Tag Archives: ransomware

Ransomware, The Gift That Keeps On Giving

Just a few years ago most people had not even heard of ransomware.  Today, if you have not been hit by a ransomware attack yourself, you have certainly heard about attack after attack.  Ranging from massive attacks that affected companies like FedEx and Merck, to hospitals, to little mom-and-pop stores, ransomware is the scourge of our technical world.

There really is one major reason for ransomware attacks – money.  If you pay the ransom, even one you perceive to be small, it funds the attacker and encourages more attacks.

Although no one really knows the statistics, people do make educated guesses.  According to security firm Kaspersky, in Q1 2016 an individual was attacked every 20 seconds and a business every 2 minutes (I assume that most of these attacks were NOT successful).  By Q3 2016, those numbers were 10 seconds and 40 seconds respectively.

In Q1 2017, 60% of all malware payloads were ransomware, according to Malwarebytes.

And, according to Cybersecurity Ventures, ransomware damages are predicted to exceed $5 billion in 2017 when the stats finally come in.  That includes a billion dollars for WannaCry alone.

People are paying millions in ransom as well.

See this article for more stats.

So why are we seeing the increase in ransomware?

#1 – as credit card companies improve their security, it is becoming harder to cash in on stolen credit cards.  Hackers are turning to other ways to make money.

#2 – Complex hacks to steal data and then monetize it are becoming harder and riskier as companies up their games when it comes to cybersecurity.

#3 – The emergence of Bitcoin and other crypto-currencies has made it easier for hackers to get paid in a way that is difficult to trace, if done correctly.

So here are some thoughts about dealing with ransomware.

In two recent attacks at organizations with a few thousand user devices each, ransomware spread quickly.  In these cases several thousand devices were compromised in an hour.  That doesn’t give you much time to detect the attack, never mind respond to it.

In the first organization, they did not have robust detection software, so the attack ended only when all of the vulnerable machines had been compromised.  The other organization did detect it and was able to take some machines offline and save them, but many machines were still compromised.
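When the whole estate can be encrypted inside an hour, detection has to key on the behaviour of the encryption itself rather than on a signature for a particular sample.  The following is an added example, not code from the original post or from either of the organizations mentioned: a small behavioural detector run over constructed file-activity events.  The event format, the canary directory and every threshold are assumptions for the illustration.

```python
"""Behavioural ransomware detection over file-activity events.

Added example, not code from the original post. The event format, the canary
path and all thresholds are assumptions for this illustration.
"""
import math
from collections import defaultdict, deque

WINDOW_SECONDS = 60            # sliding window per host
RENAME_THRESHOLD = 50          # distinct files hit by suspicious ops inside the window
ENTROPY_THRESHOLD = 7.0        # bits/byte; plaintext documents sit well below this
CANARY_PREFIX = "/share/.canary/"   # assumed honeyfile tree that no real workflow touches


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _ext(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(events):
    """Return alerts as (ts, host, reason) for ransomware-like behaviour.

    events: dicts with keys ts (seconds), host, op ('write' or 'rename'), path,
    new_path (renames only) and sample (first bytes written, writes only).
    """
    recent = defaultdict(deque)   # host -> deque of (ts, path) for suspicious ops
    alerted = set()               # (host, reason), so each reason fires once per host
    alerts = []

    def fire(ts, host, reason):
        if (host, reason) not in alerted:
            alerted.add((host, reason))
            alerts.append((ts, host, reason))

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, host, path = ev["ts"], ev["host"], ev["path"]

        # 1. Any touch of a canary file is an alert on its own.
        if path.startswith(CANARY_PREFIX) or ev.get("new_path", "").startswith(CANARY_PREFIX):
            fire(ts, host, "canary file touched")

        # 2. An extension change on rename, or a high-entropy write, counts as one suspicious op.
        suspicious = False
        if ev["op"] == "rename" and _ext(path) != _ext(ev["new_path"]):
            suspicious = True
        if ev["op"] == "write" and shannon_entropy(ev.get("sample", b"")) >= ENTROPY_THRESHOLD:
            suspicious = True
        if not suspicious:
            continue

        # 3. Many distinct files hit within the window on one host is the encryption pattern.
        q = recent[host]
        q.append((ts, path))
        while q and q[0][0] < ts - WINDOW_SECONDS:
            q.popleft()
        if len({p for _, p in q}) >= RENAME_THRESHOLD:
            fire(ts, host, "mass encryption pattern")
    return alerts


def sample_events():
    """Constructed events: a normal workstation, one being encrypted, one touching a canary."""
    events = []
    for i in range(20):   # ws-004: ordinary saves spread over an hour, plaintext content
        events.append({"ts": 100 + i * 180, "host": "ws-004", "op": "write",
                       "path": f"/share/finance/q3_{i}.docx",
                       "sample": b"Quarterly revenue summary for the board meeting"})
        events.append({"ts": 101 + i * 180, "host": "ws-004", "op": "rename",
                       "path": f"/share/finance/~q3_{i}.tmp",
                       "new_path": f"/share/finance/q3_{i}.docx"})
    for i in range(60):   # ws-017: 60 files overwritten with random-looking bytes and re-extensioned in 30 s
        events.append({"ts": 5000 + i * 0.5, "host": "ws-017", "op": "write",
                       "path": f"/share/hr/employee_{i}.xlsx", "sample": bytes(range(256))})
        events.append({"ts": 5000.2 + i * 0.5, "host": "ws-017", "op": "rename",
                       "path": f"/share/hr/employee_{i}.xlsx",
                       "new_path": f"/share/hr/employee_{i}.xlsx.locked"})
    events.append({"ts": 7000, "host": "ws-009", "op": "write",   # ws-009: touches a canary once
                   "path": "/share/.canary/do_not_open.docx", "sample": b"canary"})
    return events


if __name__ == "__main__":
    for ts, host, reason in detect(sample_events()):
        print(f"t={ts:.1f}s  {host}: {reason}")
```

The detector fires on ws-017 about 25 seconds into its run, long before all 60 files are done, and stays quiet on ws-004 even though that host also renames files across extensions, because the rate is what distinguishes the two.  Whatever acts on the alert (isolating the host at the switch or via EDR) has to be automatic to matter at the speed described above.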

Here in Colorado, the Colorado Department of Transportation was hit by ransomware twice in the space of a week or two.  Weeks later, many of their computers are still only useful as doorstops.

Let's assume you get attacked and are not able to stop it (by the way, there are likely better ways to contain an attack than the decades-old antivirus software you are using).  Then there are two options.

First, you don't pay the ransom.  Assuming you have good backups, and depending on the size of the organization, it could take weeks to months to recover all of your systems.

Second, you pay the ransom.  Then you only have 50/50 odds of getting a key that will successfully decrypt your devices.

But in either case, have you really eliminated the malware on those computers and have you closed the flaw that allowed the ransomware attack to work and spread?  PROBABLY NOT!

The best technique for preventing successful ransomware attacks is training your users.  Clicking on links and opening attachments are likely the two most common ways to get infected.

There is software that can improve the odds of stopping an attack, but that software is likely NOT what you are using today.

The next thing that you have to have is a very robust incident response program.

When I speak at seminars I talk about the Sony attack disaster.  A few months before that, there was a similar attack that you likely never heard of – because the target had a great incident response program and empowered individuals to take action.  The organization was the Sands Hotel and Casino, and IT security made the decision to start literally unplugging computers from the network.  They had people running through the casinos pulling cables.  The result was a greatly diminished attack.

On the other hand, a local municipality in the Denver area was hit by a denial of service attack and, once they got approval to disconnect from the Internet, it took them hours to figure out exactly how to do that.  A lot of damage can be done in hours.  You need to have the plan in place and the approval pre-made so that you can make decisions in minutes, preferably less.

Two different organizations, two different outcomes.

Given the trends, it is more likely than you might like that your organization will get hit by a ransomware attack.  How devastating that attack is will be based on how prepared you are.

How prepared are you?

Information for this post came from SecurityInfoWatch.


Davidson County, NC Hit By Ransomware – Reverts to Paper

While yet another local government being shut down by a ransomware attack is old news these days, it still can point to a few valuable things.

This time it is Davidson County, NC.

At 2:00 in the morning the county’s CIO was woken up – there was something strange going on with the 911 system.

What they figured out was that ransomware had compromised 70 servers and an unknown number of desktops and laptops.

Oh, yeah, and the phones weren’t working, which is sort of a problem for the 911 dispatchers.

The county manager said it could take weeks or months to fully resolve.  He also said that this kind of attack is common in Europe.  It is, but it is equally common in the U.S.  Just recently, nearby Mecklenburg County had the same problem.

One bit of good news is that they have cyber insurance.  That likely will help them pay for some of the costs.  At the time of the first article, they had not decided if they were going to pay the ransom.

By Monday the county said that 911 was working as was the tax collector.  You can see why both of these are important to the county.

They continue to work on the restoration, but did not give a time when things would be back to normal – just soon.

What are the takeaways here?

  • Have a disaster recovery plan – it sounds like they did have one.
  • Have a business continuity plan – how do we keep the doors open or keep answering the phone?  And if you are a web-based business and your web site is down, now what?
  • Cyber insurance will help pay for all this.
  • Make sure you have backups.  Make sure they cover ALL of your data and systems.
  • Figure out how long it will take to restore those backups.  For nearby Mecklenburg, it was a couple of months.  Is that OK?  If not, what is plan B?
  • How are you going to communicate about it?
  • MUTUAL AID – this one is easier for non-profits and the public sector, but it is still worth considering.  Davidson County received offers of assistance from the nearby City of Lexington and from Rowan County, as well as from the North Carolina Association of County Commissioners.  And they are talking with Mecklenburg County, which went through the same ordeal recently.  When I was in college in upstate New York (this was in the dark ages before the Internet), the volunteer fire departments up and down the Finger Lakes would invoke that mutual aid using fog horns that carried across the lakes for miles.  A particular burst meant that this fire department or that one needed help.  It was a life saver, literally.  For a business, the aid might come from a customer, a business partner or an investor.  You may never need it, but having it available could make a huge difference.

Ultimately, having a plan and testing that plan is hugely important.  Don’t hope it won’t happen to you.  That might be the case, but then again, it might not be the case.  Will you be ready if it happens to you?

Information for this post came from the Dispatch and Greensboro.com


Ransomware. Backups. MTTR. Disaster Recovery. Business Continuity.

Ransomware and hospitals.  Not a great combination.

The Register is reporting that Hancock Hospital paid ransom attackers $60,000 to get control of their system back.

Pictured: Hancock Health, 801 N. State St. in Greenfield. (Tom Russo | Daily Reporter)

Hancock Health in Indiana was hit with a ransomware attack last week.  As soon as the hospital detected "something wrong", they decided to shut down all hospital systems, all wellness center systems, physician office systems and, in fact, the entire Hancock Health Network.

The attack put the hospital and its affiliates back into the medical stone age.  No electronic medical records.  No email.  All paper.

Like many other attacks, this one apparently started with a publicly exposed Remote Desktop Protocol (RDP) port, and the rest, as they say, was history.

When the hospital figured out that it was being attacked they contacted the FBI and an outside IT specialist.  However, the Lone Ranger had used up all of the silver bullets – there were none left.

This is where the title of this blog post comes in.

If you get hit with a ransomware attack, the experts say that you are okay if you have good backups.  Well, maybe.

But there is more to it.

Business continuity – can you continue to operate while you sort things out?  In this case, the hospital reverted to paper.  But paper is slow and cumbersome and introduces errors.

Disaster recovery – do you have a plan for how you are going to recover from the disaster?

MTTR – MTTR stands for mean time to repair.  That goes along with RTO, or Recovery Time Objective, and RPO, or Recovery Point Objective.  All of these answer two questions: HOW LONG WILL IT TAKE TO GET BACK IN OPERATION?  And HOW MUCH DATA ARE YOU WILLING TO LOSE?
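RTO and RPO only mean something once you have put numbers to them.  Here is an added example (not from the original post, and not anything Hancock, Davidson County or Mecklenburg County published) that does the arithmetic behind the Davidson County takeaway above, figure out how long it will take to restore those backups, and behind the MTTR/RTO/RPO definitions here.  The 70 terabyte total is the figure reported encrypted at Montgomery County in the post further down; the restore throughputs, backup intervals, rebuild time, dwell time and objectives are assumptions.

```python
"""Does the backup plan actually meet the RTO and RPO?

Added example, not code from the original post or from any organization named in it.
All figures are assumptions except the 70 TB total, which is the amount reported
encrypted at Montgomery County.
"""
from dataclasses import dataclass

REBUILD_HOURS = 8.0   # assumed: reimaging hosts and restoring identity before any data restore can start


@dataclass(frozen=True)
class BackupTier:
    name: str
    data_tb: float        # data protected by this copy, terabytes (decimal)
    restore_gbps: float   # sustained restore throughput from this medium, gigabits per second
    interval_h: float     # hours between restore points
    isolated: bool        # offline or immutable: an attacker holding domain admin cannot alter it


def restore_hours(tier: BackupTier, streams: int = 1) -> float:
    """Hours just to move tier.data_tb back over `streams` parallel restore streams."""
    bits = tier.data_tb * 1e12 * 8
    return bits / (tier.restore_gbps * 1e9 * streams) / 3600


def worst_case_loss_hours(tier: BackupTier, dwell_h: float = 0.0) -> float:
    """Hours of data lost when the newest clean restore point predates the attack.

    Backups taken while the attacker was already inside may be encrypted or carry the
    malware, so the dwell time is added to the backup interval.
    """
    return tier.interval_h + dwell_h


def evaluate(tier: BackupTier, rto_h: float, rpo_h: float,
             dwell_h: float = 0.0, streams: int = 1) -> dict:
    """Compare one backup tier against the objectives; return the numbers and a list of findings."""
    total_restore_h = REBUILD_HOURS + restore_hours(tier, streams)
    loss_h = worst_case_loss_hours(tier, dwell_h)
    findings = []
    if not tier.isolated:
        findings.append("copy is reachable from production: assume it gets encrypted with everything else")
    if total_restore_h > rto_h:
        findings.append(f"restore takes {total_restore_h:.0f} h, RTO is {rto_h:.0f} h")
    if loss_h > rpo_h:
        findings.append(f"worst-case loss is {loss_h:.0f} h of data, RPO is {rpo_h:.0f} h")
    return {"tier": tier.name, "restore_h": total_restore_h, "loss_h": loss_h,
            "meets_objectives": not findings, "findings": findings}


def sample_plan():
    """Two constructed tiers protecting the same 70 TB, checked against a 72 h RTO and 24 h RPO."""
    tiers = [
        BackupTier("hourly NAS snapshots", 70, 10.0, 1, isolated=False),
        BackupTier("nightly offsite tape", 70, 1.0, 24, isolated=True),
    ]
    return [evaluate(t, rto_h=72, rpo_h=24, dwell_h=0) for t in tiers]


if __name__ == "__main__":
    for result in sample_plan():
        status = "OK" if result["meets_objectives"] else "FAIL"
        print(f"{status:4} {result['tier']}: restore {result['restore_h']:.0f} h, "
              f"worst-case loss {result['loss_h']:.0f} h")
        for finding in result["findings"]:
            print("     -", finding)
```

With these numbers both tiers fail, for opposite reasons: the snapshots restore in about a day but sit on the same network the attacker owns, and the tape copy survives the attack but takes over six days to stream back at 1 Gbit/s before anyone has done a single restore test.  Changing one parameter (four parallel restore streams, or a longer assumed dwell time) moves the answer, which is exactly why the arithmetic has to be done before the incident rather than during it.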

That is what tripped up Hancock.  They decided to pay the $60k and get working again.

Mecklenburg County, NC, home of Charlotte, decided that it was not going to pay the ransom and is still recovering, months later.

In late 2016,  Madison County, Indiana, decided to pay their ransom to get access to their data – it cost them $200,000.

According to the FBI, there are thousands of these attacks every day.  According to some reports, ransomware is a $9 billion industry.

So as you think about how to deal with a possible ransomware attack; think about this:

  • Backups
  • Mean Time To Repair
  • Business Continuity
  • Disaster Recovery

Put those all together and you will be in pretty good shape.


Information for this post came from The Register and The Greenfield Reporter.


A New Form of Ransomware

The British shipping company Clarksons was hacked and decided not to pay the ransom.  So far, nothing new.  No ransom, no data.

Well, maybe they had backups that they could restore – and thumbed their noses at the hackers.

I think this is becoming a bigger problem for hackers.  As a result, hackers are changing tactics.

There are still plenty of vanilla ransomware attacks that want your money in exchange for the encryption key.

But now there are many that say that if you don’t pay up we are going to publish what we hacked.

There is a very important distinction between these two types of attacks.  In the traditional attack, it is presumed (but not known) that the hackers did not steal your data – that they did not make a copy of it and upload it somewhere.  In this attack, in order for it to work, the hacker had to steal the data.  ONE THING THIS MEANS IS THAT, UNLESS YOU CAN PROVE THE HACKERS ARE LYING, YOU LIKELY HAD A REPORTABLE BREACH IF YOU ARE IN AN INDUSTRY OR STATE THAT REQUIRES YOU TO REPORT BREACHES.  I don't even play a lawyer on the Internet, but I think you are going to be hard pressed to convince regulators that your data was not compromised.

This concept is not far fetched;  in fact, hackers have done this (recently) before.  For this type of attack, whether you have backups or not doesn’t really matter.  What matters is what are the consequences of this data being made public.

In this case, Clarksons has said that they are not paying the ransom and expect the data to be made public.

Of course we have no way of knowing IF the attackers will really expose the data (I guess we could call that a revenge release), and Clarksons has been very tight-lipped about what was taken and how much.

What they have said is be prepared for stuff to be released.

So, I guess, we wait.  And see.  Stay tuned.

For the rest of us, we have a new cyber security worry.  Making backups and having a disaster recovery plan won’t help with this one.  The only way to protect yourself from this one is the keep the bad guys out.

One other thought.  Data that doesn't exist can't be stolen, so it is worth weighing the value of keeping data that might, some day, maybe, be useful to someone against the risk of that data being stolen.  This is not always an easy decision, but it is one that needs to be made.

A corollary: you may need some data for legal or archival reasons, but does it need to be available, online, to all employees?  Take a mortgage company.  It may need to keep the loan package for every closed and declined loan for seven years, but what if those loans are stored on a disk?  In a bank vault?  That would be difficult to hack.  Just saying.

Information for this post came from The Register.


Montgomery County Hit With Ransomware – Pays $40-$50,000 To Get Files Back

Montgomery County, Alabama joined the ranks of probably millions of others and paid a ransom to get its data back after hackers threatened to erase the data if the ransom was not paid within 7 days.

While details are sketchy, reports are that the attack began Monday around 5 PM (at the end of the day) and probably spent all night encrypting data.  By Tuesday morning systems such as vehicle tags, car registrations and marriage and business licenses were down.  Reports said that 70 terabytes of data were encrypted with no one noticing.

The Chairman of the County Commissioners, interviewed in the Montgomery Advertiser article linked below, said it was an "unfortunate situation" and "you don't think about these situations until they happen", but now he says it is "kind of an emergency situation".

While we can laugh at his response because it wasn’t our systems that are down, the reality is that all of his comments are pretty accurate.  Most businesses don’t have a disaster recovery program, an incident response program, tested backups or trained emergency resources already identified and contracted for.  In fairness, some businesses are prepared, but they are the minority.

The County CIO, Lou Ialacci, said that they tried to restore from backups but were unable to, for some reason not related to the attack.  Perhaps the backups weren't working or didn't exist.

The Chairman of the County Commissioners NOW says that they are going to do whatever it takes to prevent this from recurring.

That comment is also not unusual – after the horse is out of the barn, down the road and the barn is on fire, it gets pretty real for people.

The county also said not to worry – no data has been compromised.  Are they sure?  It wouldn't be very hard to copy the data to the cloud somewhere before or while encrypting it.  Since the hacker has the key, he or she can then decrypt it at their leisure.  I don't know in this case, but it definitely happens sometimes.
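Whether data actually left is the same question the Clarksons post above raised, and a flow log is the place to look for the answer.  The following added example (not from the original post, and not anything Montgomery County published) baselines each host's outbound volume to external addresses over the previous week and flags a host whose volume jumps, so that a steady bulk sender like a backup server does not drown out a workstation that suddenly ships tens of gigabytes.  The flow records are constructed, and the RFC 1918 definition of "internal" and the thresholds are assumptions.

```python
"""Flag hosts whose outbound volume to external addresses spikes against their own baseline.

Added example, not from the original post. The flow record shape, RFC 1918 ranges as
the definition of "internal", and all thresholds are assumptions for this illustration.
"""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BASELINE_DAYS = 7            # days of history behind each host's baseline
SPIKE_FACTOR = 10            # today's volume must be this many times the baseline
MIN_BYTES = 5 * 1024 ** 3    # and at least 5 GiB, so quiet hosts do not trigger on noise

GiB = 1024 ** 3
MiB = 1024 ** 2


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_outbound_by_day(flows):
    """flows: dicts with keys day (int), src, dst, bytes_out.

    Returns {src: {day: bytes}} counting only internal-source to external-destination traffic.
    """
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[f["src"]][f["day"]] += f["bytes_out"]
    return totals


def find_exfil_candidates(flows, today):
    """Return [(host, today_bytes, baseline_bytes_per_day)] for hosts whose outbound volume on
    `today` is above MIN_BYTES and SPIKE_FACTOR times their average over the previous BASELINE_DAYS."""
    totals = external_outbound_by_day(flows)
    flagged = []
    for host, per_day in totals.items():
        history = [per_day.get(d, 0) for d in range(today - BASELINE_DAYS, today)]
        baseline = max(sum(history) / BASELINE_DAYS, 1)   # never divide by zero for a brand-new host
        today_bytes = per_day.get(today, 0)
        if today_bytes >= MIN_BYTES and today_bytes >= SPIKE_FACTOR * baseline:
            flagged.append((host, today_bytes, baseline))
    return sorted(flagged, key=lambda x: -x[1])


def sample_flows():
    """Constructed flow records for eight days (0..7); day 7 is the day under investigation."""
    flows = []
    for day in range(8):
        # 10.1.4.20: ordinary browsing, about 1 GiB/day to the outside
        flows.append({"day": day, "src": "10.1.4.20", "dst": "203.0.113.10", "bytes_out": 1 * GiB})
        # 10.1.9.5: 50 GiB/day to a cloud backup target every day, a high but steady baseline
        flows.append({"day": day, "src": "10.1.9.5", "dst": "198.51.100.20", "bytes_out": 50 * GiB})
        # 10.1.9.7: file server replicating to another internal host, never counted
        flows.append({"day": day, "src": "10.1.9.7", "dst": "10.2.0.8", "bytes_out": 200 * GiB})
        # 10.1.4.33: about 200 MiB/day until day 7, then 40 GiB to one external host
        flows.append({"day": day, "src": "10.1.4.33", "dst": "203.0.113.10",
                      "bytes_out": 40 * GiB if day == 7 else 200 * MiB})
    return flows


if __name__ == "__main__":
    for host, today_bytes, baseline in find_exfil_candidates(sample_flows(), today=7):
        print(f"{host}: {today_bytes / GiB:.1f} GiB out today vs {baseline / MiB:.0f} MiB/day baseline")
```

Only 10.1.4.33 is flagged: the backup server moves more data than anyone but does so every day, and the replication traffic never leaves the internal ranges.  A report that "no data has been compromised" should be able to point at this kind of evidence for the days before the encryption started, not just at the absence of a leak.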

In Montgomery County’s case, they had to pay the hackers 9 Bitcoin or about $40,000 to $50,000 in taxpayer dollars based on the then current Bitcoin price.

My guess is that Montgomery County was not specifically targeted by Vladimir Putin, so I think we can safely say this was an attack of opportunity.

The county is being pretty quiet as to what happened, but likely someone clicked on a link or opened an attachment and it was all over at that point.

The message here is that businesses especially, and individuals too, need to be prepared.  Anyone can get targeted.  The bad guys might send out 10 million emails and hope a few people click.  At $40-$50 thousand a pop, you don't need very many people clicking to earn a very nice living.  Ten people click and you might make a cool half mil – tax free, I might add.

Are you prepared?

Are you sure?

Have you tested it?

You don’t want to be the next Montgomery County.

Information for this post came from the Montgomery Advertiser and TechTalk.


Maersk Says Ransomware Will Cost Them $200-$300 Million

In case you thought that people were overhyping the effects of ransomware,  perhaps you should rethink that.

The Maersk shipping line, which runs container ships and ports around the world, among many other businesses, had to shut down some of their port operations after computers were infected with the NotPetya ransomware.

This week Maersk’s CEO says that the ransomware attack is expected to cost them between $200 and $300 million dollars due to lost business.  At this point no lawsuits have been filed but that doesn’t mean that there won’t be any and if there are, that would add to the cost.

That is in spite of the fact that they say that no third-party data was lost.  Does that wording mean that they lost no customer data but did lose company data?  They are not saying.

They are saying that they have added more security measures as a result of having to shut down their port operations.

Another company, Merck, says that it STILL has not fully recovered from the attack and said that the attack affected manufacturing, research and sales worldwide.

Part of Merck’s costs are going to be due to losses related to their active pharmaceutical ingredient operations, which “grow” certain ingredients.  If the computers that control them go offline, it could affect the entire batch and, depending on how long it takes to recover from that, it could dry up the supply chain for certain products.

Merck says that it does not yet know the magnitude of the impact on operations.  I think it is safe to say that if they have not recovered from the outage after SIX WEEKS, the cost will be significant.

And last week, FedEx said that the cost of their downtime, missed deliveries and lost business due to NotPetya will be MATERIAL to their full year profit and loss.

So here we have three very profitable multi-nationals with sophisticated IT operations and who were affected by this recent ransomware. They are all saying that it will cost them a lot of money.

It is reasonable to conclude that if you are not ready to respond to a ransomware attack – of which there are at least hundreds every day – that your operations could be impacted and your finances will likely take a hit.

As the Boy Scouts say – BE PREPARED!

Information for this post came from CNBC and Threatpost.
