Weekly Cyber Risk Roundup: Ransomware and Insecure Databases Dominate Headlines

Ransomware and extortion continue to dominate the headlines in 2017. The past week saw several widely reported incidents involving service outages and lost data due to infections, as well as warnings that malicious actors are attempting to extort organizations via the threat of DDoS attacks.

The Austrian hotel Romantik Seehotel Jägerwirt paid approximately $1600 in ransom after ransomware locked the hotel out of its computer systems and the hotel was unable to issue new key cards to arriving guests. The hotel’s reservation system was down for 24 hours; however, the initial media reports that customers were locked in their rooms due to the incident were false, the owner told Motherboard. The hotel’s managing director told The Verge that the issue was that the hotel could not program keycards for the guests checking in on the same day due to the system being down. The Local reported that it was the fourth time the hotel had been hit by such an attack, prompting the company to go public in order to warn others about these types of cybercrime incidents.

Several other ransomware-related service outages were announced this week. Licking County, Ohio, shut down more than a thousand computers due to a ransomware infection. A variety of departments, such as the 911 call center, were unable to use computers and had to switch over to other forms of communication, and services such as court house phones and the issuing of court documents were made unavailable, 10TV reported. In addition, The Washington Post reported that ransomware left 123 of the 187 Washington D.C. police surveillance cameras, which monitor public spaces across the city, unable to record from January 12 to January 15. The ransom demand was not paid as the police simply removed all software and restarted the system at each site.

Finally, Hong Kong’s Securities and Futures Commission warned that brokers across the city are being targeted with DDoS attacks and extortion demands from cybercriminals, and it is urging financial institutions to implement and review security measures.


Other trending cybercrime events from the week include:

  • Warning issued following two dozen W-2 breach announcements: The Internal Revenue Service, state tax agencies and the tax industry issued an urgent alert on Thursday warning employers that W-2 phishing scams are spreading into sectors beyond the corporate world, including school districts, tribal organizations and nonprofits. In addition, the scammers are following up the request with a more traditional fraudulent wire transfer request, resulting in some organizations losing both employees’ W-2s and thousands of dollars due to wire transfers. SurfWatch Labs has identified at least 24 organizations publicly tied to W-2 data breaches over the past two weeks. The emails are a form of the popular Business Email Compromise scam, such as the one against Sedgwick County that led to $566,000 being fraudulently transferred.
  • Shamoon malware strikes again: Saudi Arabia’s telecom authority is warning organizations to be on the lookout for Shamoon 2 after recent attacks led to at least three government agencies and four private sector companies going offline for 48 hours. Among those targeted were multiple petrochemical and IT services companies, which reportedly shut down their networks in an attempt to protect themselves. It appears the goal of the attack was disruption, not data exfiltration, similar to previous Shamoon attacks; however, the incident was less destructive than similar attacks in November, as backups were more commonplace due to that previous incident.
  • Czech foreign ministry targeted with DNC-style hack: A foreign government hacked the email system of the Czech foreign ministry and accessed the email system used by employees to communicate with people outside the ministry in an attack similar to the breach of the Democratic National Committee, Foreign Minister Lubomir Zaoralek said. A spokesperson for the Czech minister said the scale of the attack is still being assessed but noted that other ministries “might be in a little bit of a problem.” Officials indirectly accused Russia of carrying out the attacks.
  • Printing company exposes 400 GB of data: A PIP Printing and Marketing Services franchise branch located in California exposed 400 gigabytes of sensitive information due to a publicly available backup server without any password protection. The exposed data includes 50 GB of scanned documents relating to court cases, medical records, well-known companies and celebrities, as well as an archive of correspondence with attached documents, some of which have credit card numbers and billing details in plain text.
  • Other cybercrime announcements: The Xbox360 ISO and PSP ISO forums, which provide gamers with links to free and often-illegal game downloads, were hacked in September 2015 and the details of 2.5 million accounts were leaked. Security firms Dr. Web and Emsisoft were targeted by DDoS attacks after publishing research related to a botnet of Linux devices and an update for the Merry Christmas ransomware (MRCR) decryptor tool. The hacking group OurMine hacked into a variety of social media accounts belonging to the WWE and CNN. Toys “R” Us is forcing reward members to reset account passwords after the vendor responsible for managing the program notified the company of attempts to access customer accounts and steal coupons using credentials reused from other data breaches.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

The past week once again saw numerous organizations exposing data due to insecure public databases, and several of those databases reportedly contained data that was no longer in use.

Security researcher Chris Vickery discovered unsecured database backup files from Indycar, which exposed the personal information of more than 200,000 users as well as Indycar employee login credentials. The user data was related to a now-retired Indycar bulletin board and contained sensitive information such as names, usernames, email and physical addresses, dates of birth, password hashes and security questions and answers.

As Vickery noted, holding that user data was unnecessary since the board was no longer in use:

Why do companies hold on to password hashes long after the associated site has been shuttered? That’s nothing but liability. They are putting customers at risk for no gain. There was absolutely nothing for Indycar to gain by holding on to these password hashes. And now they are faced with negative PR as word of the situation gets out to racing fans.

In addition, Polish game development studio CD Projekt RED, which developed the popular Witcher franchise, announced that a now-obsolete forum database was hacked and more than 1.8 million user credentials were stolen in March 2016.

“It’s the old database we used to run the forum before we migrated to the login system powered by our sister company — GOG.com,” the company wrote in a post on its forums. “At the time of the event, the database was not in active use, as forum members had been asked to create better-secured GOG.com accounts almost a year earlier.”

The incidents are reminders that when it comes to cybersecurity, less data tends to equal less risk. This is particularly true for data that is no longer required to be held and may therefore receive less scrutiny than data that is being actively used. In short, if your organization is holding on to unnecessary data, it is opening itself up to unnecessary risk.

Weekly Cyber Risk Roundup: Ransomware Disrupts Organizations and Massive Data Leaks

Extortion is once again the top trending cybercrime issue as concern continues around the theft, destruction and blackmail related to thousands of insecure MongoDB, Elasticsearch, CouchDB and Hadoop Distributed File System installations. While those stories led much of the past week’s discussion, there was also a steady stream of reports of organizations being infected with ransomware.

The most impactful, publicly known ransomware attack of late involves the St. Louis Public Library. The attack hit 700 computers across all 17 of the library’s locations on Thursday, forcing the library to temporarily stop all book borrowing. A $35,000 ransom demand was made, but the library said it will wipe its computer system rather than pay. Checkout service was restored to all locations on Saturday, according to the St. Louis Post Dispatch, and the library’s next priority is to restore service to the publicly available computers – although as of Sunday morning the library’s website stated that the “use of reservable computers is suspended.” A spokesperson said the criminals managed to infect a centralized computer server, which also disrupted the staff’s email system.

Other organizations to report disrupted services due to apparent ransomware attacks include Advanced Flexible Composites in Illinois, Valley Springs School District in Arkansas, and Kanawha County Schools in Virginia. Advanced Flexible Composites notified its customers that a January 17 hack of its computer system prevented the company from receiving emails and processing quote requests or orders. Not much information was provided about the attack; however, on the surface it sounds like a ransomware infection. Valley Springs School District’s superintendent said the school’s infection may lead to some information saved by teachers being lost, such as lesson plans, curriculum and tests. Kanawha County Schools said that it was able to restore internal documents after its incident but that its website would take longer to bring back online.

Finally, the Delaware Department of Insurance is investigating an incident involving a ransomware infection and the unauthorized access of customer data at Summit Reinsurance Services and BCS Financial Corporation.


Other trending cybercrime events from the week include:

  • New type of SWIFT attack: Malicious actors compromised the SWIFT systems of three Indian banks and created fake trade documents that may have been used to raise finance abroad or facilitate dealings in banned items. “There was fraudulent duplication of trade documents like letters of credit (LC) and guarantees which the hackers may have or planning to encash with some offshore banks,“ a source told ET Tech. “It’s also possible that hackers did not present the fake LCs to raise funds but to carry out trade of prohibited or illegal commodities.”
  • Popeye’s point-of-sale breach: Point-of-sale malware was discovered at the restaurant chain Popeyes, and customers who used their payment cards at one of 10 infected locations between May 5, 2016, and August 18, 2016, likely had their information stolen, the company said in a press release. The ten locations include seven in Texas, two in North Carolina, and one in Georgia.
  • More employee and third-party breaches: Police in the Netherlands are alerting 20,000 potential victims about a man who worked at various companies as a website builder and used his position to insert a special script that allowed him to steal usernames and passwords. Online fashion store Showpo is suing a former employee and an online retailer over allegations the graphic designer exported a database of 306,000 customers from MailChimp and passed the information along to online retailer Black Swallow. Customers of the Victorian Game Management Authority in Australia had their personal information potentially exposed when the authority accidentally sent customer data to eight individuals who were renewing their game license. A third-party advertiser that promotes Canada’s Grey Eagle Resort and Casino was hacked and fake text messages were sent to the casino’s VIP members telling them the casino “will be closed for the remainder of January due to infestation and rodent problems.”
  • Healthcare-related breaches: TheDarkOverlord said it stole data from Little Red Door Cancer Services of East Central Indiana and attempted to extort the organization by threatening to release the data. CoPilot Provider Support Services announced a breach affecting approximately 220,000 individuals due to a database being illegally accessed in October 2015. Sentara Healthcare is notifying 5,454 vascular and thoracic patients that their medical information was compromised due to a breach at an unnamed third party. The orthopedics practice at The University of Maryland Faculty Physicians Inc. is notifying 1,500 patients that their information may have been accessed when an email account belonging to a physician assistant’s email account was hacked. Barts Health NHS Trust experienced a malware infection that led to taking numerous hard drives offline “as a precautionary measure” and using a manual backup for its computerized pathology results service.
  • Other announcements: Hackers targeted a laptop belonging to the special investigation team probing South Korean President Park Geun-hye’s political scandal. Current and former employees of Dracut Public Schools had their Social Security numbers and other personal information compromised due to an employee falling for a phishing attack. A Russian-language version of the series finale of Sherlock circulated online before the episode was broadcast. The forums of Clash of Clans developer Supercell and MrExcel, both of which use vBulletin, announced data breaches.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

Security researchers frequently discover private data being exposed to the Internet due to technical errors such as poorly secured data backups, and this past week saw several new incidents along those lines.

Chris Vickery’s discovery of multiple misconfigured Rsync instances at Canadian ISP KWIC appears to be a truly massive potential breach, with CSO Online reporting that terabytes of information for all of its customers was exposed. The issue was fixed after the company was notified of the problem; however, it is unclear how long the information was available before the fix. The data exposed included credit card details, email addresses, passwords, names, home and business addresses, phone numbers, email backups, VPN details and credentials, internal KWIC backups, and more.

In last week’s roundup we noted that incorrectly configured databases exposed the data of 3.3 million Hello Kitty fans as well as thousands of patients of Canadian plastic surgery company SpaSurgica. The week before that, data related to healthcare professionals deployed within the U.S. Military’s Special Operations Command (SOCOM) was exposed in a similar fashion. The week before that, data belonging to Ameriprise clients was exposed due to an advisor synchronizing data between his home and work drives, with neither drive requiring a password.

This past week saw a similar story of a poorly configured backup drive. Interpreters Unlimited, a California-based translation and interpreter company, exposed thousands of sensitive documents due to an Internet-connected backup drive used by an IT manager that had no password protection and was online for four to six months. Files seen by ZDNet showed that the drive contained dozens of usernames, email addresses and passwords stored in plain text for the company’s infrastructure, including its website, hosted email and domain name servers, and remote desktop apps. The drive also contained the private data of clients and employees such as Social Security numbers and the amount of money translators earned.

The constant trickle of company, customer and employee data being leaked due to the poor practices of employees and partners should serve as a reminder for all organizations that data breaches often spring from mistakes made within the organization — not just external cybercriminals.

Weekly Cyber Risk Roundup: More Extortion and Marijuana Retailers’ Woes

Extortion continues to dominate the cybercrime headlines in 2017 with the week’s top two trending targets being the successful ransom at Los Angeles Valley College and continued extortion attempts around MongoDB databases.

It was less than a year ago that Hollywood Presbyterian Medical Center became a national news story by paying a $17,000 ransomware demand so that staff could regain access to infected computers. A year later those types of stories are no longer unique; they’re routine. Los Angeles Community College District’s recent decision to pay a $28,000 ransom after an infection “disrupted many computer, online, email and voice mail systems” is just the latest example.

“It was the assessment of our outside cybersecurity experts that making a payment would offer an extremely high probability of restoring access to the affected systems, while failure to pay would virtually guarantee that data would be lost,” the district said in a FAQ, echoing the sentiments of many other organizations who’ve decided to pay ransoms. “The District has a cybersecurity insurance policy to address these specific types of cyber intrusions and it was activated during this incident. While much time will pass before this matter is resolved, we have already availed ourselves of the resources provided by the policy, including assistance of cybersecurity experts.”

In addition, the ongoing issue of insecure MongoDB databases being stolen, deleted and subsequently extorted continues to rack up thousands of new potential victims, including Princeton University. Researchers Victor Gevers and Niall Merrigan have been tracking the various victims and ransom demands as threat actors compete to have the most up-to-date ransom notes. The problem, Merrigan told KrebsOnSecurity, is that with so many actors the victims may not know who actually has the stolen data. Merrigan advises victims not to pay unless they have proof that the extortionists actually have the files being ransomed. Lastly, it appears some of those actors have now shifted towards ElasticSearch servers, with more than 3,000 victims as of Monday morning.


Other trending cybercrime events from the week include:

  • Another week of large-scale breaches: Mobile phone hacking company Cellebrite was breached and 900 GB of data was compromised, including customer information, databases and a vast amount of technical data regarding Cellebrite’s products. E-Sports Entertainment Association (ESEA) was hacked last December and a database containing information on 1.5 million players was stolen. The actor also attempted to extort the company for $100,000, but ESEA refused to pay. Three brokers who left the commercial real estate firm Avison Young used external hard drives to “downloaded massive amounts of data,” including client and financial information, market intelligence and strategic plans, according to a complaint filed by the firm.
  • More accidental data exposure: A MongoDB database belonging to Sanrio, the company behind Hello Kitty, was misconfigured and exposed to the public in 2015, and a copy of that database has recently surfaced online. Approximately 3.3 million Hello Kitty fans are affected, including 186,261 records related to individuals under the age of 18. Canadian plastic surgery company SpaSurgica exposed the detailed medical histories of thousands of patients due to an unprotected remote synchronization (rsync) service, according to MacKeeper researchers. The files contained medical histories, personal information, and intimate before and after pictures of breast augmentation and other surgeries. An email sent by Ball State University’s retention office to students on academic probation accidentally contained an Excel spreadsheet of 59 students on probation for the spring semester rather than the planned attachment about upcoming academic help sessions.
  • Cyber-attack leads to another blackout: The December 2016 blackout in Ukraine was due to a cyber-attack, and it is connected to a similar attack in 2015, as well as hacks at the national railway system, several government ministries and a national pension fund. The head of ISSP, a Ukrainian company investigating the incident, said that the recent attack against a Ukrainian utility was a “more complex” and “much better organized” version of the 2015 attack. He also said that the different cybercriminal groups that worked together appeared to be testing techniques that could be used elsewhere in the world.
  • Other breach announcements: Outdated data management software led to the leak of financial information for at least 2,000 Taipei City Government employees, city officials said. A November data breach at TwoPlusTwo poker forum exposed the personal information of its users, and the stolen data was subsequently offered for sale on the Internet. Fraudulent login attempts were made to Spreadshirt partner accounts using previously compromised credentials with the goal of redirecting payments by changing the Paypal payout address. Dozens of Israeli soldiers had their smartphones hacked by Hamas militants impersonating attractive women. Italian police have arrested two siblings for allegedly hacking into thousands of email accounts using a customized malware known as “EyePyramid” and then using the stolen information to make investments. The Susan M. Hughes Center recently notified HHS of an August ransomware infection that affected 11,400 patients’ information.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

As SurfWatch Labs noted in its annual report, organizations are increasingly struggling with third-party and supply chain cybercrime.

This issue was highlighted once again this past week as a cyber-attack at MJ Freeway, a popular software platform used by marijuana retailers, disrupted operations at 1,000 retailers across 23 states. A full week after the initial attack the company is still working to restore some level of services to many of its clients. A full recovery may take several weeks, Jeannette Ward, director of data and marketing for MJ Freeway, told Marijuana Business Daily.

The motivations behind the attack are unclear, but the attack appears to be aimed at corrupting the company’s data, not stealing it.

“Attackers took down both MJ Freeway’s production and backup servers, causing an outage for all of our clients,” MJ Freeway CEO Amy Poinsett said in a video uploaded on Saturday, “Current analysis shows the attackers did not extract any client or patient data and did not view any patient data thanks to encryption measures we had in place.”

However, she added that “the damage from the attack is extensive” and the company is currently trying to call customers individually to move them to alternate MJ Freeway sites, which is taking more time than she would like. A number of stores had to temporarily close due to the outage, and those that remained open have had to deal with lengthy lines and customer complaints as manual transactions increased the time for each sale.

As SurfWatch Labs noted in its 2016 Cyber Trends Report, the percentage of targets publicly associated with third-party cybercrime nearly doubled from the second half of 2015 to the second half of 2016.

“SurfWatch Labs analysts contribute this third-party growth to the expanding ecosystem of partners and suppliers that provide various products and services,” the report stated. “Cybercrime is increasingly interconnected, and the effects of one data breach or cyber-attack are difficult to isolate and contain.”

That appears to be the case with MJ Freeway.

Weekly Cyber Risk Roundup: Another Botnet and the Gamification of Cybercrime

Botnets were once again front-and-center this past week as new developments were announced by security researchers, malicious actors and government officials.

To start, CloudFlare observed a ten-day long series of distributed denial-of-service (DDoS) attacks that have generated as much as 400 Gbps in traffic, sparking fears of yet another massive botnet that can disrupt organizations. The attacks “are not coming from the much talked about Mirai botnet,” the researchers wrote. “They are using different attack software and are sending very large L3/L4 floods aimed at the TCP protocol.”

Following that announcement, the hacker known as BestBuy, who had previously begun advertising a Mirai-based DDoS service, claimed to have taken control of 3.2 million routers. He told Motherboard that a server he set up automatically connects to vulnerable routers and pushes a malicious firmware update to them. “They are ours, even after reboot. They will not accept any new firmware from [Internet Service Provider] or anyone, and connect back to us every time :),” he said in an online chat. “Bots that cannot die until u throw device into the trash.”

If true, those developments are certainly worrisome for organizations like Deutsche Telekom, the UK Post Office, TalkTalk, and Kcom ISP – all of which have seen customer outages due to attempted Mirai infections – not to mention the businesses that may be targeted with DDoS attacks from all those compromised devices.

One piece of good news on the botnet front: the cybercriminal network known as Avalanche was dismantled in what authorities are describing as the largest-ever use of sinkholing to combat botnet infrastructures. Europol said that the four-year investigation with global partners resulted in over 800,000 domains being seized, sinkholed or blocked. Although exact calculations are difficult, monetary losses associated with attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of dollars worldwide.


Other trending cybercrime events from the week include:

  • Massive thefts announced: Technical trade secrets were stolen from ThyssenKrupp, one of the world’s largest steel makers, in what the company described as a “massive cyber attack.” The theft occurred at the steel production and manufacturing plant design divisions, the company said. Two billion rubles ($31 million) was stolen from banking clients that hold accounts at Russia’s central bank, according to a bank spokesperson. The hackers attempted to steal approximately five billion rubles, but the bank managed to recover some of the money. Reuters reported that hackers broke into accounts at the bank by faking a client’s credentials, citing a report issued by the bank.
  • Ransomware updates: The ransomware attack that affected about 900 computers at the San Francisco Municipal Transportation Agency cost the agency an estimated $50,000 in lost fares due to passengers being unable to pay. Ransomware behind the infection that caused an NHS hospital trust to shut down systems and cancel 2,800 patient appointments in early November has been confirmed as Globe2. Allegheny County district attorney Stephen Zappala Jr. admitted that his office was hit in January 2015 and that the office paid nearly $1,400 in ransom. The announcement came after several victims of the Avalanche network were revealed via court documents.
  • Malicious insiders face consequences: A former computer support technician employed at Experian subsidiary Hotwire.com pleaded guilty to accessing the emails of executives and using that non-public information to illegally profit from trading Expedia stock. The man accessed documents and emails on the devices of the Chief Financial Officer and the Head of Investor Relations. A former employee of Internet service provider Pa Online was sentenced to 24 months in prison and ordered to pay $26,000 in restitution for hacking into Pa Online’s network after being fired and installing malware that caused files and directories to be erased and the network to crash.
  • Third-party breaches: More than 43,000 Indian patient pathology reports, including those of HIV patients, were left publicly exposed by Health Solutions. Security researcher Troy Hunt said the information is now removed from public view after a lengthy process to track down and motivate those behind the leak and that the incident appears to be the result of shockingly poor security. A breach of a contractor’s email account exposed the information of individuals who participated in the U.S. Olympic Committee’s 100-Days Out event in April 2016. Members of the Scotland Supporters Club were sent phishing emails from the Scottish Football Association’s official email account after a third-party email database was compromised.
  • Other data breaches: An Intranet server for South Korea’s cyber command was contaminated with malware, and the attack appears to have come from North Korea, the South Korean military said. An official said that some military documents had been hacked, including confidential information, but that they have yet to determine the full extent of the leak. Around 420,000 customers may have had their personal information leaked due to a data breach at an online store run by IPSA, a subsidiary of Japanese cosmetics maker Shiseido. A University of Wisconsin–Madison law school database was breached, resulting in 1,213 applicants having their names and Social Security numbers compromised.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week


One of the more interesting developments over the past week is the new tactics being used by malicious actors in order to spread malware and encourage cyber-attacks. For example, a new ransomware called “Popcorn Time” is encouraging victims to spread ransomware by offering them options when it comes to decrypting their files. They can go the usual route of paying the 1 bitcoin ransom, or they can go the “nasty way” and infect other users in order to avoid payment.


“Send the link below to other people, if two or more people will install this file and pay, we will decrypt your files for free,” the malware authors wrote. This is the first time SurfWatch Labs has observed ransomware developers using the tactic of leveraging victims in order to intentionally spread the malware.

Another interesting cybercriminal tactic is being used by a DDoS collaboration service called “Surface Defense.” A set of Turkish hackers is using gamification to encourage others to attack political organizations that are not in line with Turkey’s government. They provide a point system for attacks, rewards that can be earned, and a live scoreboard. Rewards include cybercriminal tools such as click-fraud bots and the Sledgehammer DDoS tool. Two dozen organizations are being targeted by the gamified DDoS service, including the German Christian Democratic Party, the People’s Democratic Party of Turkey, the Armenian Genocide Archive, and the Kurdistan Workers Party. Users can also suggest new targets.

Malicious actors are continuing to experiment with new ways to expand their reach. It is difficult to judge how successful these types of tactics will be, but expect other actors to incorporate similar features in the future if they are proven to be successful.

San Francisco Muni Refuses Extortion Demands, But Many Others Choose to Pay

The San Francisco Municipal Transportation Agency (SFMTA) is continuing to deal with the fallout from a Friday ransomware attack that affected 900 office computers and led to passengers getting free rides as ticket machines were taken offline. The agency has since restored systems from a backup, and fares have been running as normal since Sunday; however, the actor behind the attack is still threatening to release 30GB of data if the 100 bitcoin ransom ($75,000) is not paid by tomorrow.

The actor, going by the name Andy Saolis, has refused to provide media outlets with a sample of the stolen data in order to verify the alleged theft, and SFMTA said that its ongoing investigation has not discovered that any data exfiltration took place.

“[N]o data was accessed from any of our servers,” the agency said in a statement. “The SFMTA has never considered paying the ransom. We have an information technology team in place that can restore our systems, and that is what they are doing.”

Many Organizations Choose to Pay

While SFMTA has decided not to pay the ransom, other organizations targeted by the same threat actor have been successfully extorted. A security researcher who gained access to an email account used by Andy Saolis said that the hacker had extorted at least $140,000 in bitcoins from victim organizations over the past few months, including 63 bitcoins (around $45,000) from a U.S.-based manufacturing firm. The emails also show that this past Sunday another company, China Construction of America Inc., paid 24 Bitcoins (around $17,500) to decrypt 60 servers infected with the same strain of ransomware, known as HDDCryptor or Mamba.

In addition to the attacks described above, SurfWatch Labs has collected, evaluated and analyzed data pertaining to dozens of other targets associated with extortion over the past month.

Facebook is the top trending target tied to ransomware and extortion due to recent attacks known as ImageGate.

The top trending ransomware story over the past 30 days is the newly discovered attack vector known as ImageGate, which is infecting numerous users with Locky ransomware via Facebook and LinkedIn by exploiting a misconfiguration that forces victims to download a malicious image file. It’s unclear how many of those victims have paid the ransom, but a variety of other organizations have publicly confirmed making ransom payments recently:

  • The Lansing Board of Water & Light recently acknowledged it paid a $25,000 ransom after an employee opened an attachment that led to a ransomware infection.
  • A $28,000 ransom was paid after an infection locked up several government systems in Madison County, Indiana, and the county’s insurance carrier advised payment.
  • The New Jersey Spine Center paid an undisclosed amount after CryptoWall encrypted all electronic medical records and the most recent system backup, as well as disabled the phone system.
  • Cloud service provider VESK said that it paid £18,600 after being infected with a strain of the Samas DR ransomware.

Government Agencies Continue to Warn of Threat

Despite the many public incidents of late, the vast majority of ransomware attacks are believed to go unreported. That’s why in September the FBI urged victims to report infections regardless of the outcome. The FBI also warned of cybercriminals shifting tactics to target servers in order to receive larger ransoms.

“Actors engaging in this targeting strategy are also charging ransoms based on the number of host (or servers) infected,” the FBI warned. “This recent technique of targeting host servers and systems could translate into victims paying more to get their decryption keys, a prolonged recovery time, and the possibility that victims will not obtain full decryption of their files.”

Tags such as HDDCryptor, Locky and unauthorized server access are trending in SurfWatch Labs’ data due to recent ransomware attacks.

In November, the Federal Trade Commission also warned organizations that it may investigate certain ransomware incidents.

“[I]n some cases, a business’ inability to maintain its day-to-day operations during a ransomware attack could deny people critical access to services like health care in the event of an emergency,” wrote Ben Rossen, an attorney at the FTC. “Thus, a company’s failure to update its systems and patch vulnerabilities known to be exploited by ransomware could violate Section 5 of the FTC Act.”

The Department of Health and Human Services issued a similar statement over the summer, warning that in most cases a ransomware infection would qualify as a reportable “breach”:

The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule. …

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.

As the FBI noted, new ransomware variants are emerging regularly and global ransomware infections continue to grow. Organizations need to ensure they have a plan in place to deal with this threat.

SurfWatch Labs’ Recommended Courses of Action

A large percentage of ransomware is spread via social engineering; therefore, SurfWatch Labs advises customers that user education around tactics such as spear phishing is the best way to prevent these attacks. In addition, having data that is backed up and can be restored is often the quickest and cheapest way to get operations back up and running. Organizations should make regular backups that are kept off the local machines and are not reachable through network shares, since most ransomware encrypts any mapped share it can write to along with local files.

Other ransomware prevention tips include:

  • Antimalware software configured to scan all email attachments will catch most malicious attachments. Settings that allow attached documents to download and open automatically should also be disabled.
  • General users should not hold administrator-level permissions on their local machines unless specifically required. Ransomware runs with the privileges of the user who opened it, so limiting this privilege can lessen its impact.
  • The ‘vssadmin’ utility should be removed or renamed unless it is justifiably required on the system. Ransomware commonly runs it to delete Volume Shadow Copies before or after encrypting. Removing it will not stop the encryption from occurring, but if the system’s shadow copies are left intact they can be used to recover key files from an affected machine.
  • Remote Desktop Protocol (RDP) should be disabled where it is not needed, as exposed RDP services are used by certain ransomware operators to gain initial access.
  • Since HDDCryptor creates a suspicious set of files, Host Intrusion Prevention System (HIPS) software can help detect this activity.
  • Macros in MS Office programs should be disabled to ensure no accidental activation of an infected document. Users should be made aware not to enable macros on documents that are unverified.
  • When possible, segmenting networks by role and criticality may prevent the spread of the malware itself or limit the extent to which the network is impacted when a device is compromised.
  • Keep operating systems, software, and antivirus protections patched and up to date.
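
Three of the items above (the vssadmin tip, the macro tip and the HIPS tip) come down to recognising a short sequence of process launches on the endpoint. The following Python script is an added example, not part of SurfWatch Labs’ recommendations or any product: it triages a constructed export of Windows process-creation events (Event ID 4688 or Sysmon Event 1 flattened to one pipe-delimited line per event, an assumed format) and flags shadow-copy deletion, an Office application spawning a script host, and binaries run from user-writable staging directories. The sample events, host names and file names are constructed for the illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample export of Windows process-creation events, one per line:
# time|host|parent image|image|command line. Not real telemetry.
SAMPLE_EVENTS = """\
2016-12-02T09:14:03|WS-017|C:\\Windows\\explorer.exe|C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE|"WINWORD.EXE" /n invoice_8821.doc
2016-12-02T09:14:11|WS-017|C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE|C:\\Windows\\System32\\cmd.exe|cmd.exe /c "%TEMP%\\update_8821.exe"
2016-12-02T09:14:19|WS-017|C:\\Windows\\System32\\cmd.exe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\update_8821.exe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\update_8821.exe
2016-12-02T09:14:25|WS-017|C:\\Users\\jdoe\\AppData\\Local\\Temp\\update_8821.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
2016-12-02T09:30:00|WS-021|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
2016-12-02T10:02:44|WS-021|C:\\Windows\\explorer.exe|C:\\Program Files\\7-Zip\\7zFM.exe|"C:\\Program Files\\7-Zip\\7zFM.exe"
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
# Directories an ordinary user can write to, i.e. where droppers stage their payloads.
USER_WRITABLE = re.compile(r"\\(appdata\\(local|roaming)|temp|downloads)\\", re.IGNORECASE)
# The commands ransomware uses to destroy Volume Shadow Copies before or after encrypting.
SHADOW_DELETE = re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    severity: str
    host: str
    time: str
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> Optional[dict]:
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    time, host, parent, image, cmdline = parts
    return {"time": time, "host": host, "parent": parent, "image": image, "cmdline": cmdline}


def check_event(ev: dict) -> List[Finding]:
    out = []
    img, parent = basename(ev["image"]), basename(ev["parent"])
    # 1. Shadow copy destruction: the step that turns an infection into unrecoverable data loss.
    if SHADOW_DELETE.search(ev["cmdline"]):
        out.append(Finding("shadow_copy_deletion", "high", ev["host"], ev["time"], ev["cmdline"]))
    # 2. An Office application launching a shell or script host: the footprint of a malicious macro.
    if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
        out.append(Finding("office_spawned_shell", "high", ev["host"], ev["time"], f"{parent} -> {img}"))
    # 3. A binary executing from a user-writable directory that software restriction policies should block.
    if USER_WRITABLE.search(ev["image"]):
        out.append(Finding("exec_from_user_writable", "medium", ev["host"], ev["time"], ev["image"]))
    return out


def triage(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in text.splitlines():
        ev = parse_event(line.strip())
        if ev:
            findings.extend(check_event(ev))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.time} {f.host} {f.rule}: {f.detail}")
```

Run against the sample, the script reports the three events on WS-017 in the order they happened (Word spawning cmd.exe, a binary starting from the user’s Temp folder, then the shadow copy deletion) and stays quiet on the benign `vssadmin list shadows` from WS-021. The shadow-deletion rule is the one worth alerting on loudly: with vssadmin removed as the tip suggests, the command fails and the event is still recorded, so the rule also tells you the hardening worked.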

Weekly Cyber Risk Roundup: Ransomware Ups the Ante and Other Headlines


Three of this week’s top four trending industry targets centered around DDoS attacks. Linode, which made last week’s roundup over reported DDoS attacks, was targeted once again. The cloud hosting company has seen DDoS attacks throughout the month, with the latest attack coming on September 13, according to company logs. Additionally, Brian Krebs’ website was hit with DDoS attacks after his reporting on the booter service vDOS led to the arrest of two young Israeli men who allegedly ran the cybercrime-as-a-service operation.

Trending new data breaches and cyber-attacks recently observed in SurfWatch Labs’ data are shown below.


Noteworthy cybercrime events from the past week include:

    • Variety of New Breaches Reported: Dutch news sources are reporting that hackers stole 22 gigabytes of data from municipal servers in Almelo, though at the moment it is unclear what data may have been compromised. London-based VoIP Talk is emailing customers about a potential breach after discovering “attempts to exploit vulnerabilities in our infrastructure to obtain customer data.” The paid-to-click site ClixSense suffered a data breach in which a hacker exposed 2.2 million subscriber identities and put another 4.4 million up for sale. The Exile Mod gaming forum website was hacked and the personal details of nearly 12,000 users were posted online by a group going by the name “Expl.oit.” EurekAlert!, which is used to distribute scientific press releases, temporarily shut down its website after a breach compromised usernames and passwords and two embargoed news releases were prematurely released. The personal information of 29 Olympic athletes was stolen from the World Anti-Doping Agency. Finally, a data breach at Regpack, an online enrollment platform serving the private education industry, has led to 324,000 people having personal information exposed.
    • More Extortion Attacks: A hacker attempted to extort Bremerton Housing Authority in Washington for 6 bitcoins (around $3,700) after gaining access to its website and stealing a database of 1,100 client names and the last four digits of their Social Security numbers. University Gastroenterology in Rhode Island is notifying patients of a data breach after what sounds like a ransomware attack. In its notification letter, it wrote that an unauthorized individual had gained access to an electronic file storage system from Consultants in Gastroenterology, which it acquired in 2014, and “encrypted several files.”
    • Political Parties Continue to be Targeted: State Democratic Party officials are being breached and impersonated by hackers, according to a warning from the Association of State Democratic Chairs. The message urged recipients to avoid searching the leaked DNC information posted by WikiLeaks due to concerns over malware being embedded in the links. Additionally, a “serious misconfiguration” on Donald Trump’s website exposed the resumes of prospective interns, according to security researcher Chris Vickery.
    • Stolen Laptops Continue: M Holdings Securities, a subsidiary of M Financial Holdings, had a password-protected laptop with information on 20,000 clients stolen from the trunk of an employee’s car on July 29. Roughly 2,000 of those clients had Social Security numbers potentially compromised. U.S. Healthworks began notifying 1,400 patients of a data breach earlier this month after a laptop and the laptop’s password were stolen from an employee.

Other Notable Cyber Risk News


This week saw little movement among most sectors’ overall cyber risk scores. Other Organizations – which includes groups such as political parties, schools, and charities – saw the week’s biggest rise in risk, up 1.6%.

Ransomware was at the forefront of much of the week’s cybercrime news. CBC News reported that a school board and a support group for cancer patients, both in Canada, were infected with the Zepto ransomware, and the actor behind the attack demanded $20,000 in payment to decrypt the files. Such high demands may become more commonplace, the FBI warned in an alert published on Thursday. Recent ransomware variants have been seen targeting vulnerable business servers rather than individual users, and the actors behind these targeted attacks have been raising their ransom demands as the data they encrypt grows more valuable.

“This recent technique of targeting host servers and systems could translate into victims paying more to get their decryption keys, a prolonged recovery time, and the possibility that victims will not obtain full decryption of their files,” the alert warns. “Recent victims who have been infected with these types of ransomware variants have not been provided the decryption keys for all their files after paying the ransom, and some have been extorted for even more money after payment.”

The FBI isn’t the only government agency warning of the threat. In July, the Department of Health and Human Services stated that PHI being encrypted by ransomware qualifies as a “breach” in most circumstances, and FTC chairwoman Edith Ramirez warned this week that “a company’s unreasonable failure to patch vulnerabilities known to be exploited by ransomware might violate the FTC Act.”

It’s worth taking a moment to review this week’s advice on combatting ransomware from the FBI alert:

  • Regularly back up data and verify the integrity of those backups. Backups are critical in ransomware incidents; if you are infected, backups may be the best way to recover your critical data.
  • Secure your backups. Ensure backups are not connected to the computers and networks they are backing up. Examples might include securing backups in the cloud or physically storing them offline. It should be noted that some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real-time, also known as persistent synchronization.
  • Scrutinize links contained in e-mails and do not open attachments included in unsolicited e-mails.
  • Only download software – especially free software – from sites you know and trust. When possible, verify the integrity of the software through a digital signature prior to execution.
  • Ensure application patches for the operating system, software, and firmware are up to date, including Adobe Flash, Java, Web browsers, etc.
  • Ensure anti-virus and anti-malware solutions are set to automatically update and regular scans are conducted.
  • Disable macro scripts from files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office Suite applications.
  • Implement software restrictions or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular Internet browsers, or compression/decompression programs, including those located in the AppData/LocalAppData folder.
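
The first two points of the FBI list, like the backup advice in the SurfWatch Labs recommendations above, hinge on one check that is easy to skip: proving that a backup actually restores to what was backed up, rather than to a copy taken after the encryption started. The script below is an added Python example (not FBI or SurfWatch Labs material) that records a SHA-256 manifest of a source tree at backup time and later compares a restored copy against it, reporting files that are missing, changed, or newly present with a ransomware extension. The directories, file contents and the short extension list are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Extensions that families named on this page append to encrypted files; illustrative, not exhaustive.
RANSOM_EXTENSIONS = {".locky", ".zepto"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Record, at backup time, the SHA-256 of every file under root keyed by its relative path."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: Dict[str, str], restored: Path) -> Dict[str, List[str]]:
    """Compare a restored tree with the manifest: every file must exist with the recorded digest."""
    report: Dict[str, List[str]] = {"ok": [], "missing": [], "modified": [], "suspicious_new": []}
    for rel, digest in manifest.items():
        target = restored / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif sha256_file(target) != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    # Files absent from the manifest but carrying a ransomware extension mean the backup
    # set was taken from, or written by, a host that was already infected.
    for p in sorted(restored.rglob("*")):
        if p.is_file():
            rel = p.relative_to(restored).as_posix()
            if rel not in manifest and p.suffix.lower() in RANSOM_EXTENSIONS:
                report["suspicious_new"].append(rel)
    return report


def restore_is_trustworthy(report: Dict[str, List[str]]) -> bool:
    return not (report["missing"] or report["modified"] or report["suspicious_new"])


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: two files are backed up; the 'restore' has one of them encrypted and renamed."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.xlsx").write_bytes(b"ledger contents")
        (src / "readme.txt").write_bytes(b"hello")
        manifest = build_manifest(src)

        restored = Path(tmp) / "restore"
        (restored / "finance").mkdir(parents=True)
        (restored / "readme.txt").write_bytes(b"hello")
        (restored / "finance" / "ledger.xlsx.locky").write_bytes(b"\x93\x11not the ledger")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    r = demo()
    print("trustworthy:", restore_is_trustworthy(r))
    for k, v in r.items():
        print(f"{k}: {v}")
```

The manifest is the piece to keep off the network with the backup media: if it sits on the same share as the data, the same infection that encrypts the files can encrypt or replace it, and the verification proves nothing.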

Tracking the exact number of ransomware victims is difficult, the FBI said, since many attacks go unreported. The FBI is urging victims to report ransomware incidents regardless of the outcome so that they can better understand who is behind the attacks and how they operate.

Ransomware Is Not the Top Cybersecurity Threat Facing the Healthcare Sector

Ransomware is making all the headlines so far in 2016. This threat has become so mainstream it has caused both the FBI and US-CERT to issue ransomware alerts, with the healthcare sector being mentioned in both.

On March 31, 2016, the United States Computer Emergency Readiness Team (US-CERT) issued a ransomware warning concerning the Locky and Samas ransomware variants – both of which have been used to target hospitals and other healthcare targets.

On April 29, 2016, the FBI wrote a post warning of the rise in ransomware threats, saying that ransomware attacks were prevalent in 2015 and will continue to grow in 2016.

“Ransomware attacks are not only proliferating, they’re becoming more sophisticated,” the FBI post read. “Several years ago, ransomware was normally delivered through spam emails, but because email systems got better at filtering out spam, cyber criminals turned to spear phishing emails targeting specific individuals.”

However, when you look at the biggest data breaches in healthcare, are ransomware attacks really deserving of all the headlines?

Despite Ransomware Trend, Healthcare Most Impacted By Data Loss

SurfWatch Labs has collected data on 141 healthcare cybercrime targets so far in 2016, and the ransomware attacks against Hollywood Presbyterian Medical Center and MedStar Health have been the top two most discussed industry targets to date.

Ransomware attacks such as the ones against Hollywood Presbyterian Medical Center and MedStar Health have dominated the discussion around healthcare sector cybercrime in 2016.

Both Hollywood Presbyterian Medical Center and MedStar Health made huge headlines this year after being victimized with ransomware. Hollywood Presbyterian paid the ransom demand to get its data back. MedStar Health was able to get its systems operational without paying a ransom.

While infected assets lead the way in terms of chatter around healthcare sector cybercrime effects this year – largely due to the high level of ransomware discussion – stolen or leaked personal information and data lead the way when looking at the total number of distinct healthcare targets impacted by cybercrime so far this year.

Although not receiving the most discussion (CyberFacts), the stolen personal information and stolen data tags are associated with the highest number of healthcare targets impacted by cybercrime in 2016.

Similarly, while malware dominates the chatter around healthcare sector cybercrime practices, unauthorized access is the top trending practice category in terms of the actual number of affected targets.

Malware is leading the way in terms of discussion for the Healthcare sector in 2016; however, unauthorized access was the leading practice used in attacks against healthcare by total number of industry targets.

While everyone is talking about malware – more specifically, ransomware – affecting healthcare targets, if we dig deeper into that top practice category it’s clear that the old-fashioned, tried-and-true methods used by cybercriminals are causing the most damage in the healthcare sector in 2016.

Physical theft was the top trending unauthorized access practice tag to date in the healthcare sector. 

Criminals Are Still Seeking Healthcare Data

While it is still important for hospitals and healthcare companies to worry about the threat of ransomware, as SurfWatch Labs’ data shows, ransomware attacks are just the tip of the iceberg when it comes to cyber threats facing the healthcare industry.

Several attack vectors are present in the healthcare industry. Phishing and social engineering attempts remain the primary cybersecurity threat to healthcare facilities, and stolen laptops and flash drives continue to be a serious problem for protecting data.

W-2 data breaches have made several headlines this year, affecting organizations across all sectors – including healthcare. Healthcare companies Main Line Health, York Hospital, eClinicalWorks, Endologix, Care.com, CareCentrix, and Magnolia Health Corporation all suffered W-2 data breaches in 2016 that stemmed from a simple phishing email.

The verdict is in: ransomware isn’t going anywhere and will continue to trend throughout 2016. However, we can’t forget about the old-fashioned methods used by hackers since the dawn of the Internet when it comes to protecting organizations from cybercrime. Ransomware has become popular due to its ease of execution and potential to make a quick buck, but the valuable data stored throughout the healthcare sector is still the holy grail for cybercriminals looking for a bigger score.

Talking MedStar, Ransomware and Healthcare with Arbor Networks’ Dan Holden

On Monday, March 28, MedStar Health was hit with a variant of ransomware known as Samas or “samsam.” The healthcare provider, which operates 10 hospitals and employs more than 30,000 people, quickly shut down all system interfaces. Communicating and scheduling became difficult. Staff reverted to paper records. Some patients had to be turned away.

Thus began a week of national attention as news outlets documented frustrated patients and employees, and a debate ensued around potential security flaws within MedStar.

“The issue with ransomware is of course now you’re talking about not availability, you’re talking about the data,” said Dan Holden, Director of Arbor Networks’ Security Engineering and Response Team, on our recent Cyber Chat podcast. “It is so critical, especially to these recent attacks — these hospitals. They can’t do anything without patient data or without documentation.”

Although MedStar was able to restore services without paying the 45-bitcoin ransom (around $19,000), the wide-reaching impact on business operations can make the decision to pay ransoms difficult for many providers, Holden said.

“It just puts them in an impossible situation,” he said. “In some cases you have to pay it because you simply are not able to recover any other way.”

Warnings About Samas and JBoss

Everything could have been avoided with a patch for known vulnerabilities in a JBoss application server, according to the Associated Press. MedStar disputed the AP’s assertion that it ignored multiple urgent warnings dating back to 2007; however, the AP stands by its reporting.

The FBI warned of Samas, the very ransomware that appears to have hit MedStar, on March 25 — just days before the healthcare provider’s systems were impacted. The bureau first alerted organizations to Samas on February 18.

As Reuters reported,  “The FBI said that investigators have since found that hackers are using a software tool dubbed JexBoss to automate discovery of vulnerable JBOSS systems and launch attacks, allowing them to remotely install ransomware on computers across the network.”
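
To make the JBoss point concrete: the endpoints JexBoss probes are ordinary HTTP paths, so an unpatched application server with its management consoles still deployed leaves a recognisable trail in the web access log well before any ransomware lands. The script below is an added Python example, not from the AP, Reuters, the FBI or MedStar. It scans constructed Apache/Tomcat combined-format access-log lines for requests to the JBoss management interfaces (the path list is an assumption drawn from what older JBoss AS releases ship with; adjust it to the local deployment) and reports, per source address, which of those interfaces answered with a 2xx, which is exactly the list of consoles to undeploy or put behind authentication.

```python
import re
from collections import defaultdict
from typing import Dict, Set

# Management interfaces that older JBoss AS releases deploy by default and that
# JexBoss probes. Assumption: trim or extend this list for the local deployment.
JBOSS_MGMT_PATHS = (
    "/jmx-console/",
    "/web-console/",
    "/invoker/JMXInvokerServlet",
    "/invoker/EJBInvokerServlet",
    "/admin-console/",
)

# Apache/Tomcat "combined" access-log format: src ident user [time] "METHOD path proto" status ...
COMBINED_LOG = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines; addresses, timestamps and paths are made up for the illustration.
SAMPLE_LOG = """\
10.0.4.7 - - [28/Mar/2016:02:11:40 -0400] "GET /jmx-console/HtmlAdaptor?action=displayMBeans HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.4.7 - - [28/Mar/2016:02:11:41 -0400] "HEAD /web-console/Invoker HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.4.7 - - [28/Mar/2016:02:11:42 -0400] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 1436 "-" "Mozilla/5.0"
192.168.1.20 - - [28/Mar/2016:02:15:00 -0400] "GET /patient-portal/login HTTP/1.1" 200 8832 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Mar/2016:03:01:12 -0400] "GET /admin-console/ HTTP/1.1" 404 312 "-" "python-requests/2.9.1"
"""


def normalize(path: str) -> str:
    """Drop the query string so variants of one endpoint group together."""
    return path.split("?", 1)[0]


def is_mgmt_probe(path: str) -> bool:
    return any(normalize(path).startswith(prefix) for prefix in JBOSS_MGMT_PATHS)


def analyze(log_text: str) -> Dict[str, dict]:
    """Per source address: every probe of a management path, and the paths that answered 2xx."""
    by_src: Dict[str, dict] = defaultdict(lambda: {"probes": [], "reachable": set()})
    for line in log_text.splitlines():
        m = COMBINED_LOG.match(line)
        if not m or not is_mgmt_probe(m.group("path")):
            continue
        status = int(m.group("status"))
        rec = by_src[m.group("src")]
        rec["probes"].append((m.group("method"), normalize(m.group("path")), status))
        if 200 <= status < 300:
            rec["reachable"].add(normalize(m.group("path")))
    return dict(by_src)


def exposed_interfaces(result: Dict[str, dict]) -> Set[str]:
    """Management paths that answered 2xx to anyone: the consoles to undeploy or put behind authentication."""
    exposed: Set[str] = set()
    for rec in result.values():
        exposed |= rec["reachable"]
    return exposed


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for src, rec in result.items():
        print(f"{src}: {len(rec['probes'])} probe(s), reachable: {sorted(rec['reachable'])}")
    print("exposed:", sorted(exposed_interfaces(result)))
```

On the sample, 10.0.4.7 walks three consoles in as many seconds and every one answers 200, while the later probe of /admin-console/ gets a 404 because that console is not deployed. The 404 is the state every entry in the list should be in on a patched, hardened server; a 2xx from any of them is the finding, regardless of who sent the request.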

A Decade of Ransomware

Holden said ransomware attacks have risen considerably in 2016, a point echoed by SurfWatch Labs as well as an FBI agent at a recent talk.

“It’s likely,” the agent said, “that this will be the decade of ransomware.”

So far in 2016, the healthcare sector has been a major focus of that trend.

“What we’re seeing is the attackers chasing the soft underbelly if you will of the various verticals,” Holden said. “There’s a big, big difference between a Fortune 100 company and everyone else in their ability to defend themselves and respond. And that’s certainly the situation these hospitals are in. It’s going to take some time for them to properly defend and be able to respond to these things.”

Part of the issue is that the ransomware threat is different than other types of cyber threats organizations have spent years defending against.

“The investment model is potentially a little bit different there,” Holden said. “That’s why perhaps it’s so interesting right now.”

He added: “Detecting doesn’t get you anything. You either have to prevent or you have to respond. The moment you’ve detected it, it’s already too late.”

Listen to the full conversation with Arbor Networks’ Dan Holden about ransomware in the healthcare sector below:

About the Podcast
Last week MedStar Health, which operates 10 hospitals and more than 250 outpatient medical centers in the Washington region, suffered a ransomware attack that disrupted its operations and put it front and center in the fight against cybercrime.

On Friday we spoke with Dan Holden, Director of ASERT, Arbor’s Security Engineering and Response Team. We chatted about how healthcare organizations are being impacted by ransomware, where that threat is headed, and how organizations can keep themselves safe.

Ransomware Making Headlines In Early 2016

In early 2015, the FBI issued a warning about the rise of ransomware attacks, noting that “there’s been a definite uptick lately in its use by cybercriminals.” A year after that warning we’re seeing a new surge in attacks, and concern over ransomware has risen sharply in the first quarter of 2016.

The number of ransomware-related CyberFacts collected by SurfWatch Labs has spiked dramatically to start the year.

Last year, the FBI explained that ransomware was continuing to evolve, writing that in the past “computers predominately became infected with [ransomware] when users opened e-mail attachments that contained malware.” That tactic had shifted and computers were now being easily infected using a “drive-by” method “where users can infect their computers simply by clicking on a compromised website, often lured there by a deceptive e-mail or pop-up window.”

The way cybercriminals demand ransom payments has also evolved. Initially, cybercriminals asked for payment on pre-paid cards. Now Bitcoin is the norm, a better option for criminals “because of the anonymity the system offers.”

SurfWatch Labs’ data identified 49 companies associated with ransomware attacks so far in 2016, although the total number of companies affected by this threat is likely much higher as many companies do not disclose these attacks — particularly if they choose to pay the ransom.

The healthcare sector in particular has been a focus of ransomware discussion this year.

The healthcare sector as well as technology platforms such as Apple and WordPress have been a focus of ransomware discussion in 2016.

The reason ransomware has continued to gain popularity is simple — it is a cheap tool that has a high profit margin. Not long ago, malware developers were selling Cryptolocker ransomware kits with source code included for just $3,000. It wouldn’t take long for a criminal to recoup that initial investment as the average ransom demand is anywhere from $300 to $500. Recently, Hollywood Presbyterian Hospital reportedly paid $17,000 after suffering a ransomware attack.

Trending Ransomware Variants in 2016

There are three variants of ransomware that have stood out in the beginning of 2016: KeRanger, TeslaCrypt and Locky.

Although there are many different types of ransomware, KeRanger, TeslaCrypt and Locky have been the most discussed so far in 2016.

KeRanger malware has received a lot of discussion due to its connection with Apple. Locky ransomware has been observed in several attacks in 2016, and TeslaCrypt, which has been around for more than a year, continues to evolve.

TeslaCrypt and Locky ransomware have steadily appeared in SurfWatch Labs’ data over the last two months. KeRanger ransomware made a big splash in the beginning of March.

KeRanger Ransomware

The newest addition to the list, KeRanger, first made headlines at the beginning of March because it is the first fully functional ransomware observed targeting Mac OS X.

KeRanger was distributed by trojanizing the installer for Transmission, a BitTorrent client for OS X: the version 2.90 installer offered from the project’s own download site was bundled with the ransomware. Transmission has since warned users that the 2.90 installer was malicious and prompted them to upgrade to version 2.91.

TeslaCrypt Ransomware

TeslaCrypt Ransomware initially made headlines back in early 2015 for infecting computer gamers. Over the last year, TeslaCrypt has continued to evolve, with the latest version TeslaCrypt 4.0 released earlier this month. The ransomware is now capable of attacking organizations and home users.  

The latest edition of TeslaCrypt advertises RSA-4096 in its ransom note. Like most current ransomware, it encrypts file contents with a symmetric cipher and protects that key with asymmetric cryptography so that only the attacker’s private key can recover it; without that private key, decryption is computationally infeasible. Tools developed to combat previous TeslaCrypt versions, such as “TeslaDecoder,” will not work with TeslaCrypt 4.0.

TeslaCrypt ransomware has evolved quickly. In just over a year, malware creators have been able to release four versions of the ransomware, each more sophisticated than the last version. If any weaknesses are found in TeslaCrypt 4.0, look for malware creators to move quickly in creating a new version addressing those weaknesses.

Locky Ransomware

Locky ransomware was discovered in February 2016. It works like most strains: it infects a user’s computer, encrypts the content on the computer, and then demands a ransom in exchange for decrypting the information. It is in the encryption step that the ransomware gets its name, as it renames all the user’s files with the extension .locky.

This ransomware is being distributed through malicious macros in Microsoft Word attachments. In typical cases, victims receive a spoofed email with a Microsoft Word attachment seeking some sort of payment for a service or product. When the attachment is opened, a document appears with scrambled text. The user is then instructed to enable macros to unscramble the text, and doing so runs the macro that installs the ransomware.
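
The delivery chain described above depends on a document that carries a VBA project reaching a user’s inbox at all. As an added Python example (not code from the original post), the function below inspects an attachment before delivery: for the OOXML formats it opens the zip container and looks for the vbaProject.bin part that Word, Excel and PowerPoint use for macros (also flagging a macro part hidden behind a macro-free extension such as .docx), and for the legacy binary .doc format it applies a heuristic check for the UTF-16 storage names a VBA project uses. The file names and document bytes are constructed in the script; a production gateway should replace the legacy-format heuristic with a full OLE parser.

```python
import io
import zipfile
from typing import Dict

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy binary Office container (.doc, .xls)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx, .docm, .xlsx, ...) is a zip
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")
# Storage names the legacy format uses for a VBA project (Word: "Macros", Excel: "_VBA_PROJECT_CUR");
# OLE directory entries are stored in UTF-16LE, so that is the byte pattern to look for.
OLE_VBA_MARKERS = [name.encode("utf-16-le") for name in ("Macros", "_VBA_PROJECT_CUR")]


def inspect_office_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Classify one attachment. The OLE branch is a heuristic; a gateway should use a full OLE parser."""
    v: Dict[str, object] = {"filename": filename, "format": "unknown", "has_vba": False,
                            "extension_mismatch": False, "block": False}
    lower = filename.lower()
    if data.startswith(ZIP_MAGIC):
        v["format"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            v["format"] = "corrupt"
            v["block"] = True          # fail closed: a container we cannot read is not delivered
            return v
        # Word, Excel and PowerPoint all keep macros in a part named vbaProject.bin.
        v["has_vba"] = any(n.endswith("/vbaProject.bin") for n in names)
        # A VBA part behind a .docx/.xlsx/.pptx name is a file pretending to be macro-free.
        v["extension_mismatch"] = bool(v["has_vba"]) and lower.endswith(MACRO_FREE_EXTENSIONS)
    elif data.startswith(OLE_MAGIC):
        v["format"] = "ole2"
        v["has_vba"] = any(marker in data for marker in OLE_VBA_MARKERS)
    # Policy from the text: macros in e-mailed documents are never trusted, so any VBA-bearing file is held.
    v["block"] = bool(v["block"]) or bool(v["has_vba"])
    return v


def make_ooxml(with_macro: bool) -> bytes:
    """Build a minimal synthetic Word container in memory (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


# Constructed samples: names modelled on the invoice-themed lures described in the text.
SAMPLES = {
    "invoice_8821.docm": make_ooxml(True),
    "invoice_8821.docx": make_ooxml(True),       # macro part hidden behind a macro-free extension
    "agenda.docx": make_ooxml(False),
    "invoice_J-98223146.doc": OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le") + b"\x00" * 32,
    "broken.docx": ZIP_MAGIC + b"\x00" * 20,      # truncated container
    "notes.txt": b"plain text",
}


def scan_all(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Dict[str, object]]:
    return {name: inspect_office_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        action = "BLOCK" if verdict["block"] else "allow"
        print(f"{action:5} {name:25} format={verdict['format']} vba={verdict['has_vba']} "
              f"mismatch={verdict['extension_mismatch']}")
```

The decision is made on the bytes, never on the extension: the two invoice_8821 samples have identical contents and both are held, and the one whose name claims to be macro-free is additionally reported as a mismatch. The truncated container is held as well, because a gateway that lets through what it cannot parse is the gap an attacker will look for next.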

This ransomware variant made huge headlines for causing Methodist Hospital of Henderson, Kentucky, to declare an “internal state of emergency.” Fortunately, Methodist Hospital was able to regain their data without paying the cybercriminal’s ransom demand of four bitcoins ($1,600).

Being Prepared is Key

Although ransomware has been making headlines for the last few years, data from 2016 suggests more criminals are going to focus on this tactic and more organizations are going to be victimized. Businesses need to be aware of this threat and take action now to mitigate the effects of a potential attack.

As recent attacks have shown, the overall cost of a ransomware attack can be much greater than just the ransom demand.