- In late April, the FBI issued a special bulletin [link no longer available] about the proliferation of ransomware and urged organizations to take precautionary measures in anticipation of an expected increase in attacks in 2016.
- Kaspersky reports a 30% increase in ransomware attacks since last quarter.
- The Infoblox DNS Threat Index reached a record high in Q1 2016 [link no longer available], indicating that cybercriminals are quickly setting up the infrastructure needed (including domain names and payment sites) for harmful attacks.
- Symantec reports a 300% increase in daily ransomware attacks since the beginning of the year as compared to the same time last year.
Healthcare institutions and universities continue to be easy targets for attacks due to the critical nature of their files and the urgency of maintaining continuous access to them. Here are just a few attacks from the past few weeks:
- The University of Calgary reported an expense of $16K and a great deal of time and effort to decrypt files after a ransomware attack in June.
- A South Carolina school district recently paid $8K to have their files returned.
- Kansas Heart Hospital paid the ransom after an attack in May, only to have the attackers hold the files hostage until a second payment was made. The hospital declined to pay the second ransom.
Several experts have hypothesized reasons for the surge, including the increased availability of open source code and the promise of high profit margins, which prompt amateur criminals to rush to enter the ransomware game. Some experts attribute the spike in ransomware activity to copycat attackers seeing dollar signs in the news coverage of the success of the media and hospital attacks earlier in the year. From the Infoblox DNS Threat Index Report [link no longer available]:
“What has changed over the past quarter or two is a shift from small-dollar heists targeting consumers to larger, more profitable attacks on commercial entities. And as news of this success has spread, certainly through underground networks and ironically through general media coverage of the danger, cybercriminals have apparently taken notice.”
While the incident rate is increasing because the tools are more easily available to amateur cybercriminals, many of the existing attack programs have also grown more sophisticated and are changing the rules, which makes the issue all the more challenging to resolve.
- As Kansas Heart Hospital recently discovered, paying the ransom no longer guarantees that complete files will be returned.
- Security researchers recently discovered a bundled ransomware and distributed denial of service (DDoS) attack in the Cerber ransomware code. Adding the DDoS component can overwhelm a victim’s network by flooding the servers with traffic. While there have been no reports of this assault having been launched, the prospect is frightening in that cybercriminals can continue to damage a company’s external relationships and reputation even after a ransomware attack has been resolved. It also calls into question what other nefarious hybrid code cybercriminals can invent and embed in a victim’s system.
- Another method attackers have been using to thwart backups is to wait a week or so before encrypting the files, so that the malware is already intertwined with the company’s backup files by the time the attack becomes visible.
On a more positive note, the creators of the TeslaCrypt strain of ransomware recently had a change of heart and released decryption keys to their victims.
While we patiently wait for more attackers to develop the same sense of conscience, make sure your organization is following the many recommendations for developing tighter IT security controls (backups, etc.) and, of course, providing enhanced user training. As a recent FBI crime report notes, awareness training is a “critical preventative measure.”
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 985,000 followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 24-26, 2016 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.