Online extortion for financial profit usually proceeds in one of two ways. The first is the so-called “business disruption attack”, where hackers target an organization’s critical business systems, steal confidential information and threaten to do something malicious with it (such as exposing, deleting, or encrypting it) unless the victim pays a ransom. This method is used less often, since it requires a great deal of finesse on the part of the hackers, but it usually has a greater potential payout.
The second common form of cyber extortion for financial profit is ransomware: a type of malware that prevents users from interacting with their files, applications or systems until a ransom is paid. Most often, the ransom is demanded in the anonymous currency Bitcoin.
Over the past months, ransomware has gained massive publicity through mainstream media coverage of large ransomware attacks against organizations, hospitals in particular. In these cases the end goal is the same: some form of financial payout to the cyber criminals.
However, not all ransomware works the same way. The file-encrypting variety is probably the most dangerous, because the targeted files, which often hold users’ or organizations’ most valuable data, become useless without the decryption key. The problem is compounded by the fact that paying the ransom offers no guarantee that the files will be unlocked. For that reason, frequent backups of users’ files remain the best defense against ransomware infections.
Since the average ransom demanded from a single victim is relatively low, the hackers who distribute ransomware usually follow a “spray and pray” tactic, sending out as many lures as possible: emails with malicious attachments or links to malicious websites.
According to a FireEye Dynamic Threat Intelligence report, ransomware activity has been rising fairly steadily since mid-2015, with a significant spike registered in March 2016.
That was when FireEye Labs detected a sharp rise in Locky ransomware downloaders, driven by an email spam campaign targeting users in more than 50 countries. The malicious email attachments purported to contain an invoice or a picture, but opening the attachment led to an infection instead.
This February, the systems of Hollywood Presbyterian Medical Center (HPMC) became infected with file-encrypting ransomware. Its president and CEO, Allen Stefanek, said that hospital staff had trouble accessing the network beginning Feb. 5. Stefanek explained that the malware cut off access to certain computer systems, prevented communications from being shared electronically, and demanded a ransom of 40 Bitcoins.
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Stefanek stated. “In the best interest of restoring normal operations, we did this.”
HPMC restored its electronic medical record system and cleared all systems of the malware by Feb. 15.
Later in February, The Register revealed that file-encrypting ransomware had infected the systems of Lukas Hospital and Klinikum Arnsberg in Germany, and in March the same happened at Union Memorial Hospital in Maryland and several other MedStar hospitals in the Washington, DC area.
Apparently, hackers have been increasingly turning to industries such as healthcare that hold critical data but may have limited investment in security across their enterprise. In hospitals, budget dollars typically go towards surgery wards, emergency care centers and supplies for a large number of patients, not security. This makes for a difficult problem, since hospitals cannot operate without the patient data stored in their systems.
The following are some additional factors contributing to the increase of ransomware activity:
- Relatively high profit margins coupled with the relatively low overhead required to operate a ransomware campaign have bolstered the appeal of this particular attack type, fueling market demand for tools and services corresponding to its propagation.
- The success of prolific ransomware families such as CryptoWall has provided a blueprint for aspiring ransomware developers, showcasing increasing profit margins and campaign sustainability. According to the FBI’s IC3, CryptoWall generated identified victim losses totaling more than $18 million between April 2014 and June 2015.
- The emergence of several new ransomware variants adopting a Ransomware as a Service (RaaS) framework since mid-2015, a phenomenon likely driven by the competitive development of quality goods and services within the cyber crime ecosystem. Based on multiple factors, RaaS offerings – which are uniquely poised to capitalize on current underground marketplace demand for ransomware – are highly likely to fuel an increasing number of ransomware infections.
Through this discernible uptick in ransomware activity from mid-2015 to early 2016, FireEye has observed significant growth and maturation of the ransomware threat landscape, predominantly involving the proliferation of myriad new variants.