A hacker took control of a computer network at the San Francisco Municipal Transportation Agency in November. The day after Thanksgiving, reports Popular Mechanics, ticketing kiosks on the San Francisco light rail went offline as agency screens displayed, “You Hacked, ALL Data Encrypted.” And it turns out the most surprising thing about this incident is that it hasn't happened before. It's hard to get precise numbers on cyberattacks, since they rely on disguising themselves, but available data for ransomware paints a grim picture. A June 2016 study by Osterman Research and security firm Malwarebytes found that 47 percent of U.S. Among U.K. respondents, 12 percent had been hit at least six times. Globally, 37 percent of organizations paid. Of the more than 2.3 million users of Kaspersky Lab security products who encountered ransomware between April 2015 and March 2016, almost 87 percent were at home. No word on how many paid up, but with ransoms averaging a few hundred dollars, and ransomware proceeds estimated at $209 million for the first three months of 2016, it was probably quite a few.
” writes Andrew Howard, chief technology officer at Kudelski Security, in an email. Attacks are brilliantly simple: A computer user falls for a phishing email or stumbles on a corrupted web page, and a malicious piece of software downloads. It encrypts (or otherwise blocks access to) the computer's files, and the infection spreads from that computer to any other computer connected to it. The hacker announces him- or herself, provides a method of contact and promises the decryption key in exchange for payment, typically in a digital “cryptocurrency” like Bitcoin or MoneyPak, which is harder to trace than cash. The sheer volume of attacks is staggering. U.S. Homeland Security estimates an average of 4,000 per day in 2016, up 300 percent from the previous year. “Instead of having to steal data and sell it or rent out botnets to other cybercriminals, ransomware offers direct payment,” Opacki writes in an email.
“You infect a computer and the victim pays you.” This is not a new concept. Early versions of the scheme date back to 1989, when hackers distributed the AIDS Trojan horse through snail mail via infected floppy disks. The program, believed to be part of a global extortion scheme, encrypted part of a PC's root directory. That malware pioneer was quickly defeated. But decades have fine-tuned both delivery and encryption methods. Nolen Scaife, information-systems doctoral student at the University of Florida (UF) and research assistant at the Florida Institute for Cybersecurity Research, says ransomware is a tough adversary. “Defending against this kind of attack is tremendously difficult, and we are only now starting to see plausible defenses for ransomware,” Scaife writes. Ransomware attacks “differ slightly each time they occur,” he explains, making them difficult to detect and disable. Further complicating matters, ransomware activity in a system can resemble legitimate actions an administrator might perform.
Scaife's team at UF developed a ransomware-detection program called CryptoDrop, which “attempts to detect the ransomware encryption process and stop it.” The less data the malware can encrypt, the less time spent restoring files from backup. But reversing the encryption is a different story. According to Scaife, well-designed ransomware can be unbreakable. “The reliability of good cryptography done properly and the rise of cryptocurrency have created a perfect storm for ransomware,” Scaife writes in an email. Hollywood Presbyterian Medical Center in Los Angeles held out for almost two weeks before paying 40 bitcoins (about $17,000) to decrypt its communications systems in February 2016. The hacker never had access to patient records, reports Newsweek's Seung Lee, but staff were filling out forms and updating records with pencil and paper for 13 days. In March, ransomware hit networks at three more U.S. Ottawa, Ontario; and another Ontario hospital had its website hacked to infect its visitors with the malware.
Hospitals are perfect victims, security expert Jérôme Segura told CBC News. Same with law enforcement. At least one of the five Maine police departments hit by ransomware in 2015 was running DOS, the chief told NBC. Police departments are popular targets. And while the irony of the situation is lost on no one, police are as likely to pay as anyone else. A New Hampshire police chief who couldn't bear it got a bright idea: He paid the ransom, got the key, and cancelled payment; but when his department got hit again two days later he just forked over the 500 bucks. A school district in South Carolina paid $8,500 in February 2016. The University of Calgary paid $16,000 in June, explaining it couldn't take risks with the “world-class research” stored on its networks. In November, a few weeks before the light-rail hack, an Indiana county paid $21,000 to regain access to systems at its police and fire departments, among other agencies.