Information security stakeholders' first "to do" item in the New Year is to predict threats that are likely to materialize during the coming 12 months. Based on discussions with clients, colleagues and a review of the relevant literature, we will most likely see an increase in vulnerabilities related to the "Internet of Things" and threat of ransomware. Although it's highly doubtful that financial advisors or their firms have to worry about their brand new WiFi enabled refrigerator being hacked — at least from a professional standpoint — ransomware is another story.
Ransomware, as its name implies, or more specifically, cryptographic ransomware, is software that holds your personal or financial data for ransom by encrypting it and asking you for money to give it back. Advisors and clients need to be informed about this threat and how to minimize the related impact of losing their personal or financial data.
That stakes are considerable. According to the FBI, cybercriminals collected US$209 million through ransomware strategies in the first quarter of 2016 alone. That total is expected to hit US$1 billion for 2016 as a whole. Malicious email is the primary method of attack that ransomware actors use. PhishMe, a U.S. firm focused on helping companies and their employees manage phishing threats, has estimated that 91% of recent cyberattacks originated from an email.
What's most frightening is that the response rate of such attacks was about 31%. According to a survey conducted by Malwarebytes Corp., a U.S. firm that develops anti-malware software, almost two-fifths of businesses in the U.S., Canada, the U.K. and Germany were hit by ransomware attacks last year. Approximately 80% of the time, the targets were mid-level managers or higher.
Ransomware mainly targets users who rely on Microsoft Corp.'s Windows operating system, who account for 90% of the PC market. U.S. tech conglomerate Cisco Systems Inc. named ransomware as "the most profitable malware ever" in 2016. A quick look at its business model makes it easy to understand how this threat rose to the top of the "malware-chain." Ransomware is characterized by low payouts (average of US$300), high payout rates and anonymous payment collection (bitcoin; see my last column).
It's the perfect recipe for disaster: a high-impact threat with a cheap recovery method that affects a high percentage of people in a position of power. This combination makes it exceptionally hard and economically inefficient for authorities to track perpetrators.
Why ransomware phishing works
Phishing emails exploit curiosity by spoofing legitimate entities such as banks or your internal IT department. They encourage you to click on a link that redirects you to a compromised website or attachment (usually a macro that you'll need to enable), which then runs malicious code on your computer. The enticement strategies the phishers use are astonishing and anyone could be fooled. One of the latest technique uses a Word document with "encrypted" content. Once you open the document, you're asked to run the macro to "decrypt" the text.
Buy why are Phishing strategies so effective? Because we're human and what drives us is curiosity — even if it means opening a shady email. Curiosity accounts for 13.7% of the reasons people give as to why they were duped. Fear comes in second at 13.4%, followed by urgency, at 13.2%, as many of us will go to substantial lengths in our professional lives not to lose their jobs because of poor performance and missed deadlines.
Security stakeholders thus need to prioritize preparation and prevention. Preparation means doing regular backups and properly controlling network access and use. Backups will help you recover data in the form they were, before they were encrypted, and sound management of access rights will help limit the spread of the ransomware on your network. As for prevention, your team members will need to control attachments on emails they receive and secure their endpoints.
Multiple technical solutions can also be used. These include antivirus programs and next-generation firewalls. That said, the best prevention remains education: be suspicious about any unsolicited emails. If you're not 100% sure about an attachment, don't hesitate to ask your IT department. They will thank you.
That said, I wish you and your clients a happy and ransomware-free 2017.