Ransomware will “wreak havoc” on the United States’ critical infrastructure community in 2016, according to a report by the Institute for Critical Infrastructure Technology (ICIT).

ICIT’s”Ransomware Report” warned that unlike traditional malware actors, ransomware criminals can generate a steady revenue stream from targeting any system, whether it be mobile devices and personal computers or industrial control systems. ICIT says many of these devices are not secured “in the slightest” against a ransomware threat.

Ransomware is malicious software that allows a hacker to block access to a computer system, in effect holding it hostage, until a ransom is paid. Last year, Symantec reported a 250 percent increase between 2013 and 2014 in new crypto ransomware families on the threat landscape.

“New attacks will become common while unattended vulnerabilities that were silently exploited in 2015 will enable invisible adversaries to capitalize upon positions that they have previously laid claim,” the report stated. “’To Pay or Not to Pay’ will be the question fueling heated debate in boardrooms across the Nation and abroad. Ransomware is less about technological sophistication and more about exploitation of the human element. Simply, it is a digital spin on a centuries old criminal tactic.”

Ransomware attacks are both highly profitable and difficult to combat. Although the Department of Homeland Security's United States Computer Emergency Readiness Team, as well as the FBI and other law enforcement agencies, devote significant resources and expertise to mitigating attacks, the report states that “law enforcement has neither the time nor the resources to track down the culprits.”

 Encryption can also complicate detecting and responding to ransomware threats. Without a decryption key, many variants of ransomware are almost unbreakable. ICIT stated, “No security vendor or law enforcement authority can help victims recover from these attacks.”

To combat the proliferation of ransomware attacks, ICIT says responses will be largely situational. Possible responses include backing up systems, ignoring the ransom demand, or even paying the ransom. In addition, organizations need to train their employees to recognize and report threats.