If you aren’t scared of ransomware, you aren’t paying attention

May 8, 2019

What do the City of Atlanta, Hancock health, the Chicago Police Department, Boeing, and Finger Lakes Health all have in common? Ransomware. These extortion style attacks target small and large businesses, from government to healthcare and everything in between. In other words, it seems as if no one is safe when trying to protect sensitive and proprietary data from the rising trend of ransomware attacks. These ransom-style attacks are a persistent threat to many industries. CSO Online speculated the reason for this trending increase in ransomware attacks stemmed from a willingness to pay the ransom. Interestingly enough, KnowBe4 reports that the worst option for a company to choose when in a ransomware situation is to make the payment. So, you’re probably wondering why companies pay the ransom, right? To be blunt, it’s easy.

All you have to do is cough up the amount requested and, voilà, your files are no longer encrypted and business can go back to normal.

What is ransomware?

Ransomware is a type of malware that encrypts critical data with the purpose of blocking access to the victim's information in exchange for a ransom. Victims are exposed to malware in many forms, the most common of which is an email phishing campaign. However an attacker accesses a network, system or application, their end game is to encrypt important data. KnowBe4 says there are four potential responses once attacked. In order from best to worst they are:

  • Restore from a backup
  • Decrypt files on your own
  • Do nothing
  • Pay the ransom

How to identify a ransomware attack

KnowBe4’s Ransomware Hostage Rescue Manual offers some key insights to identifying a ransomware attack:

  • Are you struggling to open normal files?
  • Are you getting errors when you attempt to open files?
  • Does your network seem slower than usual?

These are all good indicators that you have been affected by a ransomware virus. The next obvious things that will happen are an alarming message about making payments, how to pay, and a countdown to payment being due.

Ransomware is not a new trend

According to Digital Guardian, the first known ransomware attack happened in the healthcare industry in 1989. For the skeptics, here are some facts reported by The Morning Paper: during a two-year period, $16 million in ransom payments were made by 19,750 clients. Though it is not new, it definitely has been made easier since the introduction of cryptocurrency payment options, such as Bitcoin.

A look at top ransomware groups

There are many ransomware organizations, but for the sake of your sanity, we will talk about one ransomware family and a method used by many families. Many in the industry use the malicious attackers’ preferred nomenclature of family, but we prefer to call them what they actually are—cybercriminal organizations.

Samsam

One of the main ransomware “families” calls themselves Samsam. Experts note that they are opportunistic attackers and primarily access their targets’ networks via unsecured remote desktop protocol (RDP) ports or shared or stolen admin credentials allowing access to virtual private networks (VPN). According to CSO Online, Samsam has been so successful because they keep their ransom prices low which entices people to pay the ransom to get their files decrypted. Because they are opportunistic, Samsam works a bit differently than other ransomware groups and are known to be as ‘nice’ as they can be for what they are. If deadlines and payments are met, Samsam will courteously decrypt the files and move on. Their M.O. has allowed them to extort $850,000 since December 2017.

Wannacry

Wannacry, while not a ransomware ‘family’, is a malicious worm used by many ransomware families to extort payment from their victims. Wannacry infects Windows-based servers and workstations, encrypts their files, and makes them inaccessible until payment is received. This ransomware trend consists of multiple components and starts off with an element known as a dropper. In their technical analysis article of Wannacry, LogRhythm explains that the dropper contains an encryptor, this encryptor contains a decryption application, which contains a password-protected copy of the Tor browser, and files with encryption keys. Wannacry made headlines in 2017 with several high-profile attacks, InfoSecurity Group reported that in 2017 they were able to make over $100,000 in profits in a small window of time.

 

A world map shows where computers were infected by Wannacry ransomware from its first recorded incident to May 2017, as recorded by MalwareTech.com/Screenshot by NPR.

 

Remember, these are only two of the many ransomware attack vectors and a small representation of the overall harm that has befallen hundreds of thousands of victims and the potential harm yet to come.

 

Famous ransomware attacks

 

Hancock Health

 

In January 2018, Databreaches.net broke the news of Hancock Health’s ransomware attack and attributed the hack to Samsam. This attack included 1,400 files where all names were changed to “I’m Sorry." Samsam accessed the hospital system via a business associate vulnerability, a remote access portal that was logged into with a third party’s username and password. The victim was given seven days to pay the ransom. Ultimately they paid $55,000 in order to regain access to their systems.

 

Finger Lakes Health

 

In March 2018 Finger Lakes Health, a three-hospital healthcare system located in New York also fell victim to a ransomware attack. Healthcare Informatics reported that the ransomware incident was first initiated on March 18, and after a week of downtime Finger Lakes Health paid their extortionists. Per Healthcare Informatics, who initiated the attack, the amount demanded, and the amount paid are all unknown. While systems were down, they were forced to revert to a pen-and-paper business model.

 

City of Atlanta

 

The most famous ransomware incident of 2018 was the City of Atlanta. The price of the ransom was set at $51,000 (or $6,800 per computer). After news broke of the initial attack, NPR reported that a media source tweeted out the unredacted ransom note. This prompted the attacker to take down the payment portal. CSO Online reported that Atlanta Mayor Keisha Lance Bottom said she “doesn’t want to put a Band-Aid on a gaping wound.” She’s right, the City of Atlanta is going to need much more than a Band-Aid to fix their problem. According to Data Breach Today, the attacker gained access to their system through an unknown attack vector, allowing them to eventually gain admin credentials and then was able to spread the malware onto a server. In the Data Breach Today article, information security researcher Kevin Beaumont notes the city left RDP port 3389 as well as server messaging block port 445 open to the Internet. Robert Graham, the head of Errata Security, believes the following:

 

They'll misinterpret what happens here. They frequently get individual desktops infected with ransomware, so they falsely believe they are on top of the situation. What happened in Atlanta is a wholly different attack, where ransomware spread to the servers," Graham says via Twitter. 
Asking how the ransomware got into the network is the wrong question, Graham adds.
" The question they should be asking is, once inside, how it spread. It spread because it got 'admin' credentials," he says. "The Samsam ransomware is notorious for this. It aggressively looks for admin credentials on any system it effects and uses them to spread to other systems on the local network." (Data Breach Today, March 2018)

 

The attack took down several municipal services, including the ability to pay bills, get water services at new homes, municipal courts have been closed, and the Wi-Fi has been turned off at the airport. Like Finger lakes health the attack also reduced Atlanta to pre-computing practices. Could this be worse? You’d hope not, but it can be. Graham said it best via Twitter: “Atlanta’s flaw is failing to do the very basics."

 

Check your organization for ransomware vulnerabilities

 

If it seems like there is a new ransomware attack every day, it is because there is. KnowBe4 recommends the following steps:

 

  • Defense: One of the best ways to protect files is by ensuring both vendors and technicians don’t have full access to your entire network and servers.
  • Software: Firewalls, security software, and powerful malware protection are your best friends, use them and keep them updated.
  • Backups: Backup solutions are key if you are attacked—have a plan. Try to ensure you have a redundant backup solution that is protected and accessible during the downtime.

 

How to protect yourself from ransomware

 

Defending an enterprise will continue to get more and more difficult with each passing day. These attacks aren’t going anywhere, so the best thing to do is to protect your company as best as you can. This includes implementing the steps listed above into your broader security strategy. Integration and knowledge are the keys to success when it comes to protecting yourself from ransomware attacks.