This malware is a nuisance to many, but could mean big trouble for payments companies.
Criminals, much like legitimate businesses, know that the real money is in volume. They would rather have their malicious software on millions of computers than on just a few thousand. The wider the net, the more they stand to ensnare.
This concept is why ransomware—a type of malware that restricts access to data until a ransom is paid to unlock the data—experienced so much growth in 2017.
Typically, a victim unknowingly installs the malware via a phishing email. Once it’s loaded onto the computer or mobile device, the code triggers a message that appears on the screen demanding that a fee be paid, typically in Bitcoin, to free access to the user’s data.
Often, the fee is low enough that the victim can justify paying it rather than lose all of the data. Yet, the profit for a criminal can be immense. Data-security company Trustwave said in its 2015 Global Security Report that criminals might harvest a 1,425% return on their investment after buying exploit kits and other tools of the dark trade.
‘The Threat Is Real’
How much of a problem is ransomware and why should payments companies care?
In 2016, ransomware, at 22%, was the single most common incident engagement for NTT Security Corp., a Tokyo-based security-services firm that is part of the NTT Group. In the Americas, finance was the third most targeted industry. The manufacturing and education segments were numbers 1 and 2, respectively.
Earlier this year, antivirus specialist Kaspersky Lab reported that it detected 3.5 times as many mobile ransomware installation packages in the first quarter as it had in the fourth quarter of 2016.
“Ransomware will not go away,” says Gideon Samid, chief technology officer at BitMint, an Israel-based digital-currency developer. “It is such an effective tool because the price can be gauged. It can be so, so low for the victim, it can be a [reasonable] business decision to pay.” (Samid writes the “Security Notes” column for Digital Transactions.)
“They put out a dragnet, whatever they catch, they catch,” Samid says. “Their challenge is to find out how much they can ask of you.” Is it better to pay up and shut up rather than go to the Federal Bureau of Investigation? That’s often the decision victims have to make, he says.
Ransomware’s threat is pervasive and quick-acting. “The threat is real for any business,” says Robert Hotaling, vice president of information security at North American Bancard Holdings LLC, a Troy, Mich.-based processor.
The criminals’ usual method is to mask the victim’s data with encryption, then demand payment for the decryption key. “The encryption process runs so fast you do not notice it until it is too late,” says Hotaling. “It can significantly impact a business in the short term, or long term, if the merchant does not have adequate backups. Ransomware can put an entire company out of business.”
And there’s the unknown of what might happen to encrypted data. “At its core, ransomware seems innocent enough in that the data is not being exfiltrated,” says Marc Punzirudu, director of security consulting services at ControlScan, an Atlanta-based data-security provider. “But, you don’t know what’s happening to the data when it’s encrypted.”
Careful What You Open
Ransomware and its perils have the attention of the payments industry. “The ransomware phenomenon has certainly increased awareness while reinforcing focus on good security practices,” Hotaling says. “Targeted attacks are difficult to anticipate, which is why all firms should implement, and follow, strict cybersecurity programs. Internal controls and safeguards must be closely followed.”
Given the unpredictability of ransomware, adhering to a set of controls and policies is among the best countermeasures to the malware. Getting the word out to employees to ensure these measures are complied with is paramount, says Al Pascual, senior vice president and research director at Javelin Strategy & Research, a Pleasanton, Calif.-based payments-research firm.
“It needs to start with security-awareness training for employees,” Pascual says. “Educate them on the best practices on the information they share.”
That could involve teaching them about phishing emails. In the NTT Security report, the finance sector, at 15%, was the second-most targeted industry for phishing.
It’s especially insidious if the phishing email falls under the business email compromise definition. These emails may hide ransomware and other types of malware. They appear official, even mimicking a legitimate user in the organization to convince someone to wire money or download malware hidden in an attachment.
“Most of the ransomware being pushed down is not being installed via bugs in software,” says Karl Sigler, threat intelligence manager at Chicago-based Trustwave’s SpiderLabs, a dedicated team that ferrets out malware and other digital malfeasance. “A lot of times [the criminals] just need to convince the user to open a document.”
Indeed, email spam is a popular way to deliver ransomware to individuals, Sigler says, adding, “We have seen a concurrent move to spam messages.”
In the business-to-business world, criminals may look for potential victims on social-media sites like LinkedIn.com, Pascual says. They choose a victim and send them an email that itself may carry the malware.
One bit of consolation is that the criminals behind the ransomware wave are opportunistic, so they aren’t necessarily targeting the payments industry any more than other segments.
Still, merchants served by the payments industry may be impaired by ransomware, too. Small and large businesses alike can be targets of this cyber-extortion. While larger organizations may have more money and staff to protect against ransomware, a small business, though its network is often simpler, usually lacks those resources. “They have a smaller user base, a smaller number of technological devices,” says Sigler. “That simplicity can bring security a lot quicker. Unfortunately, a lot of small businesses don’t have the know-how, the resources, or the people.”
To Pay Or Not To Pay?
Regardless of size, a company struck by ransomware has to decide if the fee should or should not be paid.
“In practice, so many victims are just paying up and not mentioning word of the crime,” Samid says. “For some merchants, if the ransom is not too much they will pay and keep doing business.”
Bitcoin is by far the preferred payment method. “Since Bitcoin is not tied to a real person and can be tumbled or washed, it will always be the payment of choice,” says Hotaling. “Google and iTunes gift cards as well as Ethereum are a small percentage of the ransomware payment infrastructure.”
Bitcoin’s popularity, however, has had some impact on ransomware payments. As use of the digital currency increases, the technology that tracks the transfer of Bitcoin—called the blockchain—becomes congested, slowing transactions, sometimes for hours.
“In fact, there’s been so many delays that people paying by Bitcoin wouldn’t get the transactions into the ledger in time in order to make the cutoff set by the ransomware,” says Javelin’s Pascual.
One way to mitigate the potential impact of ransomware—besides not installing the malware in the first place—is to create backups of data.
“Backups are probably the most important thing that organizations can do to prevent the sort of damage that ransomware can wreak,” Sigler says.
The reason is that, should ransomware make it into a network or device, a backup copy of the data can be restored, a practice that makes sense whether or not the ransom was paid.
“If you have good backups, have tested the recovery of that data, and if you have that process set up, you really can’t be held for ransom,” Sigler says. You have the data that you can restore on your own, he says.
Having a backup process, and adhering to it, is part of an effective countermeasure strategy. The other component, a proactive one, is education. “You need a combination of proactive controls and reactive controls in the event [ransomware] does happen,” Punzirudu says.
Another concern for the payments industry is the prevalence of mobile devices among employees and among merchants as point-of-sale acceptance points.
Generally, Sigler says, these bring-your-own-device computers will have a lot of the same protections that a device issued by an information-technology department would have. The key is to ensure they are segmented within the network, so if an individual Android or iOS smartphone gets ransomware, it can’t easily be transmitted to other devices.
“Segmentation and monitoring the networks for bizarre activity; these go a long way to reducing the risk,” Sigler says.
Another entry point for ransomware is a device linked to the Internet and networked in a configuration known as the Internet of Things, says Punzirudu. In IT parlance, these IoT devices are endpoints, where the network ends and human interaction begins.
“Endpoint protection is extremely important,” he says. “For example, many of the companies I worked for in the past had a secure email client.” That type of email application makes it easier for technology administrators to monitor messages and attachments.
Companies and individuals will need to guard against ransomware for some time. Partly, that’s because some criminals don’t see ransomware as necessarily a criminal act, says Samid. One criminal told Samid that he viewed ransomware as akin to paying a toll. “Well,” Samid says the criminal told him, “that’s what we are. No damage done. Just forcing you to pay up.” That notion, Samid says, is really dangerous.
“From the point of view of the attacker, there is a sense of poetic justice,” Samid says. “They don’t do damage. No one loses their life savings. They see obscene profits of capitalistic merchants siphoned to the new world order or something like that.”
So what can organizations expect in the near term?
From a payments-company perspective, the attacks will become more sophisticated. “The attacks will get more difficult to detect and more advanced in their targeting of specific data,” says NAB’s Hotaling. “High-value industries will likely become more selectively targeted.”
Or, as Pascual puts it, ransomware is “pretty much here to stay.”