
888-618-DATA (3282) | Secure Cloud Services | [email protected] | Managed & Compliant Infrastructure | www.atlantic.net

Ransomware in the Wild

Table of Contents

Ransomware in the Wild
Ransomware Lifecycle
Industries Under Attack
State and Local Government Targets
No Ransomware Authority
To Pay or Not to Pay; That Is the Question
Why Is Ransomware Proliferating Across the United States?
Should You Be Worried About Ransomware?
Ransomware Prevention
Conclusion
Need Help with Securing Your Business Against Ransomware Threats?


Ransomware in the Wild

Ransomware is an increasingly common type of malware that infects vulnerable computers, potentially infiltrating any computer operating system and encrypting the user’s files. A financial demand is declared to regain access to data. Some iterations of malware are incredibly malicious, bypassing antivirus and potentially locking users out of the computer system.

The impact of ransomware varies depending on the victim; it appears that bad actors are increasingly using malware to target businesses, organizations and local authorities. However, despite the increase in higher-profile targets, it is important to remember that individual users can still be victims of ransomware. Because of this, it is very difficult to accurately report on how many individuals are affected and how many victims pay the ransom.

Undoubtedly, ransomware has entered the common vernacular as awareness of ransomware has dramatically increased over the past 5 years. Rarely a month passes without a security incident triggered by a ransomware attack being reported in a newspaper or on TV. Ransomware has been honed to serve in targeted, often coordinated attacks on established organizations, governments and institutions located around the globe.

The motivation behind the attacks is nearly always financial; the antagonists aim to extort cryptocurrency from the target after encrypting critical or sensitive files on the compromised computing infrastructure. Hacking groups prefer Bitcoin as it is relatively easy to clean this cryptocurrency and move it around the blockchain network. While it is not impossible to trace Bitcoin transactions, there is still relative anonymity in transferring Bitcoin into cash. There have been some successful occurrences of tracing paid ransoms; recently, a ransomware named “SamSam” was successfully traced to two men operating inside Iran. The FBI traced and located the addresses associated with the Bitcoin wallets used in the extortion by tracking the movement of the Bitcoins over the blockchain.

Hackers have counteracted this by adapting their collection methods, using clustered Bitcoin wallet addresses to mask currency. Although Bitcoin is the preferred payment method, there has been research conducted into the types of payments made for ransomware. Cash, revenue-generating premium telephone numbers and prepaid payment cards such as Paysafecard, Ukash and MoneyPak are among the popular alternatives.


A Brief History of Ransomware

Ransomware is not a new phenomenon; in fact, it only earned the name “ransomware” in recent years. Previously, the attacks were simply known as viruses or Trojan horses. The first documented evidence of a ransomware attack, one that encrypted files with the intention of blackmailing the victim for financial gain, was reported as early as 1989.

This ransomware, called “the AIDS Trojan,” pre-dates email and the internet as we know it today. It was distributed on floppy disk by a hacking group posing as a fake company called “PC Cyborg Corporation.” Once the user loaded the fake application onto their computer, the user’s files were encrypted at a specific trigger point written into the malware. After the user had rebooted their computer a set number of times, victims were prompted with a demand for a licence fee payment in return for their locked-out files. The user was ordered to send money offshore to a Panama PO box in return for the unlock key.

“The AIDS Trojan” was a very crude malware which was easily fixed as it used symmetric encryption (the decryption key was stored on the infected computer), and fix-it tools were quickly released to fix the problem.

Fast-forward to 2013, when a huge spike in ransomware attacks was fuelled by the release of the notorious CryptoLocker malware. CryptoLocker was a highly sophisticated new malware using asymmetric encryption (only the attacker has the private unlock key). The success of CryptoLocker spawned a vast number of cloned ransomware programs, all using asymmetric encryption to deny a user access to their files.

Figure 1 - An example of the AIDS Trojan demand


The use of asymmetric encryption in ransomware has continued from 2013 to the present day and includes some of the most widely known ransomware attacks, such as WannaCry, , , and Kovter. Many of the early malware releases targeted any individual’s computer with operating system vulnerabilities, but today, much of the evidence suggests that the aggressors are increasingly targeting US state and local government institutions as the rewards are potentially more lucrative.

Figure 2 - Breakdown of the Top 10 Malware Attacks (pie chart; families shown: Emotet, WannaCry, Kovter, Zeus, Dridex, IcedID, Gh0st, NanoCore, Pushdo). Source: https://www.cisecurity.org/resources/?type=post

Ransomware Lifecycle

In an in-depth study completed by the International Journal of Computer Science and Network Security, researchers found that the ransomware lifecycle is composed of seven unique stages. When ransomware is created and distributed, there is close collaboration between the creator(s) and the antagonist(s). The creator is the writer of the malware, and a campaigner’s job is to distribute the ransomware.

The study discovered the following seven stages of the ransomware lifecycle:

1. Creation – the creation team will write the malware and embed as much sophistication into the program as possible to ensure the victims pay for the release of their files
2. Campaign – the creators and/or campaigners decide whom to target with the ransomware. If individuals are targeted, the hacking group (campaigner) will target as many victims as possible, and if an institution is targeted, research may be conducted about the type of institution to hit and the likelihood of receiving the ransom
3. Infection – the ransomware payload has infected the target, and its victims are commonly using computer infrastructure that is not patched or updated with the latest security updates
4. Command and Control – at this stage, the ransomware is activated over the internet. Some ransomware will catalog the contents of the computer such as IP address, domain name, operating system, installed browsers, and anti-malware products
5. Search – the malware will scan the host computer looking for valuable files such as documents, spreadsheets, presentations, images, network drives and databases
6. Encryption – the search results will generate a list of files to encrypt; then, the encryption software will start
7. Extortion – at this stage the files are encrypted, and a ransom is displayed on the victim’s computer. It will contain a message stating that the user’s files have been encrypted and instructions on how to pay the ransom

Source: https://expert.taylors.edu.my/file/rems/publication/105055_5256_1.pdf

Industries Under Attack

The healthcare industry is a globally attractive target for ransomware creators, despite healthcare data’s protection under HIPAA legislation; the rewards of a successful malware breach of healthcare infrastructure could be lucrative for the hackers. Compromising medical records, hospital computer systems, or healthcare databases could cause chaos at a healthcare institution.

phoenixNAP have suggested “almost half of the ransomware incidents reported in 2018 involved healthcare companies” and ransomware infection rates at healthcare institutions increased 90% between 2017 and 2018. Cybercriminals will always target lucrative victims and they have learned that healthcare providers are more likely to pay the ransom if healthcare professionals are locked out of critical IT systems.

Financial institutions are another prime target for ransomware; these businesses store highly valuable data ranging from bank account information to Social Security numbers. If this data were to become compromised, it is unlikely a financial services company will be able to function, which may naturally increase the likelihood of ransom payments being made by these companies.

State and Local Government Targets

Researchers have put significant work into determining who exactly is targeted for ransomware extortion. Recorded Future investigated the recent trend of ransomware attacks that specifically targeted state and local government institutions in the United States. The researchers’ aim was to study how ransomware attacks have changed since 2013 and whether the number of incidents has increased in recent years.

Unsurprisingly, they found that “ransomware attacks on state and local governments are on the rise” with a steady increase between 2016 and 2019. Interestingly, the research suggests that state and local government institutions may not have necessarily been intentionally targeted, but instead that “these attacks tend to be more targets of opportunity.”

The study found several important trends regarding the rise of ransomware:

● In 2017, 38 state and local government attacks were reported
● In 2018, 53 state and local government attacks were reported, a 39.47% increase on the previous year
● So far in 2019, 21 state and local government attacks were reported up to April, with more than 63 projected for the entire year.

Another very important finding from the research was that state and local governments were “less likely than other sectors to pay the ransom,” although we suspect this trend will change throughout the rest of 2019. This theory is supported by reports that suggest 45% of ransoms have been paid for attacks so far in 2019.

It is estimated that over 170 county, city, or state government systems have been attacked since 2013, and we believe that this figure will continue to increase over the coming years. The attacks so far in 2019 illustrate the shift of ransomware attack targeting to public facilities.

In May and June of 2019, the City of Baltimore was targeted by a sophisticated ransomware attack that affected the majority of the city’s services. The ransom was set at 13 Bitcoins (approx. $76,000 at the time). Multiple departments lost their email, phone systems and payment systems used for generating bills and processing property sales.

The attack had a major impact on the city’s day-to-day functions; manual processes were reintroduced and thousands of local residents were impacted. The incident made global news, especially when the city announced “they would never pay the ransom.” It is estimated that the seizure of the city IT systems cost up to $18 million to repair, not to mention the significant trauma placed upon the employees and the residents of Baltimore at the time.

One of the very latest ransomware incidents started as recently as August 20th 2019, which affected 22 municipalities in Texas and resulted in swaths of local government organizations being unable to process everyday transactions. The assailants set the bounty at $2.5 million; the demand was immediately rejected by the state of Texas.

Systems that controlled birth and death certificates and some utility payments were taken offline by the breach. These systems were outsourced to a software provider that managed the IT systems. The attack happened at the IT provider’s data centers and affected multiple regional institutions, all of whom outsourced to the same provider. This highlights the criticality of choosing an outsourcing partner which has significant experience in cyber security and systems management.

No Ransomware Authority

One of the biggest challenges of understanding the scale of ransomware attacks is that we can never truly ascertain how accurately the number of incidents is reported. We can question the preciseness of the statistics because there is no centralized reporting authority that enforces notification of a ransomware outbreak.

Businesses, governments and local municipalities currently have no legal obligation to report that ransomware has affected them. Unlike HIPAA legislation, which has clear guidelines and rules about reporting data breaches, this kind of compliance is not enforced for ransomware, and we rely on victims coming clean and accurately reporting the incident. This likely means that the number of incidents reported is lower than the actual number of occurrences. Failure to report by affected institutions might be to protect reputations, maintain trust, or retain customer loyalty.

Whatever the reason, we should ask why there is less transparency in reporting ransomware incidents. We often have to rely on local news investigations or whistle-blowers to uncover ransomware victims. Accurate ransomware reporting is even more difficult when you consider individual users: John or Jane Doe who was scammed by an overseas fake software reseller.

Despite the harm that ransomware can inflict, relatively little is known about the prevalence and characteristics of such attacks in the general population. What proportion of users pay up? How do users perceive the risks? How do individual users respond to ransomware attacks? These are all questions that would require detailed research and investigation, but our current lack of insight is worth considering as it affects our understanding of the global scale of ransomware.

To Pay or Not to Pay; That Is the Question

The decision to pay a ransom depends on many circumstances, including the type of data that has been encrypted and who has been affected by the ransomware. There is evidence to suggest that state and local governments choose not to pay ransoms as frequently as other victims, a fact that is often reported in the media during the news reporting on ransomware incidents.

When considering attacks like those in Texas and Baltimore, choosing not to pay could leave local residents very angry, as they are unable to use the services they pay for and they would be directly affected by the enormous bill to clean up the mess through service cuts and cost savings in the future.

However, it is estimated that one in five ransomware attacks on government institutions are paid and about 4% of domestic cases are settled. In many of the ransomware incidents discussed here, it turned out to be significantly more expensive to NOT pay the ransom, with many organizations having to pay for expensive third-party security consultants, IT server hardening, and additional insurance premiums.

For the institutions who chose to pay the ransom, the cost is also very high; Lake City in Florida recently paid $500K in ransom and Riviera City, also in Florida, paid $600K. However, it can be argued that paying the hackers prevented days, weeks, and months of critical system outages. Those figures also pale in comparison to potential costs to rebuild affected infrastructure, considering

If we examine the Lake City incident in more detail, it is suggested that they were advised by their insurance underwriters to pay the ransom; Lake City was covered for ransomware under its cyber-insurance policy, and their deductible payment was only $10,000! The senior leadership team believed that paying the ransom would, in the long term, save time and money.

There is no doubt that deciding whether you should pay a ransom is an incredibly difficult choice. Conventional wisdom might suggest that you should never pay the ransom; however, when considering the recent Florida examples, you could argue that by paying the ransom, both Lake City and Riviera City saved themselves a small fortune that would have gone to pay expensive security consultants to fix their problems.

Paying up does, however, play into the hands of the hackers, and demands for payment may skyrocket if hackers are sure their victims will pay. Paying up is also only fixing half the problem. Yes, you may get your systems back, but the infrastructure will need an expensive overhaul, fixing, and redeployment to prevent it happening again.

Why Is Ransomware Proliferating Across the United States?

There are numerous examples of computer systems used by corporations, schools, police and city governments being targeted by ransomware and suffering extensive system outages.

It could be suggested that paying ransoms is feeding this growth; the number of institutions that are covered by cyber insurance has grown, building an estimated $7 billion to $8 billion-a-year cyber insurance market in the U.S. alone.

ProPublica has conducted extensive research suggesting that insurance companies are fueling the rise of ransomware attacks by paying hackers. They also suggest that hacking groups are deliberately targeting American companies that they know have cyber insurance. In response to the attacks on Baltimore, Atlanta and Lake City, at the 2019 United States Conference of Mayors an official statement was released “opposing the payment to ransomware attack perpetrators”.

This resolution is significant, as it is one of the first official statements identifying that ransomware is proliferating in the United States, and that ransomware is specifically targeting local US government entities. The resolution warned against paying ransomware attackers, as the practice encourages continued attacks on other government systems. They also strongly recommended “standing united against paying ransoms in the event of an IT security breach.”

Should You Be Worried About Ransomware?

No matter what protections organizations employ to prevent ransomware, they should still be concerned about their potential exposure to risk. Hacking communities are actively developing new strains of malware, not to mention sharing and trading the source code on the dark web. Without a doubt, the sophistication of ransomware attacks is growing.

Hackers are continuously looking for vulnerabilities in operating systems and popular applications, discovering backdoors and security flaws they can exploit with cleverly-designed software. System administrators and security teams are firefighting detected threats, and the process of protecting computer infrastructure can be time consuming and painstakingly difficult.

Organizations can implement the best industry standard security practices, threat detection systems, and hardware layer protections, but a business’ IT security is only as strong as its weakest link. Unfortunately, the majority of ransomware is still propagated by user-initiated actions. Careless, accidental, or reckless actions by employees can leave the door wide open to a ransomware attack.

This is where the expertise and professionalism of a managed security service provider can bolster the security of your business. Whether you choose to implement security recommendations or outsource your entire IT department, the experts at Atlantic.Net put your business first, securing your IT platforms from the very latest and future threats.

Ransomware Prevention

To protect yourself from ransomware infection, it is important to follow several security best practices to ensure that you are safeguarded. It is essential to be certain that your infrastructure and network are in a healthy state to give the best possible protection from ransomware.

● System Inventory – One of the first steps to follow, particularly if you are a business, is to complete an inventory of all your business assets. This will include all digital assets such as servers, desktops, laptops, network equipment, and digital infrastructure. Cataloguing what assets you own will allow you to create a baseline to work from
● Risk Analysis – Conduct a cybersecurity risk analysis using the baseline created with the system inventory. This process will allow you to identify security weaknesses and create a priority list of what to fix first
● Run a Supported Operating System – It is important to be running a modern, manufacturer-supported operating system. OS licencing can be expensive, but it is critical to have supported operating systems, as you are then entitled to security updates and patching. Windows 7 and Windows Server 2008 are phasing out of support in January 2020, and all previous iterations are already no longer supported
● Patching – Arguably, one of the best methods to protect against malware is to ensure that your infrastructure is patched to the very latest levels. This includes server patching, Windows updates, firmware, and microcode updates
● Application Updates – software applications need to be updated too; this will help to reduce vulnerabilities. Ensure that antivirus is installed and updated daily to guarantee the very latest threat prevention databases are invoked
● Training – Another key protection against ransomware is to train all employees about the risks of ransomware. This should help them to understand what cybersecurity is and what to look out for in avoiding risks. Common examples include being on the lookout for phishing, scams, and fake websites
● Backups – If the worst does happen and you are impacted by ransomware, often the quickest resolution is to restore from backup. Regular offsite backups should be completed on a daily, weekly, and monthly rotation to reduce the likelihood of the backups also being infected
● Disaster Recovery – Create and test a disaster recovery plan, including a scenario where a total outage is caused by ransomware. This might be a high availability DR setup in a secondary site or with a cloud provider
● Penetration Testing – This is a technique of testing external and internal computer infrastructure against all known vulnerabilities. Pen testing and vulnerability scanning will generate a list of recommended fixes needed to harden the infrastructure

Conclusion

The research we have undertaken is unanimous in the opinion that ransomware is an increasing threat. We have seen increases in the number of ransomware attacks in the last few consecutive years. It would appear that hackers are changing their methodology to focus on ransomware (instead of other types of malware), as it is the most likely attack method to succeed.

We have found evidence that suggests there is a shift away from targeting individual users in blanket ransomware attacks, instead choosing to target wealthy businesses, healthcare, education, and local and regional government institutions. Hackers choose to target these institutions because it is likely to have the biggest impact if the breach is successful.

As there is no reporting authority, reports of factual numbers of ransomware victims are very difficult to produce, and it is possible that only a fraction of the incidents are actually being reported. We have also found evidence that suggests the hackers are shifting their focus towards creating ransomware specifically targeted at institutions who are more likely to pay. Hackers may “know” which institutions are covered by cybersecurity insurance, and victims with insurance may be more likely to pay out.

Many technical, process and training safeguards can be introduced to help create a robust cyber security policy that should be implemented throughout the entire organization. Each of these safeguards should be reviewed and renewed annually, but it is also important to have a tried-and-tested business continuity and disaster recovery process should the worst happen.

Need Help with Securing Your Business Against Ransomware Threats?

Atlantic.Net stands ready to help you attain fast compliance with a range of certifications, such as SOC 2 and SOC 3, HIPAA, and HITECH, all with 24x7x365 support, monitoring, and world-class data center infrastructure. For faster application deployment, free IT architecture design, and assessment, visit us at www.atlantic.net, call 888-618-DATA (3282), or email us at [email protected].
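The Search and Encryption stages of the lifecycle section describe behaviour a defender can look for in file-activity telemetry: one process rewriting many documents with ciphertext-like content in a short time. The Python below is an added example and not part of the whitepaper or any Atlantic.Net product; the event schema, process names, file paths and thresholds are constructed assumptions standing in for a real EDR or file-audit feed.

```python
import math
import ntpath
import random
from collections import defaultdict
from dataclasses import dataclass

# File types the lifecycle text names as ransomware targets: documents,
# spreadsheets, presentations, images and databases.
TARGET_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".sqlite", ".mdb"}


@dataclass
class FileEvent:
    """One file write as an EDR/file-audit sensor might report it (assumed schema)."""
    ts: float       # seconds since the start of the observation window
    process: str    # image name of the writing process
    path: str       # file that was written
    sample: bytes   # leading bytes of the written content


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, 4-5 for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def flag_encryption_bursts(events, window_s=60.0, min_files=20, min_entropy=7.5):
    """Return {process: distinct_files} for each process that wrote high-entropy
    content to at least min_files distinct target-type files within window_s.
    The file-count threshold keeps legitimate high-entropy writers (image
    editors, archivers) out of the alert: they touch a handful of files."""
    candidates = defaultdict(list)
    for ev in events:
        ext = ntpath.splitext(ev.path)[1].lower()
        if ext in TARGET_EXTENSIONS and shannon_entropy(ev.sample) >= min_entropy:
            candidates[ev.process].append((ev.ts, ev.path))

    flagged = {}
    for proc, writes in candidates.items():
        writes.sort()
        in_window = defaultdict(int)  # path -> writes currently inside the window
        lo, peak = 0, 0
        for ts, path in writes:  # slide a window_s-second window over the writes
            in_window[path] += 1
            while ts - writes[lo][0] > window_s:
                old = writes[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= min_files:
            flagged[proc] = peak
    return flagged


def constructed_events():
    """Constructed sample feed: a backup agent copying plaintext spreadsheets, a
    photo editor saving three (naturally high-entropy) JPEGs, and an unknown
    process rewriting 40 documents as ciphertext within 30 seconds."""
    rng = random.Random(2019)  # fixed seed keeps the sample reproducible

    def ciphertext():  # pseudo-random bytes stand in for encrypted output
        return bytes(rng.getrandbits(8) for _ in range(4096))

    minutes = b"Minutes of the council meeting, item 4: water utility billing. " * 64
    events = [FileEvent(i * 0.5, "backup-agent.exe", rf"\\fs01\finance\report{i}.xlsx", minutes)
              for i in range(40)]
    events += [FileEvent(5.0 + i, "photo-editor.exe", rf"C:\Users\jdoe\Pictures\img{i}.jpg",
                         ciphertext()) for i in range(3)]
    events += [FileEvent(10.0 + i * 0.75, "unknown-updater.exe",
                         rf"C:\Users\jdoe\Documents\file{i}" + (".docx", ".pdf", ".xlsx", ".pptx")[i % 4],
                         ciphertext()) for i in range(40)]
    return events


if __name__ == "__main__":
    print(flag_encryption_bursts(constructed_events()))  # {'unknown-updater.exe': 40}
```

Tune `min_files` and `window_s` to your own environment's baseline; lowering `min_files` to 3 in the sample above also flags the photo editor, which is the false-positive class this heuristic has to be tuned around.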
