To Pay or Not to Pay: Ransom-Based Threats on the Rise

Even though C-suite executives are unlikely to have full visibility to every security threat, one in seven respondents in the 2016 Executive Application & Network Security Survey reported that they experienced a ransom attack in the past year. More than half (54%) admitted to paying a ransom.

Across industries and geographies, the propensity to send funds could reflect a strong desire to make the threat “go away” by simply giving in to the demands. That action may have the unintended-and undesirable-consequence of inviting continued ransom threats. If word gets out on the “dark web” that a company paid, it can expect to receive additional threats from the same or different attackers. After all, negotiating with criminals can become a proverbial slippery slope.

Businesses facing growing threats from ransom-based attacks could be categorized into two primary “flavors”:

* Ransomware – in which attackers typically use malware to encrypt critical data, making it unusable until the user complies with instructions to make a payment via Bitcoin. One of the latest varieties to emerge is Ransom32, which is ransomware as-a-service that gives cyber criminals a jumpstart on holding victims’ information hostage.

* DDoS for ransom – in which attackers send their target a letter that threatens a DDoS attack at a certain day and time unless the organization makes a payment (usually $2,000 to $10,000) via Bitcoin. Often hackers will launch a small-scale attack as a preview of what could follow.

Previous Radware research revealed an increase in ransom-oriented attacks, which accounted for about one-quarter of motivations in 2015 (versus 16% in the prior year). In the full-length 2015-2016 Global Application & Network Security Report, Radware predicted that ransomware and DDoS for ransom schemes would continue to affect everything from traditional enterprises to cloud companies. The findings of the most recent Executive Survey underscore the validity of that prediction.

November 2015, the Swiss-based encrypted email provider experienced consecutive attacks initiated with a ransom request by hacker group The Armada Collective. Hoping to stop the attacks, ProtonMail paid  ransom, only to see the attacks continue with volumetric and burst attacks combining application and network vectors.

The Kansas Heart Hospital in Wichita learned a similar lesson in May 2016. Having fallen prey to ransomware, the hospital paid the ransom to get its files back. Instead, it received only “partial access,” along with a demand for more funds. The hospital declined the second request. Its experiences were the latest in a string of ransomware attacks targeting hospitals and health systems across the U.S.

How can you detect a fake ransom letter?

The Armada Collective normally requests 20 Bitcoin (approx. $6,000 US Dollars at the peak of the attacks), while other campaigns have been asking for amounts above and below this amount. Fake hackers request different amounts of money. Low Bitcoin ransom letters are most likely from fake groups who are hoping their price point is low enough for someone to pay rather than seek help from professionals.

Check Your Network

Real hackers prove their competence by running a small attack while delivering a ransom note. If you can see a change in your network activity, the letter and the threat are probably genuine.

Look for Structure

Real hackers are well organized. Fake hackers, on the other hand, don’t link to a website. Nor do they have official social media accounts.

Consider Other Targets

Real hackers tend to attack many companies in a single sector. Fake hackers are less organized, targeting anyone and everyone in hopes of making a quick profit. Contact peers or information sharing organizations in your industry to see if there is a more widespread campaign underway.

What now?

While it is impossible to predict the next target of a ransom group, organizations need to proactively prepare their networks and have an emergency plan in place for such an incident. If faced with a threat from a blackmail group, it is important to take the proper steps to mitigate the attack. Organizations under attack should consider:

* A security solution that can protect an infrastructure from multi-vector attacks, including protection from network and application-based DDoS attacks, as well as volumetric  attacks that can saturate the Internet pipe.

* A cyber-security emergency response plan that includes an emergency response team and process. Identify areas where help is needed from a third party.

* Monitoring security alerts and examining triggers carefully. Tuning existing polices and protection to prevent false positives and allow identification of real threats when they    occur.