A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 65: Panama Papers, Never-Ending Ransomware and New Cyber Legislation:
This week saw a massive leak of 11.5 million documents from Panamanian law firm Mossack Fonseca, and that information is impacting politicians, business leaders and entertainers across the world. Among the week’s other trending cybercrime events were Turkish citizens having their personal information posted online, more hospitals being hit with ransomware, another likely breach at Trump Hotel Collection, and vBulletin forums being hacked. On the advisory front, new ransomware variants and WordPress attacks continue to make headlines, along with a proof-of-concept Firefox extension vulnerability dubbed an “extension reuse attack.” Legal developments include pending draft legislation on encryption, an amendment to Tennessee’s data breach notification law, and data breach lawsuit updates from Lamps Plus, Anthem and Intuit. Also, Microsoft discovered that teaching a bot to talk like a Millennial may not be such a good idea.
Listen to the podcast via the player below, or learn more about SurfWatch Labs podcasts on our podcast page.
In early 2015, the FBI issued a warning about the rise of ransomware attacks, noting that “there’s been a definite uptick lately in its use by cybercriminals.” A year after that warning we’re seeing a new surge in attacks, and concern over ransomware has risen sharply in the first quarter of 2016.
Last year, the FBI explained that ransomware was continuing to evolve, writing that in the past “computers predominately became infected with [ransomware] when users opened e-mail attachments that contained malware.” That tactic had shifted and computers were now being easily infected using a “drive-by” method “where users can infect their computers simply by clicking on a compromised website, often lured there by a deceptive e-mail or pop-up window.”
The way cybercriminals demand ransom payments has also evolved. Initially, cybercriminals asked for ransom payments on pre-paid cards. Now Bitcoin has become the preferred payment method, a better option for criminals “because of the anonymity the system offers.”
SurfWatch Labs’ data identified 49 companies associated with ransomware attacks so far in 2016, although the total number of companies affected by this threat is likely much higher as many companies do not disclose these attacks — particularly if they choose to pay the ransom.
The healthcare sector in particular has been a focus of ransomware discussion this year.
The reason ransomware has continued to gain popularity is simple — it is a cheap tool that has a high profit margin. Not long ago, malware developers were selling Cryptolocker ransomware kits with source code included for just $3,000. It wouldn’t take long for a criminal to recoup that initial investment as the average ransom demand is anywhere from $300 to $500. Recently, Hollywood Presbyterian Hospital reportedly paid $17,000 after suffering a ransomware attack.
Trending Ransomware in 2016
There are three variants of ransomware that have stood out in the beginning of 2016: KeRanger, TeslaCrypt and Locky.
KeRanger malware has received a lot of discussion due to its connection with Apple. Locky ransomware has been observed in several attacks in 2016, and TeslaCrypt, which has been around for more than a year, continues to evolve.
The newest addition to the list, KeRanger ransomware, first made headlines in the beginning of March because of a notable first: it is the first fully functional Mac OS X ransomware seen in the wild.
KeRanger was distributed through a BitTorrent client used on OS X known as Transmission. More specifically, it was bundled into Transmission version 2.90. Transmission has since warned users that the 2.90 installer was infected and prompted users to download version 2.91.
TeslaCrypt Ransomware initially made headlines back in early 2015 for infecting computer gamers. Over the last year, TeslaCrypt has continued to evolve, with the latest version TeslaCrypt 4.0 released earlier this month. The ransomware is now capable of attacking organizations and home users.
The latest edition of TeslaCrypt uses RSA-4096 to protect the keys used to encrypt data. Without the attacker’s private key, recovering the data is infeasible, and tools developed to combat previous TeslaCrypt versions, such as “TeslaDecoder,” will not work with TeslaCrypt 4.0.
TeslaCrypt ransomware has evolved quickly. In just over a year, malware creators have released four versions of the ransomware, each more sophisticated than the last. If any weaknesses are found in TeslaCrypt 4.0, expect the malware creators to move quickly in releasing a new version that addresses them.
Locky ransomware was discovered in February 2016. The ransomware works like most strains: it infects a user’s computer, encrypts the content on the computer, and then demands a ransom in exchange for decrypting the information. It is the encryption step that gives the ransomware its name, as it renames all of the user’s encrypted files with the extension .locky.
This ransomware is being distributed through malicious macros in Microsoft Word attachments. In typical cases, victims receive a spoofed email with a Microsoft Word attachment that appears to be an invoice seeking payment for a service or product. When the attachment is opened, a document appears with scrambled text. The user is then instructed to enable the document’s macros to unscramble the text, and running the macro is what leads to infection.
This ransomware variant made huge headlines for causing Methodist Hospital of Henderson, Kentucky, to declare an “internal state of emergency.” Fortunately, Methodist Hospital was able to restore its data without paying the cybercriminals’ ransom demand of four bitcoins ($1,600).
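The two Locky behaviours described above, macro-carrying Word attachments and encrypted files renamed with the .locky extension, can both be checked for from the defender’s side. The Python script below is an added example and is not code from SurfWatch Labs or from the original post. The document contents, file names and directory it scans are constructed for the demo; the macro check looks for the vbaProject.bin part that Office stores inside any macro-enabled OOXML (.docm/.docx) package, so it flags macro presence in general rather than anything specific to Locky’s documents.

```python
"""Defender-side checks for the two Locky indicators described above.

Added example; file names, directory layout and document bytes are constructed.
"""
import io
import os
import tempfile
import zipfile

# OOXML (docx/docm) packages keep VBA macros in this zip part; its presence
# is a reliable marker of a macro-enabled document.
VBA_PART = "word/vbaproject.bin"


def has_vba_macro(data: bytes) -> bool:
    """Return True if an OOXML document byte string carries a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        # Not an OOXML package (e.g. legacy binary .doc or arbitrary bytes):
        # this check cannot decide, so it reports no macro rather than guessing.
        return False
    return VBA_PART in names


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed sample input: a minimal OOXML package, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes stand in for a real compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"CONSTRUCTED-PLACEHOLDER")
    return buf.getvalue()


def scan_for_encrypted_files(root: str, ext: str = ".locky") -> dict:
    """Walk a directory tree and report how many files carry the ransomware extension.

    The ratio of renamed files to all files is the useful signal: a handful of
    hits may be stray samples, while a high ratio means encryption is under way.
    """
    total = 0
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            total += 1
            if name.lower().endswith(ext):
                hits.append(os.path.join(dirpath, name))
    ratio = len(hits) / total if total else 0.0
    return {"total": total, "hits": len(hits), "ratio": ratio, "paths": sorted(hits)}


def run_demo() -> dict:
    """Build a constructed file tree, run both checks and return the results."""
    root = tempfile.mkdtemp(prefix="locky-demo-")
    os.makedirs(os.path.join(root, "docs"))
    # Two files already renamed by the ransomware plus one untouched file.
    for name in ("report.docx.locky", "budget.xlsx.locky", "readme.txt"):
        with open(os.path.join(root, "docs", name), "wb") as f:
            f.write(b"constructed content")
    scan = scan_for_encrypted_files(root)
    return {
        "macro_doc_flagged": has_vba_macro(build_sample_docx(True)),
        "clean_doc_flagged": has_vba_macro(build_sample_docx(False)),
        "encrypted_hits": scan["hits"],
        "encrypted_ratio": scan["ratio"],
    }


if __name__ == "__main__":
    print(run_demo())
```

The macro check is deliberately narrow: it inspects only OOXML packages, so legacy binary .doc attachments need a separate parser, and a flagged document is a reason to quarantine or sandbox it, not proof that the macro is hostile. The extension scan is a cheap after-the-fact indicator; pairing it with the ratio lets a monitoring job alert on a rising fraction of renamed files on a file share rather than on any single hit.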
Being Prepared is Key
Although ransomware has been making headlines for the last few years, data from 2016 suggests more criminals are going to focus on this tactic and more organizations are going to be victimized. Businesses need to be aware of this threat and take action now to mitigate the effects of a potential attack.
As recent attacks have shown, the overall cost of a ransomware attack can be much greater than just the ransom demand.
Cybercriminals have shifted their focus away from stealing payment card data in favor of targeting personal information and directly extorting victims, according to a new report from SurfWatch Labs.
The trends aren’t surprising, said SurfWatch Labs chief security strategist Adam Meyer, who discussed the report on this week’s Cyber Chat podcast. Cybercrime is a business, and malicious actors gravitate towards the process that gives them the largest return on their effort.
While extortion is perhaps the most direct path towards monetizing cybercrime, stolen personal information has a long shelf life and can be easily sold or used for authentication purposes. It also tends to be the low-hanging fruit as retailers and financial institutions improve at preventing or minimizing the losses around payment card information.
“All these identifiers that make you ‘you’ can be used in 20 different ways to conduct an attack,” Meyer said. “It makes complete sense why we’re seeing this trend come up.”
While 2014 was dominated by headlines surrounding point-of-sale (PoS) breaches, only three PoS breaches cracked last year’s top 25 trending cybercrime targets: Starwood Hotels & Resorts (#14), Hyatt Hotels (#17) and Dixon’s Carphone (#23).
Altogether, SurfWatch Labs collected CyberFacts related to 4,562 distinct industry targets last year.
The top trending cybercrime targets last year — the United States Office of Personnel Management, Anthem, and Avid Life Media — all centered around the theft of personal information.
“A Failure of Corporate Culture”
The rise in stolen personal information can be attributed to failures at the top of many organizations, Meyer said.
“The biggest vulnerability that we have in my opinion is outdated corporate culture,” he said. “They completely have their heads in the sand about what’s going on in the world.”
Despite all of the recent headlines around cybersecurity, many organizations still do not adequately assess their level of cyber risk and take the necessary precautions.
“No one is really trying to solve this problem at the decision maker level,” Meyer said. “The organizations are falling down on educating themselves on these issues until it’s too late.”
He added: every organization is a custodian of data, and the first step to mitigating cyber risk is to put a thought process in place assessing the risks facing your data, your infrastructure, your industry, and your partners and suppliers.
Dark Web and Other Cyber Risk Trends
Dark Web markets can provide valuable insight into many cybercrime trends.
“The black market is a great resource to look at what is the typical state of the underground economy,” Meyer said. “You can see what’s being bought and sold. You can see what prices they’re generating. You can see the tempo and the supply and demand aspect of things, and you can use that information to compare against where would you fit in that.”
Unfortunately, there’s not enough education on what happens to data once it is stolen, he added.
“This is where the stuff goes most of the time, and we’re not educating anybody on where it’s going and why it’s going there. And people just keep repeating the mistakes over and over and over.”
About the Podcast: SurfWatch Labs recently released a threat intelligence report detailing cyber risk trends. They noted that cybercriminals have shifted their targets over the past year from focusing on credit card information at financial institutions to increasingly stealing personal information across a swath of industries.
On today’s Cyber Chat we talk with our own Adam Meyer, Chief Security Strategist at SurfWatch Labs, about the report, cyber risk trends and what businesses need to do in order to stay ahead of cybercriminals.
A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 64: Anonymous Gets Political, Employees Selling Passwords and Latest Cybercrime Lawsuits:
The hacking collective Anonymous made headlines by threatening to target Republican front-runners Donald Trump and Ted Cruz. A large DDoS attack took down Swedish newspapers. Other trending events include more hospitals being hit with ransomware, a breach at USA Cycling, and a dangerous attack against a water treatment plant. On the advisory front, new studies highlighted software vulnerabilities and employee passwords, Locky ransomware continues to be discussed by researchers, Microsoft is fighting back against malicious macros, and a new scam is impersonating ISPs. Legal stories include more warnings from the FTC, lawsuits against 21st Century Oncology and Costco, and arrests related to intellectual property theft and the Syrian Electronic Army. Plus, sports fans have terrible passwords.
Listen to the podcast via the player below, or learn more about SurfWatch Labs podcasts on our podcast page.