Are you prepared to handle the rising tide of ransomware?

Sep 02, 2014 | 4 mins
Cybercrime, IT Leadership

Ransomware is on the rise, even as we tend to underestimate the risk

Have you dealt with ransomware or know someone who has? Is it something you take seriously?

I didn’t.

My exposure to ransomware was limited to reading about a friend helping a friend on Facebook. Aware of the threat, I never looked deeper to learn more about it. That is, until Damballa (disclosure: Damballa is a recent client) released the State of Infections report for Q2 2014 (get the full report here).

The report, also available in a concise infographic (here), is loaded with specifics and metrics on recent ransomware. The broader report held two key findings:  

  1. Ransomware is on the rise

  2. Infections continue to impact organizations of all sizes

Is ransomware the equivalent of a cyber stickup?

The Damballa report likens ransomware to a cyber stickup. The key difference from other malware is the total absence of stealth. Like a stickup, the purpose of ransomware is to surprise you, create fear, and take your money.

Unlike traditional malware, which relies on remaining stealthy while stealing data, ransomware is nothing short of a cyber stick-up. The malware takes your computer hostage, locks files, splashes fake legal warnings on the screen and tries to shock or shame you out of hundreds of dollars in ransom.

The comparison makes sense because it is a quick attack with a high payoff — as much as $1000 per victim. Even better (or worse), ransomware is removed from the need to physically threaten someone for their money, greatly reducing overall risk to the attacker.

Here’s the rub: even if you pay, you don’t necessarily recover from the attack. After all, what incentive does the attacker truly have to make you whole?

Ransomware on the rise

With quick payoffs, often in untraceable electronic currency, ransomware is on the rise. In fact, the FBI estimates that Cryptolocker alone took in $30 million in ransom just between September and December 2013.

As the Damballa report details, even the recent takedowns aren’t a cause to celebrate. As criminals learn from these early efforts, we can expect more.

This is to be expected. Threat actors are cunning human adversaries who can adapt. History tells us they will continue to upgrade, update and improve their malware. That doesn’t mean we should give up. When the opportunity exists to go after the bad guys, we must seize it.

This is more of a rallying cry to change our approach and shift our tactics than it is a sign of submission.

While a single campaign won’t permanently change criminal or end-user behavior, one thing is certain – managing mass cyber infections will become the norm in our interconnected world. Everyone has a stake in keeping the Internet safe, whether you’re an individual user or a large enterprise with hundreds of thousands of users.

What do we do about ransomware?

The Damballa report details a few key areas for improvement. Based on those suggestions, here are three considerations:

  1. Faster detection: we need better ways to rapidly detect ransomware (and other threats) with high fidelity to guide our actions.

  2. Improved cooperation & coordination: between organizations, sectors, and across the global nature of this crime. Ultimately it requires improved communication and transparency.

  3. Better response at the local level: to notify victims with responses designed to remove the malware while protecting their information.

The opportunity is to work together to advance each of these and share information in a way that reduces the effectiveness of ransomware.

Another finding: size doesn’t matter

Broader than ransomware, Damballa noted the rate of infection is not tied to the size of the organization. Nor is it static:

Infection rates vary greatly from enterprise-to-enterprise and from day-to-day. During Q2 2014, Damballa saw enterprises with 200,000+ devices experience only a handful of infections and those with under 600 devices have alarmingly high numbers of infections – and everywhere in between.

On any given day during Q2 2014, the ratio of active infected devices ranged from under .1% up to 18.5%. The following chart is an example of how the data can be extrapolated depending on the enterprise’s size.

This is more evidence that the cybercriminals are no longer focusing on large organizations. They are consistently targeting and attacking smaller organizations.

What steps are you taking?

Have you been hit by ransomware? Know anyone who has? What steps do you follow to be prepared? What would you do if you get attacked with ransomware?

Share your experience in the comments below and we’ll keep advancing this conversation.


Michael Santarcangelo develops exceptional leaders and powerful communicators with the security mindset for success. The founder of Security Catalyst, he draws on nearly two decades of experience of success advancing security in a variety of operational roles. He guides leaders and teams on the best next step of their journey.
