By Peter K Kardel
It’s a foggy Thursday morning, you’re in early, knocking down your first strong coffee. You’ve got a lot to get done before Friday afternoon . . . when you hope to leave a little early for a three-day weekend backpacking trip in Yosemite with your daughter. You just have to blast through the morning mound of emails, clearing the decks for a packed day.
What’s this? An email from FedEx stating they’re having trouble delivering your package, address verification needed. Good thing too! You’re expecting some gear for your trip . . . you click the link. Just as you start to mutter “just open already” under your breath, the FedEx site opens to the home page, but nothing about the troubled shipment. Frustrated, you try the link again. Same thing, only the FedEx site opens instantly this time. Something doesn’t feel right. Whatever. You don’t need that new titanium spoon for the trip anyway. Better get on that final draft that’s due by the end of the day . . .
Wait, what? Looking through your directories, you see your files, but they look funny . . . the icons have all changed, and they now have a ‘.LOCKY’ extension. And they won’t open. You know that feeling that starts in the back of the throat, like you’re getting choked by invisible hands? You’re getting that now.
Just then the Locky Decryptor “special software” screen pops up, offering their services. All of your documents, spreadsheets and photos have been intractably scrambled with cryptographic Ransomware. If you cough up $300 in Bitcoin, you can get your files back. Are you kidding me? You feel your heart pounding in your chest. Wait a second! I can just restore a previous version of the file! Only Locky has gotten there first, zapping all the shadow copies off your system. Ok, you still have backup right? The USB drive attached to your computer, your silent data guardian . . . it’s show time. Your hope is snuffed out when to your horror, Locky’s been there too. How are you going to meet your deadlines this afternoon? Oh, and your trip this weekend . . . how are you going to tell your daughter the trip is off? It is going to take days to recover from this. Maybe you should just pay the ransom. You’re feeling physically sick, a little light headed and tingly all over. This is a nightmare! Then you hear your boss’s bewildered voice, spoken to no one in particular “hey what’s happened to all the files on the network drive?” No, this nightmare is just getting started.
This terrible story has played out for millions of people around the world. Organizations large and small have come under increasingly sophisticated, targeted attacks. In February this year the Hollywood Presbyterian Medical Center in Los Angeles, CA fell victim to a crippling attack that left their systems down for over a week before finally paying the $17,000 ransom. A month later, the Methodist Hospital in Henderson, Kentucky was plunged into an “internal state of emergency.” David Park, an attorney for the hospital, confirmed they may have to pay the $1,600 ransom despite the assistance of the FBI. You would think that given the years of intense regulatory pressure for IT security in the healthcare space, they’d be safe. These are breathtaking IT security breaches coming after years of investment to meet stringent HIPAA data security requirements!
I often hear people say that their small business is not a target, nobody cares about our data. That may have been true at one time, but no longer. Kaspersky Lab recently reported a 30 percent ransomware jump in Q1 2016. The growth we’re seeing is driven by market forces. Crime pays, but ransomware pays really well. The Russian cybercrime operators of the botnet GameOver Zeus raked in an estimated $30 million in their first 30 days of launching CryptoLocker. This was a cloud-enabled software campaign operated on a scale and with a level of professionalism you’d expect from a legitimate software company. They even had a tech support line that “customers” could reach for support buying the untraceable Bitcoins required for payment. Before the FBI finally took them down, more than $100 million was stolen and ransomed by the group. There is so much money to be made in this way that for every takedown, several more enterprising hackers jump into the “market.”
It is important to recognize that a real shift has occurred. This was illustrated in a recent Ars Technica article “OK, panic—newly evolved ransomware is bad news for everyone” (http://arstechnica.com/security/2016/04/ok-panic-newly-evolved-ransomware-is-bad-news-for-everyone/). Senior Dell security researcher Harlan Carvey was quoted: “It used to be, back in the days of Sub7 and ‘joy riding on the Information Highway,’ that your system would be compromised because you’re on the Internet. And then it was because you’ve got something—you’ve got PCI data, PHI, PII, whatever the case may be. Then it was intellectual property. And now it’s to the point where if you’ve got files, you’re targeted.” Your data isn’t important to the hackers, it’s important to you, and they’re going to make you pay to get it back.
Ransomware and other threats are a clear and present danger to your business. The huge profits extorted from victims are fueling robust research and development into ways to steal from you. New crooks are finding their way into this vast new market. New cloud technologies make it so easy to start, so rewarding to play and so hard to get caught. We are going to have to take a few big steps forward to get ahead of this.
In the next few weeks, I’ll be sharing reasonable and prudent action steps that can be taken to protect your business from a data nightmare.