1 Executive Summary
Ransomware is, without any doubt, one of the hottest topics in cybersecurity these days. Attacks such as WannaCry and Petya have affected a large number of organizations and gained widespread public attention.
That growth has not been a surprise. The security intelligence threat reports for the year 2016 from vendors such as IBM (X-Force), Symantec (ISTR), Verizon, McAfee and NTT Security give ransomware its appropriate street cred. In the preceding years, these vendors forecasted that ransomware would continue to grow in the near future, and they were accurate in that assumption. Ransomware has increased as a means of criminal activity, and potentially also as part of nation-state attacks, and so have its global reach, its ransom amount, and its impact.
Ransomware is by no means discriminatory towards its victims. Since the cybercriminals who engage in this illicit activity are motivated by profit, they aim to attack as many end-users as they can. While there are also more targeted ransomware attacks against large corporations, the general approach is widespread attacks. Aside from potential nation-state attacks such as the one suggested behind Petya, the strategy behind ransomware is clearly profit-driven. Criminals are generating income with a business model that is low-risk to them.
While the attackers’ goal is to earn money from ransom, the damage to the victims might be far bigger. The recent WannaCry ransomware attack paralyzed healthcare institutions, financial organizations and other businesses, and also held individuals’ data hostage, on a global scale; the damage went as far as risking the lives of patients in affected hospitals. Such concrete physical risks, the loss of access to data, and reputational risk can be far higher than the amount of ransom to pay. However, payment neither guarantees that access to data is restored nor protects systems from outages caused by ransomware and the related consequences, such as non-operational hospitals.
Paying ransom thus can’t be the solution. Organizations must defend themselves against ransomware and prepare for rapid recovery in case they are hit. The persisting reluctance to put appropriate security measures in place, at both the enterprise level and the individual level, is the main cause of ransomware attacks reaching such a devastating scale. However, it is not easy to identify the appropriate measures for both defense and recovery; countering ransomware is not a simple thing to do.
The purpose of this Advisory Note is to provide an understanding of ransomware and the rationale of the attackers, as well as the global distribution of ransomware attacks. Ransomware is here to stay and will keep increasing in the future. Ransomware attacks will most likely cause even more harm in the future unless appropriate security measures and policies are implemented. Furthermore, this report delivers insight into how to better prepare for and respond to ransomware attacks.