Report: New Ransomware Attacks Will Become Common in 2016

Based on the severe ransomware attacks lately, the Institute for Critical Infrastructure Technology (ICIT) warns users that ransomware threats will probably escalate this year.

The ICIT report shows that 2016 will be the year ransomware will “wreak havoc on America’s critical infrastructure community.” “To pay or not to pay” will be the question fueling heated debate in boardrooms across the country, according to the report authors, James Scott, ICIT senior fellow, and Drew Spaniel, ICIT visiting scholar from Carnegie Mellon University.

Considering the expected ransomware attacks this year, ICIT advises decision makers on technology and cybersecurity trends in infrastructure sectors including government, defense and healthcare. The report gives an analysis of the ransomware threat as well as the attacker and targets and provides mitigation strategies.

“Ransomware is less about technological sophistication and more about exploitation of the human element. Simply, it is a digital spin on a centuries old criminal tactic,” the authors of the report said.

They also tapped into cyber-security research contributed by some security firms for insights into ransomware attacks. According to the report, the security firms predict a dominant resurgence of ransomware attacks in 2016, similar to the attack against Hollywood Presbyterian Medical Center last month.

“The healthcare sector was not a traditional target for ransomware attacks. One theory is that attackers did not target systems that jeopardized lives,” Scott and Spaniel stated. Nevertheless, both researchers noted that mentality has changed for at least the group operating the Locky ransomware, as evidenced by the incident at Hollywood Presbyterian Medical Center.

According to the report, cyber threat actors are using ransomware attacks because these attacks are “under combatted and highly profitable.” And, unlike hackers who attempt to exfiltrate or manipulate data, ransomware criminals only attempt to prevent access to data and during an active ransomware attack, business operations grind to a halt until the system is restored or replaced.

Also, with the prevalence of mobile devices and the growth of the Internet of Things (IoT), the “potential threat landscape available to ransomware threat actors is too tantalizing a target to ignore.”

“Information security specialists and the technical controls that they implement must become adaptable, responsive, and resilient to combat emerging threats,” Scott and Spaniel said.

Research provided by security companies shows that creating a phishing page and setting up a mass spam email costs about $150. “A trendy crypto ransomware sells for about $2000 on dark net forums. Locker ransomware probably costs less. This means that an attacker only needs to ransom eight everyday users (at the average $300) to generate a profit,” the experts wrote.

“Symantec estimated that in 2009, 2.9 percent of the victims paid the ransom. In 2014, CTU researchers estimated that about 1.1 percent of the Cryptowall ransomware victims paid the ransom (at an average of $500). Despite this seemingly low response rate, the FBI reported that from the 992 related complaints, Cryptowall reportedly netted over $18 million from victims between 2014 and 2015.”

The report details the types of ransomware, such as locker ransomware and crypto ransomware, with the Locky ransomware being an active example and the type that infected medical systems belonging to Hollywood Presbyterian Medical Center. In that incident, while healthcare data remained unaffected, computers essential to laboratory work, CT scans, emergency room systems and pharmacy operations were infected.
“After ten days, the administration paid attackers 40 Bitcoins ($17,000) to release the systems. Later that week, five computers belonging to the Los Angeles County health department were infected with a ransomware variant. The health department refuses to pay the ransom and will restore its systems from backups. Similarly, two hospitals in Germany were infected with ransomware at roughly the same time as Hollywood Presbyterian Medical Center. Both are restoring their systems from backup systems,” Scott and Spaniel wrote.

The security researchers also noted that ransomware follows the same distribution and infection vectors, or delivery channels, as traditional malware such as traffic distribution services, malvertisement, phishing emails, downloaders, social engineering and ransomware as a service (RaaS).

The authors also detail mitigation strategies noting that “preventing infection is preferred over remediation efforts.”

“The first step to mitigating a ransomware threat is to implement a comprehensive cybersecurity strategy,” Scott and Spaniel stated. “Software and hardware solutions are necessary, but they are not the only necessity. First and foremost, information security training and awareness must improve. Afterward, organizations can rely on the layered defenses that they have invested in to secure their network.”

According to the security report, organizations should have an information security team to ensure that all systems are updated and patched and that critical systems are backed up. Organizations also should have layered defenses to protect their networks. And personnel training and awareness are critical, as information security experts often cite that “humans are the weakest link.”

“Employees should be trained to recognize a malicious link or attachment. There is no justifiable reason that most organizations cannot reduce their personnel’s malicious link click rate below 15 percent,” the authors wrote. “Teach employees to not click on any links in any emails. It takes barely any more time to type a link into Google as it does to click the link. Personnel should only open attachments from personnel that they trust and only if they are expecting the file.”

Healthcare leaders also should focus on administrative policies and procedures to strengthen cyber defense and consider cyber insurance policies that cover ransomware attacks.

When a compromise does occur, the ICIT report recommends that organizations disengage from communicating with the attacker until the situation is thoroughly assessed and a course of action decided.

“The proper response will depend on the risk appetite of the organization, the potential impact of the hostage data, the impact on business continuity, whether a redundant system is available, and the sectorial regulatory requirements,” the experts stated.

There are several response options:

  • Engage the incident response team which will, in turn, notify the authorities
  • Try to implement a solution without an information security team
  • Attempt to recover the data through system backup or recover data through shadow copies or file recovery software tools
  • Do nothing; back up the system and ignore the ransom demand; or, if there is no backup but the ransom outweighs the cost of the system, then purchase a new device and dispose of the infected system
  • Pay the ransom. If this option is legitimately being debated, the report authors recommend doing an internet search on the type of ransomware holding the system to find out whether cyber-criminals who use that ransomware are likely to release the data after receiving payment.
  • Hybrid solution which includes simultaneous efforts to pay the ransom and to triage the system to attempt to restore from a backup server.

According to Scott and Spaniel, the enlistment of an information security team is the first step in a company-wide security strategy. And the information security team should, at minimum, “conduct an immediate companywide vulnerability analysis, develop a crisis management strategy that takes into consideration all known threats and also conduct continuous device and application patching, auditing of third party vendors and agreements as well as organizational penetration testing and security centric technological upgrades.

Together, these actions can profoundly minimize a company’s attack surface,” the researchers concluded.
