FTC Chair Edith Ramirez believes that more needs to be done to deal with the ransomware threat and says defenses against ransomware must be improved.
At a recent forum event which examined the rise in the use of ransomware and the strategies that can be adopted by organizations to deal with the threat, Ramirez said ransomware is now “among the most troubling cyberthreats.” She also explained that the problem is unlikely to go away, so companies must improve their defenses against ransomware attacks.
Ransomware is used by hackers to encrypt data to prevent businesses and consumers from accessing their files. Powerful encryption is used and the attackers hold the only keys to decrypt the data. A ransom demand is then issued to supply those keys. Oftentimes, backup data is also encrypted, leaving organizations with little choice other than to pay the ransom demand. More than 4,000 ransomware attacks are now occurring each day.
Ramirez believes that ransomware is simply the next step in the evolution of malware. While cybercriminals have used malware in the past to spy on companies and obtain sensitive data, the attacks are not always lucrative. When they are successful, it can take a long time to sell on stolen credentials and receive payment. Ransomware is different because attackers are paid much more rapidly. Furthermore, it is also possible to obtain larger payments, and it takes little in the way of skill to pull off a ransomware campaign. Attackers do not even need to develop their own ransomware. It can be “rented” under an affiliate model.
A successful ransomware attack on an individual can see the attacker obtain $200 to $500. A successful attack on an organization can net the attacker several thousand dollars. The ransomware infection of Hollywood Presbyterian Medical Center in California resulted in a ransom of $17,000 being paid to obtain the keys to unlock data.
The problem has now reached epic proportions. More than 93% of phishing emails are used to deliver ransomware, and criminals are creating malicious sites with increasing frequency. The use of malicious adverts to direct users to sites where ransomware is downloaded has also increased. Those adverts are even displayed on high-profile “safe” websites through third-party ad networks.
The FTC is trying to gather information that can be used to help keep consumers protected; however, the warnings from Ramirez should not be ignored. The FTC can take action against organizations that fail to protect consumers. As Ramirez clearly stated, “A company’s unreasonable failure to patch vulnerabilities known to be exploited by ransomware might very well violate the FTC Act.” The failure to implement appropriate defenses against ransomware attacks could result in significant financial penalties being issued.