FTC focuses on combatting ransomware

Ransomware, where a hacker commandeers a user's computer files and threatens to permanently delete them unless an extortion payment is made, is on a sharp uptick and now ranks "among the most troubling cyberthreats," the head of the Federal Trade Commission is warning.

FTC Chair Edith Ramirez addressed the issue at a recent forum that the agency convened to examine the spread of ransomware and explore strategies to combat the crime.

"The spate of ransomware incidents are escalating at an alarming rate," Ramirez says, citing an estimate from the Department of Justice that incidents of ransomware, now averaging some 4,000 a day, have increased 300 percent in the past year.

"The financial motivation for ransomware attacks suggests that the threat is unlikely to go away any time soon," she says, warning businesses to step up their own defenses to ensure that they are protecting their users from online scammers. The agency has already brought dozens of enforcement actions against companies for failing to adopt what it considers reasonable security protections.

Ramirez and some industry experts see ransomware as the latest evolution of malware, but with a notable twist. For years, scam artists have been flooding the Internet with malicious sites and bombarding users with emails aimed at infecting computers, but the payoffs have been a dubious proposition.

"The problem with ransomware is that it really has the highest monetary value for adversaries," says Craig Williams, Global Outreach Manager at Cisco Talos, the networking giant's security research arm.

"Over the last five or 10 years we've moved from a period where an attacker was making a couple of dollars per user to where now they're making a couple hundred per user, and tens of thousands per compromised business," Williams says. "It's really put things on an economic scale that we've just simply never seen before."

The examples of high-profile victims of ransomware are mounting. Ramirez cites the revelation earlier this year that the Hollywood Presbyterian Medical Center coughed up around $17,000 (paid in Bitcoin) to the perpetrators of an attack who were holding its computer systems hostage. Weeks later, MedStar was hit with a ransomware attack that crippled 10 Washington, D.C.-area hospitals. The list goes on.

Individuals, businesses and government agencies are all potential targets for ransomware attacks, which can come in the form of targeted phishing emails or, increasingly, through malicious advertising hosted on otherwise benign websites, complicating the job of a CISO trying to whitelist sites deemed safe for use within an organization's network.

"The reason why people are so scared about malicious ad campaigns is because they're delivering ransomware to trusted websites, or what the user believes is a trusted website," says Joseph Opacki, vice president of threat research at PhishLabs, an antiphishing firm.

On the email front, Ramirez notes that ransomware has become a core component of phishing campaigns, to the point where an estimated 93 percent of all phishing emails contain some sort of ransomware encryption.

And phishing itself is changing, as well, with ever-more sophisticated criminals sending out polished emails going after specific targets through spear-phishing campaigns." Before, they used to rely on spam email to deliver ransomware, but as spam filters have gotten better at blocking these messages, some attackers have turned to spear-phishing, targeting specific individuals or organizations," Ramirez says.

FTC warns companies to stay vigilant against ransomware attacks

As a consumer-protection agency, the FTC is on a fact-finding mission to learn more about how ransomware perpetrators are conducting their attacks, building on its existing efforts to combat malware.

But as the commission works to raise awareness of the evolving threats associated with ransomware, Ramirez is also putting companies on notice that they need to stay vigilant and protect their users from known vulnerabilities, or potentially face regulatory scrutiny.

"Through our enforcement we aim to ensure that companies make truthful recommendations about their privacy and security practices and that they provide reasonable security for consumer information," Ramirez says.

"One component of reasonable security is that companies have procedures in place to address vulnerabilities as they arise, including from malicious software," she adds. "A company's unreasonable failure to patch vulnerabilities known to be exploited by ransomware might very well violate the FTC Act."