Late on a Friday evening in early February 2016, staff at Hollywood Presbyterian Medical Center in Los Angeles, California began reporting problems accessing parts of the hospital's network. As the administration would soon learn, the system had been infected with malicious software that encrypted critical files and databases. The software presented the hospital with an ultimatum: pay up, or never regain access to those files.
That is precisely the goal of what has become known as “ransomware.” These malicious programs infect a computer or a network, and opportunistically block access to data in order to extort funds from the affected company, organization, or individual.
In the case of Hollywood Presbyterian, the hospital was left without recourse and, according to its press release, paid 40 bitcoins to anonymous attackers, roughly $17,000 at the time. This restored access to the data, but the hospital has no way of knowing whether that information was copied or stolen at any point during the attack, which leaves the hospital, its patients, and its employees exposed to a potentially enormous data breach.
According to the MIT Technology Review, hospitals and healthcare companies are becoming popular targets for these attacks.1 The information they handle, such as private medical and financial records, is valuable to criminals engaged in fraud, identity theft, or extortion. Even so, every industry should be on the lookout for this type of threat.
A Growing Problem
The rise of ransomware is not news to the computer security industry or to law enforcement. The McAfee Labs 2016 Threats Predictions report lists ransomware as a key source of concern.3 It noted that ransomware attacks had risen every quarter for the last few years and that a number of "ransomware-as-a-service" offerings were being hosted on the Internet.
That means this is no longer a simple case of a bored hacker, but rather a sophisticated network of criminal organizations. In an interview on eRiskHub's Junto blog, Michael Tanji, a former supervisory intelligence officer and writer for Wired, said, "It may be weird to say this about a criminal endeavor, but this is really an enterprise IT operation."2
This isn't merely a problem for large private organizations, either. In a separate Junto interview, Special Agent Benjamin Stone of the FBI told NetDiligence he has seen ransomware such as the Cryptowall virus infect police departments, saying, "In general, I don't think these organizations are being targeted; it's usually an individual that falls prey to a phishing scheme and clicks on an attachment, which initiates the malware."4
The FBI reports that between October 2013 and December 2014, in the United States alone, there were 1,198 cases of email hacking, spoofing and phishing, with a total loss of $179 million in stolen or extorted funds.5 Cryptowall specifically has infected more than 730,000 systems and encrypted more than 5.25 billion files. No one in the industry expects those numbers to decline in the coming years, despite the best efforts of law enforcement.
Mark Greisiger, President of NetDiligence, told us that his organization has worked with more than sixty insurance companies on ransomware attacks, and that he hears about new attacks at least once a week. Mark points out that it is the small size of these demands that has made them such a large problem.
The hackers ask for a small amount of money, hundreds or thousands of dollars rather than millions, so it often looks like a no-brainer for the victim to simply pay. The authors of the ransomware are also fairly reliable about holding up their end of the bargain.
If their demands were unrealistic, or if they were notoriously unreliable, fewer victims would pay. As Tanji pointed out, these aren't bored hackers; this is an organized criminal enterprise whose goal is making money, not wreaking havoc.
Indiscriminate Targeting Places Special Districts at Risk
Your district may not be a hospital or other large entity with data worth stealing, but that doesn't make you immune. Tanji points out that the attachments and links people open are usually not the malware itself. The file may look like a PDF or a ZIP file, but when opened it runs a small downloader that fetches the actual ransomware, which begins encrypting your documents before your anti-virus software detects what is going on or can attempt to stop it.
Most cyber security experts agree that even organizations with strong security protocols and rules are being hit, and that their single greatest vulnerability is how often their employees fall for phishing scams.
Not every attack that arrives by phishing has the technical sophistication of Cryptowall or Cryptovirus. In one recent case, Mark Greisiger noted that an employee received a phishing email advising that the recipient company should pay an attached invoice using the wire transfer details listed. The employee simply wired the amount without verifying who the email was from or whether it was legitimate. Over a million dollars was paid out in that case, and it was a total loss.
Cases like that, and all phishing attacks, are examples of social engineering. In its original sense, social engineering refers to applying sociological or psychological principles to social problems. In security, it refers to manipulating people rather than machines in order to achieve a desired outcome.
Many public entities feel that cyber security is not a major concern for them. They assume that exemptions in state and local law insulate them from the legal ramifications of falling for a ransomware attack in ways that Hollywood Presbyterian or a company like Target or Sony Pictures would face.
This could not be further from the truth. Setting aside for a moment the federal "Red Flags" rules, which require covered entities, special districts included, to maintain an identity theft prevention program, there are other factors that place districts and their boards and staff in a special bind.
If a district has no way to restore its systems, its only option is to pay the ransom. Private companies can often do this quickly, since their spending is subject to far fewer controls.
For public entities, however, an expenditure like this must be publicly transparent and usually requires the input and approval of a board of directors. These rules, while an important part of governance, delay the response and can make a bad situation worse.
For public officials, this can be a far more difficult situation than for their private counterparts. If a company admits to falling victim to a ransomware attack, its board of directors may take no action if the CEO has a proven record of bringing success and profit to the company. As long as the company appears to be taking action, reaction from the general public may hardly matter.
For elected officials, however, it could mean being voted out at the next election, or severe damage to the reputation of the district and its board and management. These individuals, and the general public, may also have ethical qualms about using taxpayer money to pay extortion to foreign hackers.
That, however, may be beside the point. If the district is forced to pay the ransom, it is not simply a matter of writing a check. The district would have to work out how to obtain Bitcoin (set up a wallet and buy the coins from an exchange or vendor), identify and approve funding for the ransom, and then execute the transaction in a transparent way.
Back Up or Pay Up
One of the best defenses against ransomware is frequent, proven data backups. Your IT department or contractor should back up your data daily if possible, and as often as they can otherwise, and those backups should be tested regularly by actually restoring from them, not just by checking that the backup job reported success. In several cases in the last few years, organizations have attempted to restore from a backup, discovered it did not work, and were ultimately forced to pay the ransom because writing off the data was too costly.
Some ransomware families also find and destroy the backups that live in predictable places, such as the Volume Shadow Copies that Windows keeps on the local disk, and anything reachable from the infected machine, including mapped network drives and synced cloud folders, is encrypted along with everything else. The best protection is a copy the infected system cannot touch: a third-party backup service (or offline media) that keeps prior versions and does not accept deletes or overwrites from an ordinary user's credentials.
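What a "proven" backup looks like in practice, as an added example for this article (this is not the Pool's or any backup vendor's code): the script below archives a directory, records a SHA-256 hash of every file, and then proves the backup by restoring it into a scratch directory and comparing each restored file against the manifest. The sample files, the paths and the manifest layout are assumptions for the demonstration; in production the archive and manifest would be written to storage the workstation cannot overwrite.

```python
"""Take a backup and prove it restores. The restore test is the step most
organizations skip, and the one that decides whether you can refuse to pay.

Added example for this article, not the Pool's or any backup vendor's code.
The sample files, paths and manifest layout are assumptions. In production
the archive and manifest go to storage the workstation cannot overwrite
(rotated offline media, or a cloud bucket with versioning or object lock);
a synced folder or mapped drive is just another thing ransomware can encrypt.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(1 << 16), b""):
            digest.update(block)
    return digest.hexdigest()


def make_backup(source: Path, dest_dir: Path) -> tuple:
    """Write source/ into dest_dir/backup.tar.gz plus a JSON manifest of hashes."""
    archive = dest_dir / "backup.tar.gz"
    manifest = dest_dir / "backup.manifest.json"
    files = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            files[rel] = sha256_file(path)
            tar.add(path, arcname=rel)
    manifest.write_text(json.dumps(
        {"archive_sha256": sha256_file(archive), "files": files}, indent=2))
    return archive, manifest


def verify_backup(archive: Path, manifest: Path) -> list:
    """Restore into a scratch directory and check every file against the manifest.

    Returns a list of problems; an empty list means the backup is proven
    restorable. Run this on a machine other than the one being backed up.
    """
    expected = json.loads(manifest.read_text())
    problems = []
    if sha256_file(archive) != expected["archive_sha256"]:
        problems.append("archive hash differs from manifest (corrupted or tampered)")
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                for member in tar.getmembers():
                    # Never let a crafted archive write outside the scratch dir.
                    if Path(member.name).is_absolute() or ".." in Path(member.name).parts:
                        problems.append(f"unsafe path in archive: {member.name}")
                        return problems
                tar.extractall(scratch)
        except Exception as exc:  # corrupt gzip/tar data surfaces here
            problems.append(f"archive failed to extract: {exc!r}")
            return problems
        for rel, digest in expected["files"].items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"content changed after restore: {rel}")
    return problems


def run_demo() -> tuple:
    """Constructed sample: back up three files, verify, then corrupt the
    archive the way a failed or tampered backup would look and verify again.
    Returns (problems_for_good_backup, problems_for_corrupted_backup)."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "records"
        (source / "billing").mkdir(parents=True)
        (source / "billing" / "2016-01.csv").write_text("acct,amount\n1001,42.50\n")
        (source / "minutes.txt").write_text("Board meeting minutes, constructed sample\n")
        (source / "board.pdf").write_bytes(b"%PDF-1.4 constructed placeholder\n")
        dest = Path(work) / "vault"
        dest.mkdir()
        archive, manifest = make_backup(source, dest)
        good = verify_backup(archive, manifest)
        data = bytearray(archive.read_bytes())
        data[len(data) // 2] ^= 0xFF  # flip one byte in the compressed stream
        archive.write_bytes(data)
        bad = verify_backup(archive, manifest)
    return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("intact backup:", good or "OK, restore proven")
    print("corrupted backup:", bad)
```

The point of the second half of the demo is that a backup job can finish with no error and still be worthless; only a restore compared against known-good hashes proves otherwise. Schedule the verification on a separate machine, and keep the manifest with the backup copy so an attacker who reaches the workstation cannot rewrite both.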
Since the chief exposure at any organization is its people, it is essential that every staff member who uses a work computer knows how to recognize phishing, both in email and on websites. If you receive an email from someone you do not know and it contains any sort of link or attachment, treat it with extreme caution. If in doubt, show the message to your IT contractor or staff.
If someone truly needed to send you something important, such as an invoice, a lawsuit, or a similar document, it would normally arrive by a means other than email, or the message would list a secondary contact method, such as a phone number, that you could use to verify it. Verify using a number you already have on file, not one printed in the suspicious message.
Often these messages claim that the recipient has won something, such as a foreign lottery, a boat, a travel package, or jewelry, and appear to come from an organization you have had no significant previous contact with. A message may even appear to be from a company or individual you know. "Spoofing" is the practice of faking an email so it appears to come from someone other than the actual sender; the From address you see is simply a header the sender fills in. Email is a highly insecure way to transfer data, so if someone you know appears to have sent something suspicious, treat it with as much caution as a message from a stranger.
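The checks a mail filter or help desk can make mechanically for the signs described above (a forged sender, a reply address that goes elsewhere, and an attachment that looks like a document but is really a script or executable, including inside a ZIP), as an added example for this article rather than the Pool's or NetDiligence's code. The header heuristics, the file-extension lists and the sample lure message are assumptions; the Return-Path header in the sample is set by hand, whereas a real one is stamped by the receiving mail server.

```python
"""Triage an inbound email for common phishing and spoofing indicators.

Added example for this article, not the Pool's or NetDiligence's code.
The header heuristics, extension lists and sample message are assumptions;
tune them for your own mail flow.
"""
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# File types that run code when a user double-clicks them on a Windows desktop.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".lnk"}
# Document types a lure pretends to be ("invoice.pdf.js", "scan.doc.exe").
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


def _domain(header_value) -> str:
    """Lower-cased domain of the first address in a header, '' if none."""
    _, address = parseaddr(str(header_value or ""))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _check_filename(label: str, name: str) -> list:
    """Flag executables and document-then-executable double extensions."""
    root, ext = os.path.splitext(name.lower())
    findings = []
    if ext in EXECUTABLE_EXTS:
        findings.append(("executable-attachment", f"{label}: {name}"))
        if os.path.splitext(root)[1] in DOCUMENT_EXTS:
            findings.append(("double-extension", f"{label}: {name}"))
    return findings


def _check_attachment(part) -> list:
    name = part.get_filename() or ""
    findings = _check_filename("attachment", name)
    if name.lower().endswith(".zip"):
        # Look inside: the ZIP itself is harmless, the script inside is not.
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for member in zf.namelist():
                    for code, detail in _check_filename(f"inside {name}", member):
                        findings.append(("archive-" + code, detail))
        except zipfile.BadZipFile:
            findings.append(("bad-zip", f"attachment {name} is not a valid ZIP"))
    return findings


def triage(raw: bytes) -> list:
    """Return (code, detail) findings for one raw message; [] means nothing seen.

    These are indicators, not proof: mailing lists and bulk senders also
    produce Return-Path mismatches, so route hits to a person, don't auto-block.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    display, address = parseaddr(str(msg["From"] or ""))
    from_domain = _domain(msg["From"])

    # Envelope sender (Return-Path) versus the From: line the user sees.
    rp_domain = _domain(msg["Return-Path"])
    if rp_domain and rp_domain != from_domain:
        findings.append(("return-path-mismatch",
                         f"From {from_domain} but Return-Path {rp_domain}"))
    # Replies would silently go somewhere other than the apparent sender.
    reply_domain = _domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", f"Reply-To goes to {reply_domain}"))
    # Display name written to look like an address at a trusted domain.
    if "@" in display and display.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(("display-name-spoof", f"'{display}' but sent from {address}"))

    for part in msg.iter_attachments():
        findings.extend(_check_attachment(part))
    return findings


def build_sample_lure() -> bytes:
    """Constructed sample: a fake-invoice lure carrying a ZIP-wrapped JScript file."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("Invoice_4471.pdf.js", "// constructed placeholder, not malware\n")
    msg = EmailMessage()
    msg["From"] = '"payments@district.example" <ap.notice@mailer.example.net>'
    msg["Return-Path"] = "<bounce-771@bulk-send.example.org>"  # normally set by the MTA
    msg["Reply-To"] = "billing.desk@freemail.example.com"
    msg["To"] = "clerk@district.example"
    msg["Subject"] = "Overdue invoice 4471 - action required"
    msg.set_content("Please open the attached invoice and remit payment today.")
    msg.add_attachment(zip_buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice_4471.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for code, detail in triage(build_sample_lure()):
        print(f"{code:30} {detail}")
```

None of these checks replaces the out-of-band phone call the text recommends; their value is in surfacing the message to a person before anyone opens the attachment. The archive check in particular catches the pattern described earlier in this article, where the file the user sees is only a wrapper for the script that downloads the real malware.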
Going Forward
We can always hope that defensive software such as antivirus and firewalls will protect our systems from this type of attack, but even when a product catches today's variant, the criminals adapt just as swiftly.
Cyber security experts say this problem will continue to grow and remain a pernicious threat to both public and private entities for years to come. Law enforcement, while helpful after the fact, has few options for preventing ransomware so long as most of the perpetrators are in foreign countries such as Latvia, Russia, or China.5
It cannot be said enough—the best defense for your district is rock-solid training and vigilance by your staff. Your employees are both your greatest potential strength and your greatest vulnerability. The Pool provides members with access to eRiskHub, powered by NetDiligence, which provides guidance on how to avoid and prepare for a cyber attack, as well as resources for how to respond if you fall victim.
eRiskHub also has listings of qualified pre-screened breach coaches, cyber law attorneys, cyber security companies, and even Bitcoin vendors. You can find more information by visiting csdpool.org/services/cyber/eriskhub.
All Pool members also have access to online training on this topic in our Training Centers. Regardless of entity type, you can login today at csdpool.org/training/targetsolutions.
References:
1 https://www.technologyreview.com/s/600838/hollywood-hospitals-run-in-with-ransomware-is-part-of-an-alarming-trend-in-cybercrime/
2 https://eriskhub.com/junto/52 (Login required)
3 http://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf
4 https://eriskhub.com/junto/85 (Login required)
5 http://www.ic3.gov