By all accounts, 2016 is shaping up to be the Year of Ransomware. Of course, ransomware is nothing new. Many people may still think of ransomware as the annoying pop up we have probably all seen at some point or another throughout the last decade – the fake FBI warning locking you out of your computer or some other nasty attack you had to research or find help to resolve or, worst case, pay a couple hundred dollars to remove.
But even those “nuisance” attacks in the early days of ransomware like Reveton and Angler were ridiculously profitable for the clever cybercriminals responsible. Early ransomware exploits were estimated to be generating millions of dollars per month in payouts. This inspired the new ransomware we see today.
More recent ransomware like Locky and now SamSam are just two examples of very aggressive variations of what we have seen in the past. Cybercriminals have moved on from the low hanging fruit easy targets (home users good for a couple hundred dollars to recover pictures of their grandchildren). New ransomware tools and tactics are targeting enterprise systems and much bigger pay outs. The FBI estimates that last year alone, ransomware losses totaled more than $24 million.
Forbes has estimated that the popular Locky ransomware has 90,000 new victims per day. This could mean as much as $32 million per month being generated in bitcoin ransom payments for those responsible. The makers of Locky are believed to also be operating a reseller or affiliate system where they are receiving a kick back from the profits others are gaining from the tool. Locky is most often spread by a simple phishing campaign delivering weaponized office documents that quickly infect the computer.
SamSam represents an alarming shift in targeting and tactics. This ransomware seems to be going after specific targets with potential for much bigger payouts such as the recent hospital attacks seen in the news. SamSam is an open source tool that targets, most often unpatched JBoss applications. Once inside the system, the infectious program charts a very destructive path through the network:
- First, SamSam looks for user credentials to escalate privileges for greater access.
- The next move is to locate and destroy networked backups (so the organization will be more motivated to pay up quickly).
- The malware will then spread to as many devices as possible on the network.
- Finally, with tentacles spread widely throughout the enterprise network, SamSam launches as simple, fast, hard to detect and hard to stop lockdown of as much of the network as possible.
These attacks are clever. But very simple and very effective.
Experts believe the next step for cyber criminals making millions of dollars on ransomware will be to merge new tools and tactics with old fashioned worm functionality. We expect to see even more agile, aggressive ransomware soon that can take on a self-perpetuating, almost automated strategy once inside the network. Drawing on how worm tools have worked in the past, we could see ransomware that can:
- Exploit unpatched vulnerabilities in common software and tools.
- Copy itself and spread rapidly.
- Infect files so deeply that it cannot be completely eradicated and hide to reinfect the same systems again in the future.
- Evade detection and response maneuvers, spreading quickly and difficult to stop.
- Piggyback on backdoors created by other malware.
- And even disrupt backup management systems to make even complete, uncorrupted backups difficult or impossible to reinstall.
Rapidly evolving, more aggressive and intrusive ransomware is the reality. But what is your organization’s real risk? A recent survey by HIMSS Analytics and HITNews revealed that up to 50% of hospitals know or suspect they have been the victim of ransomware in the past year – and another 25% admit to not really having any way of knowing! Obviously, the healthcare industry is at risk.
Small, Medium and Large Alike
Currently, ransomware is operating a somewhat perfect business model. For $10,000-$20,000, a small or medium-sized hospital will likely decide to just pay up and get their data back quickly. Targets are often small enough to be unable to respond quickly and effectively and the ransom demanded is often reasonable enough to make the expense of counter-measures and attempts at recovery cost prohibitive. Experts suspect that the evolution of the tools and tactics we have already examined will help cybercriminals target larger, more lucrative targets as well.
Once a Victim, Risk Increases
Debate rages as to whether it is wise to give in to the demands and pay to retrieve the data. Some victims have found that hackers have put a lot of time and effort into planning the perfect attack – but much less into the data recovery that happens after ransom is paid. Once your organization has coughed up the bitcoins, there is no guarantee that your data will be returned in full or in good order. I have seen ransomware that will offer to decrypt a few sample files for you for free to prove that your data will be returned properly – how’s that for customer service?!
Experts also suspect that paying the ransom only tells hackers that you are likely to pay again. There is nothing stopping them from targeting your organization again in the future. In fact, they have good reason to come back for more later. They may also be planting a backdoor or dormant vulnerability for the express purpose of returning for another hit down the road.
So if paying the ransom is no guarantee you’ll see your data again and could even make you an easy target for bigger, more costly future attack, how should your organization respond to the threat of ransomware? I recommend the information and suggestions recently released by the US Computer Emergency Readiness Team (US-Cert) here.
Educate Employees and Establish Policies to Avoid Trouble
Your employees can be your organization’s biggest vulnerability or your best line of defense. Teach them to avoid dangerous emails, attachments, and links. Share our March IT Security tip to remind them what to watch for – and then keep reminding them often of these risks.
Encourage employees to ask if they are uncertain of an email that seems to have come from a colleague. While not a ransomware case, an excellent example is the phishing/social engineering hack of the Bonnier Group where an accounting employee transferred $1.5 Million dollars to a Chinese bank at the apparent request of the CEO. When the employee received a second request, he became suspicious and called to confirm – only to find out the CEO had not sent the requests. If in doubt, just ask!
It is also important that employees be encouraged to report any suspicious emails or attachments or anything they may have inadvertently clicked on. Employees must be assured that they will not be punished for making a report – the sooner you are made aware the better. And, if paranoid or suspicious employees over-report, your time is better spent investigating false alarms than responding to a surprise attack.
Your organization may also be wise to invest in a file sharing tool to avoid emailing files between employees altogether. Giving employees a tools for accessing shared data and instructing them just to never share via email and to never connect a USB or removable device alleviates the guesswork and diminishes risk.
Don’t overlook physical security as well. Create and enforce policies requiring guests to sign in and out of your facilities. Teach employees to recognize and prevent “tailgating” so that they are not inadvertently admitting someone unauthorized into restricted areas. It is always best to err on the side of caution and question anyone who is unfamiliar or seems out of place. With a strong, never to be bypassed physical security policy in place that creates a culture that values personal as well as digital security, employees are free to question without feeling “rude” or appearing unwelcoming.
It may save you a little time when you’re asked to help or troubleshoot to give yourself or another member of the IT team blanked administrative privileges. But this only makes your credentials more tempting and valuable to hackers and tools like SamSam. Grant access and system privileges only on an as-needed basis.
Patch, Update, and Scan
Don’t overlook network security basics. Keep tools patched and updated. Once a patch is released, assume that a potential vulnerability in your system has just been broadcasted to cybercriminals. Hackers will act fast to take advantage before many users will install the patch or make the update. Cybercriminals make the best use of their time by targeting popular software and tools. They know that, even when vulnerabilities are patched, many users will be slow to update giving hackers a window of opportunity to take advantage – this is called a zero-day attack. Adobe Flash, for example, has been plagued with attacks and vulnerabilities. The company is working fast to catch up to patches being exploited by Cerber ransomware but is still a rich target for zero day attacks. It is important to be aware of common vulnerabilities and reported weakness in the tools your organization uses. You should have a process to regularly patch and update systems but also to respond quickly to urgent updates that are made available to avoid becoming a target of opportunity.
Performing regular vulnerability scans will also help you detect weak areas. This is just best practices for system maintenance but, without an executable plan to regularly see to updates and perform critical scans, this is easily back-burnered in many organizations. In addition to up to date anti-virus, every desktop and laptop in your organization should be running updated anti-malware tools. It would be worth the time and effort now to inventory all the machines on your network and make updates.
Ransomware is really a no-win scenario that is best avoided, as we have seen. But even your best efforts may not avoid every threat. Regular, complete, off-site or off-line data backups can be the key to avoiding a costly ransom demand. Backups stored or accessible on the same systems that may be affected by ransomware will likely be useless if your organization is attacked by a newer form of ransomware.
To be effective, your backups must be consistent, up to date, and maintained securely away from the original data source. Of course, performing regular back ups also protects your organization from other security threats and even physical dangers like fire or a natural disaster.
Plan your organization’s restoration process well in advance. Wherever your backup is maintained, have a plan for quickly recovering and restoring that data. In the event of an attack, your response time will be critical to minimizing the attack and costly down time. To be prepared, it is vital that you document this restoration process and practice it as well.
Business Continuity Plan
In the recent HIMSS/HIT News survey 20% of respondents admitting to not really having a BCP in place. On top of that, 50% reported that they were “unsure” whether they would pay a data ransom. Part of the BCP needs to include how to quickly determine whether or not to pay up. Some of these respondents may have meant by their reply that the decision could not be made until the extent of an attack was determined but, more likely, many of the respondents were indicating that their organization’s BCP, if one exists at all, does not specifically address ransomware. With the increasing risks, your BCP must be updated immediately to consider and address your strategy for reacting to a ransomware attack.
Your BCP’s Ransomware Strategy should include:
- Parameters for deciding whether or not to pay. This decision needs to be made quickly, you cannot weigh the pros and cons with a ransom demand on the table and your data locked down.
- Identify, inventory, and locate critical data. Ensure that everything necessary for recovery is included in your regular backups. You must also know exactly where this data is stored to be able to quickly assess the extent of a ransomware attack’s reach.
- Identify what data is recoverable and who needs the data as part of their daily functions.
- If you are willing to pay, decide in advance how much your company’s data is worth versus what will be lost is down time or in the restoration process. For a healthcare organization, you may also need to understand what data, if compromised, poses actual danger to patients.
- Decide who you will call if assistance is needed in responding to a ransomware attack or any other type of security incident. To respond quickly to a large or complex attack, you must have incident response experts on speed dial, preferably waiting on the other end with an understanding of your network and your BCP.
- If you have cyber insurance, understand what is covered and what you need to document to make a claim. Does your policy cover a data ransom situation? Do you need cyber insurance to cover a data ransom situation or any other potential cyber incident?
All indications are that ransomware is on the increase – in size and in scope. If you are in the healthcare industry, you could be especially at risk. The time to get ahead of the potential risks is now.