I had the pleasure of hosting a panel of distinguished cybersecurity practitioners at CIANJ’s Financial Decision Makers Roundtable. The dialogue revealed the importance of prioritizing cybersecurity from the top down and fostering a culture of awareness across the entire organization (not just the IT Department). The panelists aimed to dispel the myth that small and medium-sized businesses are somehow immune to cyber threats. To the contrary, all businesses are increasingly digitally dependent and therefore subject to dynamic cyber risks.
In New Jersey, cybersecurity is as much about economic security as it is about homeland security. For commerce and industry to thrive in the Garden State, businesses must maintain a high level of confidence in the integrity and availability of their information and networked services. Consumers, likewise, are demanding higher and higher standards of data protection to protect against identity theft and fraud.
In recognition of the economic importance of cybersecurity, Governor Chris Christie signed Executive Order 178 on May 20, 2015, to establish the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC). The NJCCIC’s goal is to promote statewide awareness of cyber threats in real time and the adoption of best practices. Our Cybersecurity Analysts monitor New Jersey’s diverse cyber threat landscape and report on best practices to help our citizens, businesses, and governments elevate the barriers to entry for cyber-criminals.
“To learn more about the NJCCIC, please visit cyber.nj.gov and sign up for our communications. Also, check out our most recent blog posts on topics like cyber insurance, insider threat, and cyber extortion.”
RANSOMWARE: AN ENDURING RISK TO ORGANIZATIONS AND INDIVIDUALS
The NJCCIC assesses with high confidence that many businesses, schools, government agencies, and home users will remain at high risk of ransomware infections throughout 2016, as financially motivated hackers continue to innovate and expand the targeting scope of their extortion campaigns. The most prevalent form of this profit-driven malware is known as crypto-ransomware, referring to the use of encryption to render files locked until a ransom is paid to release a decryption key. The observed increase in ransomware infections and development of new variants over the last two years illustrates the attractive incentives for criminal hackers, as the perceived return on investment outweighs the risk of attribution and prosecution. In recent months, several cybersecurity firms released threat predictions for 2016, with universal agreement that ransomware and other forms of cyber extortion would not only continue to increase, but expand into new digital territories. In addition to personal devices such as tablets and smartphones, criminal hackers will probably target other Internet-connected devices including home automation systems, smart appliances, vehicles, and medical devices. Likewise, businesses’ servers, websites, and cloud solutions are also at risk, particularly for businesses that outsource data storage and management to third-party vendors with poor cybersecurity practices.
• Ransomware distribution often involves cunning social engineering, such as carefully crafted phishing emails, designed to manipulate as many unsuspecting victims as possible to maximize profit. Other infection vectors include exploit kits, drive-by downloads, malvertising, and botnets.
• The developers and propagators of ransomware are able to obscure their identities and reduce the likelihood of attribution using a variety of tactics. Most variants of ransomware now rely on the Tor anonymity network for command and control, as well as the use of cryptocurrency, namely Bitcoin, for anonymously accepting ransom payments. In addition to built-in anti-forensic capabilities designed to avoid detection and forensic examination, newer variants attempt to eliminate data recovery options by encrypting additional connected drives and network shares, deleting Volume Shadow Copies and system restoration points, and even overwriting free disk space.
• Demonstrating the effectiveness of ransomware and the damages a single campaign can inflict, the Cyber Threat Alliance reported that the CryptoWall 3.0 variant infected hundreds of thousands of victims worldwide and netted criminals $325 million in less than one year. In 2015, Microsoft reported that it had removed ransomware infections from 24,000 computers after updating malware signatures in its Malicious Software Removal Tool. Furthermore, in the 2015 Kaspersky Security Bulletin, the cybersecurity company reported the detection of ransomware on over 50,000 computers on corporate networks, double the number it detected in 2014.
• There is an expanding marketplace for customizable, user-friendly ransomware tools, ransomware-as-a-service offerings, and affiliate programs that allow average users with limited technical ability to distribute malware and conduct for-profit cyberattacks. In 2015, a ransomware kit named Tox was released that allowed any Internet user to distribute and profit from ransomware. Although the developer of Tox ultimately put the kit up for sale fearing discovery by law enforcement, other hackers quickly filled the void by offering affiliate programs that promised shared profit to anyone who distributes the ransomware to more victims.
For many organizations, ransomware may not be entirely preventable; however, the impact of a successful infection can be greatly reduced if a robust data backup process is in place. Comprehensive data backups should be scheduled as often as possible and must be kept offline in a separate and secure location. The most effective method to prevent ransomware infections is to conduct regular training and awareness exercises with all employees to ensure users are proficient in safe Internet-browsing techniques and able to identify phishing emails.
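The removal of shadow copies and restore points described above is one of the few ransomware behaviors that shows up plainly in process-creation logs, which makes it a practical detection point alongside offline backups. The following is an added example, not part of the original article or NJCCIC material: it assumes a constructed pipe-delimited log format and hypothetical rule names, and matches command lines of built-in Windows recovery utilities that the article itself does not name.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical rule names; patterns match built-in Windows recovery utilities
# being used to remove recovery options (shadow copies, boot recovery).
RULES = {
    "shadow_copy_delete": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "shadow_copy_delete_wmi": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "boot_recovery_disabled": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
}

# Constructed sample process-creation events: time|host|parent process|command line
SAMPLE_LOG = """\
2016-01-12T09:14:02|WS-041|explorer.exe|vssadmin.exe list shadows
2016-01-12T09:20:31|WS-107|unknown_app.exe|vssadmin.exe Delete Shadows /All /Quiet
2016-01-12T09:20:33|WS-107|unknown_app.exe|bcdedit /set {default} recoveryenabled No
2016-01-12T11:02:10|SRV-02|powershell.exe|wmic shadowcopy delete
"""

def parse(log):
    """Yield (timestamp, host, parent, command_line) for each non-blank line."""
    for line in log.splitlines():
        if line.strip():
            ts, host, parent, cmd = line.split("|", 3)
            yield datetime.fromisoformat(ts), host, parent, cmd

def detect(log, window=timedelta(minutes=5)):
    """Return one alert per host where a recovery-inhibiting command ran.

    Several distinct rules firing on one host inside `window` is rated
    'critical': tampering with more than one recovery mechanism in quick
    succession is rarely routine administration.
    """
    hits = defaultdict(list)
    for ts, host, parent, cmd in parse(log):
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                hits[host].append((ts, name, parent))
    alerts = {}
    for host, events in hits.items():
        events.sort()
        names = sorted({name for _, name, _ in events})
        burst = len(names) > 1 and events[-1][0] - events[0][0] <= window
        alerts[host] = {"rules": names, "severity": "critical" if burst else "high"}
    return alerts

if __name__ == "__main__":
    for host, alert in detect(SAMPLE_LOG).items():
        print(host, alert)
```

An alert of this kind fires late in an infection, so it supports containment of the affected host rather than prevention; the offline backups described above remain the recovery path.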