Ickes Holt LLC | Full Service Law Firm in Stow Ohio

Business Law. Family Law. Litigation.


Events on Ground Corroborate Experts’ Identification of Ransomware as 2016 Top Threat

February 22, 2016 by ickesj

On February 5, 2016, Hollywood Presbyterian Medical Center was the target of a ransomware attack, in which malefactors seized control of the hospital’s computer systems and demanded a ransom in exchange for returning control.[i]  Initial reports indicated that the malefactors demanded 9,000 bitcoin, or $3.6 million, to unlock the system.[ii]  On February 17, 2015, the hospital paid a ransom of 40 bitcoin, or $17,000, to the malefactor.  The hospital was locked out of its system for almost two weeks, with no access to patient records.[iii]  More importantly, during this time, the malefactor had complete access to the patient records and other non-public privacy information of both the hospital’s patients and employees.

Ransomware is malicious software that allows a malefactor to infiltrate an organization’s systems, access and encrypt the organization’s data, and demand payment from the organization to decrypt or otherwise release the data.  Ransomware effectively allows a malefactor to hold an organization’s data, or even its entire system, hostage.[iv]  Ransomware attacks grew 113% in 2014.[v]  There were a total of 8.8 million ransomware attacks in 2014, up from 4.1 million in 2013.[vi]  Most experts anticipate that ransomware attacks will be a leading threat vector in 2016.

The Online Trust Alliance reports that malefactors have begun to intentionally select targets based on a variety of factors, including the value of the data, the size of the company, market value, and much more.[vii]  While targeted ransomware attacks are increasing in frequency, many malefactors still automatically send ransomware to large numbers of people in hopes that they will open it.  Organizations must be cognizant of, and prepared to deal with, both targeted and spammed ransomware attacks.

Researchers continue to discover new ransomware variants in greater numbers than ever before.[viii]  Many of these variants have new stealth functionalities.  For example, certain ransomware will stealthily encrypt the organization’s data in anticipation of eventual system backups.  When the system backs up, the ransomware and encrypted data will then “infect” both the organization’s system and all backups, making it that much more challenging for an organization to avoid paying the ransom.[ix]  Other real-world examples of ransomware include threats to release the organization’s information to the Internet if the ransom is not paid.  Finally, as with all ransom situations, there remains the possibility that a malefactor will not relinquish control of the organization’s data and/or systems, or will follow through on the threat to release the data to the Internet even after the ransom is paid.  In many instances, however, the FBI is advising victims to pay the ransom.  This fact is a telling indicator of the overall inability of organizations and government to effectively deal with ransomware attacks.[x]

Additionally, the “ransomware-as-a-service” business model will continue to grow.[xi]  Ransomware-as-a-service allows inexperienced cybercriminals to access ransomware for free or for a nominal fee.  Once the target pays the ransom, the original author of the ransomware receives a 5% to 20% fee.[xii]  The availability of ransomware to a segment of people who do not have the knowledge or experience to code it themselves realistically creates a whole new breed of “lay” cybercriminals.  Additionally, the proliferation of ransomware creates a layer of anonymity for the actual author, which in turn reduces the author’s risk exposure because the author is not the one “pulling the trigger.”  The reduced risk of selling ransomware to a third party may embolden more experienced and talented hackers to engage in increasingly frequent and diverse attacks, and for little reason other than making a quick buck.  The commoditization of cybersecurity threats is a dangerous development to which all organizations should pay heed.

Ransomware is typically contained in an infected attachment or link, and, once downloaded or opened by any employee, it locks all files on the device until the target pays a ransom to unlock it.[xiii]  This can occur on any electronic device connected to a company’s systems, including computers, tablets, or smartphones.[xiv]  Therefore, it is essential for organizations to: (1) educate themselves and their employees on information security and awareness, including current and emerging threats; (2) provide consistent and frequent training on email and Internet usage protocols; (3) monitor all employees’ use of computers and company-issued mobile devices; and (4) restrict or limit employees’ use of personal computers, mobile devices, and wearable devices, or implement a Bring Your Own Device (“BYOD”) policy.  These minimum steps should be an organization-wide priority for 2016.


[i] Richard Winton, Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating, Los Angeles Times, February 18, 2016, http://www.latimes.com/local/lanow/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html.

[ii] Darlene Storm, Hollywood hospital hit with ransomware: Hackers demand $3.6 million as ransom, ComputerWorld, February 15, 2016, http://www.computerworld.com/article/3032310/security/hollywood-hospital-hit-with-ransomware-hackers-demand-3-6-million-as-ransom.html.

[iii] Richard Winton, Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating, Los Angeles Times, February 18, 2016, http://www.latimes.com/local/lanow/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html.

[iv] Security Magazine, Ransomware Attacks to Grow in 2016, November 23, 2015, http://www.securitymagazine.com/articles/86787-ransomware-attacks-to-grow-in-2016.

[v] Symantec, Internet Security Threat Report, 2015, 7, https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347932_GA-internet-security-threat-report-volume-20-2015-social_v2.pdf.

[vi] Symantec, Internet Security Threat Report, 2015, 17, https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347932_GA-internet-security-threat-report-volume-20-2015-social_v2.pdf.

[vii] Darlene Storm, Hollywood hospital hit with ransomware: Hackers demand $3.6 million as ransom, ComputerWorld, February 15, 2016, http://www.computerworld.com/article/3032310/security/hollywood-hospital-hit-with-ransomware-hackers-demand-3-6-million-as-ransom.html.

[viii] Security Magazine, Ransomware Attacks to Grow in 2016, November 23, 2015, http://www.securitymagazine.com/articles/86787-ransomware-attacks-to-grow-in-2016.

[ix] McAfee Labs, 2016 Threats Predictions, 2015, 24, http://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf.

[x] Steven Norton, ‘Ransomware’ Attacks to Grow in 2016, Says Intel’s McAfee Labs, The Wall Street Journal, November 10, 2015, http://blogs.wsj.com/cio/2015/11/10/ransomware-attacks-to-grow-in-2016-says-intels-mcafee-labs/.

[xi] McAfee Labs, 2016 Threats Predictions, 2015, 24, http://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf.

[xii] Dan Turkel, There are now programs that anyone can use to extort money from you, Business Insider, http://www.businessinsider.com/ransomware-as-a-service-is-the-next-big-cyber-crime-2015-12.

[xiii] Stacy Collett, Five New Threats to Your Mobile Device Security, CSO Online (May 21, 2014), http://www.csoonline.com/article/2157785/data-protection/five-new-threats-to-your-mobile-device-security.html.

[xiv] Stacy Collett, Five New Threats to Your Mobile Device Security, CSO Online (May 21, 2014), http://www.csoonline.com/article/2157785/data-protection/five-new-threats-to-your-mobile-device-security.html.


 



ICKES \ CALHOUN \ HOLT is a full-service, team-driven, and client-focused law firm in Northeast Ohio concentrating on information security and governance.  Information is the DNA of modern organizations and ICKES \ CALHOUN \ HOLT is dedicated to advising clients on how to protect their information.  Please contact us to discuss establishing or improving the information governance policies for your organization, to better protect your information assets from ransomware and other threat vectors.
