Held for Ransom

Lynn Greiner, freelance IT journalist and regular contributor to InsightaaS

Within the past month, several high-profile attacks have brought an increasingly popular form of malware into the public eye. It’s known as ransomware, and it encrypts the victim’s files, then demands payment for the key to decrypt them.

And people are paying – the Cyber Threat Alliance reports that people have paid over $325 million worldwide in hopes of recovering their files, with no guarantee that they’d actually receive the decryption key and recover their data. Some ransomware purveyors up the ante by giving victims a deadline, sometimes as little as 24 hours, and then double the ransom demand if they haven’t been paid in time. Others warn that after a specified period (perhaps a week or so), if the victim hasn’t paid, the decryption keys will be destroyed, and their files will be lost forever.

This malware has been around long enough that even the payment methods have changed. Some early ransoms had to be delivered on prepaid credit cards. Today, victims are told to pay in Bitcoin, an untraceable virtual currency, and some attackers even helpfully provide step-by-step instructions on obtaining it.

Recently, things have been getting uglier. While early ransomware was spread indiscriminately, hitting whoever clicked on a compromised ad or on a link in a phishing email, the criminals are now targeting organizations. According to security firm Kaspersky Lab, several strains of ransomware are deliberately hitting hospitals. On its Threatpost blog, Kaspersky described two varieties, SamSam and Maktub, which, unlike the ransomware that infects user computers, are installed on unpatched servers. The post said:

“In the past, ransomware like CryptoLocker and TeslaCrypt required someone to open an email attachment or visit a site,” said Craig Williams, senior technical leader for Cisco Talos. “SamSam targets vulnerable servers. Those are always up and always potentially vulnerable.”

According to Williams, SamSam is able to penetrate a hospital’s network by exploiting known vulnerabilities in a company’s unpatched servers. Once the attackers gain access to the network, Williams said, hackers identify key data systems to encrypt. “This isn’t like Jim in accounting having his laptop encrypted by ransomware. SamSam targets the servers and systems that run a hospital,” Williams said.

Nasty doesn’t even begin to describe these attacks. The ransomware, once installed, can encrypt a hospital’s patient records, its pharmacy files, even the files used to control medical equipment. Security firms believe that hospitals are being hit because of their relatively antiquated equipment and poor IT security, but that other industries will soon be targeted as well.

It’s a wake-up call for business. It’s easy to discount the odd encrypted endpoint, blaming it on a careless or uneducated user, but it’s a whole lot harder to ignore an attack that potentially puts you out of business by rendering servers useless. Malware authors and distributors are inventive; some attacks do not activate immediately, waiting until the affected system has been backed up, so that when the victim tries to recover by restoring from backup, the attack simply starts all over again.

Jerome Segura, senior security researcher, Malwarebytes

Yet paying the ransom opens another door. Security firm Malwarebytes notes that once you’ve paid, you’re put on the “payers” list, and have a big fat target painted on you. I’ve seen reports of organizations that have been hit by ransomware several times, and continue to pay up each time – a nice revenue stream for the bad guys, who keep coming back.

The situation is bad enough that the US Computer Emergency Readiness Team (US-CERT) has published a set of recommendations for avoiding ransomware attacks. The sad thing is, none of them are rocket science. In fact, they’re things that every computer user, whether an individual or an organization, should be doing by default: keep systems up to date with patches and updates; make regular backups and store them offline, so the bad guys can’t encrypt them at the same time they encrypt the main system; don’t click on links in emails or open strange attachments; keep security software updated (you *do* run security software, don’t you?); and browse the web carefully. All things we’ve heard over and over, and all things many users and organizations ignore, rationalizing with the thought that they’re not big enough to be worth attacking.
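Offline backups only help if you can tell a clean backup from a tampered one before you restore it, and the delayed-activation trick described earlier makes that check more important, not less. The following is an added example, not code from the article, US-CERT or any vendor named here: a Python script that records a SHA-256 manifest of a backup set (the manifest is what you would keep with the offline copy) and later verifies the set against it, reporting in-place modifications, missing originals and unexpected new files. All file names and contents are constructed sample data, and the "tampering" step is a test fixture that merely overwrites and renames files.

```python
"""Backup manifest and verification for ransomware recovery checks.

Added example (not from the article or US-CERT): record a SHA-256 digest of
every file when a backup is taken, keep that manifest with the offline copy,
and verify the backup set against it before trusting a restore. All file
names and contents below are constructed sample data.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large backup sets need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (POSIX-style relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the files under root with a manifest recorded at backup time.

    A file-encrypting attack typically shows up as in-place modifications
    (digest changed), missing originals, and unexpected new files such as
    renamed '.locked' copies; all three are reported separately.
    """
    current = build_manifest(root)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    unexpected = sorted(k for k in current if k not in manifest)
    return {
        "ok": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


def run_demo() -> tuple:
    """Create a small constructed backup set, snapshot it, then verify it
    once untouched and once after simulated tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "records").mkdir()
        (root / "records" / "patient-001.txt").write_text("constructed sample record\n")
        (root / "records" / "pharmacy.csv").write_text("item,qty\nsample,1\n")
        (root / "notes.txt").write_text("constructed notes\n")

        # Serialise the manifest exactly as you would store it with the offline copy.
        manifest_json = json.dumps(build_manifest(root), indent=2, sort_keys=True)
        clean = verify_backup(root, json.loads(manifest_json))

        # Simulated tampering (test fixture only, no real encryption): one file is
        # overwritten in place, the others are overwritten and renamed with a
        # '.locked' suffix, mimicking the on-disk footprint of a file-encrypting attack.
        (root / "notes.txt").write_bytes(b"scrambled in place")
        for p in sorted((root / "records").iterdir()):
            p.write_bytes(b"scrambled")
            p.rename(p.with_name(p.name + ".locked"))
        tampered = verify_backup(root, json.loads(manifest_json))
    return clean, tampered


if __name__ == "__main__":
    clean_report, tampered_report = run_demo()
    print("clean backup ok:", clean_report["ok"])
    print("tampered backup:", json.dumps(tampered_report, indent=2))
```

The manifest must live somewhere the backup job cannot overwrite (the same offline media, or a separate write-once store); a manifest sitting next to the live data would simply be encrypted along with it. Running the verification against each backup generation before the retention window expires is what catches the "wait until it has been backed up" behaviour: a generation whose digests differ from the previous one without a corresponding legitimate change is the signal to stop and investigate before restoring.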

Well, guess what – no one is too small, or too big. Ransomware is an equal opportunity assault. The crooks don’t care what they’re encrypting; they just hope that you care enough to want it back.

The relatively small amounts demanded (Malwarebytes said it’s usually in the neighbourhood of US$500 per machine) may make it easier for organizations to simply pay and get back to business, but experts warn that this is likely to change as criminals deliberately target companies that can afford to pay big bucks to get back to work.

And if they don’t pay? In an article on VentureBeat, author Jack Danahy, co-founder and CTO of endpoint security company Barkly, said, “It is likely that attackers will make painful examples of organizations that cannot or will not pay to demonstrate the seriousness of their demands.”

Think about it. Those chosen as “examples” could be put out of business. In the long run, it’s much cheaper to beef up security, and security training, to make it harder for the bad guys to succeed. If it’s more trouble than it’s worth for them to prevail, they’ll look for another way to line their pockets. OK, that will likely generate different problems, but at least we’ll make the crooks work for their ill-gotten gains instead of handing them cash on a silver platter.
