Ransom where?

Holding data hostage with ransomware

May 2019 Author With the evolution of digitization and increased interconnectivity, the cyberthreat landscape has transformed from merely a security and privacy concern to a danger much more insidious by nature — ransomware. Ransomware is a type of malware that is designed to encrypt, Imani Barnes Analyst 646.572.3930 destroy or shut down networks in exchange [email protected] for a paid ransom. Through the deployment of ransomware, cybercriminals are no longer just seeking to steal credit card information and other sensitive personally identifiable information (PII). Instead, they have upped their games to manipulate organizations into paying large sums of money in exchange for the safe release of their data and control of their systems. While there are some business sectors in which the presence of this cyberexposure is overt, cybercriminals are broadening their scopes of potential victims to include targets of opportunity1 across a multitude of industries.

This paper will provide insight into how ransomware evolved as a cyberextortion instrument, identify notorious strains and explain how companies can protect themselves.

1 WIRED. “Meet LockerGoga, the Ransomware Crippling Industrial Firms” March 25, 2019; https://www.wired.com/story/lockergoga-ransomware-crippling-industrial-firms/.

2 Ransom where? | May 2019

A brief history of ransomware

The first signs of ransomware appeared in 1989 in the healthcare industry. An attacker used infected floppy disks to encrypt computer files, claiming that the user was in “breach of a licensing agreement,”2 and demanded $189 for a decryption key. While the attempt to extort was unsuccessful, this attack became commonly known as PC Cyborg and set the archetype in motion for future attacks. Over the next few years, ransomware attacks were present but not yet a significant problem because cybercriminals were missing three key elements:

A clear strategy to either unencrypt or destroy the files and data they demanded 1 money for.

2 The ability to communicate anonymously.

3 An untraceable method for the victim to pay the ransom.

With those limitations, cybercriminals settled for leveraging exploitable vulnerabilities in software and human error to install malware onto devices through anti-virus scams to steal sensitive credentials and personal information to sell for profit. Then in 2006, the Archiveus Trojan changed the realm of ransomware. When downloaded, it encrypted all files found in the “My Documents” folder of the user’s computer. To regain access to these files, victims were directed to specific websites to make purchases, thus paying the ransom.3

The introduction of bitcoin in 2008 was a significant turning point in the world of cyberextortion. This new digital currency enabled cybercriminals to carry out attacks and receive virtually untraceable ransom payments. Now cybercriminals had the freedom to get creative with their attacks and up the ante. After several iterations of ransomware strains, CTB-Locker or CryptoLocker in 2013 fulfilled the other two missing elements. Cybercriminals could now execute powerful ransomware extortion plots. The CTB stands for “Curve, TOR and Bitcoin,”2 which provided “fast secure encryption of file content, a means for anonymous communication through ‘The Onion Routing’ (TOR) protocol, and bitcoin enabled secure, untraceable crypto-cash transactions.”

With organizations’ and supply chains’ increased reliance on networks and connected devices, the scale and effect that a ransomware attack poses can elevate any organization to the level of a potential target.

2 Edith Cowan University. “Ransomware: Emergence of the cyber-extortion menace” 2015; https://ro.ecu.edu.au/cgi/viewcontent. cgi?article=1179&context=ism. 3 Computer Business Review. “The History of Ransomware” Feb. 23, 2018; https://www.cbronline.com/news/the-history-of-ransomware. 3

Lockton Companies The prevalence of ransomware

The FBI launched the Internet Crime Complaint Center (IC3) to track cybercrime and ransomware attacks and provide information to people and organizations about how to protect themselves against these crimes. Since launching in 2000, IC3 has received reports of over 4 million cybercrime events, with cyberextortion on the rise. In 2018, ransomware attacks reported directly to the IC3 accounted for roughly $3.6 million in losses for the targeted organizations.4 While the financial loss reported may seem low, it is important to note that it is common for many organizations to pay ransoms and not report that they have fallen victim to ransomware attacks.

Ransomware attacks are becoming more aggressive as well. Cybercriminals are These attacks are increasing at doubling and even tripling the demand if the such a fast pace that researchers at ransom isn’t paid within the specified time frame. This method of cyberextortion has Cybersecurity Ventures predict that evolved into a multimillion-dollar enterprise “a new organization will fall victim to for cybercriminals, with global ransomware ransomware every 14 seconds in 2019, costs expected to reach roughly $12 billion by 5 the end of 2019 and $20 billion by 2021.5 and every 11 seconds by 2021.”

GLOBAL RANSOMWARE DAMAGE COSTS

$25,000,000,000

$20,000,000,000

$15,000,000,000

$10,000,000,000

$5,000,000,000

$0 2015 2017 2018 2019 2021 Source: Cybersecurity Ventures for global ransomware damage costs data.

4 Federal Bureau of Investigation. “2018 Internet Crime Report” 2019; https://www.ic3.gov/media/annualreport/2018_IC3Report.pdf 5 Cybersecurity Ventures. “Global Ransomware Damage Costs Predicted To Reach $20 Billion (USD) By 2021” Oct. 19, 2018; https:// cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-20-billion-usd-by-2021/ 4 Ransom where? | May 2019 What role does cyber insurance play?

Organizations need to have appropriate protection in place to guard against ransomware attacks. This extends further than implementing anti-virus, anti-malware software and backups to securing the longevity of the entity. Phishing scenarios are highly leveraged to initiate ransomware attacks and are commonly “designed to trick a user into providing Office 365 account credentials”6 to breach a system. These attacks go beyond demanding ransoms and often come with several damages and associated expenses, including:

“damage and destruction (or loss) of data, downtime, lost productivity, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hostage data and systems, reputational harm, and employee training in direct response to the ransomware attacks.”5

Cyber insurance can reduce the likelihood of a company exhausting all of its resources to investigate and recover from an attack. In the event of a ransomware attack, cyber insurance would cover the ransom demand and extra expenses, including forensics and investigation, up to the specified cyber policy limit. The value that cyber insurance provides is demonstrated through the extensive core insuring agreements and enhancements available in the marketplace, such as:

„„ Network security liability. „„ Data recovery.

„„ Privacy regulatory proceeding. „„ Business interruption and extra expense.

„„ Breach response costs. „„ Dependent business interruption.

„„ Cyberextortion reimbursement. „„ Reputational harm.

„„ Hardware replacement (bricking).

Coverage enhancements like dependent business interruption offer coverage to companies for damages caused by third-party vendors because of a cyber event like ransomware. Lockton sees firsthand the value that cyber insurance affords our clients against damages and costs incurred due to ransomware attacks, like Ryuk and WannaCry, providing coverage for expenses reaching upward of $4.5 million cumulatively. Lockton has secured exclusive amendatory endorsements with many of the large cyber insurance carriers to ensure that our clients receive optimal coverage options.

Ransomware attacks come with hefty price tags and considerable business interruption. For the past 30 years, ransomware has adapted to defensive strategies time and time again, with cybercriminals exploiting numerous avenues to carry out attacks. From social engineering and phishing attempts to infected websites, the threat becomes more sophisticated by the minute. Its advancement is impacting a growing number of industries, shifting the likelihood of an attack from an “if” to a matter of “when.” Organizations should shift their focus from a recovery stance to a proactive one to develop the appropriate prevention and contingency plans.

6 Baker Hostetler. “2019 Data Security Incident Response Report” April 2019; https://www.bakerlaw.com/press/bakerhostetlers-5th- annual-data-security-incident-response-report-highlights-collision-of-privacy-cybersecurity-and-compliance-details-efforts-to-minimize-risk 5

Lockton Companies TIMELINE BIGGEST RANSOMWARE AND MALWARE ATTACKS TO DATE

DATE STRAIN EVENT INDUSTRY 2012 Reveton Trojan that fraudulently claimed to be law PUBLIC SECTOR — Metropolitan Police enforcement and shut users out of their Service (London) devices until the demand or “fine” was paid. September 2013 CryptoLocker Trojan used to target devices running Microsoft AEROSPACE AND DEFENSE — NASA Windows, using the Gameover Zeus virus GOVERNMENT — Health and Human delivered through spam messages. The virus Services managed to infect roughly 500,000 computers around the world. Cybercriminals were able to extort roughly $1 million within a six-month period. February 2015 TeslaCrypt A CryptoLocker variant, notorious for COMPUTER GAMING AND SOFTWARE infecting computer gamers, downloaded from an infected HTML webpage and not only encrypted the gamers’ data and ancillary files but also other files found on their devices in exchange for ransom. Extortion payments totaled roughly $76,522. 2015 SimpleLocker Targeted Google Android OS device users to COMMUNICATION SERVICES — Google encrypt the SD cards under the guise that the user had committed a crime. The virus demanded payment in exchange for access to the user’s data as well as not reporting the user to the authorities. February 2016 Locky A targeted attack that delivered malicious HEALTHCARE — Hollywood code through a phishing email with a Microsoft Presbyterian Medical Center Word document or JavaScript attachment. Once downloaded, it aggressively attacked critical backup systems and files, thus making it more difficult for data recovery methods to be successful. The virus encrypted the entire system and demanded a ransom for the hospital’s computer files to be returned and regain access to systems. November 2016 HDDCryptor Encrypted the entire local and networked MUNICIPAL TRANSPORTATION — San drives through modifying the master boot Francisco Municipal Transportation records (MBRs) of an entire transportation Authority system. This left train station gates open and ticket machines out of order, even displaying messages that passengers could ride for free. May 2017 WannaCry Exploited a code developed by the NSA HEALTHCARE — Britain’s National called EternalBlue and gaps in the Server Health Service Message Block (SMB) Protocol (used for AEROSPACE AND DEFENSE — Boeing printers, file sharing and remote access) patching for devices running Windows 7 OS. TELECOMMUNICATIONS — MegaFon in The ransomware was circulated via email, and Russia once in the system, the virus encrypted files on AIR FREIGHT AND LOGISTICS — FedEx the hard drive, preventing user access on that device and any other device connected to the AUTOMOBILE MANUFACTURERS — Nissan, Renault network in exchange for ransom to be paid in bitcoin. This attack managed to hit more than EDUCATION — Universities in China 300,000 computers in total and is believed to PUBLIC SECTOR — Police Authorities in have been linked to the Lazarus Group — with India, China connections to the North Korean government. 6 GOVERNMENT AGENCIES — Russian Interior Ministry ELECTRONICS Ransom where? | May 2019

DATE STRAIN EVENT INDUSTRY June 2017 NotPetya* An iteration of a previous version, Petya, that TRANSPORTATION AND LOGISTICS — was released in March 2016 and encrypted the Maersk hard drive and data on the targeted computer PHARMACEUTICALS — Merck running Windows OS. The virus displayed a message to the user explaining that they CONSTRUCTION — Saint-Gobain needed to pay a ransom to access their data. FOOD PRODUCTS — Mondelez The virus was delivered through an attachment International, Inc. in an email under the guise of a résumé to TNT get the user to click on it, open the PDF and AIR FREIGHT AND LOGISTICS — Express (FedEx) agree to the subsequent Window User Access Control prompt. The virus got its name from NUCLEAR ENERGY — Chernobyl the 1995 James Bond film, GoldenEye. Nuclear Power Plant NotPetya, a new, more powerful version of MANUFACTURING Petya, aimed to encrypt everything, not just PROFESSIONAL SERVICES the hard drive on the device. This virus spread without the assistance of spam or social engineering attempts. The virus overwrote the master boot record, successfully locking the users out of their devices. This is believed to be a targeted attack by Russia and is known as a “watering hole attack,” which infected a website used with a common accounting software used in the Ukraine in combination with EternalBlue. This attack is notable for the following reasons:

„„ Not only did it encrypt the entire device, but it destroyed the data and hardware as well, thus leaving the hardware “bricked.” „„ While a ransom was demanded, there was no tangible way to pay the ransom. „„ Biggest malware attack by impact. Total damages to date are estimated at $10 billion or more. June 2017 Bad Rabbit Like NotPetya, this was considered a “watering MEDIA OUTLETS — Interfax News hole attack” where the virus used a fake Agency (Russia) Adobe Flash installer update that downloaded from infected websites that users commonly visit. Once users launched the download, the virus locked the user out of the device and demanded that the ransom be paid within 40 hours. January 2018 SamSam Exploited vulnerabilities in the Remote Desktop HEALTHCARE — Allied Physicians of Protocol (RDP) or Java-based File Transfer Michiana, Hancock Health, Allscripts Protocol (FTP) servers on devices running Healthcare Solutions Windows OS to gain access to the network MUNICIPALITIES — City of Atlanta and run malware on the system. This strain encrypted systems and files and demanded a ransom to regain access to patient files, warrants and pending court cases. Essentially, the criminals behind SamSam purchased credentials off the darknet to gain access to systems through RDP or FTP. This ransomware attack has managed to collect roughly $850,000 in extortion payments and created damages expected to exceed $30 million.

7

Lockton Companies DATE STRAIN EVENT INDUSTRY August 2018 Ryuk Tailored attack primarily in the United States, WATER UTILITY — Onslow Water and unique because of how it was deployed. Sewer Authority (ONWASA) Cybercriminals sat within the network of DATA CENTER AND CLOUD SERVICE organizations for as long as a year to gather PROVIDER — Data Resolution, LLC the information necessary to execute their attack. The virus used the Emotet and Trickbot Trojans to deliver the malware through a phishing email. This email contained a Microsoft Office document attached that contained malicious code. Once opened, the code executed and downloaded the Emotet Trojan. This Trojan spread throughout the network and downloaded the Trickbot Trojan, which attacked the memory and stole credentials. This virus strain encrypted the network drives, wiped shadow copies on the endpoint and disabled the Windows System Restore option for the end user. This attack is notable for the highest ransom demand in history in the amount of $145,000 in bitcoin, approximately $700 million in USD. More victims are being discovered as information about this strain develops. The actors behind the attack have garnered roughly $4 million in ransom payments. January 2019 LockerGoga While information on how the virus has spread METALS AND MINING — Norsk Hydro is still developing, this strain encrypted all ASA devices on the network, disconnected them, IT SERVICES — Altran Technologies changed user and admin passwords, and locked down the devices. The virus attacked CHEMICAL MANUFACTURING — Hexion, the Windows Boot Manager, responsible for Momentive starting the device’s operating system, and has been used to halt manufacturing operations. With this strain, there is currently no known way of decrypting systems and files, and the variants “do not allow an infected system to function well enough for the victim to pay the ransom or use a decryption tool.”7 The full extent of the damage this strain has created is ongoing, but it has already created nearly $40 million in damages.

*This strain is not defined as ransomware and is instead identified as wipeware; however, this strain is notable for its scale and impact.

7 Trend Micro. “What You Need to Know About the LockerGoga Ransomware” March 20, 2019.; https://www.trendmicro.com/vinfo/us/ security/news/cyber-attacks/what-you-need-to-know-about-the-lockergoga-ransomware

8 Ransom where? | May 2019

WHITE PAPER SOURCES

Ball, Tom. 2018. “The History of Ransomware — Computer Australian Information Security Management Conference, Business Review.” Computer Business Review. Feb. 23. 47–56. doi:10.4225/75/57b69aa9d938b. https://www.cbronline.com/news/the-history-of-ransomware. Kujawa, Adam. 2019. “Ryuk Ransomware Attacks Businesses Center for Internet Security. “Ransomware: Facts, Threats, over the Holidays.” Malwarebytes Labs. Malwarebytes. and Countermeasures — CIS.” 2017. CIS. May 18. https:// Jan. 8, 2019. https://blog.malwarebytes.com/cybercrime/ www.cisecurity.org/blog/ransomware-facts-threats-and- malware/2019/01/ryuk-ransomware-attacks-businesses-over- countermeasures/. the-holidays/.

CyberPolicy. 2019. “Cyber Insurance to Protect Your Business Lohrmann, Dan. 2019. “Ransomware Attacks Becoming More from Ransomware Attacks — CyberPolicyTM.” Cyberpolicy. Widespread, Destructive, Expensive.” Govtech.Com. https:// com. https://cyberpolicy.com/threats/ransomware. www.govtech.com/blogs/lohrmann-on-cybersecurity/ ransomware-attacks-becoming-are-more-widespread- Cybereason Security Team. 2019. “Triple Threat: Emotet destructive-and-expensive.html. Deploys TrickBot to Steal Data & Spread Ryuk.” Cybereason. Com. 2019. https://www.cybereason.com/blog/triple- Maley, Bob. 2019. “Weighing the Options: The Role of Cyber threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk- Insurance in Ransomware Attacks — Help Net Security.” Help ransomware. Net Security. March 27. https://www.helpnetsecurity. Digital Guardian. 2019. “A History of Ransomware Attacks: com/2019/03/27/role-of-cyber-insurance-in-ransomware- The Biggest and Worst Ransomware Attacks of All Time.” attacks/. March 28. https://digitalguardian.com/blog/history- ransomware-attacks-biggest-and-worst-ransomware-attacks- Morgan, Steve. 2018. “Global Ransomware Damage Costs all-time. Predicted To Reach $20 Billion (USD) By 2021.” Cybercrime Magazine. Oct. 19. https://cybersecurityventures.com/global- Dobran, Bojana. 2019. “27 Shocking Ransomware Statistics ransomware-damage-costs-predicted-to-reach-20-billion- That Every IT Pro Needs To Know.” PhoenixNAP Global IT usd-by-2021/. Services. Jan. 31. https://phoenixnap.com/blog/ransomware- statistics-facts. Panda Security 2017. “Panda Security Warns of a New Phase in Cybertheft.” March 29. https://www.pandasecurity.com/ Espinosa, Christian. 2018. “Alpine Security.” Alpine Security. mediacenter/panda-security/whitepaper-financial-sector/. Dec. 27. https://www.alpinesecurity.com/blog/cyber- extortion-ransomware-vs-extortionware. Panda Security. 2018. “3 Types of Attacks with Ransomware: Cyber-Theft, Extortion, and Sabotage.” March 29. https:// Federal Bureau of Investigation. “Ransomware Prevention www.pandasecurity.com/mediacenter/security/types- and Response for CISOs.” FBI. July 14, 2016. Accessed March attacks-ransomware/. 28, 2019. https://www.fbi.gov/file-repository/ransomware- prevention-and-response-for-cisos.pdf/view. Panda Security. 2018. “No Kidnapping, No Ransom.” Panda Adaptive Defense 360. March 29. https://www.pandasecurity. Federal Bureau of Investigation. “Protecting Your Networks com/mediacenter/src/uploads/2018/07/Whitepaper- from Ransomware.” 2019. Accessed April 1. https://www.fbi. rasomwareEN.pdf. gov/file-repository/ransomware-prevention-and-response- for-cisos.pdf/view. Perlroth, Nicole, and David E Sanger. 2017. “Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool.” The New Federal Bureau of Investigation. 2019. “2018 INTERNET York Times, May 12. https://www.nytimes.com/2017/05/12/ CRIME REPORT.” 2019. Accessed May 3. https://pdf.ic3. world/europe/uk-national-health-service-cyberattack.html. gov/2017_IC3Report.pdf. Poon, Linda. 2018. “When Will Cities Take Cyber Threats FireEye. 2017. “Effective Ransomware Responses: Seriously?” CityLab. CityLab. May 3. https://www.citylab. Understanding Ransomware and How to Successfully com/life/2018/03/atlanta-city-hall-cyber-attack-ransomware- Combat It.” March 26. https://www.fireeye.com/blog/ cesar-cerrudo/556703/. products-and-services/2017/09/effective-ransomware- responses.html. Savage, Kevin, Peter Coogan, and Hon Lau. 2015. “The Evolution of Ransomware.” https://www.symantec.com/ Greenberg, Andy. 2019. “Meet LockerGoga, the Ransomware content/dam/symantec/docs/security-center/white-papers/ Crippling Industrial Firms.” WIRED. WIRED. March 25. https:// the-evolution-of-ransomware-15-en.pdf. www.wired.com/story/lockergoga-ransomware-crippling- industrial-firms/. Weagle, Stephanie. 2016. “The Links Between Ransom, Ransomware and DDoS Attacks.” Neptune Web, Inc. Sept. 14. Hampton, Nikolai, and Zubair Baig. 2015. “Ransomware: https://www.corero.com/blog/759-the-links-between- Emergence of the Cyber-Extortion Menace.” ransom-ransomware-and-ddos-attacks.html.

9

Lockton Companies TIMELINE SOURCES

Antova, Galina. 2018. “What the Onslow Water and Sewer Franceschi-Bicchierai, Lorenzo. 2015. “Even NASA Got Authority Can Teach About Responsible Disclosure | Infected With ‘CryptoLocker’ Ransomware — Motherboard.” SecurityWeek.Com.” Securityweek.Com. 2018. https://www. Motherboard. VICE. June 5. https://motherboard.vice. securityweek.com/what-onslow-water-and-sewer-authority- com/en_us/article/jp59v8/even-nasa-got-infected-with- can-teach-about-responsible-disclosure. cryptolocker-ransomware.

Aparna Banerjea. 2018. “NotPetya: How a Russian Malware Fruhlinger, Josh. 2017. “Petya Ransomware and NotPetya Created the World’s Worst Cyberattack Ever.” @bsindia. Aug. Malware: What You Need to Know Now.” CSO Online. 27. https://www.business-standard.com/article/technology/ Oct. 17. https://www.csoonline.com/article/3233210/petya- notpetya-how-a-russian-malware-created-the-world-s-worst- ransomware-and-notpetya-malware-what-you-need-to- cyberattack-ever-118082700261_1.html. know-now.html.

Boeck, William A. 2017. “What You Should Know Gallagher, Sean. 2016. “Ransomware Locks up San Francisco About the WannaCry Ransomware Attack.” Public Transportation Ticket Machines.” Ars Technica. Ars Locktoncyberriskupdateblog.Com. http:// Technica. Nov. 28. https://arstechnica.com/information- locktoncyberriskupdateblog.com/2017/05/15/what-you- technology/2016/11/san-francisco-muni-hit-by-black-friday- should-know-about-the-wannacry-ransomware-attack/. ransomware-attack/.

Brewster, Thomas. 2019. “Mistaken For North Koreans, Henley, Jon, and Olivia Solon. 2018. “‘Petya’ Ransomware The ‘Ryuk’ Ransomware Hackers Are Making Millions.” Attack Strikes Companies across Europe and US.” The Forbes, Feb. 20, 2019. https://www.forbes.com/sites/ Guardian. The Guardian. Feb. 15. https://www.theguardian. thomasbrewster/2019/02/20/mistaken-for-north- com/world/2017/jun/27/petya-ransomware-attack-strikes- koreans-the-ryuk-ransomware-hackers-are-making- companies-across-europe. millions/#526ae76075f4. Humphrey, Amanda. 2018. “ONWASA: Hackers Targeted Burgess, Matt. 2017. “The Bad Rabbit Malware Was Disguised Water Utility.” The Daily News. The Daily News. 2018. https:// as a Flash Update.” Wired.Co.Uk. WIRED UK. Oct. 25. https:// www.jdnews.com/news/20181015/onwasa-hackers-targeted- www.wired.co.uk/article/bad-rabbit-ransomware-flash- water-utility. explained. Hudson, Jeffrey. 2018. “Cyber-Criminals Target Critical Utility Catalin Cimpanu. 2019. “Ryuk Ransomware Gang Probably in Hurricane-Ravaged Area.” Onwasa.Com. Oct. 15, 2018. Russian, Not North Korean.” ZDNet. ZDNet. Jan. 11, 2019. https://www.onwasa.com/DocumentCenter/View/3701/Scan- https://www.zdnet.com/article/ryuk-ransomware-gang- from-2018-10-15-08_08_13-A. probably-russian-not-north-korean/. Kaspersky.Com. “TeslaCrypt Ransomware Attacks.” 2019. Crowe, Jonathan. 2019. “2019 Ryuk Ransomware Attacks, https://usa.kaspersky.com/resource-center/threats/ Why They’re Different and How to Avoid Them.” NinjaRMM. teslacrypt. January 4, 2019. https://www.ninjarmm.com/blog/ryuk- ransomware-attacks-newspapers-msp-dataresolution/. Kilpatrick, Harold. 2018. “5 Most Dangerous Ransomware Strains.” PC World. https://www.pcworld.idg.com.au/ CSO Online. 2018a. “What Is WannaCry Ransomware, How article/643777/5-most-dangerous-ransomware-strains/. Does It Infect, and Who Was Responsible?” CSO Online. Aug. 30. https://www.csoonline.com/article/3227906/what- Krebs, Brian. 2019. “Cloud Hosting Provider DataResolution. is-wannacry-ransomware-how-does-it-infect-and-who-was- Net Battling Christmas Eve Ransomware Attack — Krebs responsible.html. on Security.” Krebsonsecurity.Com. Jan. 2, 2019. https:// krebsonsecurity.com/2019/01/cloud-hosting-provider- Davis, Jessica. 2019. “Michigan Practice to Shutter dataresolution-net-battling-christmas-eve-ransomware- after Hackers Delete Patient Files.” HealthITSecurity. attack/. HealthITSecurity. April. https://healthitsecurity.com/news/ michigan-practice-to-shutter-after-hackers-delete-patient- Liviu Arsene. 2017. “Keranger: The First ‘in-the-Wild’ files. Ransomware for Macs. But Certainly Not the Last.” Macworld. Oct. 26. https://www.macworld.com/article/3234650/ Ducklin, Paul. 2014. “CryptoLocker Wannabe ‘Simplelocker’ keranger-the-first-in-the-wild-ransomware-for-macs-but- Scrambles Your Files, Holds Your Android to Ransom.” Naked certainly-not-the-last.html. Security. Naked Security. June 6. https://nakedsecurity. sophos.com/2014/06/06/cryptolocker-wannabe- Nakashima, Ellen. 2018. “Russian Military Was behind simplelocker-android/. ‘NotPetya’ Cyberattack in Ukraine, CIA Concludes.” The Washington Post, Jan. 12, 2018. https://www. Duo Security. “Researchers Still Unraveling LockerGoga washingtonpost.com/world/national-security/russian- Ransomware.” 2019. Decipher. March 28. https://duo. military-was-behind-notpetya-cyberattack-in-ukraine- com/decipher/researchers-still-unraveling-lockergoga- cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a- ransomware. b85626af34ef_story.html?utm_term=.bc44910f0a8d.

10 Ransom where? | May 2019

National Cyber Security Center. “NCSC.” 2019. Ncsc.Gov.Uk. Vigliarolo, Brandon. 2017. “Gallery: 10 Major Organizations https://www.ncsc.gov.uk/section/information-for/public- Affected by the WannaCry Ransomware Attack — Page sector. 11.” TechRepublic. https://www.techrepublic.com/pictures/ gallery-10-major-organizations-affected-by-the-wannacry- O’Donnell, Lindsey. 2019. “Ransomware Behind Norsk Hydro ransomware-attack/11/. Attack Takes On Wiper-Like Capabilities.” Threatpost.com. Threatpost. March 27. https://threatpost.com/lockergoga- Villeneuve, Nart. 2015. “TeslaCrypt: Following the Money Trail ransomware-norsk-hydro-wiper/143181/. and Learning the Human Costs of Ransomware « TeslaCrypt: Following the Money Trail and Learning the Human Costs Palmer, Danny. 2017a. “WannaCry Ransomware Was the of Ransomware.” FireEye. May 15. https://www.fireeye.com/ Biggest Challenge of the Year, Says Cybersecurity Centre.” blog/threat-research/2015/05/teslacrypt_followin.html. ZDNet. ZDNet. Oct. 3. https://www.zdnet.com/article/ wannacry-ransomware-was-the-biggest-challenge-of-the- Ward, Mark. 2014. “Cryptolocker Victims to Get Files Back year-says-cyber-security-centre/. for Free.” BBC News, Aug. 6. https://www.bbc.com/news/ technology-28661463. Panda Security. 2019 “Ransomware in City Hall — Panda Security Mediacenter.” 2019. Panda Security Mediacenter. ZDNet. 2017b. “Bad Rabbit: Ten Things You Need to Know March 27. https://www.pandasecurity.com/mediacenter/ about the Latest Ransomware Outbreak.” ZDNet. ZDNet. malware/ransomware-in-city-hall/. Oct. 25. https://www.zdnet.com/article/bad-rabbit-ten- things-you-need-to-know-about-the-latest-ransomware- Panda Security. 2019. “An Attack with the New outbreak/. LockerGoga Ransomware in Norway.” March 21. https:// www.pandasecurity.com/mediacenter/news/lockergoga- ransomware-norway/.

Perekalin, Alex. 2017. “Bad Rabbit: A New Ransomware Epidemic Is on the Rise.” Kaspersky.com. Kaspersky Lab. Oct. 26. https://usa.kaspersky.com/blog/bad-rabbit- ransomware/13106/.

Ragan, Steve. 2018. “SamSam Explained: Everything You Need to Know about This Opportunistic Group of Threat Actors.” CSO Online. April 18. https://www.csoonline.com/ article/3263777/samsam-explained-everything-you-need-to- know-about-this-opportunistic-group-of-threat-actors.html.

“The Ransomizer.” 2011. Ransom Where Logo. The Ransomizer. 2011. http://www.ransomizer.com/.

Security Response Attack Investigation Team. 2018. “SamSam: Targeted Ransomware Attacks Continue.” Symantec.Com. 2018. https://www.symantec.com/blogs/ threat-intelligence/samsam-targeted-ransomware-attacks.

Staff, WIRED. 2018. “The Untold Story of NotPetya, the Most Devastating Cyberattack in History.” WIRED. WIRED. Aug. 22. https://www.wired.com/story/notpetya-cyberattack-ukraine- russia-code-crashed-the-world/.

Trend Micro. “TeslaCrypt Ransomware Devs Close Shop, Gives Away Master Key for Free — Security News — Trend Micro USA.” 2019. Trendmicro.com. https://www.trendmicro. com/vinfo/us/security/news/cybercrime-and-digital-threats/ teslacrypt-ransomware-closes-gives-away-master-key-for- free.

Us-Cert.Gov. “SamSam Ransomware | US-CERT.” 2018. https://www.us-cert.gov/ncas/alerts/AA18-337A.

11

Lockton Companies • R • • RR R

LOCKTON.COM

oton n ll rights resered KC: 56822