{"id":3171,"date":"2017-01-03T00:00:00","date_gmt":"2017-01-03T00:00:00","guid":{"rendered":"http:\/\/otava.test\/ransomware-facts-and-figures\/"},"modified":"2017-01-03T00:00:00","modified_gmt":"2017-01-03T00:00:00","slug":"ransomware-facts-and-figures","status":"publish","type":"post","link":"https:\/\/www.otava.com\/blog\/ransomware-facts-and-figures\/","title":{"rendered":"Ransomware and healthcare: What you need to know"},"content":{"rendered":"

\"RansomwareRansomware was\u00a0officially a\u00a0billion dollar crime<\/a>\u00a0in 2016, with more than 4,000 attacks since Jan. 1<\/a> and at least 25 variants of ransomware discovered. Researchers have predicted they would\u00a0discover more than 100 variants before year\u2019s end. And as of August, Malwarebytes research uncovered 40 percent of businesses in four countries experiencing an attack in the past year. One third of those businesses attacked lost revenue as a result.<\/p>\n

<\/span>Who are the victims?<\/span><\/h2>\n

Healthcare and financial services are the most popular enterprise targets, although no one is immune. These industries critically depend on up-to-date records to conduct business, hence, they have been more frequently targeted. Hospitals<\/a>\u00a0have been hit especially hard with 88 percent of attacks, according to Solutionary’s Security Engineering Research Team Quarterly Threat Report for Q2 2016. In February, Hollywood Presbyterian Hospital paid a $17,000 ransom to get its EHR back<\/a>, and the Kansas Heart Hospital also admitted to paying a ransom in May, except it gets worse: The hackers demanded a second ransom<\/a> to unlock the data. And in April, the Lansing Board of Water and Light<\/a> paid $25,000 to retrieve its data after discovering ransomware on its computers–the first U.S. utility company known to have paid a ransom.<\/p>\n

Banks have not been immune<\/a> to attacks either, although you won\u2019t always hear about them. While it\u2019s not been a public threat, the Federal Financial Institutions Examination Council did issue a warning<\/a> about the severity of ransomware last year.<\/p>\n

<\/span>Different ransomware families to watch out for:<\/span><\/h2>\n

There are more than 25 families of ransomware, and researchers say they are on pace to discover more than 100 variants<\/a> within the families. The top variants in the US are: CryptoWall, CTB-Locker, TeslaCrypt, Locky, Cerber and MSIL\/Samas.A.<\/p>\n

CryptoWall<\/strong>: First appeared in early 2014, and famous for AES encryption, unique CHM (a type of file) infection mechanism, and robust command and control (C2) activity using Tor networking. It also uses various exploit kits, spam campaigns and malvertising to gain access to computers. CryptoWall uses Invisible Internet Project<\/a> (I2P) network proxies to communicate with the live command and control servers, making it anonymous. It also uses Tor for Bitcoin payments, making this strain extremely difficult for AV software to trace the malware author. It\u2019s been very\u00a0popular in attacks against hospitals\u2014in the Solutionary Security report, of all the hospitals claimed to have been hit with ransomware, 94 percent were victims of CryptoWall.<\/p>\n

CTB-Locker<\/strong>: CTB-Locker<\/a> (Curve-Tor-Bitcoin) is a family of ransomware that has branches modified to include lockouts of websites. It’s known for its use of Curve Elliptography encryption, Tor browser service for victims to make payments, and Bitcoin for the currency of those payments. It\u2019s most commonly distributed through spam campaigns, but it has also been seen in several exploit kits<\/a>, including Rig and Nuclear. Bleeping Computer has a handy FAQ<\/a> guide to CTB-locker for more information.<\/p>\n

TeslaCrypt<\/strong>: Once a dangerous strain, the good news is that TeslaCrypt shut down in May and is now defunct. If your files were encrypted with a .xxx, .ttt,\u00a0 or .micro extension, go to this site<\/a> for the master key and step-by-step guidance to unlock your files for free. Even if your files are encrypted with other extensions, it doesn\u2019t hurt to try.<\/p>\n

Locky<\/strong>: One of the most dangerous strains<\/a>, it\u2019s been accounted for 6 percent<\/a> of all attacks recognized globally during September 2016. Locky is dangerous because it uses multiple exploit kits, including Angler and Neutrino, as well as macros to encrypt files after a user opens a document. It\u2019s usually found in Office documents or embedded in JavaScript and sent as part of a phishing campaign. Once the victim has their files encrypted, the ransom note is set as wallpaper, and they are instructed to pay via a private Tor browser. Locky also removes shadow copies on Windows systems, making victims\u00a0even more likely to pony\u00a0up. The malware spreads through networks and across Windows, OSX and Linux platforms.<\/p>\n

Cerber<\/strong>: One of the more widely used strains of ransomware this year, Cerber uses a wide variety of tactics to gain access, including DDoS attacks, Windows Scripting and attacks on cloud platforms. The ransomware attacks individual machines but has also been found to encrypt entire enterprise databases, making it especially dangerous. It encrypts many file types, including .doc, .mdb, .pdf, .txt and .backup, and adds a .cerber extension to each file. During encryption, the malware creates three different files that tell the victim his\/her files have been encrypted, including a .vbs file that plays a message through the computer speakers. While several decryption tools have been released, the ransomware has been updated and unfortunately, there are no free tools to decrypt files available at this time<\/strong>.<\/p>\n

MSIL\/Samas.A<\/strong>: This strain of ransomware and its variants target an entire network of machines rather than individual computers. This makes it especially dangerous for enterprise operations, including healthcare and financial sectors. The FBI issued an alert<\/a> about this strain last year, adding that\u00a0like Locky, it also looks for network backups to delete and cautioning businesses to be on alert.<\/p>\n

<\/span>Lessons learned from Code Spaces<\/span><\/h2>\n

Anyone remember Code Spaces? It was an up-and-coming SaaS provider offering developers source code management tools available through AWS. In June 2014, an attacker<\/a> gained control of the company\u2019s AWS control panel and orchestrated a DDoS attack. When the company contacted the attacker, they were told to pay a ransom to stop the attack. Instead of paying the ransom, Code Spaces tried to regain control of its panel. In response, the attacker started deleting data<\/a> and didn\u2019t stop until they had removed all EBS snapshots, S3 buckets, all AMIs and several EBS and machine instances. The move effectively destroyed the company<\/a>.<\/p>\n

It sounds like the lesson here is, \u201cPay up when you\u2019re told to pay.\u201d But Code Spaces was right not to pay the ransom. There was no guarantee the attacker would have stopped the flood of traffic, nor given Code Spaces its panel back without deleting anything. Instead, the lesson that can be learned is, \u201cDon\u2019t put your production and backup eggs in one basket.\u201d Code Spaces had a backup and recovery plan and also replicated servers, but it had them hosted in the same AWS control panel as its regular machine and server instances.<\/strong> Once that panel was illegally accessed, it pretty much spelled the end of the company. The moral? When you back up your copy, follow the 3-2-1 rule: Three copies of data, on two different media, with one offsite.<\/p>\n

While Code Spaces isn\u2019t a literal case of ransomware, it\u2019s certainly appropriate here. The same recommendation to back up your data offsite holds true to protect oneself against ransomware as it does any other attack. Several\u00a0strains of ransomware have been known to infect backups stored on the network, rendering them useless. It\u2019s important to have a data set that\u2019s disconnected from the network to avoid infection or corruption.<\/p>\n

<\/span>To pay or not to pay, that is the question<\/span><\/h2>\n

Even if you\u2019ve done all you can to prevent attackers from infecting your network, cyber criminals are a pesky, determined bunch. It\u2019s best to expect them to break in at some point, as bleak as that statement is. When you find yourself facing the morning you\u2019ve been dreading\u2014waking up to a ransom screen demanding money in return for access to your data\u2014what will you do? Do you pay, or try to get your systems back?<\/p>\n

It\u2019s easy to advise one way or the other, but when you\u2019re in the middle of an attack, it can be a completely different scenario. The FBI and major security researchers, however, all recommend not<\/strong> paying the ransom if possible. As mentioned before, paying the ransom doesn\u2019t guarantee anything, and it also reinforces the success of the attack. Most criminals have developed a reputation termed \u201cdishonest reliability\u201d where they do indeed give you the decryption key to get your data back once you pay up. But they don\u2019t all operate that way, and it\u2019s a dangerous gamble to assume they will. The Kansas Heart Hospital case is a great example of this\u2014the hospital paid the first ransom, and the attackers demanded a second before giving up the encryption keys. In this case, the hospital chose not<\/a> to pay the second ransom, citing it wasn\u2019t a \u201cwise maneuver or strategy.\u201d\u00a0Unfortunately, Kansas Heart is a clear demonstration of how paying a ransom doesn\u2019t always get you what you expect.<\/p>\n

If you\u2019ve been the victim of a ransomware attack, it\u2019s important to contact the FBI. Visit the FBI website to see a list of field offices<\/a> throughout the US.<\/p>\n

<\/span>Your options<\/span><\/h2>\n

Your best recourse is to restore from a safe backup. This is where having a strong, thorough disaster recovery and backup strategy is so important. For more information on developing that strategy and what considerations you should make, check out the following resources:<\/p>\n