Michael J. Armstrong and Tejaswini (Teju) Herath are associate professors in the Goodman School of Business at Brock University.

October is Cyber Security Awareness Month and started with tantalizing reports that Internet giant Yahoo was secretly searching customer e-mails on behalf of American spy agencies. But in recent press releases from the FBI, Ontario Provincial Police and Interpol, it is the soaring frequency and sophistication of ransomware that is highlighted.

Typical hackers obtain their ill-gotten gains by stealing valuable data such as credit card numbers or passwords. They then find customers to buy that data.

Ransomware hackers instead sell data back to the owners. If ransomware infects your computer, it encrypts your files to render them inaccessible until you pay a ransom. This simplifies cybercrime by replacing theft with extortion.

This summer, ransomware forced the University of Calgary to pay $20,000 to unlock its employee e-mail system. And last month, a U.K. software services provider reportedly paid $31,500 to decrypt one of its servers.

Since CryptoLocker, a program that targets computers using Microsoft Windows, first appeared in 2013, ransomware attacks have soared. Cybersecurity firm Kaspersky Lab found ransomware on 50,000 corporate computers in 2015, double that of 2014.

The FBI estimated more than $209-million was paid in U.S. ransoms in the first three months of 2016, versus only $25-million for all of 2015. Check Point Software reported a 30 per cent increase in ransomware attempts in August alone.

A survey of 540 international firms conducted this summer by Osterman Research on behalf of anti-ransomware provider Malwarebytes found that nearly 40 per cent had paid ransomware in the previous year.

About 37 per cent of ransom demands fell between $1,000 and $10,000, and 25 per cent exceeded $10,000. Canadian managers apparently felt the most confident about countering ransomware; but once infected, Canadian firms were three times more likely to pay the ransom.

Ransomware's sophistication is growing alongside its frequency. Ransomware "worms" like ZCryptor can spread themselves across networks, rather than needing a ride on infected e-mails.

Some ransomware specialists are selling their services to organised crime. This crime-as-a-service business model allows criminals to outsource their technology needs.

What might come next? Imagine ransomware combining with state-sponsored hacking. Host countries might give, or sell, permission for ransomware hackers to attack rival countries' computers. These cyber privateers could plunder commerce abroad, without the host country's direct involvement. Think of regional rivals like Israel and Iran, or North and South Korea.

The Internet of Things might expose physical targets to ransoming. Control systems for factories and utilities are increasingly online. What if ransomware locked them off? If businesses begrudgingly pay thousands to recover e-mails, imagine what they'd pay to restart assembly lines.

Or how about virtual protection rackets? Instead of one-time ransoms to remove encryption, users might be "convinced" to pay ongoing fees for the "service" of avoiding encryption.

To defend themselves, computer users need to do the basics. Run antivirus programs to detect threats. Keep operating systems and applications updated. Think before clicking on unexpected e-mail attachments.

Users should also back up files regularly. If ransomware strikes, backups allow ransom-free system recovery. But keep them on removable drives, to prevent their infection too.

Infected users can also try decrypting files with tools from sites like But these might work only on the simplest cases.

Software makers should do more to facilitate these safe-computing practices. For example, Windows now offers self-updating antivirus protection by default. That's great, but unfortunately the system also makes it harder to create backups on removable drives.

Business insurers could also play a role by requiring that corporate systems be updated and backed up to qualify for coverage.

Because ransomware ignores borders, law enforcement needs to co-operate across jurisdictions. Last month's Interpol-Europol Cybercrime conference was a good step in this direction. If foreign hackers can effectively "tax" domestic businesses, ransomware will become a national security issue. So governments may need to negotiate agreements similar to those covering seaborne piracy.

Finally, firms might consider keeping key systems physically disconnected from the Internet, as some military computers always have been. Just because anything can be online doesn't mean everything should be. Remember, there are all kinds of yahoos out there.