WatchPoint Security Blog

Ransomware: The Threat is Real

Written by Greg Edwards | March 30, 2016

2016 will be remembered as the year of ransomware. We have already seen two major hospitals literally shut down for days by cyber criminals who held their data, including patient records, hostage. The first was LA's Hollywood Presbyterian Medical Center and, most recently, Methodist Hospital in Henderson, Kentucky.

Apr 6, 2016 UPDATE: MedStar Health, with 24,000 employees, turns away patients after likely ransomware cyberattack

$10,000 Demanded from Small Business

Last weekend, The Hard Times Café in Rockville, MD shut down to rebuild its computer network because attackers locked all of the business's files and demanded $10,000 to release them. The owner, Bob Howard, refused to pay and had his computer techs rebuild everything. When asked by a reporter what he would like to say to the attackers, Bob replied: "I don't think I would say anything, we would communicate in a different way." He went on to say, "The FBI confirmed once this happens, you got two choices. Pay 'em, or just start from scratch and trash everything you have and just rebuild your whole network."

Ransomware attacks are nothing new, starting with CryptoLocker in 2011 and evolving into CryptoWall and, most recently, Locky and TeslaCrypt. The Darknet allows attackers to remain anonymous and take payment in Bitcoin.

What changed?

These encryption malware variants have existed since 2011, so why am I saying 2016 will be the year of ransomware? The reason is in the tactics and in the amounts being demanded. In 2011, the amounts demanded were less than $500. Some cyber criminals were, and still are, using a shotgun approach: infect as many people as possible and collect a small amount from each. Other attacks are becoming much more targeted, with criminals singling out businesses. If you are singled out and don't have incredibly sophisticated offensive and defensive cyber security systems, you will be infected. This isn't a scare tactic; it is the unfortunate truth. The criminals that attacked The Hard Times Café demanded $10,000, and $10,000 will become the new starting point for the demands.

"The ransomware is that good... To be honest, we often advise people just to pay the ransom."

Joseph Bonavolonta, Assistant Special Agent in Charge of the Cyber and Counterintelligence Program in the FBI’s Boston office

Exfiltration

Hackers with even a modest level of expertise know how to exfiltrate the most valuable asset in any company: the data on its network. Businesses don't think about the value of that data until they are faced with not being able to access it, or until the FBI informs them that all of their customers' information is for sale on the Darkweb. Exfiltration is the term for copying data out of one network onto another.

Combined and Coordinated

When cyber criminals combine and coordinate data encryption and exfiltration, the dollar amount of the ransoms being demanded will skyrocket.  Let me paint an ugly picture:

You get a notice similar to the Locky Bitcoin notification above. Rather than simply offering to decrypt your files, the notification warns that if you don't pay, your customer files will be sold to the highest bidder and a news story will be released to the local media. A link shows you a snippet of the files referenced. If they are really good, the cyber criminals will snap a picture with your webcam and include it to prove they are serious.

As a business owner myself, this is a scary scenario.  I would personally much rather have my client files destroyed and everything wiped out than have them released.  The reputational hit and personal humiliation would be atrocious. 

It has already happened

Fortune magazine called it The Hack of the Century. This scenario sounds like something from the movies, and in fact a movie studio was the first victim of this kind of attack. Sony Pictures had almost this exact situation happen to them in 2014. The attackers didn't want money, though. The hackers' demand read: "We've obtained all your internal data including your secrets and top secrets. If you don't obey us, we'll release data shown below to the world."

The real threat is to businesses with fewer than 300 employees. Cyber criminals know these are the easy targets. Fortune 500 companies are spending tens of millions of dollars to protect themselves. As an attacker, it only takes a few wins to make thousands of dollars a week. Who do you think they are going to go after?

Top 5 Recommendations

What does this mean for businesses around the world?  It means that cyber security is the number one risk to your business.  If you aren’t taking serious action already, you need to.  It doesn’t necessarily mean spending a lot of money.  You just need to take a few steps to make yourself as hard a target as possible.

Below are my top 5 recommendations for businesses without million dollar cyber security budgets:

  1. If you don’t have cyber liability insurance, get it, now. Having cyber liability insurance won’t save you the emotional stress of telling your best clients that all of their personal information was released because you didn’t protect it.  But, like having your house burn down, at least you will have the money to rebuild.
  2. Patch! Unpatched software is the number one way for you to get infected.  Patch management is a simple, inexpensive step that is the best thing you can do to make yourself a harder target.
  3. Enforce password complexity, password expiration and lockout policies. This forces employees to use good passwords and change them regularly, and the lockout policy stops brute-force guessing. Use a password manager like LastPass or 1Password for all of your online passwords.
  4. Change default passwords. This sounds like a no-brainer, but lots of "dumb" devices on your network are not so dumb, and will allow an attacker access. Start by inventorying all of your connected devices (IP cameras, scanners, copiers, phone systems, anything connected by wire or wirelessly to your network). Log in to each one and make sure the username/password combination is not admin/password. This applies to routers and firewalls as well.
  5. Hire professionals. At a bare minimum, you should at least understand what the risks are.  Most IT firms will do a low-cost vulnerability scan to let you know where you stand and recommend steps to secure your network.

What is WatchPoint?

WatchPoint uses a unique tripwire system that puts simple sensors (Watchpoints) on your network to detect when an attacker or rogue user is somewhere they shouldn't be. It is like having a home security system with window, door and motion sensors everywhere. Those sensors are backed by a recording system that records every move made on the network. When a sensor is tripped, you simply use the recording system to play back exactly what happened and determine the root cause in a matter of seconds.
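As an added example in the spirit of the tripwire sensors described above (this is not WatchPoint's code), here is a minimal file-based decoy monitor: it plants decoy documents that no legitimate user should ever touch, records a baseline hash of each, and flags any decoy that is renamed (Locky appends .locky after encrypting), deleted, or rewritten with high-entropy content. The decoy names and contents are constructed for the demo, and the "ransomware" in demo() is just random bytes written over a decoy.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Decoy names and contents are constructed for this example.
DECOY_NAMES = ["~$budget_2016.xlsx", "client_list_backup.docx"]

def shannon_entropy(data):
    """Bits per byte: ciphertext sits near 8.0, office text well below."""
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data)) if n else 0.0

def plant_decoys(directory):
    """Write decoys nobody should ever open and record a baseline SHA-256 of each."""
    baseline = {}
    for name in DECOY_NAMES:
        path = Path(directory) / name
        path.write_bytes(b"Quarterly figures placeholder text. " * 20)  # low entropy
        baseline[path] = hashlib.sha256(path.read_bytes()).hexdigest()
    return baseline

def check_decoys(baseline):
    """Return (event, path, detail) for every decoy that no longer matches its baseline."""
    alerts = []
    for path, digest in baseline.items():
        if not path.exists():
            # Families such as Locky rename after encrypting; report the new name if present.
            renamed = [p.name for p in path.parent.iterdir() if p.name.startswith(path.name)]
            alerts.append(("renamed", path, renamed[0]) if renamed else ("deleted", path, None))
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            ent = round(shannon_entropy(data), 2)
            alerts.append(("encrypted" if ent > 7.0 else "modified", path, ent))
    return alerts

def demo():
    """Plant decoys, then mimic encrypt-and-rename on one and overwrite-in-place on the other."""
    baseline = plant_decoys(tempfile.mkdtemp())
    clean = check_decoys(baseline)
    victim, other = baseline  # dict keys keep DECOY_NAMES order
    victim.write_bytes(os.urandom(4096))  # stand-in for ciphertext
    victim.rename(victim.with_name(victim.name + ".locky"))
    other.write_bytes(os.urandom(4096))
    return clean, check_decoys(baseline)
```

Run check_decoys on a schedule against the shares the business cares about; a tripped decoy is the signal to isolate the host before more files are touched.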

Contact us to see how a simple WatchPoint sensor disguised as a Microsoft Word file works.  When someone opens the Microsoft Word document you create, you will get an email alert.  Try it!