Imagine you are the CEO of a hospital and come in one day to find staff in a panic because they can't use critical systems like CT scanners, lab test and emergency room equipment or access pharmacy records. That's precisely the nightmare scenario that faced executives at Hollywood (California) Presbyterian Medical Center last month as most of the hospital's backend computer systems, including email, was shut down for more than a week. The cause wasn't a software bug or admin error, but a targeted attack that hijacked and encrypted data and executables until the hospital paid a ransom. Hospital operations ground to a crawl as staff went back to paper records, fax transmissions and phone calls. Despite assistance from the FBI and LAPD, executives didn't see a viable, timely solution other than paying up to the tune of 40 Bitcoins ($17,000) to unlock their machines. Sadly, the repetitional damage and operational costs were undoubtedly far higher.
The hospital's predicament is becoming more common as ransomware moves from the criminal fringes to become a potentially disruptive scourge on business operations. According to a new report (available on 10th March) by the Institute for Critical Infrastructure Technology, a Washington cyber security think tank, ransomware will become more common as previously dormant infiltrations are activated and weaponized. As the ICIT authors put it, "'To Pay or Not to Pay,' will be the question fueling heated debate in boardrooms across the Nation and abroad."
Ransomware is a cyber version of kidnapping, with the same motives: money. It works like a virus that secretly encrypts files. Victims don't get the key until paying the ransom. It's as if instead of a thief stealing your car, they took the car keys and put them in a safe left in your garage. You don't get the combination to the safe, and use of your car unless you pay up.
Like all malware, ransomware exploits have become more sophisticated, borrowing APT (advanced persistent threat) techniques such as the ability to subvert signature-based security checks or scans typically designed to detect unusual system activity and data exfiltration. According to the ICIT report,
As of 2016, ransomware is mutating again to be more vicious and less predictable than in the past. This transition may be the result of adoption by more knowledgeable and ruthless adversaries, such as Advanced Persistent Threat groups.
As the attacks have gotten more advanced and correspondingly expensive to develop, they have also become more costly, with an average ransom of about $300 per infected host. What is an extortionate annoyance to someone trying to get their family photo library back can be a significant business expense, both in the ransom itself and the indirect costs of operational disruption and cleanup, when faced with a data center full of affected systems.
Although ransomware usually targets Windows machines, the ICIT report warns that,
Unlike traditional malware actors, ransomware criminals can achieve some profit from targeting any system: mobile devices, personal computers, industrial control systems, refrigerators, portable hard drives, etc. The majority of these devices are not secured in the slightest against a ransomware threat.
Indeed, this past week saw the first report of Mac-based ransomware.
Ransomware's growing sophistication takes several forms:
- Malware that targets zero-day, undisclosed and unpatched vulnerabilities.
- Distribution and ransom demands that incorporate social engineering, prior surveillance and self-propagation to spread throughout a network.
- Strong, asymmetric, in-memory encryption that is both impossible to break (see the Apple-FBI case for example) and leaves no trace of unique session keys on the device.
- The use of multiple anonymizing technologies such as Tor, proxy servers and crypto-currencies (for payment) like Bitcoins, Litecoins (LTC) and Dogecoins (DOGE) to hide and thwart tracking the attacker's identity.
The vast majority of victims follow traditional law enforcement advice not to pay ransom, although the FBI has now reversed course for the most advanced attacks, saying you really have no recourse. Estimates are that only 1-3% of victims pay, however due to the ease of targeting millions of systems, even with low rates of successful infiltration and payment, ransomware is profitable. According to FBI figures cited in the ICIT report, one exploit netted over $18 million between 2014-2015. But as the hospital incident highlights, these numbers will surely increase as more businesses are hit with viral ransomware that can grind their entire operations to a halt. Indeed, the hospital's experience is hardly unique. Many law enforcement agencies themselves have been the victims of ransomware, in which they often ignore their own advice and pay.
With ransomware adopting the stealth distribution techniques pioneered by APTs and botnets it becomes a greater threat to large enterprises, even those with detailed backup and DR processes. The ICIT report details the implications,
Modern crypto ransomware maps networks, enumerates drives, and spreads onto as many systems as it can before it activates. As a result, numerous systems, including the backup and redundancy systems, may be infected. Not even a large organization can ignore half their systems going offline. The organization will have to react through remediation, surrender, or allowing the loss of the data. Many organizations cannot survive the loss of essential data for an extended period. Without adequate backups, business continuity may be impossible and customers or end users may be affected.
My Take: vigilance, but not panic
Ransomware is just the latest in a long line of disruptive and potentially expensive cyber threats, but it's most alarming for the brazen and direct way it monetizes an attack. Still, as it becomes harder and less efficient to cash in on stolen identities or information espionage, expect to see more cyber crime take on a ransom element. For example, the Target credit card breach cost the company and affected banks hundreds of millions of dollars in mitigation costs, while the perpetrators netted an estimated $54 million by selling the information on the black market. Imagine that instead of skimming card numbers, the thieves had crypto-locked Target's entire PoS and transaction processing infrastructure just days before Black Friday. Might the company be willing to part with $50 or even $100 million to quickly restore operations rather than risk millions of lost transactions and angry (perhaps former) customers over that busy shopping weekend?
The ominous potential of ransomware serves as a reminder that organizations must heighten their cyber security strategy and preparedness. While having advanced network, system and data security technologies with layered defenses are important, it's not enough, nor even the most important element. Indeed, ransomware, like many exploits primarily relies on human weakness and naïveté to gain a toehold. Thus, regular training in basic security hygiene and cyber threat awareness is more valuable and cost effective than buying expensive new security equipment and software. As the ICIT report puts it (emphasis added),
The vast majority of breaches and cyber security incidents are directly correlated to the innocuous or malicious actions of personnel. Malicious emails are the favored attack vector of ransomware and other malware alike. Employees should be trained to recognize a malicious link or attachment. There is no justifiable reason that most organizations cannot reduce their personnel’s malicious link click rate below 15 percent. A single employee is all it takes for the entire network to be compromised.
Of course, organizations with thorough and frequently validated backup and recovery plans have an advantage in that they can try to restore data from archives rather than submit to ransom.
One key to limiting the spread of ransomware is the use of virtualized security functions (NFV) and micro segmentation of virtual data center networks. By placing security controls on the host and strictly limiting communications between hosts and applications through explicit security policies, NFV should contain or, at least slow the spread of all types of malware.
On the client, the use of application sandboxing techniques such as Bromium's microvisor can nip ransomware at the source by preventing access to the local file system, applications and the OS network stack.
Despite the myriad available security technologies that can reduce the risk of ransomware and other cyber exploits, we agree with ICIT that,
Ultimately, personnel are the strongest and the weakest link in organizational security. If they make a mistake, then the organization has made a mistake. If they fail, the organization has failed.