Though it’s been around in various incarnations for a couple of decades, ransomware is one of the hottest topics in the world of cybersecurity, and for good reason. It’s malware on the rise, thanks to its role in a growing number of successful cyber-attacks and the high ROI it delivers.
While consumers still comprise the majority of victims, ransomware rings are increasingly targeting organizations, where they can demand higher ransoms. In his session at the 2016 CyberCrime Symposium, Peter Van Valkenburgh cited the paralyzing March 2016 attack on Columbia, Md.-based MedStar Health Inc., whose network of hospitals was forced to operate offline, with no access to key systems or data. The attack came just a month after a Los Angeles hospital, Hollywood Presbyterian Medical Center, paid hackers $17,000 in Bitcoin to restore access to their systems.
Three key things work together to make modern ransomware possible, according to Van Valkenburgh, who serves as research director at Coin Center, a non-profit research and advocacy group focused on crypto-currency policy issues. The “sexy” elements in this trifecta, he said, are “encryption” and “Bitcoin,” the crypto-currency that most attackers now demand as the form of payment. As such, this duo, particularly Bitcoin, gets the bulk of the attention from the media and infosec professionals.
What many tend to overlook, said Van Valkenburgh, is the root of the ransomware problem, and the third component in the trifecta – the actual breach. And what leads to breaches? Poor security policies and practices.
The Trifecta at Work
During his presentation, Van Valkenburgh provided this simplified breakdown.
The Encryption. Once it has breached a system, the malware searches the computer’s drive and any connected drives and encrypts non-system files, rendering them inaccessible. In the case of enterprise hits, hackers may target specific file extensions or folders for encryption. They retain control of the decryption key on a remote server.
The Payment. Once infected, the computer displays different directives, depending on the type of ransomware. Older versions, for example, might show a notice from the FBI claiming the user had engaged in software piracy and had to pay a fine using a prepaid card. Newer versions get right to the point – they tell users that a system’s files are encrypted, the ransom they’ll have to pay to get the decryption key, and how to purchase the Bitcoin they’ll use as the currency for the exchange.
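The encryption step above has a measurable side effect a defender can look for: files that have been encrypted no longer look like documents, they look like random bytes. The following scanner is an added illustration, not code from the talk or from Coin Center; it walks a directory tree, skips system folders and already-compressed formats (an assumed heuristic, since those are high-entropy by nature), and flags user files whose content entropy is near that of random data. The fixture it scans is constructed in a temporary directory.

```python
import math
import os
import tempfile
from collections import Counter

# Assumed heuristics: skip OS folders (ransomware leaves system files alone)
# and skip formats that are high-entropy even when not encrypted.
SKIP_DIRS = {"Windows", "Program Files", "System32"}
COMPRESSED_EXTS = {".zip", ".gz", ".7z", ".jpg", ".png", ".mp4", ".pdf"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; random/encrypted data approaches 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_tree(root: str, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Return paths under root whose first 64 KiB look like ciphertext."""
    suspicious = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            if os.path.splitext(name)[1].lower() in COMPRESSED_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    sample = fh.read(65536)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            # Very small files give unreliable entropy estimates; ignore them.
            if len(sample) >= 256 and shannon_entropy(sample) >= threshold:
                suspicious.append(path)
    return suspicious

def demo() -> tuple:
    """Constructed fixture: one plaintext note beside a random-byte 'locked' file."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("quarterly report draft\n" * 200)
    with open(os.path.join(root, "notes.txt.locked"), "wb") as fh:
        fh.write(os.urandom(4096))  # stands in for an encrypted user file
    flagged = scan_tree(root)
    return len(flagged), [os.path.basename(p) for p in flagged]

if __name__ == "__main__":
    print(demo())
```

A sudden rise in the number of flagged files, or in renames to an unfamiliar extension, is the kind of signal a monitoring job would alert on.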
Because of its association with ransomware, Bitcoin’s benefits have been obscured by a cloud of misconception. One is that it’s an anonymous method of currency exchange. But Bitcoin transactions leave a trail on the blockchain, requiring hackers to vigilantly protect their pseudonyms – handled properly, even prepaid cards are a more anonymous form of payment. Cyber-criminals attacking with ransomware “don’t use Bitcoin because it’s anonymous,” said Van Valkenburgh. “They use it because it’s fast and reliable and it just works.”
In fact, said Van Valkenburgh, Bitcoin and other crypto-currencies can provide stronger user security and privacy than traditional forms of financial transactions, like credit cards. That’s because the financial transaction chain involves numerous parties – merchants, their card processors, card networks, and card issuers, typically banks – each with its own methods for securing its infrastructure, systems, and user credentials.
Crypto-currencies, on the other hand, remove the “middlemen” that control transactions. With Bitcoin, users have their own wallet, software that enables them to control their funds, and their own private key that serves as their credentials. Instead of the multitude of individual ledgers involved in traditional financial transactions, the foundation of crypto-currencies is an open, decentralized “super-ledger,” or blockchain, where every peer in the network has an identical, up-to-date copy of this ledger.
In a market as nascent as digital currencies, Van Valkenburgh acknowledged there’s a great deal of uncertainty, including potential new security issues, that will need to be addressed in coming years.
But today, organizations across industry need to increase their vigilance and enforce best-in-class security policies and practices surrounding passwords, two-factor authentication, routine system patching and upgrades, and other measures, said Van Valkenburgh. Just consider reports stemming from the MedStar hack: The hackers that successfully attacked the healthcare system did so through a vulnerable server that officials had been warned – on two occasions, both years earlier – needed an available update to avoid becoming a major security risk.
This is the fifth in our series presenting key takeaways from Sage Data Security’s 2016 CyberCrime Symposium, held November 3-4, 2016. If you couldn’t get a seat at the event or just want a refresher, check in weekly for the latest installment featuring actionable insight from select presentations.
Free Download: Ransomware Survival Guide
We’ve all seen the headlines. Ransomware attacks are escalating. It’s essential that your organization has the proper controls in place to defend against an attack. But defense strategies are not enough. With some ransomware strains touting success rates of 40% or higher, it’s even more important that your organization is prepared to confidently respond to, and survive, a ransomware attack. This survival guide will arm you with the knowledge you need to defend against and prepare for an attack.