The threat of ransomware attacks on large corporations, myriad institutional facilities and small to mid-sized commercial businesses has haunted organizations in the United States for more than a decade. IC3, which is a partnership between the FBI, the National White Collar Crime Center and the Bureau of Justice that receives and investigates complaints of internet crime, reported almost 2,500 ransomware complaints to the tune of more than $1.6 million in ransom payouts by victims in 2015. But according to software security developer Kaspersky, the actual number of threats has been woefully under-reported and the financial impacts substantially more. Estimates by the FBI say ransomware victims paid out nearly $1 billion globally in 2016 and they expect those numbers to double this year.
Apparently, the onslaught began this past Friday, however, when IT executives across the globe were sent scrambling as a major ransomware outbreak rocked organizations from the UK to Germany, from France to Romania, from Spain to Russia and China to Japan, when operations in automotive factories, universities, telecom companies, healthcare facilities and a multitude of commercial businesses were locked up and held hostage. The “WannaCry” ransomware infection was spread via a massive email spam, exploiting a vulnerability in the Windows OS, which Microsoft released a security patch for in March. Computers and networks that did not install the patch to help protect their systems are at risk. While cybersecurity experts admit that the spread of the infection has slowed today, they are worried that new versions of the worm could be mutating and attack again at any time.
“Ransomware attacks are not new. In fact, ISACA has been sounding the alarm on the increasing spate of ransomware for a while now. Unfortunately, it takes a massive scale cyber-attack like the one we are seeing against the U.K.’s NHS and other entities around the world, for such cyber crimes to gain national and international notoriety. In fact, another recent ransomware attack that caught the public’s attention in the U.S., was when San Francisco’s transportation department was hit last November, impacting the city’s light rail transit system,” says Rob Clyde, who is a Board Director for ISACA and an Executive Chair of the Board of Directors at White Cloud Security.
Clyde insists that the reasons for the increase and popularity of ransomware attacks are no mystery. He says that for the bad guys it simplifies the crime and process of monetization.
“Think about it. Earlier, even a simple computer crime involved two steps to get to monetization. First, the criminals have to break-in and steal personal information like credit card details and then secondly, sell it on the dark web, often to organized crime groups, in order to get paid. The buyers, in turn, use the credit card or other information to commit fraudulent transactions,” Clyde explains. “With ransomware, crime has become an easy one-step monetization process. They break into a computer system, install ransomware and get the payment directly from the person or organization impacted. It’s a one-to-one interaction and payment is easily received. So from a cyber criminal’s perspective, ransomware has become a superior way of monetization.”
According to the research team at Barracuda Networks, once this malware gets into a network, it is infecting Windows systems via a vulnerability in SMB file sharing. Customers running older versions of Windows (XP/2003 and such) are generally more affected by this. Microsoft no longer supports Windows XP/2003 and customers still using these systems are often left unprotected by suck attacks, and in this specific case, the worm-like nature of the malware makes it even more dangerous since one person opening it doesn't just lock down their computer, but can potentially spread it to their entire network through the Samba vulnerability.
“This is an example of the systemic failure of government and commercial firms to implement security, resiliency and appropriate privacy policies,” chastises Philip Lieberman, President of Lieberman Software. “Once again, the immaturity of security ecosystems and fantasy privacy policies continue to endanger and kill EU citizens. When the privacy of criminals has primacy over the safety and commercial interests of legitimate businesses, this is the only outcome: death, theft, and commercial failure which seem acceptable costs to the EU leadership.
Lieberman adds that U.S. technology exists to minimize these attacks and their consequences, but their usage is considered criminal activity by the EU. He says the other trends that add to this tragedy are the lack of a significant UK IT security culture, poor budgets for security tools, and rampant outsourcing.
“All that has happened in cyber-attacks was predicted and plenty more is on the way till the EU governments wake up and change their priorities as they apply to privacy and security.”
Rich Barger, Director of Cyber Research for Splunk, warns that this event should serve as a global wake-up call – the means of delivery and the delivered effect is unprecedented. He says that initial reports were that this malware was propagating on its own, and in England, this ransomware attack has been causing ripples much further than financial gain. With their IT systems at a complete shutdown, a number of hospitals all over London are said to have been turning away ambulances as they’re not confident they can care for patients. Some hospitals had lost the use of phone lines and computers, with some diverting all but emergency patients elsewhere.
“Ransomware is arguably the No. 1 method of cyber attack in 2017, and this attack demonstrates the paramount need for critical enterprises to have a ransomware playbook in place for when they are attacked. Protecting critical infrastructure from cyber-attack is a responsibility that cannot be taken lightly,” Barger says. “One thing is for sure – somebody is going to get very rich, or spend a very long amount of time in jail.”
According to news reports from Reuters on Monday, perhaps the most intriguing caveat of this worldwide event, and a fact that Microsoft President Brad Smith posted on a Sunday blog was that “the ransomware attack leveraged a hacking tool, built by the U.S. National Security Agency that leaked online in April.”
The Reuter’s story added that Smith said: “this is an emerging pattern in 2017 and we have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world."
Jonathan Sander, Chief Technology Officer for STEALTHbits Technologies is not at all surprised at the ongoing events created by the WannaCry worm. He says we have ourselves to blame.
"This massive attack, known as WannaCry among other nicknames, is a potent mix of phishing to attack the human, worm to spread via unpatched Microsoft systems, and ransomware to get the bad guys their payday. WannaCry does nothing original. It is a Frankenstein's monster of vulnerabilities with patches and exploits that were stolen from the NSA and published for all to see,” Sander explains. “The reason for WannaCry's success is our collective failure to do the basic security blocking and tackling of patches, user education, and consistent backups. As long as we fail to remove vulnerabilities and watch our files, bad guys will exploit us by exploiting our systems."
Steven Bullitt, Global Vice President for Threat Intelligence and Incident Response at NTT Security confirms, however, that a temporary solution was discovered this weekend which seems to have slowed the spread of malware.
“The unprecedented global campaign has made its impact across nearly every vertical industry such as healthcare, finance, manufacturing and government. Several researchers have noted that at least 150,000-200,000 victims in nearly 150 countries have been impacted by the number most likely increasing today. The good news to report is that an accidental kill switch was activated recently which should slow down the spread of this vulnerability until or if a new variant is created,” Bullitt reports, saying a researcher at Malwaretech apparently registered the callback domain of the variant which appears to have stopped the initial level of infections until another variant without the kill switch is widely released. “The variant exploits EternalBlue vulnerabilities and initially originated by a cyber group called The Shadow Brokers, who leaked a trove of National Security Agency hacking tools, which opens the debate on when and if government agencies should share discovered vulnerabilities. Some believe that if this information or vulnerability had been shared earlier, we would not be in this threat environment today.”
Chuck Brooks, Vice President of Government Relations and Marketing for Sutherland Government Solutions points out that while ransomware is not a new threat, it has become a trending one. Experts estimate that there are now 124 separate families of ransomware and hackers have become very adept at hiding malicious code. Success for hackers does not always depend on using the newest and most sophisticated malware. It is relatively easy for a hacker to do. In most cases, they rely on the most opportune target of vulnerability, especially with the ease of online attacks.
“There are remedies for mitigating ransomware. First and foremost patching and updating of software vulnerabilities must be current. Unfortunately, many companies and organizations are slow, and in many cases, negligent on the update of patches that would prevent breaches” laments Brooks, who is also Chairman of CompTIA’s New and Emerging Technology Committee.
He adds that companies and government also need to share data. Because of exponential connectivity, further being promulgated via the Internet of Things, future global public/private cooperation will be critical in maintaining a knowledge base to track and counter emerging cyber threats. Department of Homeland Security’s (DHS) cyber-threat information-sharing program implemented as part of the Cybersecurity Information Sharing Act (CISA) is a good basis for a global model to explore.
“A new mindset is required as information sharing is an important element in defeating malware threats and patching software vulnerabilities. Also, some basic precautions can help mitigate threats and these include training employees to recognize malware and phishing threats, disabling macro scripts, and keeping systems updated,” says Brooks. “In the long run, emerging cybersecurity technology, and protocols may not be enough to thwart the exploding trend of ransomware. They can serve as mitigation tools and hope for global cooperative criminal enforcement to catch up to the threats.”
About the Author:
Steve Lasky is a 30 year veteran of the security industry and is the Editorial Director of SouthComm Security Media and Editor-in-Chief of Security Technology Executive magazine.