As we look back at the year that was, one cannot ignore the growing prominence of Ransomware.
The first major publicized ransomware attack of 2016 came on February 16th, when an employee of the Hollywood Presbyterian Medical Center clicked a link in a phishing email. That click initiated a ransomware infestation that quickly forced the IT staff to shut down the network. Hospital staff members were limited to pen and paper for basic medical record keeping, and the hospital was forced to divert hundreds of patients to nearby hospitals and cancel most treatments. After consultation with both the LA police department and the FBI, the hospital administration paid the attackers a ransom of $17,000 in bitcoin after the IT department failed to restore the encrypted data from backup. Just days before the HPMC incident, two other hospitals were infected, including a Methodist Hospital in Henderson, Kentucky, which was forced to shut down its systems for an entire weekend. In each of the prior attacks the hospital was able to restore its systems rather than pay the ransom.
The year appears to be closing in the same eventful fashion as it began. Just recently, thousands of San Francisco commuters got to ride for free as a result of a ransomware attack on the San Francisco Municipal Transportation Agency, which took its light rail transit system offline for more than 24 hours. Although the MTA’s internal computer system and email systems were down, actual transit service was not affected. In addition to its light rail service, the MTA also operates buses, street cars and the city’s infamous cable cars. Together these vehicles complete over 735,000 trips per day.
The attack involved a variant of the well-known HDDCryptor malware which subsequently infected computers throughout the MTA enterprise. The afflicted machines involved office admin desktops, CAD workstations, email and print servers, employee laptops, payroll systems, SQL databases, lost and found property terminals, and station kiosk PCs. Of the roughly 8,500 boxes residing on the network, the worm managed to infect 2,112 machines.
The desktops of all of the devices displayed the same ransom note:
“You Hacked, ALL Data Encrypted. Contact For Key (cryptom27@yandex.com) ID:601."
Indeed, all of the data residing on the infected machines was encrypted with the hackers demanding 100 bitcoin which translates to over $75,000. The extortionists offered to decrypt one machine for one bitcoin to prove that the restoration was possible. Administrators of the MTA refused to cooperate and instead opened the fare gates on Friday and Saturday as a precaution to minimize any possible impacts to customers while their IT team furiously began restoring all files from backups. By Sunday everything was fully operational and administrators assured the public that no critical data files were stolen or compromised which was a worry early on. "We never considered paying the ransom. We have an IT team on staff who is able to fully restore all our systems," said San Francisco Municipal Transportation Agency spokesman Paul Rose.
It is not uncommon for the cybercriminals behind these attacks to offer interviews to online journals that cover hacking and bitcoin news. In an interview with cryptocoinnews.com, the cybercriminals behind the attack claimed that their malware does not directly target any particular organization and that the MTA network infection occurred as a result of the openness of the MTA network.
As fascinating as these stories are, the statistics behind these high-profile attacks are astounding.
One of the drivers of this recent wave is the rise of Ransomware as a Service (RaaS), in which cyber wannabees get an instant business model with little investment. RaaS is highly organized and structured much like a traditional multi-level marketing company. Distribution channels are organized by a boss or kingpin, and the structure below is a tiered hierarchy of 10-15 affiliates per boss. Current estimates are that bosses earn about $90K on an average annual basis, while affiliates take in an average of $7,200 annually. Basically, an affiliate downloads a malware package from the Dark Web for a cost between $40 and $400. As an example, Cerber, one of the most active ransomware rings operating today, afflicted 150,000 Windows users in July of 2016 alone. According to Check Point, revenue estimates are somewhere around $280K for revenue sharing plans between authors, bosses and affiliates.
Unfortunately, the year isn’t over yet, and IT leaders know that they must face more challenges next year in fighting this cyber threat. The good news, however, is that for now a thorough and well-organized backup plan is still the best remedy against an attack.
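The two hospital outcomes above turn on one detail: HPMC's IT department could not restore from backup, while the MTA's could. A backup plan is only "thorough" if restores are tested before an incident, and the simplest test is a content manifest taken at backup time and checked against the restored tree. The following Python script is an added example and not code from the original post; the directory layout, file names and the simulated damage are all constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups don't load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root) -> dict:
    """Record a SHA-256 digest for every regular file under root, keyed by relative path.
    Taken at backup time, this is the reference a restore is later checked against."""
    root_path = Path(root)
    return {
        str(p.relative_to(root_path)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root_path.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root) -> dict:
    """Compare a restored tree against the manifest.
    Returns the relative paths that are missing, whose content changed, or that
    were not part of the backup at all (e.g. a dropped ransom note)."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(k for k in manifest if k not in restored),
        "modified": sorted(k for k in manifest if k in restored and restored[k] != manifest[k]),
        "unexpected": sorted(k for k in restored if k not in manifest),
    }


def demo() -> dict:
    """Constructed end-to-end run: snapshot a small tree, copy it as a 'backup',
    verify the clean copy, then simulate post-incident damage and verify again."""
    work = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    try:
        live = work / "live"
        (live / "records").mkdir(parents=True)
        # Constructed sample data; file names and contents are placeholders.
        (live / "records" / "patient-001.txt").write_text("constructed sample record\n")
        (live / "schedule.csv").write_text("date,room\n2016-02-16,A\n")

        manifest = build_manifest(live)          # taken when the backup is made
        backup = work / "backup"
        shutil.copytree(live, backup)            # stands in for the restore step
        clean = verify_restore(manifest, backup)

        # Simulated damage: one file overwritten with opaque bytes, one foreign
        # file added. A real restore test should report exactly these two cases.
        (backup / "schedule.csv").write_bytes(b"\x00opaque-bytes\x00")
        (backup / "README.txt").write_text("constructed placeholder note\n")
        tampered = verify_restore(manifest, backup)
        return {"clean": clean, "tampered": tampered}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The manifest itself should live somewhere the backup job cannot overwrite (offline media or a separate account), since a manifest that sits next to the backup can be encrypted along with it; the check is only as trustworthy as the copy of the digests it compares against.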
When planning for the year ahead, you might want to check out our white paper, Effectively Managing Cyber Security: Top 5 Smart Moves. The paper explains how to protect against the top 5 IT security threats, with best-practice tips and considerations.