Evolving ransomware trends

01 August 2017

By David Navetta, Kristopher Kleiner and Erin Locker of Norton Rose Fulbright.

The WannaCry and Petya ransomware attacks have captured headlines over the last few months and represent the latest in an increasing trend for attackers to use ransom demands as a means by which to monetize companies’ system vulnerabilities. Ransomware is a type of malware designed to prevent or limit users from accessing their systems, by locking either a user’s screen or their files until a ransom is paid.

The most common variant of ransomware, crypto-ransomware, accomplishes this by encrypting files using a strong encryption algorithm and then forcing users to pay the ransom to get a decryption key to reverse the file encryption.

The increasing prevalence of ransomware is often attributed to two contributing factors: 1) the availability of anonymous crypto-currencies and 2) the diminishing value of personal information on the black market. 

First, using crypto-currencies like Bitcoin, attackers are able to receive payment without compromising their anonymity. By using disposable email accounts and periodically changing Bitcoin wallet addresses, attackers make tracing communications and Bitcoin payments nearly impossible, which significantly reduces the risk of law enforcement intervention.

Second, because of the explosion of data breaches over the past few years, the availability of sensitive personal information, such as social security numbers or financial account information, on the black market has exploded, pushing down the value of this information. As a result, the economics appear to be driving the motivations of these attacks. Why focus on stealing personal information from a company’s network and then trying to resell it at diminished prices when, instead, the attacker can simply encrypt the company’s data and have them pay (often a higher price) to restore access to their data?

Historically, ransomware attackers tended to take a scattershot approach—infecting a large number of individuals and demanding a relatively low ransom amount, often only a few hundred dollars, to restore access to affected files. Recently, however, the approach for some of these attacks has shifted. Rather than infecting a large number of people at random, some attackers appear to be taking a more directed approach at higher value targets and demanding higher ransoms—sometimes into the hundreds of thousands or even millions of dollars. In these higher value attacks, the ransomware infection tends to be a small part of a broader attack strategy, which often includes first encrypting or destroying backups and may also involve exfiltrating data for resale and/or fraudulent use.

This is a noticeable shift in criminal behavior, and corporates are well advised to have a clear strategy in place to deal with this evolving risk. Cyber insurance is one such solution, mitigating the effect of ransomware by providing cover for the demand and associated investigatory costs. In next month’s issue, Norton Rose Fulbright will detail the key factors to consider in both your short-term and long-term response.

For further information, please contact Martin Delaney, Senior Vice President - Leader, Cyber and Risk Management Services at ClientFirst@jltcanada.com.