San Francisco Muni Refuses Extortion Demands, But Many Others Choose to Pay

The San Francisco Municipal Transportation Agency (SFMTA) is continuing to deal with the fallout from a Friday ransomware attack that affected 900 office computers and led to passengers getting free rides as ticket machines were taken offline. The agency has since restored systems from a backup, and fares have been running as normal since Sunday; however, the actor behind the attack is still threatening to release 30GB of data if the 100 bitcoin ransom ($75,000) is not paid by tomorrow.

The actor, going by the name Andy Saolis, has refused to provide media outlets with a sample of the stolen data in order to verify the alleged theft, and SFMTA said that its ongoing investigation has not discovered that any data exfiltration took place.

“[N]o data was accessed from any of our servers,” the agency said in a statement. “The SFMTA has never considered paying the ransom. We have an information technology team in place that can restore our systems, and that is what they are doing.”

Many Organizations Choose to Pay

While SFMTA has decided not to pay the ransom, other organizations targeted by the same threat actor have been successfully extorted. A security researcher who gained access to an email account used by Andy Saolis said that the hacker had extorted at least $140,000 in bitcoins from victim organizations over the past few months, including 63 bitcoins (around $45,000) from a U.S.-based manufacturing firm. The emails also show that this past Sunday another company, China Construction of America Inc., paid 24 Bitcoins (around $17,500) to decrypt 60 servers infected with the same strain of ransomware, known as HDDCryptor or Mamba.

In addition to the attacks described above, SurfWatch Labs has collected, evaluated and analyzed data pertaining to dozens of other targets associated with extortion over the past month.

2016-12-01_extortion
Facebook is the top trending target tied to ransomware and extortion due to recent attacks known as ImageGate.

The top trending ransomware story over the past 30 days is the newly discovered attack vector known as ImageGate, which is infecting numerous users with Locky ransomware via Facebook and LinkedIn by exploiting a misconfiguration that forces victims to download a malicious image file. It’s unclear how many of those victims have paid the ransom, but a variety of other organizations have publicly confirmed making ransom payments recently:

  • The Lansing Board of Water & Light recently acknowledged it paid a $25,000 ransom after an employee opened an attachment that led to a ransomware.
  • A $28,000 ransom was paid after an infection locked up several government systems in Madison County, Indiana and the county’s insurance carrier advised payment.
  • The New Jersey Spine Center paid an undisclosed amount after CryptoWall encrypted all electronic medical records and the most recent system backup, as well as disabled the phone system.
  • Cloud service provider VESK said that it paid £18,600 after being infected with a strain of the Samas DR ransomware

Government Agencies Continue to Warn of Threat

Despite the many public incidents of late, the vast majority of ransomware attacks are believed to go unreported. That’s why in September the FBI urged victims to report infections regardless of the outcome. The FBI also warned of cybercriminals shifting tactics to target servers in order to receive larger ransoms.

“Actors engaging in this targeting strategy are also charging ransoms based on the number of host (or servers) infected,” the FBI warned. “This recent technique of targeting host servers and systems could translate into victims paying more to get their decryption keys, a prolonged recovery time, and the possibility that victims will not obtain full decryption of their files.”

2016-12-01_extortion2.png
Tags such as HDDCryptor, Locky and unauthorized server access are trending in SurfWatch Labs’ data due to recent ransomware attacks.

In November, the Federal Trade Commission also warned organizations that it may investigate certain ransomware incidents.

“[I]n some cases, a business’ inability to maintain its day-to-day operations during a ransomware attack could deny people critical access to services like health care in the event of an emergency,” wrote Ben Rossen, an attorney at the FTC. “Thus, a company’s failure to update its systems and patch vulnerabilities known to be exploited by ransomware could violate Section 5 of the FTC Act.”

The Department of Health and Human Services issued a similar statement over the summer, warning that in most cases a ransomware infection would qualify as a reportable “breach”:

The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule. …

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.

As the FBI noted, new ransomware variants are emerging regularly and global ransomware infections continue to grow. Organizations need to ensure they have a plan in place to deal with this threat.

SurfWatch Labs’ Recommend Courses of Action

A large percentage of ransomware is spread via social engineering techniques; therefore, SurfWatch Labs advises customers that user education around tactics such as spear phishing is the best method to prevent these kinds of attacks. In addition, having data that is backed up and can be restored is often the quickest and cheapest way to get operations back up and running. Organizations should make regular backups that are not stored on local machines or connected through network shares.

Other ransomware prevention tips include:

  • Antimalware software configured to scan all email attachments will help catch most malicious attachments. All settings that allow the documents to download and open directly should also be disabled.
  • General users should be restricted from administrator-level permissions on their local machines, unless specifically required. Limiting this privilege could lessen the impact of ransomware.
  • The ‘vssadmin’ utility should be removed unless it is justifiably required to be on the system. This will not stop the encryption from occurring, but could assist with recovering key files from a machine that has been affected if the system’s shadow copy files are left intact.
  • It’s recommended that Remote Desktop Protocol (RDP) be disabled as this can exploited by certain ransomware types.
  • Since HDDCryptor creates a suspicious set of files, using Host Intrusion Prevention (HIPS) software can help detect this activity.
  • All Macros in MS Office programs should be disabled to ensure no accidental activation of an infected document. Users should be made aware not to activate macros on documents that are unverified.
  • When possible, segmenting networks by role and criticality may prevent the spread of the malware itself or limit the extent of the network is impacted when a device is compromised.
  • Keep operating systems, software, and antivirus protections patched and up to date.

Weekly Cyber Risk Roundup: Ransomware Ups the Ante and Other Headlines

2016-09-16-ITT.png

Three of this week’s top four trending industry targets centered around DDoS attacks. Linode, which made last week’s roundup over reported DDoS attacks, was targeted once again. The cloud hosting company has seen DDoS attacks throughout the month, with the latest attack coming on September 13, according to company logs. Additionally, Brian Krebs’ website was hit with DDoS attacks after his reporting on the booter service VDoS led to the arrest of two young Israeli men who allegedly ran the cybercrime-as-a-service operation.

Trending new data breaches and cyber-attacks recently observed in SurfWatch Labs’ data are shown below.

2016-09-16-ittnew

Noteworthy cybercrime events from the past week include:

    • Variety of New Breaches Reported: Dutch news sources are reporting that hackers have stolen 22 gigabytes of data from municipal servers in Almelo, though at the moment it is unclear what data may have been compromised. London-based VoIP Talk is emailing customers about a potential breach after discovering “attempts to exploit vulnerabilities in our infrastructure to obtain customer data.” The paid-to-click site ClixSense suffered a data breach in which a hacker exposed 2.2 million subscriber identities and put another 4.4 million up for sale. The Exile Mod gaming forum website was hacked and the personal details of nearly 12,000 users was posted online by a group going by the name “Expl.oit.” EurekAlert!, which is used to distribute scientific press releases, temporarily shut down their website after a breach compromised usernames and passwords and two embargoed news releases were prematurely released. The personal information of 29 Olympic athletes has been stolen from the World Anti-Doping Administration. Finally, a data breach at Regpack, an online enrollment platform serving the private education industry, has led to 324,000 people having personal information exposed.
    • More Extortion Attacks: A hacker attempted to extort Bremerton Housing Authority in Washington for 6 bitcoins (around $3,700) after gaining access to its website and stealing a database of 1,100 client names and the last four digits of Social Security numbers. University Gastroenterology in Rhode Island is notifying patients of a data breach after what sounds like a ransomware attack. In its notification letter, it wrote that an unauthorized individual had gained access to an electronic file storage system from  Consultants in Gastroenterology, which it acquired in 2014, and “encrypted several files.”
    • Political Parties Continue to be Targeted: State Democratic Party officials are being breached and impersonated by hackers, according to a warning from the Association of State Democratic Chairs. The message urged recipients to avoid searching the leaked DNC information posted by WikiLeaks due to concerns over malware being embedded in the links. Additionally, a “serious misconfiguration” on Donald Trump’s website exposed the resumes of prospective interns, according to security researcher Chris Vickery.
    • Stolen Laptops Continue: M Holdings Securities, a subsidiary of M Financial Holdings, had a password-protected laptop with information on 20,000 clients stolen from the trunk of an employee’s car on July 29. Roughly 2,000 of those clients had Social Security numbers potentially compromised. U.S. Healthworks began notifying 1,400 patients of a data breach earlier this month after a laptop and the laptop’s password were stolen from an employee.

Other Noteable Cyber Risk News

2016-09-16-RiskScores.png

This week saw little movement among most sectors’ overall cyber risk scores. Other Organizations – which includes groups such as political parties, schools, and charities – saw the week’s biggest rise in risk, up 1.6%.

Ransomware was at the forefront of much of the week’s cybercrime news. CBC News reported that a school board and a support group for cancer patients, both in Canada, were infected with the Zepto ransomware, and the actor behind the attack demanded $20,000 in payment to decrypt the files. Those high prices may become more commonplace, the FBI warned in an alert published on Thursday. Recent ransomware variants have been seen targeting vulnerable business servers rather than individual users, and the actors behind these targeted attacks have been upping their ransom demands as the data they encrypt grows more valuable.

“This recent technique of targeting host servers and systems could translate into victims paying more to get their decryption keys, a prolonged recovery time, and the possibility that victims will not obtain full decryption of their files,” the alert warns. “Recent victims who have been infected with these types of ransomware variants have not been provided the decryption keys for all their files after paying the ransom, and some have been extorted for even more money after payment.”

The FBI isn’t the only government agency warning of the threat. In July, the Department of Health and Human Service stated that PHI being encrypted by ransomware qualifies as a “breach” in most circumstances, and FTC chairwoman Edith Ramirez warned this week that “a company’s unreasonable failure to patch vulnerabilities known to be exploited by ransomware might violate the FTC Act.”

It’s worth taking a moment to review this week’s advice on combatting ransomware from the FBI alert:

  • Regularly back up data and verify the integrity of those backups. Backups are critical in ransomware incidents; if you are infected, backups may be the best way to recover your critical data.
  • Secure your backups. Ensure backups are not connected to the computers and networks they are backing up. Examples might include securing backups in the cloud or physically storing them offline. It should be noted, some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real-time, also known as persistent synchronization.
  • Scrutinize links contained in e-mails and do not open attachments included in unsolicited e-mails.
  • Only download software – especially free software – from sites you know and trust. When possible, verify the integrity of the software through a digital signature prior to execution.
  • Ensure application patches for the operating system, software, and firmware are up to date, including Adobe Flash, Java, Web browsers, etc.
  • Ensure anti-virus and anti-malware solutions are set to automatically update and regular scans are conducted.
  • Disable macro scripts from files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office Suite applications.
  • Implement software restrictions or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular Internet browsers, or compression/decompression programs, including those located in the AppData/LocalAppData folder.

Tracking the exact number of ransomware victims is difficult, the FBI said, since many attacks go unreported. The FBI is urging victims to report ransomware incidents regardless of the outcome so that they can better understand who is behind the attacks and how they operate.

Ransomware Is Not the Top Cybersecurity Threat Facing the Healthcare Sector

Ransomware is making all the headlines so far in 2016. This threat has become so mainstream it has caused both the FBI and US-CERT to issue ransomware alerts, with the healthcare sector being mentioned in both.

On March 31, 2016, the United States Computer Emergency Readiness Team (US-CERT) issued a ransomware warning concerning the Locky and Samas ransomware variants – both of which have been used to target hospitals and other healthcare targets.

On April 29, 2016, the FBI wrote a post warning of the rise in ransomware threats, saying that ransomware attacks were prevalent in 2015 and will continue to grow in 2016.

“Ransomware attacks are not only proliferating, they’re becoming more sophisticated,” the FBI post read. “Several years ago, ransomware was normally delivered through spam emails, but because email systems got better at filtering out spam, cyber criminals turned to spear phishing emails targeting specific individuals.”

However, when you look at the biggest data breaches in healthcare, are ransomware attacks really deserving of all the headlines?

Despite Ransomware Trend, Healthcare Most Impacted By Data Loss

SurfWatch Labs has collected data on 141 healthcare cybercrime targets so far in 2016, and the ransomware attacks against Hollywood Presbyterian Medical Center and Medstar Health have been the top two most discussed industry targets to date.

2016-05-16_healthcareitt
Ransomware attacks such as the ones against Hollywood Presbyterian Medical Center and MedStar Health have dominated the discussion around healthcare sector cybercrime in 2016.

Both Hollywood Presbyterian Medical Center and MedStar health made huge headlines this year after being victimized with ransomware. Hollywood Presbyterian paid the ransom demand to get their data back. Medstar Health was able to get their systems operational without paying a ransom.

While infected assets leads the way in terms of chatter around healthcare sector cybercrime effects this year – largely due the high level of ransomware discussion – stolen or leaked personal information and data are leading the way when looking at the total number of distinct healthcare targets being impacted by cybercrime so far this year.

upload
Although not receiving the most discussion (CyberFacts), the stolen personal information and stolen data tags are associated with the highest number of healthcare targets impacted by cybercrime in 2016.

Similarly, while malware dominates the chatter around healthcare sector cybercrime practices, unauthorized access is the top trending practice category in terms of the actual number of affected targets.

upload1
Malware is leading the way in terms of discussion for the Healthcare sector in 2016; however, unauthorized access was the leading practice used in attacks against healthcare by total number of industry targets.

While everyone is talking about malware – more specifically, ransomware – affecting healthcare targets, if we dig deeper into that top practice category it’s clear that the old-fashioned, tried-and-true methods used by cybercriminals are causing the most damage in the healthcare sector in 2016.

2016-05-16_unauthorizedaccess
Physical theft was the top trending unauthorized access practice tag to date in the healthcare sector. 

Criminals Are Still Seeking Healthcare Data

While it is still important for hospitals and healthcare companies to worry about the threat of ransomware, as SurfWatch Labs’ data shows, ransomware attacks are just the tip of the iceberg when it comes to cyber threats facing the healthcare industry.

Several attack vectors are present in the healthcare industry. Phishing and social engineering attempts are still the primary cybersecurity threat concerning healthcare facilities, with stolen laptops and flash drives also creating a severe issue protecting data.

W-2 data breaches have made several headlines this year, affecting organizations throughout all sectors – including healthcare. Healthcare companies Main Line Health, York Hospital, E Clinical Works, Endologix, Care.com, CareCentrix, and Magnolia Health Corporation all suffered W-2 data breaches in 2016 that stemmed from a simple phishing email.

The verdict is in; ransomware isn’t going anywhere and will continue to trend throughout 2016. However, we can’t forget about the old-fashioned methods used by hackers since the dawn of the Internet when it comes to protecting organizations from cybercrime. Ransomware has become popular due to its ease of execution and potential to make a quick buck, but the valuable data stored throughout the healthcare sector is still the holy grail for cybercriminals looking for a bigger score.

Talking MedStar, Ransomware and Healthcare with Arbor Networks’ Dan Holden

On Monday, March 28, MedStar Health was hit with a variant of ransomware known as Samas or “samsam.” The healthcare provider, which operates 10 hospitals and employs more than 30,000 people, quickly shut down all system interfaces. Communicating and scheduling became difficult. Staff reverted to paper records. Some patients had to be turned away.

Thus began a week of national attention as news outlets documented frustrated patients and employees, and a debate ensued around potential security flaws within MedStar.

“The issue with ransomware is of course now you’re talking about not availability, you’re talking about the data,” said Dan Holden, Director of Arbor Networks’ Security Engineering and Response Team, on our recent Cyber Chat podcast. “It is so critical, especially to these recent attacks — these hospitals. They can’t do anything without patient data or without documentation.”

Although MedStar was able to restore services without paying the 45-bitcoin ransom (around $19,000), the wide-reaching impact on business operations can make the decision to pay ransoms difficult for many providers, Holden said.

“It just puts them in an impossible situation,” he said. “In some cases you have to pay it because you simply are not able to recover any other way.”

Warnings About Samas and JBoss

Everything could have been avoided with a simple patch to update vulnerabilities found in a JBoss application server, according to the Associated Press. MedStar refuted the AP’s assertions that it ignored multiple urgent warnings dating back to 2007; however, the AP stands by its reporting.

The FBI warned of Samas, the very ransomware that appears to have hit MedStar, on March 25 — just days before the healthcare provider’s systems were impacted. The bureau first alerted organizations to Samas on February 18.

As Reuters reported,  “The FBI said that investigators have since found that hackers are using a software tool dubbed JexBoss to automate discovery of vulnerable JBOSS systems and launch attacks, allowing them to remotely install ransomware on computers across the network.”

A Decade of Ransomware

Holden said ransomware attacks have risen considerably in 2016, a point echoed by SurfWatch Labs as well as an FBI agent at a recent talk.

“It’s likely,” the agent said, “that this will be the decade of ransomware.”

So far in 2016, the healthcare sector has been a major focus of that trend.

“What we’re seeing is the attackers chasing the soft underbelly if you will of the various verticals,” Holden said. “There’s a big, big difference between a Fortune 100 company and everyone else in their ability to defend themselves and respond. And that’s certainly the situation these hospitals are in. It’s going to take some time for them to properly defend and be able to respond to these things.”

Part of the issue is that the ransomware threat is different than other types of cyber threats organizations have spent years defending against.

“The investment model is potentially a little bit different there,” Holden said. “That’s why perhaps it’s so interesting right now.”

He added: “Detecting doesn’t get you anything. You either have to prevent or you have to respond. The moment you’ve detected it, it’s already too late.”

Listen to the full conversation with Arbor Networks’ Dan Holden about ransomware in the healthcare sector below:

About the Podcast
Last week MedStar Health, which operates 10 hospitals and more than 250 outpatient medical centers in the Washington region, suffered a ransomware attack that disrupted their operations and put them front in center in the fight against cybercrime.

On Friday we spoke with Dan Holden, Director of ASERT, Arbor’s Security Engineering and Response Team. We chatted about how healthcare organizations are being impacted by ransomware, where that threat is headed, and how organizations can keep themselves safe.

Ransomware Making Headlines In Early 2016

In early 2015, the FBI issued a warning about the rise of ransomware attacks, noting that “there’s been a definite uptick lately in its use by cybercriminals.” A year after that warning we’re seeing a new surge in attacks, and concern over ransomware has risen sharply in the first quarter of 2016.

2016-03-30_ransomware4
The number of ransomware-related CyberFacts collected by SurfWatch Labs has spiked dramatically to start the year.

Last year, the FBI explained that ransomware was continuing to evolve, writing that in the past “computers predominately became infected with [ransomware] when users opened e-mail attachments that contained malware.” That tactic had shifted and computers were now being easily infected using a “drive-by” method “where users can infect their computers simply by clicking on a compromised website, often lured there by a deceptive e-mail or pop-up window.”

The way cybercriminals demand ransom payments has also evolved. Initially, cybercriminals asked for ransom payments on pre-paid cards. Now Bitcoin has been implemented, a better option for criminals “because of the anonymity the system offers.”

SurfWatch Labs’ data identified 49 companies associated with ransomware attacks so far in 2016, although the total number of companies affected by this threat is likely much higher as many companies do not disclose these attacks — particularly if they choose to pay the ransom.

The healthcare sector in particular has been a focus of ransomware discussion this year.

2016-03-30_ransomware3
The healthcare sector as well as technology platforms such as Apple and WordPress have been a focus of ransomware discussion in 2016.

The reason ransomware has continued to gain popularity is simple — it is a cheap tool that has a high profit margin. Not long ago, malware developers were selling Cryptolocker ransomware kits with source code included for just $3,000. It wouldn’t take long for a criminal to recoup that initial investment as the average ransom demand is anywhere from $300 to $500. Recently, Hollywood Presbyterian Hospital reportedly paid $17,000 after suffering a ransomware attack.

Trending Ransomwares in 2016

There are three variants of ransomware that have stood out in the beginning of 2016: KeRanger, TeslaCrypt and Locky.

2016-03-30_ransomware
Although there are many different types of ransomware, KeRanger, TeslaCrypt and Locky have been the most discussed so far in 2016.

KeRanger malware has received a lot of discussion due to its connection with Apple. Locky ransomware has been observed in several attacks in 2016, and TeslaCrypt, which has been around for more than a year, continues to evolve.

2016-03-30_ransomware2
TeslaCrypt and Locky ransomware have steadily appeared in SurfWatch Labs’ data over the last two months. KeRanger ransomware made a big splash in the beginning of March.

KeRanger Ransomware

The newest addition on the list, KeRanger Ransomware, first made headlines in the beginning of March due to its accomplishments. It is the first ever fully functional Mac OS X ransomware in existence.

KeRanger was able to successfully infect a BitTorrent client used on OS X known as Transmission. More specifically, it infected Transmission version 2.90. Transmission has since warned users that version 2.90 was malicious and prompted users to download version 2.91.

TeslaCrypt Ransomware

TeslaCrypt Ransomware initially made headlines back in early 2015 for infecting computer gamers. Over the last year, TeslaCrypt has continued to evolve, with the latest version TeslaCrypt 4.0 released earlier this month. The ransomware is now capable of attacking organizations and home users.  

The latest edition of TeslaCrypt features RSA 4096 for encrypting data. This feature makes decrypting data impossible. Tools developed to combat previous TeslaCrypt versions, such as “TelsaDecoder,” will not work with TeslaCrypt 4.0.

TeslaCrypt ransomware has evolved quickly. In just over a year, malware creators have been able to release four versions of the ransomware, each more sophisticated than the last version. If any weaknesses are found in TeslaCrypt 4.0, look for malware creators to move quickly in creating a new version addressing those weaknesses.

Locky Ransomware

Locky ransomware was discovered in February 2016. The ransomware works like most strains: it infects a user’s computer, encrypts the content on the computer, and then a ransom is extracted in order to decrypt the information. It is in the encryption step that the ransomware gets its name, as it renames all the user’s files with the extension .locky.

This ransomware is being distributed through malicious macros in Microsoft Word attachments. In typical cases, victims receive a spoofed email with a Microsoft Word attachment seeking some sort of payment for a service or product. When the attachment is clicked, a document appears with scrambled text. The user is then instructed to click an Office macro to unscramble the text, which leads to infection.

This ransomware variant made huge headlines for causing Methodist Hospital of Henderson, Kentucky, to declare an “internal state of emergency.” Fortunately, Methodist Hospital was able to regain their data without paying the cybercriminal’s ransom demand of four bitcoins ($1,600).

Being Prepared is Key

Although ransomware has been making headlines for the last few years, data from 2016 suggests more criminals are going to focus on this tactic and more organizations are going to be victimized. Businesses need to be aware of this threat and take action now to mitigate the effects of a potential attack.

As recent attacks have shown, the overall cost of a ransomware attack can be much greater than just the ransom demand.