent) their employees can detect risky links or sites that could result in a ransomware attack.

To prevent ransomware infections, employees need to become educated on the ransomware threat. Fifty-five percent of respondents say their organizations conduct training programs on what employees should be doing to protect data. However, only 33 percent of respondents say their companies address the ransomware threat.

Most companies experience encrypting ransomware. Fifty-one percent of respondents had a ransomware incident within the past 3 months to more than one year ago. Eighty percent of respondents say they experienced encrypting ransomware and 20 percent of respondents say their company experienced locker ransomware. These companies have experienced an average of 4 ransomware incidents. Most respondents (59 percent) believe the cyber criminal specifically targeted them and their company.

The consequences of ransomware are costly. The top consequences of a ransomware attack are financial. Attacks required companies to invest in new security technologies (33 percent of respondents), customers were lost (32 percent of respondents) and money was lost due to downtime (32 percent of respondents). Moreover, the ransomware incident is believed to make their company more vulnerable to future attacks (49 percent of respondents).

By far, most ransomware incidents are unleashed as a result of phishing and insecure websites. Forty-three percent of respondents say the ransomware was unleashed by phishing/social engineering and 30 percent of respondents say it was unleashed by insecure or spoofed websites. Desktops/laptops and servers were the devices most often compromised at 55 percent and 33 percent of respondents, respectively.

According to 56 percent of respondents, the compromised device was used for both personal and business purposes. The compromised device infected other devices in the network (42 percent of respondents) and the cloud (21 percent of respondents).

Many companies paid the ransom. Forty-eight percent of respondents say their company paid the ransom. The average payment was $2,500. A key element in making ransomware work for the attacker is a convenient payment system that is hard to trace. The ransom was most often paid using Bitcoin (33 percent of respondents) or cash (25 percent of respondents). Fifty-five percent of respondents say once the payment was made, the cyber criminal provided the decryption cipher or key to unlock compromised devices.

Attackers demand speedy payment. Forty-six percent of respondents say the attacker wanted payment in less than two days. Only 16 percent did not place a time limit for payment.

Data was exfiltrated from the compromised device. Fifty-five percent of respondents say with certainty, or think it likely, that the ransomware exfiltrated data from the compromised device(s). On average, companies spent 42 hours dealing with and containing the ransomware incident.

Full and accurate backup is a critical ransomware defense. Fifty-two percent of respondents did not pay the ransom because they had full backup (42 percent of respondents). Sixty-eight percent of respondents in companies that experienced a ransomware incident say it is essential (30 percent) or very important (38 percent) to have a full and accurate backup as a defense against future ransomware incidents.

Fear of publicity stops companies from reporting the incident to law enforcement. Despite the FBI’s pleas to report the incident to law enforcement, 49 percent of respondents say their company did not report the ransomware attack. As shown in Figure 16, the primary reason was to avoid the publicity.

Read the rest of this research at

Treason, arrests, a suspicious death, the vanishing executive order — Trump's cyber-mystery

Bob Sullivan

A suspicious death related to a British spy. Accusations of treason. Arrests — including one, during a meeting, where the suspect was marched out with a bag over his head. Election interference and ‘Kompromat.’

These are some of the things that, while hanging in the air, weren’t mentioned in the Trump administration’s first cautious steps into managing the cyberworld this week.

Like almost everything in the cyber-spook world, the Trump Administration’s first step into computer security is now shrouded in mystery, intrigue and speculation.

Trump’s team trotted out a series of experts and officials on Tuesday — including former New York City Mayor Rudy Giuliani — at an event marking an executive order Trump planned to sign. It was to be a sign that Trump wanted to get tough on computer security.

Then, without explanation, the order signing was canceled, leaving cyber-folks to do what they often do best: Guess at what it all means.

On the surface, Trump’s executive order and the spy-novel-like intrigue happening in Russia’s cyberworld have nothing to do with each other. It’s hard not to connect them, however.

Here’s a quick scorecard to catch you up on what’s going on. Three, or possibly four, Russians with ties to law enforcement have been arrested and charged with treason. One suspect was grabbed at a meeting and had a bag thrown over his head in a clear show of force.

Another suspect, Ruslan Stoyanov, was a researcher at respected antivirus firm Kaspersky, and previously worked in Moscow’s cybercrime unit. He had stopped crime rings that were targeting Russian banks. I have been told he is accused of snooping on and sharing data with outside entities — perhaps the U.S., though that isn’t clear. My source requested anonymity, but others have confirmed that basic story.

Brian Krebs has painstaking amounts of additional detail on that here.

It’s easy to connect these arrests with the accusations of Russian meddling into U.S. elections, but there are other explanations.  For one, Russian officials are upset that secret information keeps making its way to a blog called Shaltay Boltay (Humpty Dumpty) in Russia that’s a bit like Wikileaks.

Meanwhile, a former KGB official was found dead a few weeks ago in his car under mysterious circumstances. The man, Oleg Erovinkin, was reportedly a source for Christopher Steele, the former British spy who authored the notorious dossier of allegedly embarrassing information about President Trump.

When Trump assembled the folks who will be in charge of making U.S. computer systems safer, none of this came up.

On the surface, a draft version of the order that was widely shared showed it would primarily call for a 60-day review of the most critical U.S. networks, including military command and control systems. It also asked for a review of America’s cyber enemies; a review of computer security education; and asked for proposals to create incentives for private firms to improve their security.

It is unclear why the president didn’t sign the order as planned.

The draft order got, expectedly, mixed reviews from industry.

“What I like about it is that it creates a sense of urgency and seriousness that we really have to double down on security,” said Eric Geisa, vice president of products at Tempered Networks, discussing the draft order.

Morey Haber, vice president of technology at BeyondTrust, was far more critical.

“We already do all this (vulnerability assessment). The only difference is that it’s (to be) reported to the president,” he said. Prior to BeyondTrust, Haber spent 10 years as a contractor providing vulnerability assessment to the Department of Defense. “It ignores attack vectors that have actually been exploited before. It’s almost a knee-jerk reaction, similar to the ban on certain countries for immigration.”

Haber pointed out that most hacks involve the human element, like an employee responding to a phishing email.

“We should be making sure the front doors are locked before we change the combination on the safe,” he said. “We are targeting the wrong things here. We do need to look at these things, but this is not typically how attacks have occurred. We should be targeting the lowest hanging fruit, like phishing emails, USB sticks left in parking lots.”

Perhaps because of this kind of feedback, the order was delayed. Or something entirely unrelated is the cause.

Geisa said this moment in time gives the administration an opportunity to succeed where others have failed.

“This isn’t something new. After the (Office of Personnel and Management) hack Obama signed an executive order…but what I’ve seen from the government in the past is you get high-level guidelines, but there isn’t a lot of prescriptions. They might say you need encryption, for example. Well, no kidding,” he said. “The time is now to get very specific.”

The Internet has suffered from a “fundamental flaw” since its earliest days, he said — the use of IP addresses to authenticate computers, which makes it easy for machines, and criminals, to lie about who they are. Changing that will require a very heavy-handed implementation of new protocols that define how computers talk to each other. Perhaps Trump’s administration could lead that charge, Geisa said.

On the other hand, it’s important to understand how different Internet security is from other kinds of security. The “weapons” of cyberspace are mainly controlled by civilians. Instead of bombs stored in silos that the government can secure, ‘cyber-bombs’ can be hacked servers, private computers, even webcams — as we all learned last year when an army of zombie webcams knocked a large portion of the Internet offline. They cannot be secured without massive efforts and cooperation by private industry.

And that brings us back to the Russian hacks. I’ve spent years attending international security conferences where the real work of rescuing the Internet happens. Naturally, private firms are reluctant to share information with government officials and with each other — many see this very expensive and difficult research as a competitive advantage. Still, informal exchanges happen all the time. Secret cyberheroes rescue us from digital doomsdays on a regular basis, in conversations we’ll never hear about or see in a press release. Often, these involve “hackers” with a past, who have spent time in the murky world between white and black hat. That’s precisely why they know what’s going on. But that can also make them very “shy” when speaking to law enforcement.

You can bet Russian cyber-experts are getting more shy by the minute. That hurts everyone except the criminals.

But it’s a good reminder of how hard U.S. officials must work to keep the information flowing between private industry and government workers fighting to keep our water dams and power grid safe. That’s going to take a lot more than an executive order.