Many people are sitting ducks for ransomware. Two security firms recently published the results of surveys that showed people may worry about cybercrime, but they don’t do much to for protection, leaving themselves vulnerable. A study by U.K.-based Sophos, and another survey by Radware asked different questions about cybercrime and ransomware, but in each case found that, unlike businesses, individuals are all over the place when it comes to actually preparing for and preventing cyberattacks.
This also applies to cases in which data was held hostage by ransomware. An IBM Ransomware study of business and consumer knowledge focused on responses to ransomware threats. The study showed that in general, the average person has a lack of awareness of ransomware, little or no preparatory action, and unfounded confidence in their own knowledge of how to respond.
In the Sophos survey, the company found people in the United States, United Kingdom, Germany, Austria, and Switzerland are more concerned about cybercrime than more personal physical attacks. Regarding computer security issues, 63 percent worried about losing money, 61 percent about having their computers hijacked, and 58 percent feared losing control of their computers. In contrast, 46 were concerned with physical assault or stolen cars, 52 percent about home robberies, and 56 percent about terrorism.
For all their concern, however, the people surveyed were largely unaware of the severity of cybercrime risks. About half weren’t aware of email phishing — a primary gateway cyberattack — or if they did know about it, they didn’t think it was much of a threat. More than 30 percent either considered ransomware a low threat or said it was one they knew nothing about, even though ransomware is the greatest current problem.
“People understand how to protect their home or car — they feel they’ve got the physical world covered. Whereas cybercriminals are invisible and the virtual crime world is unpredictable and complicated, especially when it comes to cyber threats like phishing and ransomware,” said John Shaw, Sophos vice president, Enduser Security Group.
Who’s responsible for home network protection?
Radware took a different approach and hired Harris Polls to ask people who they thought should be responsible for protecting against Internet of Things botnet attacks and what they’d do if their personal data was held hostage for payment by a ransomware attack.
When Radware asked about botnets, the people surveyed stated that hackers can hijack digital devices in respondents’ homes to launch attacks over the internet. Radware then asked who they thought should be held responsible to prevent such attacks from happening (it was OK to give multiple answers). Of those who responded to the question, 69 percent thought the device manufacturers are responsible, 55 percent put the onus on internet and cell phone service providers, and 43 percent thought individuals themselves are responsible for keeping home networks and devices secure.
Would you pay a ransom for your personal files?
An interesting split occurred when Radware asked how much, if anything, respondents would pay to unlock their personal files if their data was held hostage by ransomware. While two-thirds of respondents said they wouldn’t pay anything, the responses broke out clearly by age groups. Younger people were more willing to pay and would pay more than older people.
In the 18-34 age group 37 percent said they’d pay, 34 percent of the 35- to 44-year-olds, 15 percent of the 45- to 54-year-olds, 14 percent of the 55- to 64-year-olds, and only 9 percent of the 65 years or older respondents would pay anything. Of those who said they would pay a ransom, the same inverse correlation appeared. Of those who would pay $200 or more to regain their data, that willingness ranged from a high of 21 percent of the 18- to 34-year-olds to a low of 3 percent of the 65 and older group.
Unaware, unprepared, and overconfident
IBM’s consumer ransomware survey found that only 31 percent of respondents had even heard of ransomware, while 75 percent were confident they could protect their data on their own computers and 67 percent believed they could protect their mobile devices. Overall, 59 percent had taken no action in the previous three months to protect their systems, although among the group who had heard of ransomware, the same proportion (59 percent) had taken proactive protection steps.
Breaking down what people said they actually did for preventive action, 71 percent of the respondents said that action consisted of not opening suspicious attachment or links in emails and texts. Other protective steps included changing passwords (59 percent) and avoiding public Wi-Fi access points (48 percent).
IBM security reported it saw a lot of action in the period around Black Friday and Cyber Monday as cybercriminals loaded malicious emails masked as coming from Amazon with links for deals or for package shipment tracking. As soon as someone clicked one of those links, Locky Ransomware was downloaded and quickly encrypted all files. That would be a Black Friday, indeed.
As in the Radware survey, the IBM study found that most people wouldn’t pay to get their data back. Breaking it down, they were willing to let health records and family photos stay locked up but 54 percent said they’d pay to get their financial records back. Also, like the Radware findings, IBM found Millennials were more likely than other age groups to pay a ransom. The IBM study found a greater willingness among parents to pay to free up digital photos (55 percent) than non-parents (39 percent).
When it came to payment, an interesting dichotomy arose. Most who said they’d pay put a limit of $100 on their willingness. However, cybercriminals usually demand between $200 and $10,000. According to IBM, while people say they’ll only pay a fairly small amount, they likely end up paying more. Data gathered from cybercriminal sources indicates a high “success rate” with ransomware. CryptoLocker operators claimed 41 percent payment rates in a Time article cited by IBM.
Because of anonymity and difficulty tracing payments, most ransomware demands payment in Bitcoin. Most ransomware sets a time limit for payment, often with a big ticking countdown clock on the computer screen. One issue that arises is that people who don’t know about or how to pay in Bitcoin sometimes lose their data by not paying on time even when they want to pay. As a result, some of the ransomware networks provide helpful information and links or even have customer support lines to help victims make the payments.
What you can do
If you’re concerned about the growing threats of botnets, malware, and ransomware, and you’re willing to take steps to protect yourself, you don’t have to keep bitcoin on hand to pay ransom for your computer and get your information back.
First, be sure to back up your data, locally and in the cloud. Back it up often, like clockwork. Only you can decide how often is often enough to back up your data — weekly or monthly backups are probably sufficient for most people.
Second, be sure you have, use, and update strong computer antivirus and security programs and be sure to use them with all computers that access your home network. Speaking of home networks, especially if you have smart home components, take the steps to find out how to protect your home computer network and any smart home connected devices in your home. Many malware and botnet attacks in 2016 got in through vulnerable smart home devices.
The last step is to be diligent about not being snagged by phishing campaigns. Inform or train other people with computer access in your home not to automatically click on any unexpected video, image, music, or document files sent via email or on social media, even if you know the people who sent them. Social media identity theft is way up, often specifically for the purpose of baiting the friends of the people whose IDs were stolen with phishing campaigns.
Precaution may not be fun, but it works.
If you are a cybercrime victim
If you are victimized by ransomware or other cybercrime or suspect you are, IBM recommended that you report the crime to the FBI’s Internet Crime Complaint Center. Just like on TV crime shows with kidnapping plots, the FBI strongly discourages people from paying ransom to free up your data, because even if you pay, there’s no guarantee you’ll ever see your files again.
- FBI: Deepfakes are being made using your data to apply for jobs
- Websites are constantly tracking you — but Firefox has a fix
- Twitter apologizes for personal data misuse with timeline alert
- Major Interpol operation nabs alleged scammers and cash
- Hackers just launched the largest HTTPS DDoS attack in history