Ransomware programs like TorrentLocker and CryptoWall have been targeting small and medium-sized businesses (SMBs) with simple yet effective strategies. Trend Micro reports that over the summer of 2015, 67.23% of victims of CryptoWall-infected emails were SMBs. Of TorrentLocker's victims, 46.36% were SMBs, followed closely by consumers, who made up 42.15%. Many of the strategies used to infect victims mark a resurgence of older practices from the cybercriminal playbook, including Word macros carrying malicious Visual Basic for Applications (VBA) code hidden in attached documents. These are often disguised as PDFs or Word documents attached to emails, something so everyday that most employees do not think twice about how it could be dangerous. Many cybercriminals have taken notice of this and are now exploiting it.
Part of this weaponization has to do with the fact that the use of Word documents and PDFs is so widespread and dated that they are not scrutinized in the same way as newer security threats. With cloud storage, zip files, and the Internet of Things on their minds, many organizations focus on securing their networks against the threats of tomorrow and forget what has already been learned. This is not to say that organizations should not prepare for future security threats, but maintaining the existing security of a computer network is just as crucial as developing new security measures.
What has been seen, however, is that ransomware has found an appealing target in SMBs, and several factors explain why. The first is that SMBs cannot afford to lose their data once it has been encrypted by a ransomware program like TorrentLocker or CryptoWall. When an SMB falls victim to a ransomware attack, it finds itself unable to perform the day-to-day tasks that are essential to the organization. Imagine if UPS or FedEx found their customer mailing information encrypted and inaccessible. For many SMBs, that kind of attack leaves them crippled and at the mercy of whatever their attacker demands. In contrast, larger companies and corporations have additional resources to fall back on, such as a dedicated IT staff or a wealth of funds, that let them weather a ransomware attack. SMBs simply do not have access to the same resources. The second factor is that SMBs are less likely to take steps to prevent cyberextortion, such as performing routine backups or investing in security software. This can be due to a lack of funds to invest in a proper security program or to technological illiteracy. For cybercriminals, SMBs have proven less resilient to ransomware and as a result have earned ransomware creators an impressive profit.
So how do the creators and users of ransomware prove so adept at infecting their victims? Most of it comes down to knowing their targets very well. Social engineering is a technique cybercriminals use to trick victims into giving the criminal access to the information they need. Ransomware users have proven adept at using social engineering to localize their attacks and make them look like legitimate emails, so that potential victims will open the infected files. TorrentLocker has proven the most effective in this endeavor, with emails that pose as a courier service, such as Turkish Cargo, or as major businesses like Telecom Italia Mobile. In other cases TorrentLocker has even used CAPTCHA fields to verify that a human user is about to be infected, which lets it evade web reputation filters. By posing as everyday services or by adopting measures people expect from trusted sites, ransomware slips past what many expect a malicious email or website to look like.
Small and medium-sized businesses have become a prime target for ransomware users. Lacking both the funds to survive a cyber-attack and a dedicated IT staff, SMBs have fallen victim to the social engineering techniques used to localize delivery methods for ransomware like TorrentLocker and CryptoWall. There are ways to mitigate and avoid such attacks. SMBs can make data backups a routine part of their business practice, so that if they do fall prey to ransomware, they lose only the data created since the previous backup. Additionally, SMBs can invest in educating their employees on how to spot suspicious emails and adopt a company policy of forwarding any suspicious link to a system administrator. Ransomware can be crippling to small and medium-sized businesses, but with the right precautions this nightmare can be turned into a manageable nuisance.
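For the administrator who receives those forwarded emails, the macro-bearing and disguised attachments described in the opening can be triaged with a short script. This is an added example, not code from the original article; the function names, finding strings and sample message are assumptions, and the sample attachments hold placeholder bytes only.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                      # OOXML (.docx/.docm) container
PDF_MAGIC = b"%PDF-"

def inspect_attachment(filename, data):
    """Return findings for one attachment (empty list = nothing flagged)."""
    findings = []
    if filename.lower().endswith(".pdf") and not data.startswith(PDF_MAGIC):
        findings.append("named .pdf but content is not a PDF")
    if data.startswith(OLE_MAGIC):
        findings.append("legacy OLE document, inspect for VBA macros")
    elif data.startswith(ZIP_MAGIC):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            names = []
            findings.append("ZIP header but unreadable archive")
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append("OOXML document contains a VBA project")
    return findings

def triage(raw_email):
    """Map attachment filename -> findings for every flagged attachment."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        found = inspect_attachment(name, part.get_payload(decode=True) or b"")
        if found:
            report[name] = found
    return report

def build_sample():
    """Constructed message: placeholder bytes only, no real macro code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/vbaProject.bin", b"placeholder")
    msg = EmailMessage()
    msg.set_content("See attached.")
    samples = {"waybill.docm": buf.getvalue(), "invoice.pdf": OLE_MAGIC + bytes(16)}
    for name, data in samples.items():
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Calling `triage(build_sample())` flags both constructed attachments; a flagged legacy OLE file still needs a dedicated macro analyzer to confirm whether it actually contains VBA.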