May 08, 2019//Ellen Neveux
What do the City of Atlanta, Hancock Health, the Chicago Police Department, Boeing, and Finger Lakes Health all have in common? Ransomware. These extortion style attacks target small and large businesses, from government to healthcare and everything in between. In other words, it seems as if no one is safe when trying to protect sensitive and proprietary data from a ransomware attack.
These old-timey ransom-style attacks are a persistent threat to many industries; up 12 percent from 2016, according to the 2017 Symantec ISTR Special Report on ransomware. CSO Online speculated the reason for this increase in attacks stemmed from a willingness to pay the ransom. Interestingly enough, KnowBe4 reports that the worst option for a company to choose when in a ransomware situation is to make the payment.
So, you’re probably wondering why companies pay the ransom, right? To be blunt, it’s easy.
All you have to do is cough up the amount requested and, voila, your files are no longer encrypted and business can go back to normal.
Ransomware is malware that is delivered to a victim’s device or devices on a breached network. Victims are exposed to malware in many forms, the most common of which is an email phishing campaign. However, an attacker accesses a network, system, or an application their end game is to encrypt important data. KnowBe4 says there are four potential responses once attacked, in order from best to worst they are: restore from a backup, decrypt files on your own, do nothing, or pay the ransom.
KnowBe4’s Ransomware Hostage Rescue Manual offers some key insights to identifying a ransomware attack. Are you struggling to open normal files? Are you getting errors when you attempt to open files? Does your network seem slower than usual? These are all good indicators that you have been affected by a ransomware virus. The next obvious things that will happen are an alarming message about making payments, how to pay, and a countdown to payment being due.
Ransomware is not a new trend
According to Digital Guardian, the first known attack happened in the healthcare industry in 1989. For the skeptics, here are some facts reported by The Morning Paper: during a two-year period, $16 million in ransom payments were made by 19,750 clients. Though it is not new, it definitely has been made easier since the introduction of cryptocurrency payment options, such as Bitcoin.
A look into ransomware criminal organizations
There are many organizations, but for the sake of your sanity, we will talk about one ransomware family and a method used by many families. Let’s be frank, many in the industry use the malicious attackers’ preferred nomenclature of family, but we prefer to call them what they actually are—cybercriminal organizations. They are nothing but racketeers and extortionists.
One of the main ransomware “families” calls themselves SamSam. Experts note that they are opportunistic attackers and primarily access their targets’ networks via unsecured remote desktop protocol (RDP) ports or shared or stolen admin credentials allowing access to virtual private networks (VPN). According to CSO Online, SamSam has been so successful because they keep their ransom prices low which entices people to pay the ransom to get their files decrypted.
Because they are opportunistic, SamSam works a bit differently than other ransomware groups and are known to be as ‘nice’ as they can be for what they are. If deadlines and payments are met, SamSam will courteously decrypt the files and move on. Their M.O. has allowed them to extort $850,000 since December 2017.
WannaCry, while not a ransomware ‘family’ is a malicious worm used by many ransomware families to extort payment from their victims. WannaCry infects Windows-based servers and workstations, encrypts their files, and makes them inaccessible until payment is received. This ransomware consists of multiple components and starts off with an element known as a dropper. In their technical analysis article of WannaCry, LogRhythm explains that the dropper contains an encryptor, this encryptor contains a decryption application, which contains a password-protected copy of the Tor browser, and files with encryption keys. WannaCry made headlines in 2017 with several high-profile attacks, InfoSecurity Group reported that in 2017 they were able to make over $100,000 in profits in a small window of time.
Remember, these are only two of the many ransomware attack vectors and a small representation of the overall harm that has befallen hundreds of thousands of victims and the potential harm yet to come.
Notable ransomware attacks
In January of 2018, Databreaches.net broke the news of Hancock Health’s ransomware attack and attributed the hack to SamSam. This attack included 1,400 files where all names were changed to “I’m Sorry.” SamSam accessed the hospital system via a business associate vulnerability, a remote access portal was logged into with a third-party’s username and password. The victim was given seven days to pay the ransom. Ultimately they paid $55,000 in order to regain access to their systems.
Finger Lakes Health
In March of 2018 Finger Lakes Health, a three-hospital healthcare system located in New York also fell victim to a ransomware attack. Healthcare Informatics reported that the ransomware incident was first initiated on March 18, and after a week of downtime Finger Lakes Health paid their extortionists. Per Healthcare Informatics, who initiated the attack, the amount demanded, and the amount paid are all unknown. While systems were down and they were forced to revert back to a pen-and-paper business model.
City of Atlanta
The most famous ransomware incident of 2018 was the City of Atlanta. The story of their attack broke the morning of March 22. The story is still developing, but what we know is that in the early stages of the breach, it was thought to be the workings of SamSam; however, Cisco’s Talos security group believe that it was not SamSam because this attack seems calculated and “highly targeted” which is not SamSam’s M.O.
The price of the ransom was set at $51,000 (or $6,800 per computer). After news broke of the initial attack, NPR reported that a media source tweeted out the unredacted ransom note. This prompted the attacker to take down the payment portal. It is unclear if payment is even an option at this point for Atlanta.
CSO Online reported that Atlanta Mayor Keisha Lance Bottom said she “doesn’t want to put a Band-Aid on a gaping wound.” She’s right, the City of Atlanta is going to need much more than a Band-Aid to fix their problem. According to Data Breach Today, the attacker gained access to their system through an unknown attack vector, allowing them to eventually gain admin credentials and then was able to spread the malware onto a server. In the Data Breach Today article, information security researcher Kevin Beaumont notes the city left RDP port 3389 as well as server messaging block port 445 open to the Internet. Robert Graham, the head of Errata Security, believes the following:
They’ll misinterpret what happens here. They frequently get individual desktops infected with ransomware, so they falsely believe they are on top of the situation. What happened in Atlanta is a wholly different attack, where ransomware spread to the servers,” Graham says via Twitter. Asking how the ransomware got into the network is the wrong question, Graham adds. ” The question they should be asking is, once inside, how it spread. It spread because it got ‘admin’ credentials,” he says. “The SamSam ransomware is notorious for this. It aggressively looks for admin credentials on any system it effects and uses them to spread to other systems on the local network.” (Data Breach Today, March 2018)
The attack took down the ability to pay bills, get water services at new homes, municipal courts have been closed, and the Wi-Fi has been turned off at the airport. Like Finger Lakes Health the attack also reduced Atlanta to pre-computing practices.
Could this be worse? You’d hope not, but it can be. Graham said it best via Twitter: “Atlanta’s flaw is failing to do the very basics.
If it seems like there is a new ransomware attack every day, it is because there is. KnowBe4 recommends the following steps:
Defense: One of the best ways to protect files is by ensuring both vendors and technicians don’t have full access to your entire network and servers.
Software: Firewalls, security software, and powerful malware protection are your best friends, use them and keep them updated.
Backups: Backup solutions are key if you are attacked—have a plan. Try to ensure you have a redundant backup solution that is protected and accessible during the downtime.
According to Fortinet’s guide, How to Close Security Gaps to Stop Ransom and other Threats, defending an enterprise will continue to get more and more difficult with each passing day. They also stress the idea that these attacks aren’t going anywhere, so the best thing to do is to protect your company as best as you can. This includes implementing the steps listed above into your broader security strategy. Integration and knowledge are the keys to success when it comes to protecting yourself from ransomware attacks.
Our sole focus is secure third-party remote access. For highly regulated enterprise organizations, SecureLink Enterprise has pioneered a secure remote access platform. SecureLink for enterprise allows an organization to identify, control, and audit third-party vendors. For vendors, SecureLink is the gold standard remote access support platform because it is easy, efficient, and ensures compliance and reduces liability when supporting customers.