Ransomware is the latest tool in the cybercriminal’s arsenal, but it has, to date, largely been used to target consumers. Could it now be used to hit banks and other financial institutions too? We take a closer look.

In the last year to 18 months, ransomware has emerged as a serious tool for cybercriminals, and, in turn, developed into a growing concern for security-savvy citizens and business chief information security officers (CISOs).

Described by some as the virus ‘that blackmails you’, ransomware essentially blocks access to your files, while simultaneously demanding payment in return for restoring access. It’s a crude attack, but a very successful one that can earn cybercriminals big money.

A huge number of ransomware variants have come and gone in years gone by, from those that encrypt your hard drive in exchange for bitcoin payments, to others which simply try and scare the user into coughing up their money.

By far, the most dangerous type of ransomware this decade has been Cryptolocker, which has already infected over half-a-million PCs. It was also big enough for the FBI and Europol to get involved and they eventually brought down the criminal’s computing infrastructure behind the ransomware. Other variants have been nearly as successful – the spin-off CryptoWall generated over £200 million for one criminal gang, according to analysts.

To date, however, most victims have been random citizens, infected by a phishing email, spam or a fake software update. It may also arrive via a drive-by-download attack on a bogus or spoofed website.

Users usually come to be infected after clicking a link or opening an attachment, and the virus will then look to encrypt the hard drive. The ransomware alert will appear on screen and cannot be minimized. At this point, the attacker(s) will request a ‘modest’ amount of bitcoins – around £330 – for the files to be unlocked.

It’s a danger paying though, as there’s no guarantee the cybercriminal(s) won’t return for another payday. The best bet is to go back to your most backed-up files, despite what the FBI might say.

Most organizations are susceptible to ransomware

ransomware

Neil Douglas, a project delivery manager at the Edinburgh-based IT company Network Roi, recently helped a small business client whose server was hit by ransomware.

"We had to recover everything from back-up. We'd had a back-up two minutes before the infection, so the timing couldn't have been any better - but it did result in quite a bit of downtime," he told the BBC.

"You could risk paying them - but it's a bit like paying a blackmailer. We would only recommend it as a last resort. You don't know whether they'll come back for more; you don't know that they'll clear the infection."

It was indeed a case of ‘the last resort’ for Massachusetts’ Tewksbury Police Department, which eventually paid a ransom to cybercriminals when their main service was attacked and locked down by ransomware last year.

The Sheriff’s Office of Dickson County, in Tennessee, did the same when CryptoWall locked 72,000 autopsy reports, witness statements, crime scene photos and other documents.

Detective Jeff McCliss said in an interview with NBC Nightly News earlier this year: "It really came down to a choice between losing all of that data and being unable to provide the vital services that data would've assisted us in providing the community versus spending 600-and-some-odd dollars to retrieve the data.”

It’s certainly a big deal for all companies - a report recently published by the Australian government claimed that 72% of businesses experienced ransomware incidents in 2015, compared to just 17% two years ago.

The trend for ransomware attacks on banks

bitcoins

The question is: could ransomware be used to hit organizations that hold the most capital – i.e. the banks? Up until this point, the answer has been a straight ‘no’. Banking defenses are better than most other sectors, and the only ransomware to target banks was actually aimed at their customers, mainly through phishing emails.

For example, two years ago, the UK’s National Crime Agency warned of a Cryptolocker campaign targeting millions of bankers, infecting them with a phishing email falsely claiming that the individual ‘owed the bank’ more taxes, or had to pay some type of payment to the bank.

However, more latterly, there have been signs of change. Last month, researchers indicated that three Greek banks were targeted with bitcoin ransomware, with attackers from the Armada Collective requesting a grand sum of €21 million to decrypt the files.

And while it wasn’t strictly ransomware, an individual going by the name of Hacker Buba also demanded a ransom of $3 million after penetrating the defenses of a small bank in the UAE bank, InvestBank. He was eventually foiled, although his plan was to release customer data until payment was received.

These attacks are currently few and far between, but with ransomware authors creating new variants which target Windows and Mac, mobile devices, YouTube ads and now, according to security expert Brian Krebs, encrypt entire websites, you can be sure that bank defenses will be tested by ransomware for a long time to come. The one million dollar question is whether banks can do enough to keep them out.