Hackers are now stealing information, encrypting it, and holding it for ransom
Encryption hasn't left the news since June 2013, when National Security Agency surveillance programs were revealed to the public for the first time. From efforts to undermine encryption standards to the FBI's attempts to force backdoors into products, the list of encryption-focused headlines goes on.
As white-hat hackers repeatedly advise, encryption is your friend. But that doesn't mean it can't be used to harm people. Some hackers are starting to steal data, encrypt it, then demand a ransom in exchange for the unlocked information. The same tools used to prevent people from stealing information can also be used to make it harder to retrieve that data once it's stolen.
Kevin Haley, the director of Symantec's Security Response team, says these scams will become more common. "People have figured out that they can run a protection racket," he says. "They don't have to pretend or fool you. They'll take your files, encrypt them, and say if you pay up you'll get your files back. We saw a huge increase in 2014, we're going to see a lot more of that in 2015."
Symantec describes the growth to which Haley is referring in its twentieth Internet Security Threat Report, which was published earlier this morning:
Ransomware attacks more than doubled in 2014, from 4.1 million in 2103, up to 8.8 million. More concerning is the growth of file-encrypting ransomware (what Symantec refers to as “crypto-ransomware”), which expanded from 8,274 in 2013 to 373,342 in 2014. This is 45 times more crypto-ransomware in the threat landscape within a one-year span. In 2013, crypto-ransom- ware accounted for 0.2 percent (1 in 500) of ransomware and was fairly uncommon; however, by the end of 2014 it accounted for 4 percent (1 in 25) of all ransomware.Symantec says in its report that the best way for consumers to protect against schemes like this is to back up their data. That way they won't feel the need to pay up even when there's no guarantee the data will be returned if the ransom is paid. (What possible motivation would a hacker have to keep his word?)
As I wrote when Avast's study was first released:
There’s a clear disconnect between what people believe and what they actually do, at least so far as their personal data is concerned. It doesn’t matter if we’re talking about preserving that data or keeping it private; consumers are willing to talk the talk, but both Avast and Pew have shown that they won’t walk the walk.Something will have to change. Either people will have to act on their concerns and back up their data, or they'll have to accept the likelihood that someone will break into their computer, encrypt their files, and demand a ransom.
[illustration by Brad Jonas]