By Kim Ann King

Malware is growing more sophisticated and complex, which in turn is creating more IT and business insecurity. For example, in the past, employee education about the dangers of opening emails from unfamiliar sources and clicking external links went a long way toward mitigating potential problems. And if someone did click on a link, the malware typically would encrypt only the files on the user’s desktop.

Now, ransomware is locking down entire IT infrastructures, making whole networks completely unusable. The recent spate of attacks on hospitals is an indication of just how far, and how low, malicious hackers will go. In March of this year alone, there were at least a dozen hospitals or hospital chains afflicted with ransomware, leading some facilities to declare emergencies and turn away patients because hospital personnel were unable to access records.{ad}

This uptick in ransomware even led to a rare joint cyber alert from the U.S. and Canadian governments, warning businesses and organizations, and recommending that they not pay the demanded ransom because there is no way to guarantee cyber criminals will release the data once they receive payment, which is usually demanded in largely untraceable bitcoin.

Let’s quickly look at why this is such a problem.

First, there are very few barriers to starting a ransomware business. The start-up costs are minimal, and attackers are able to write their own malicious code or even buy “ransomware-as-a-service” on the black market. With minimal up-front investment required, there is little risk to cyber thieves, yet the returns are potentially massive if they’re successful at attacking lucrative targets. According to an FBI official quoted in a CNBC article, in 2015 there was a reported loss of more than $24 million as a result of ransomware attacks.

In that same article, Matt Devost, CEO of FusionX, a unit of Accenture, states that the “most lucrative potential victims have a specific set of characteristics. They will typically hold critical information and infrastructure, have weak and vulnerable security programs that can easily be exploited, and have the ability to pay the ransom. Small- to medium-size U.S. hospitals have proven to be a sweet spot in ransomware in 2016 because they often have a poor security infrastructure in place and are willing to pay to retrieve patient data, get back online quickly, and prevent reputational damage.”

Second, phishing schemes are way too successful. Like malware-based ransomware, phishing is becoming more sophisticated all the time. In April, the FBI warned of a dramatic increase in email scams targeting businesses. Criminals are no longer simply sending poorly written fraudulent emails that employees can easily distinguish from legitimate messages. Instead, they are employing “spear phishing” techniques that involve researching the email recipient, perhaps by looking at his or her social media accounts, and then using this knowledge to customize the scam email to make it more plausible.

The FBI says a frequent scam is for criminals to assume the identity of …

{vpipagebreak}

… an executive, reputable business or even a government agency in an email to an employee with a seemingly reasonable request to send money. This is where malware, ransomware and phishing come together: Phishing attacks often give criminals entry into IT systems, which then allows malware and ransomware to spread and lock down the entire IT infrastructure. 

The bottom line is this: Everyone is at risk — government agencies, health-care organizations, small-to-midsize businesses, nonprofits, and large enterprises. Everyone. Although authorities tell businesses not to pay ransoms, many do out of desperation, making these attacks even more attractive.

The best approach in the fight against ransomware is to help customers prepare ahead of time, rather than trying to clean up the mess after it happens.

Ready, Set, Defend

Kim Ann King serves as VP of Marketing at EiQ Networks, a pioneering security services provider, where she is responsible for all of EiQ’s global marketing efforts. She was previously the CMO of SiteSpect, a web and mobile optimization solutions provider, where she was responsible for brand awareness, demand generation, and organizational enablement initiatives that drove customer acquisition and retention. An award-winning marketer, King is also the author of The Complete Guide to B2B Marketing. Follow Kim on Twitter: @kimannking