Ransomware – whereby criminals steal data and threaten to destroy it unless demands for money are met – is a key strategy for hackers, but risk managers can take steps to prevent such attacks

Part of a technology risks series supported by


Ransomware is an increasingly common threat whereby hackers and criminals take possession of data through encryption and threaten to release or destroy it unless their demands for money are met. Although it originated in the 1980s, since 2012, the phenomenon has been amplified.

“This is due in part to the increasing monetisation of cyber crime,” says Gareth Evans, director at security consultancy KCS IS.

“Rather than thinking of cyber crime as hacking, as kids in their basement doing this for fun, [this should be recognised] as something undertaken by organised criminals to make money.”

Companies spent an estimated $114bn (€102bn) dealing with malware-related cyber attacks in 2013, according to research by Microsoft and the IDC. The study states that losses caused by data breaches may be as high as $350bn. Often, criminals exploit security loopholes with the aim initially of stealing intellectual property or data and selling that on. However once the information has been sold, the money pot has run out. Ransomware is another way of keeping the funds coming in.

“It takes some effort to get this kind of malware past corporate security and on to systems and so criminals want to maximise their profits,” says Evans.

“Once they have sold what they have copied and stolen, they will somehow encrypt or put that data beyond use – effectively denying a company access to its own data – unless, of course, the board decides to pay.

“To accomplish this, criminals use highly sophisticated algorithms, which are very resistant to cracking.”

As good as their word

The key to the continued success of these attacks, says Evans, is that when the ransom is paid, the criminals are as good as their word: the data is released and the company can carry on as normal.

“By doing this, they encourage people to pay,” he adds. “when word gets around that if you pay, you will be all right and you will get the keys to the digital safe back, companies will hand over money more freely.”

Just what a difficult position such an attack can put them in. They may have gone to great lengths to encrypt and protect data they see as valuable, such as credit card numbers. However other, more mundane aspects have been neglected, and when hackers take control of the day-to-day data that companies rely on – such as sales and purchasing data or email systems – it paralyses them.

Knocking out a global law firm’s email system, for instance, could cost thousands of euros quickly. According to Solutionary’s Global Threat Intelligence Report, it can typically cost firms $3,000 a day for up to 30 days to mitigate and recover from malware attacks – and that covers only consultants, PR crews, incident response teams, mitigation software and other immediate investments, not lost revenue from systems downtime or lost productivity.

“All organised criminals have to do is stop a business running to force it to meet their demands,” says Evans. “There are even types of malware that will change only the way in which computers access the internet, meaning that the organization will be bombarded with pop-ups or otherwise disrupted until it pays up.”

The problem for corporate security and risk management is that the malware is encrypted and by the time it is on the corporate system, it is already too late.

“Unless the company has a supercomputer in the basement, it has little chance of cracking the encryption,” says Evans. “Even the national Security Agency would struggle.

“The only solution is to prevent the malware from infiltrating the IT system in the first place.”

The criminals are winning

To do this, risk managers and IT staff must encourage an enterprise-wide approach to cyber security and make sure everyone knows what not to do. The key is to use secure devices and to be careful online and with email – but even this may not be sufficient.

“Malware will get through typical virus protection systems,” says Evans. “It is important to rethink the way in which cyber crime is approached – Hollywood may have created a picture that hackers are young computer geniuses as portrayed in The Matrix or Die Hard. However, they are not; they are criminal gangs. And, at the moment, they are winning.

“To stop them, what firms need to remove the capacity for human error. In most walks of life, that cannot be achieved, but within IT, it can. Better security systems can be designed and this needs to happen now.”