Ransomware Part 3, Threats and Culture

In part three of the series of articles about Ransomware, we examine the threat of ransomware looking at some of the industries and look at some reasons why some areas are affected more than others. We also review culture and see if this has any effect on ransomware mitigation

In previous articles we wrote about ransomware, what it is and some brief history, next we will look at the general threat with ransomware and how it is increasing, we will briefly look at some sectors (mainly the health sector) and what we should be doing to mitigate the problem to include looking at the culture of the organisation and staff as well as technical implementations.

 

Threat of Ransomware

The threat of becoming infected with Ransomware is real and based on the number of unique samples per day and, it is steadily increasing. (Kroustek, 2016)

A large problem with ransomware is that it does not just target home computers, ransomware in general seems to target small and medium sized businesses (SMB’s) these can be generally seen as an easy target as they are less likely to have adequate network security protection in place. But it is not only these smaller companies, Hospitals, Banks and even police networks have been infected already!
The FBI in a news article released in 2015 state that “Businesses, financial institutions, government agencies, academic institutions, and other organizations can and have become infected with it as well, resulting in the loss of sensitive or proprietary information, a disruption to regular operations, financial losses incurred to restore systems and files, and/or potential harm to an organization’s reputation.”(FBI.gov, 2015) Newer versions of ransomware are now also targeting mobile phones and tablets, demanding payments to unlock those devices also.
There are also obviously benefits from not targeting specific industries – to widely spread and inflict the ransomware payload on as many organisations as possible.

Health Sector

If we look at any industry or sector there are obvious signs of an increase in the likeliness of becoming infected, but since we have heard of so many being reported to have been attacked, lets briefly look at hospitals in particular!
Over the last few weeks from writing this article (March 2016) a number of Hospitals have been hit with ransomware, there was a hospital in LA and two further Hospitals Germany and then a fourth in Canada, all being affected in as many weeks. The LA hospital, in Hollywood reportedly paying out a whopping US $17,000 to regain access to their files, the initial demanded amount said to have been considerably higher at over 3 million dollars!, DigitalTrends estimated the initial demand at 3.4 million(Mogg, 2016), where CNBC.com estimated it at 3.7 million US dollars(Balakrishnan, 2016). SCMagazine.com reported of two Hospitals in Germany which were also affected but it did not mention whether the ransom was paid or how much was demanded.(Millman, 2016).
In an interview with DW.com, a representative for the hospital said “We haven’t received a concrete demand for money, but we’ve seen these pop up windows that appear if you don’t stop the ransomware on a computer” They also mentioned that when they identified what was happening that they “pulled the plug on everything” but a number of systems went offline to include an email server, two weeks afterwards the hospital were still advising patients to call or send faxes as the email servers were still not functioning (Steffen, 2016).

A fourth hospital in Ottawa, Canada was hit with ransomware on several of its computers, SC Magazine, quote Kate Higgins, a hospital spokesperson as saying “The Ottawa Hospital has an enterprise backup system and backs up all systems and data in accordance to defined business requirements. Recovering from a malware incident is one such requirement” she further states that no payment was made. (Metzger, 2016)

Medstar in Columbia have also had to take systems offline in Baltimore due to ransomware around the 28th of March 2016 (Gallagher, 2016)

So why the health sector?

Although not generally targeting specific industries, we can definitely see some trends arising especially with the amount of hospitals being effected, are they actually being targeted, or is there just a lack of security and defences in place?….. Well one thing is for sure that where there are patients at risk (not from the ransomware! but instead from IS systems going offline) that which could result in the death of a patient, they are more likely to pay, this given with the fact that previous hospitals have in fact paid means that they start becoming targeted. if we examine the previous cases of effected hospitals with Ransomware, we can see that they have been paying out, making them attractive targets – a article on arstechnica.com states that Medstar paid out a whopping €17,000 in March – but the article further states that sources say it was actually much more! (Gallagher, 2016)

How are hospitals getting targeted then?

As stated earlier, ransomware is not specific in the target system, But it generally is delivered from a source – in a lot of cases this can be from compromised websites or phishing emails – this is where the targeting can come from.

In the article previously cited (ARS Technica.com), the author states that the CISCO threat research body (CISCO Talos Research) that a number of healthcare providers were infected via web servers running JBoss and that it was due to this vulnerability that the ransomware spread. the article further identified that the healthcare seemed to have the most amount of vulnerable systems, they state that hospitals are susceptible, “not because the attackers set out to target healthcare specifically, but because of the types of applications used by hospitals and healthcare networks. Wilson believes that the ransomware developer simply scanned for vulnerable servers on the Internet, and most of the ones that were discovered were at healthcare organizations” (Gallagher, 2016)

Talos state that they are examining a strain of ransomware which was targeting vulnerable servers which appeared within the health industry. This new form of ransomware is called SamSam gets launched and spreads via compromised servers using JBoss and other environments.(“Cisco Talos Blog: SamSam: The Doctor Will See You, After He Pays The Ransom,” 2016)

It’s not just Health Care, all areas even government and police force systems have been infected!

It is not all hospitals, Lincolnshire County Council was hit with a UK £1million demand in January of this year according to the BBC, it was not reported that they paid, saying that only a few systems were affected to include library systems. A spokesperson, Mrs Hetherington-Smith said: “People can only use pens and paper, we’ve gone back a few years.”(“Lincolnshire County Council hit by £1m malware demand – BBC News,” 2016)
There has even been several police stations affected with ransomware, article from the Boston Globe refer to Tewksbury Police Department being hit, receiving a ransom for $500 dollars, it also refers to the Swansea Police Department falling victim in 2013 and paying up $750 dollars to regain access to their data.(Bray, 2015)

To give an estimate of the abundance of ransomware attacks, In 2014 during a nine-month period, the FBI received 1,838 complaints about ransomware, and it estimates that victims lost more than $23.7 million.(Nakashima & Zapotosky, 2016)

What about Ireland

Although not as widely reported in Ireland, that is not to say that we are not falling victim to our fair share of being hit with ransomware attacks, a rec

Figure 4 Sunday-Independent 06.03.2016 Retrieved from Zinopy.ie

Figure 4 Sunday-Independent 06.03.2016 Retrieved from Zinopy.ie

ent article by the independent.ie stated that Gardai confirmed that Ransomware attacks are now “rampant” in Ireland and that they are aware of “incidents in relation to a ransom being demanded from businesses” the report further states that businesses have been asked to pay demands greater than €20,000 Euros to gain access to their data (O’Regan, 2016). Another article informs us that “Ireland is in the grip of a ransomware wave, with businesses, public bodies and ordinary citizens being attacked relentlessy” and that the numbers of attacks have increased in volume and intensity, the report also illustrates a report from Data Solutions where they found that 23pc of Irish companies had experienced some form of ransomware attack (Weckler, 2016).

 

Zinopy.ie also state that they have “seen a significant escalation in the number of Irish organisations, including Public Sector organisations, that have been affected by Ransomware attacks in the past few weeks and months”. (Zinopy.ie, 2016)

Anti-Ransomware / Lack of protection?

Organizations are complaining about the lack of protection against ransomware, looking at specialists for advice, guarantees and relevant protection methods.
As always, prevention is better than the cure but, similar to the problems with viruses and other forms of malware, new strains are constantly being created, some of these are polymorphic (shapeshifting) which means that mitigation applications need constant signature updates to be able to identify mitigate the threat.
There are some products coming to market aimed at protecting against ransomware – one such program which is in beta form called ‘Anti-Ransomware’ from Malwarebytes, here on their page they cite that “Malwarebytes Anti-Ransomware uses advanced proactive technology that monitors what ransomware is doing and stops it cold before it even touches your files. It has no shot at encrypting. And it does not rely on signatures or heuristics, so it’s light and completely compatible with antivirus”.(Kleczynski, 2016). This and other similar programs bound to come to the market may help mitigate some or even all of the problems, but ransomware, together with other forms of malware show the need to whitelisting software instead of blacklisting (but that’s another article within itself!)

Other products are designed to pretend that your system has already been infected to evade attack. An example of this is has been investigated by the researcher Sylvain Sarméjeanne where he has been working on some methods to evade the locky ransomware variant, in his article on lexis.com, Sylvain introduces several methods, to include setting the system language to Russian where it does not infect these systems, but due to the fact that most users (including myself) don’t speak Russian this is not an option, another option is to add a registry key HKCU\Software\Locky as this is a key which is created upon infection but if the key already exists he says that it terminates immediately without infection!(Sarméjeanne, 2016)

Because Ransomware works because of the potential to loose data and continuity, looking at the the availability of data and systems is paramount, one needs to identify the Recovery Point Objective (RPO – to what point data / systems must be brought back online to) and Recovery Time Objective (RTO – how long one has to get back to a working system) then the methods can be chosen to mitigate the risks alongside any potential anti-ransomware or ‘Vaccines’! as if it does not work it will be these recovery options that you will be faced with. So adequate backup systems and procedures need to be in place. Because SMB’s and home users are less likely to have these they are quiet often the ‘target’.

US-cert.gov state that a reason why ransomware is so effective is that it instills “fear and panic into their victims, causing them to click on a link or pay a ransom, and inevitably become infected with additional malware” (Us-Cert.gov, 2014)

Is it ultimately a culture problem then?

ABC – Attitude, Behaviour and Culture – can we change this to reduce the risk?

Attitude, Behaviour and Culture

Attitude, Behaviour and Culture

An area which keeps raising its head when it comes to any form of security is culture, the technical instruments which we can apply will only work so well, with an attack vector like ransomware which may be lurking as a download or an attachment in any email or website to which we are in contact with, we need to also look at the individuals who interface with them – the end users.

A report by Michael Ferguson about the amount of ransomware attacks which hit Autstralia in 2014 is a very interesting read. In his article, the author illustrates that out of 2 million instances of Cryptolocker detected in October 2014, that sixty percent was detected in Australia alone, with the same percentages detected in November and December, sixty percent of the total 1.2 and 1.05 million instances worldwide!.
In his article the author analyses the Australian market based on the attitudes of the ‘average Australian Business Executive’ with regards to their appetite for risk. After analysing the market, he believes that the top 5% are risk averse, 10% minimal and 40% cautious. The author further analyses other markets, for example he states that in 2013 estimates for the value of credit card fraud, that Australian cards were worth 2.8 times the value of American cards to which he mentions that it is possibly not down to the balance on the card but instead possibly due to the safety measures in place (or lack thereof). Michael points out several conclusions as to why Australia was subject to such large percentages of successful attacks to include that

  • Corporate Australia was still in a state of growth and development, meaning Australia was risk hungry, and hadn’t aligned itself with the robust security standards provided for us.
  • Organizations, have yet to adopt a Threat / Risk centric approach to how they can protect the intellectual property we have worked so hard to develop and accept this as a Focus of Interest to the attacker.

(Ferguson, 2015)

So as well as implementing backup strategies and technologies, don’t forget the ‘soft’ approach – change the culture within the organisation!.

Links to previous Articles:

Ransomware – Part 2: from Knights to the International Aids conference and beyond

Ransomware – Part 1, What is Ransomware

 

References (All Ransomware Articles)

Balakrishnan, A. (2016). The hospital held hostage by hackers. Retrieved March 15, 2016, from http://www.cnbc.com/2016/02/16/the-hospital-held-hostage-by-hackers.html

Bitcoin.org. (2016). Bitcoin. Retrieved from https://bitcoin.org/en/

Bray, H. (2015). Tewksbury police pay bitcoin ransom to hackers – The Boston Globe. Retrieved March 22, 2016, from https://www.bostonglobe.com/business/2015/04/06/tewksbury-police-pay-bitcoin-ransom-hackers/PkcE1GBTOfU52p31F9FM5L/story.html

Cisco Talos Blog: SamSam: The Doctor Will See You, After He Pays The Ransom. (2016). Retrieved April 9, 2016, from http://blog.talosintel.com/2016/03/samsam-ransomware.html

FBI.gov. (2015). FBI — Ransomware on the Rise. Retrieved March 14, 2016, from https://www.fbi.gov/news/stories/2015/january/ransomware-on-the-rise

Ferguson, M. (2015). Why was Ransomware So Successful in Australia? ~ Security, So What? Retrieved March 16, 2016, from http://www.securitysowhat.com/2015/04/why-was-ransomware-so-succcess-in.html

Finkle, J. (2016). Mac ransomware caught before large number of computers infected | Reuters. Retrieved March 15, 2016, from http://www.reuters.com/article/us-apple-ransomware-idUSKCN0W80VX

Gallagher, S. (2016). Two more healthcare networks caught up in outbreak of hospital ransomware | Ars Technica. Retrieved April 9, 2016, from http://arstechnica.com/security/2016/03/two-more-healthcare-networks-caught-up-in-outbreak-of-hospital-ransomware/

Kaspersky.com. (2016). What is Ransomware? | Prevention & Removal | Kaspersky Lab US. Retrieved March 14, 2016, from https://usa.kaspersky.com/internet-security-center/definitions/what-is-ransomware

Kirk, J. (2014). “Reveton” ransomware upgraded with powerful password stealer | PCWorld. Retrieved March 14, 2016, from http://www.pcworld.com/article/2466980/reveton-ransomware-upgraded-with-powerful-password-stealer.html

Kleczynski, M. (2016). Introducing the Malwarebytes Anti-Ransomware Beta | Malwarebytes Labs. Retrieved March 16, 2016, from https://blog.malwarebytes.org/news/2016/01/introducing-the-malwarebytes-anti-ransomware-beta/

Knowbe4.com. (2016). AIDS Trojan or PC Cyborg Ransomware. Retrieved March 14, 2016, from https://www.knowbe4.com/aids-trojan

Kroustek, J. (2016). Ransomware on the rise – how to protect your devices and data. Retrieved March 14, 2016, from http://now.avg.com/ransomware-on-the-rise-how-to-protect-your-devices-and-data/

Lincolnshire County Council hit by £1m malware demand – BBC News. (2016). Retrieved February 1, 2016, from http://www.bbc.com/news/uk-england-lincolnshire-35443434

McAfee Labs. (2015). Meet “Tox”: Ransomware for the Rest of Us – McAfee. Retrieved March 15, 2016, from https://blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us/

Metzger, M. (2016). Canadian hospital infected with ransomware – SC Magazine UK. Retrieved March 22, 2016, from http://www.scmagazineuk.com/canadian-hospital-infected-with-ransomware/article/484003/

Millman, R. (2016). Ransomware holds data hostage in two German hospitals – SC Magazine UK. Retrieved March 15, 2016, from http://www.scmagazineuk.com/ransomware-holds-data-hostage-in-two-german-hospitals/article/479683/

Mogg, T. (2016). Hollywood hospital pays $17,000 to ransomware hackers | Digital Trends. Retrieved March 15, 2016, from http://www.digitaltrends.com/computing/hollywood-hospital-ransomware-attack/

Nakashima, E., & Zapotosky, M. (2016). These hackers can hold a town hostage. And they want ransom — paid in bitcoin. – The Washington Post. Retrieved March 22, 2016, from https://www.washingtonpost.com/world/national-security/these-hackers-can-hold-a-town-hostage-and-they-want-ransom–paid-in-bitcoin/2016/03/18/1a2e2494-eba9-11e5-bc08-3e03a5b41910_story.html

O’Regan, M. (2016). Hackers demand €20k as firms hit by “ransomware” – Independent.ie. Retrieved March 15, 2016, from http://www.independent.ie/irish-news/hackers-demand-20k-as-firms-hit-by-ransomware-34515040.html

Peters, S. (2015). Police Pay Off Ransomware Operators, Again. Retrieved March 14, 2016, from http://www.darkreading.com/attacks-breaches/police-pay-off-ransomware-operators-again/d/d-id/1319918

Sarméjeanne, S. (2016). Abusing bugs in the Locky ransomware to create a vaccine (update 2) – Lexsi Security Hub. Retrieved April 9, 2016, from https://www.lexsi.com/securityhub/abusing-bugs-in-the-locky-ransomware-to-create-a-vaccine/?lang=en

Steffen, S. (2016). Hackers hold German hospital data hostage | Germany | DW.COM | 25.02.2016. Retrieved March 15, 2016, from http://www.dw.com/en/hackers-hold-german-hospital-data-hostage/a-19076030

Us-Cert.gov. (2014). Crypto Ransomware | US-CERT. Retrieved March 16, 2016, from https://www.us-cert.gov/ncas/alerts/TA14-295A

Weckler, A. (2016). Stand and deliver – the ransomware wave ravaging Irish SMEs – Independent.ie. Retrieved March 16, 2016, from http://www.independent.ie/business/technology/stand-and-deliver-the-ransomware-wave-ravaging-irish-smes-34526253.html

Young, A., & Yung, M. (1996). Cryptovirology: Extortion Based Security Threats and Countermeasures. Retrieved March 22, 2016, from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.121.3120&rep=rep1&type=pdf

Zinopy.ie. (2016). Irish Government hit by new wave of ransomware attacks – Zinopy. Retrieved March 15, 2016, from http://www.zinopy.ie/news/irish-government-hit-new-wave-ransomware-attacks/

Posted in Ransomware, Security Attacks, Vulnerabilities and tagged , , .