Tag Archives: ransomware

A New Form of Ransomware

The British shipping company Clarksons was hacked and decided not to pay the ransom.  So far, nothing new.  No ransom, no data.

Well, maybe, they had backups that they could restore – and thumb their nose at the hackers.

I think this is becoming a bigger problem for hackers.  As a result, hackers are changing tactics.

There are still plenty of vanilla ransomware attacks that want your money in exchange for the encryption key.

But now there are many that say that if you don’t pay up we are going to publish what we hacked.

There is a very important distinction between these two types of attacks.  In the traditional attack, it is presumed (but not known) that the hackers did not steal your data – that they did not make a copy of it and upload it somewhere.  In this attack, in order for it to work, the hacker had to steal the data.  ONE THING THIS MEANS IS THAT, UNLESS YOU CAN PROVE THE HACKERS ARE LYING, YOU LIKELY HAD A REPORTABLE BREACH IF YOU ARE IN AN INDUSTRY OR STATE THAT REQUIRES YOU TO REPORT BREACHES.  I don’t even play a lawyer on the Internet, but I think you are going to be hard-pressed to convince regulators that your data was not compromised.

This concept is not far-fetched; in fact, hackers have done this (recently) before.  For this type of attack, whether you have backups or not doesn’t really matter.  What matters is the consequences of this data being made public.

In this case, Clarksons has said that they are not paying the ransom and expect the data to be made public.

Of course we have no way of knowing IF the attackers will really expose the data (I guess we could call that a revenge-release), and Clarksons has been very tight lipped about what was taken and how much was taken.

What they have said is be prepared for stuff to be released.

So, I guess, we wait.  And see.  Stay tuned.

For the rest of us, we have a new cyber security worry.  Making backups and having a disaster recovery plan won’t help with this one.  The only way to protect yourself from this one is to keep the bad guys out.

One other thought.  Data that doesn’t exist can’t be hacked, so it is useful to consider the trade-off between keeping data that might, some day, maybe, be useful to someone and keeping data that can be hacked.  This is not always an easy decision, but one that needs to be made.

A corollary to this is that we may need this data for legal or archival reasons, but does it need to be available, online, to all employees?  An example of this might be a mortgage company.  They may need to keep the loan package for all closed and declined loans for seven years, but what if those loans are stored on a disk?  In a bank vault?  It could be difficult to hack.  Just saying.

Information for this post came from The Register.


Montgomery County Hit With Ransomware – Pays $40-$50,000 To Get Files Back

Montgomery County, Alabama joined the ranks of probably millions of others and paid a ransom to get their data back after hackers threatened to erase their data if the ransom was not paid within 7 days.

While details are sketchy, reports are that the attack began Monday around 5PM (at the end of the day) and probably spent all night encrypting data.  By Tuesday morning systems such as vehicle tags, car registrations and marriage and business licenses were down.  Reports said that 70 terabytes of data were encrypted with no one noticing it.

The Chairman of the County Commissioners, interviewed on the Montgomery Advertiser link below, said it was an “unfortunate situation” and “you don’t think about these situations until they happen”, but now he says it is “kind of an emergency situation”.

While we can laugh at his response because it wasn’t our systems that are down, the reality is that all of his comments are pretty accurate.  Most businesses don’t have a disaster recovery program, an incident response program, tested backups or trained emergency resources already identified and contracted for.  In fairness, some businesses are prepared, but they are the minority.

The County CIO, Lou Ialacci said that they tried to restore from backups but were unable to for some reason not related to the attack.  Perhaps, the backups weren’t working or didn’t exist.

The Chairman of the County Commissioners NOW says that they are going to do whatever it takes to prevent this from recurring.

That comment is also not unusual – after the horse is out of the barn, down the road and the barn is on fire, it gets pretty real for people.

The county also said not to worry – no data has been compromised.  Are they sure?  It wouldn’t be very hard to encrypt the data and then copy it to the cloud somewhere.  Since the hacker has the key, he or she can then decrypt it at their leisure.  Don’t know in this case, but it definitely happens sometimes.

In Montgomery County’s case, they had to pay the hackers 9 Bitcoin or about $40,000 to $50,000 in taxpayer dollars based on the then current Bitcoin price.

My guess is that Montgomery County was not specifically targeted by Vladimir Putin, so I think we can safely say this was an attack of opportunity.

The county is being pretty quiet as to what happened, but likely someone clicked on a link or opened an attachment and it was all over at that point.

The message here is that businesses especially, and individuals too, need to be prepared.  Anyone can get targeted.  The bad guys might send out 10 million emails and hope a few people click on it.  At $40-$50 thousand a pop, you don’t need very many people clicking to earn a very nice living.  Ten people click on it and you might make a cool half mil – tax free, I might add.

Are you prepared?

Are you sure?

Have you tested it?

You don’t want to be the next Montgomery County.

Information for this post came from the Montgomery Advertiser and TechTalk.


Maersk Says Ransomware Will Cost Them $200-$300 Million

In case you thought that people were overhyping the effects of ransomware,  perhaps you should rethink that.

The Maersk shipping line, which runs container ships and ports around the world, among many other businesses, had to shut down some of their port operations after computers were infected with the NotPetya ransomware.

This week Maersk’s CEO says that the ransomware attack is expected to cost them between $200 and $300 million dollars due to lost business.  At this point no lawsuits have been filed but that doesn’t mean that there won’t be any and if there are, that would add to the cost.

That is in spite of the fact that they say that no third-party data was lost.  Does that wording mean that they lost no customer data but did lose company data?  They are not saying.

They are saying that they have added more security measures as a result of having to shut down their port operations.

Another company, Merck, says that it STILL has not fully recovered from the attack and said that the attack affected manufacturing, research and sales worldwide.

Part of Merck’s costs are going to be due to losses related to their active pharmaceuticals ingredient operations which “grow” certain ingredients.  If the computers that control them go offline, it could affect the entire batch and depending on how long it takes to recover from that, it could dry up the supply chain for certain products.

Merck says that it does not yet know the magnitude of the impact on operations.  I think it is safe to say that if they have not recovered from the outage after SIX WEEKS, the cost will be significant.

And last week, Fedex said that the cost of their downtime, missed deliveries and lost business due to NotPetya will be MATERIAL to their full year profit and loss.

So here we have three very profitable multi-nationals with sophisticated IT operations and who were affected by this recent ransomware. They are all saying that it will cost them a lot of money.

It is reasonable to conclude that if you are not ready to respond to a ransomware attack – of which there are at least hundreds every day – that your operations could be impacted and your finances will likely take a hit.

As the Boy Scouts say – BE PREPARED!

Information for this post came from CNBC and Threatpost.


The $10 Million Alternative to Paying Ransomware

Earlier this year, the Erie County Medical Center in Buffalo, New York was hit with a ransomware attack.  ECMC is a level 1 trauma center, teaching hospital and regional center for a variety of medical services – including, unfortunately, ransomware.

At 2 A.M. on Palm Sunday computer screens across the medical center flashed “What happened to your files?” and thus began a saga which is still playing out.

In the end 6,000 PCs were affected and many were infected.  The hackers wanted 1.7 Bitcoin for a key to decrypt each PC or 24 Bitcoins to decrypt all of the computers.  At the time, that represented about $25,000 to $30,000.

By 3:30 AM they had shut down all computer systems as a precaution.

The next decision was whether to pay the ransom or not.  By 5:30 AM they had called in cyber security experts from the consulting firm of Grey Castle from nearby Troy, NY.  Their incident response plan was working.  As Grey Castle’s experts explained to the management team what happened, they were in shock.  Kind of like their patients sometimes.  And, like those patients, they were making life or death decisions about the hospital’s IT systems.

After considering their options, they decided not to pay the ransom for a variety of reasons – they had backups, they could use a regional health information network called HealtheLink to get records from up to the time of the attack and they didn’t really know if they could trust the outcome if they did pay the ransom.  Would the data be intact and could they even trust the hackers to deliver the keys?

The hospital borrowed laptops and placed them in the emergency room and ICU and created an ad hoc network to get access to HealtheLink.

In the meantime, the disaster plan came into effect.  The hospital went back to paper patient charts.  Many hospital staffers had never worked with paper charts in their lives, so the road was a bit bumpy.

All in all the hospital’s disaster recovery plan worked.  From the initial attack on April 9 they marched forward.  By April 19 – 10 days later, they had wiped computers and started delivering rebuilt computers to some critical departments such as emergency and critical care.

By early May doctors could begin to upload progress notes.

By mid May doctors could enter electronic prescriptions again.

In addition to working with Grey Castle, the hospital engaged experts from Microsoft, Cisco, Symantec and Meditech (their electronic health records vendor).  They brought in IT staff from Catholic Health Services and other hospitals, and staff worked on their days off.  This was truly an all hands on deck effort.

Amazingly, the emergency room never went on diversion, critical because they are a level 1 trauma center.  Diversion is a process where ambulances are sent to more distant and sometimes less qualified hospitals because the primary hospital cannot accept new patients for some reason.

Six weeks after the attack they were close to back to normal.

There are lessons here; some of which the hospital had in place and others that they learned as a result.

ECMC says expenses tied to the event were nearly $10 million.

Half of that money was for new hardware, software and assistance.  The other half was for overtime pay and other expenses and reduced revenue.

In addition, the hospital predicts expenses going forward of $250,000 to $400,000 a month for employee education, system upgrades and hardening of systems.

So what are the lessons?

  • Having a tested incident response plan allowed them to respond to the situation quickly and be able to not have to turn away customers (ambulances).
  • A tested disaster recovery/business continuity plan allowed the hospital to operate minus all the hardware and software they were used to working with.
  • The ability to get help from (competing) hospital systems in town gave them some much needed extra resources.  Whether by formal agreement (usually called mutual aid and commonly used by emergency services) or informally, having a plan to marshal outside resources can be very helpful.
  • Practicing for emergencies is critically important and that is not a one time event.  Just like anything complex, it needs to be rehearsed over and over until it is automatic.
  • A big part of their success can be attributed to their cyber insurance.  Just last year they made a decision to increase the insurance policy amount from $2 million to $10 million and while insurance never covers all costs, if it covers 75%, that allows the hospital to do what they need to do.  Insurance will never pay for those things that you should have done but didn’t, but it will pay for a lot of things – IF YOU HAVE THE RIGHT POLICY!

On the other side of the equation, however, are lessons learned out of the incident.

  • How come they did not detect the event more quickly?
  • How come the ransomware was able to attack so many computers (HINT:  the network was not partitioned effectively)?
  • The fact that they are having to spend that $250-$400k a month NOW is because they did not take cyber security seriously enough before.  Would you rather spend $25k a month now or $400k a month later?  Kicking the cyber security can down the road was an expensive lesson for ECMC.

The good news is that any business can learn from events like this.  Are you prepared, really prepared?

Information for this post came from the Buffalo News and another Buffalo News article.


Fedex Says Cost of Cyber Attack Material

Fedex was one of the companies that announced last month that they were affected by the Petya un-ransomware (it operated like ransomware, but there was no decryption key, even if you paid the ransom).

It is interesting that most of the time there is some sort of malware attack you do not get much information, but with this incident, we are seeing a lot of information.

In this case, the attack, which happened over a month ago, affected Fedex’s TNT Express unit.  TNT operates in over 200 countries and had revenue of over $8 billion.

Fedex says that the attack will hurt its full year results and will be material.  For Fedex, at over $50 billion in revenue, to say the effects of a cyber attack will be material to its full year financial results is pretty unusual.

Over a month later, TNT is still experiencing widespread service delays, a revenue drop and costs associated with dealing with the malware.

Even more amazing, Fedex did not have cyber risk insurance in place to cover the cost of the incident, they say.

They also say that they are still evaluating the financial impact of the attack and have no estimate as to when service at TNT would be back to normal.

Let me see if I can summarize this:

  • a $50 billion company says that the effects of a ransomware attack will be material to their full year financial results
  • Six weeks after the attack they are still experiencing widespread service delays
  • They do not know when service will be back to normal
  • And, they had no insurance to cover the incident

I seriously doubt that this will have any long-term financial effect for Fedex, but I am sure that their corporate ego is seriously bruised.  I anticipate that many of the customers that moved to other carriers like DHL and UPS after the service disruption will never come back to Fedex.

Ponder this one for a moment.

If YOUR company suffered a ransomware attack like Fedex did, how long would it take you to recover?  How many customers would you lose?  Could you afford the cost of the event or would it be life altering to the company?

The good news for Fedex is that even if it costs them $10 million, $100 million or even $500 million, they will be able to weather the storm.

Would YOUR company be able to say the same?

Information for this post came from Reuters.


Anatomy of a Ransomware Attack

Lately we have had the opportunity to see inside some ransomware attacks and what the cost has been to businesses.  For example, I wrote about the Petya malware and what it did to the shipping giant Maersk and the law firm giant DLA Piper.

Now we get to find out what happened inside a different ransomware attack at KQED TV and Radio in San Francisco.

As you will see, the impact to this organization has been profound and is still not over.  They have chosen to make a number of security changes – after the horses are out of the barn and the barn has burned to the ground.  Probably not the best strategy, but better late than never.

The value in reading about their misery is to learn from their experience – so that you don’t have to repeat it.  Here goes:

On June 15th, more than a month ago, KQED was hit with a ransomware attack.  After consulting with the FBI, they decided not to pay the ransom.  They have been – slowly – rebuilding their entire infrastructure, piece by piece and it is not done yet.

Now was the time to roll out the Incident Response Program, their Disaster Recovery program and their Business Continuity program.  Oh, wait, they didn’t have any of those.

Other than their Internet stream being down for half a day, they have not lost any broadcast time.  The pain, however, has been non-stop.

One of their reporters said it was like being bombed back 20 years, technology wise.

The article says that they had up to date security systems – whatever that means – and that they reported about cyberattacks frequently and still got hacked.  It is important to understand what their definition of up to date security systems means, and also, reporting about cyber attacks as a concept is very different from practicing what you preach, as you will see below.  Still, there is some validity to the point.  Everyone has to up their game if they want to stay safe.

Having Incident Response, Disaster Recovery and Business Continuity programs would be a good start.

After the attack, email was down and so were all network connected devices.  Wireless was down for several days and email was down for two weeks.  What would that do to your company?

The day after the attack, reporters had to show up at 5 AM to redo a broadcast that had been recorded earlier, but lost in the attack.

For two weeks they had to record broadcasts at the University of California Hastings since their studio wasn’t operational.  At least they were still able to broadcast.

Even now, scripts are printed out on an old ink jet printer and placed in a box in the studio so that everyone can find them.

Timing of segments is not done by computer any more – now they are using a stopwatch.

Even getting in and out of the building was a challenge since the badge system was not working.

At the time, every computer was on the same network.  Now they are segmenting computers so that attacks that take out reporters’ laptops cannot take out the studio.  That is considered normal best practice, but they were not doing it before the attack.

Just to be clear, no one thinks KQED was targeted.  It was, as the cops say, a crime of opportunity.  A crime which the employees, a month later, are still dealing with.

On the other hand, the staffers have gotten very creative.

Translate this to your company – think about what you would do if this was you rather than KQED.

Information for this post came from the San Francisco Chronicle.
