Events Corroborate Experts’ Identification of Ransomware as 2016 Top Threat


On February 5, 2016, Hollywood Presbyterian Medical Center was the target of a ransomware attack, in which malefactors seized control of the hospital’s computer systems and demanded a ransom in exchange for returning control.[i] Initial reports indicated that the malefactors demanded 9,000 bitcoin, or $3.6 million, to unlock the system.[ii] On February 17, 2015, the hospital paid a ransom of 40 bitcoin, or $17,000, to the malefactor. The hospital was locked out of its system for almost two weeks, with no access to patient records.[iii] More importantly, during this time, the malefactor had complete access to the patient records and other non-public privacy information of both the hospital’s patients and employees.

Ransomware is malicious software that allows a malefactor to infiltrate an organization’s systems, access and encrypt the organization’s data, and demand payment from the organization to decrypt or otherwise release the data. Ransomware effectively allows a malefactor to hold an organization’s data, or even its entire system, hostage.[iv] Ransomware attacks grew 113% in 2014.[v] There were a total of 8.8 million ransomware attacks in 2014, up from 4.1 million in 2013.[vi] Most experts anticipate that ransomware attacks will be a leading threat vector in 2016.

The Online Trust Alliance reports that malefactors have begun to intentionally select targets based on a variety of factors, including the value of the data, the size of the company, market value, and much more.[vii]  While targeted ransomware attacks are increasing in frequency, many malefactors still automatically send ransomware to large numbers of people in hopes that they will open it.  Organizations must be cognizant of, and prepared to deal with, both targeted and spammed ransomware attacks.

Researchers continue to discover new ransomware variants in greater numbers than ever before.[viii] Many of these variants have new stealth functionalities. For example, certain ransomware will stealthily encrypt the organization’s data in anticipation of eventual system backups. When the system backs up, the ransomware and encrypted data will then “infect” both the organization’s system and all backups, making it that much more challenging for an organization to avoid paying the ransom.[ix] Other real-world examples of ransomware include threats to release the organization’s information to the Internet if the ransom is not paid. Finally, as with all ransom situations, there remains the possibility that a malefactor will not relinquish control of the organization’s data and/or systems, or will follow through on the threat to release the data to the Internet even after the ransom is paid. In many instances, however, the FBI is advising victims to pay the ransom. This fact is a telling indicator of the overall inability of organizations and government to effectively deal with ransomware attacks.[x]

Additionally, the “ransomware-as-a-service” business model will continue to grow.[xi]  Ransomware-as-a-service allows inexperienced cybercriminals to access ransomware for free or for a nominal fee.  Once the target pays the ransom, the original author of the ransomware receives a 5% to 20% fee.[xii]  The availability of ransomware to a segment of people who do not have the knowledge or experience to code it themselves realistically creates a whole new breed of “lay” cybercriminals.   Additionally, the proliferation of ransomware creates a layer of anonymity for the actual author, which in turn reduces the risk exposure because they are not the one “pulling the trigger.”  The reduced risk of selling ransomware to a third party may embolden more experienced and talented hackers to engage in increasingly more frequent and diverse attacks, and for little reason other than making a quick buck.  The commoditization of cybersecurity threats is a dangerous development to which all organizations should pay heed.

Ransomware is typically contained in an infected attachment or link, and, once downloaded or opened by any employee, it locks all files on the device until the target pays a ransom to unlock it.[xiii] This can occur on any electronic device connected to a company’s systems, including computers, tablets, or smartphones.[xiv] Therefore, it is essential for organizations to: (1) educate themselves and their employees on information security and awareness, including current and emerging threats; (2) provide consistent and frequent training on email and Internet usage protocols; (3) monitor all employees’ use of computers and company-issued mobile devices; and (4) restrict or limit employees’ use of personal computers, mobile devices, and wearable devices, or implement a Bring Your Own Device (“BYOD”) policy. These minimum steps should be an organization-wide priority for 2016.


[i] Richard Winton, Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating, Los Angeles Times, February 18, 2016, http://www.latimes.com/local/lanow/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html.

[ii] Darlene Storm, Hollywood hospital hit with ransomware: Hackers demand $3.6 million as ransom, ComputerWorld, February 15, 2016, http://www.computerworld.com/article/3032310/security/hollywood-hospital-hit-with-ransomware-hackers-demand-3-6-million-as-ransom.html.

[iii] Richard Winton, Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating, Los Angeles Times, February 18, 2016, http://www.latimes.com/local/lanow/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html.

[iv] Security Magazine, Ransomware Attacks to Grow in 2016, November 23, 2015, http://www.securitymagazine.com/articles/86787-ransomware-attacks-to-grow-in-2016.

[v] Symantec, Internet Security Threat Report, 2015, 7, https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347932_GA-internet-security-threat-report-volume-20-2015-social_v2.pdf.

[vi] Symantec, Internet Security Threat Report, 2015, 17, https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347932_GA-internet-security-threat-report-volume-20-2015-social_v2.pdf.

[vii] Darlene Storm, Hollywood hospital hit with ransomware: Hackers demand $3.6 million as ransom, ComputerWorld, February 15, 2016, http://www.computerworld.com/article/3032310/security/hollywood-hospital-hit-with-ransomware-hackers-demand-3-6-million-as-ransom.html.

[viii] Security Magazine, Ransomware Attacks to Grow in 2016, November 23, 2015, http://www.securitymagazine.com/articles/86787-ransomware-attacks-to-grow-in-2016.

[ix] McAfee Labs, 2016 Threats Predictions, 2015, 24, http://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf.

[x] Steven Norton, ‘Ransomware’ Attacks to Grow in 2016, Says Intel’s McAfee Labs, The Wall Street Journal, November 10, 2015, http://blogs.wsj.com/cio/2015/11/10/ransomware-attacks-to-grow-in-2016-says-intels-mcafee-labs/.

[xi] McAfee Labs, 2016 Threats Predictions, 2015, 24, http://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf.

[xii] Dan Turkel, There are now programs that anyone can use to extort money from you, Business Insider, http://www.businessinsider.com/ransomware-as-a-service-is-the-next-big-cyber-crime-2015-12.

[xiii] Stacy Collett, Five New Threats to Your Mobile Device Security, CSO Online (May 21, 2014), http://www.csoonline.com/article/2157785/data-protection/five-new-threats-to-your-mobile-device-security.html.

[xiv] Stacy Collett, Five New Threats to Your Mobile Device Security, CSO Online (May 21, 2014), http://www.csoonline.com/article/2157785/data-protection/five-new-threats-to-your-mobile-device-security.html.


 


Information Governance: Culture of Security vs. Culture of Compliance


Organizations can, and often do, make the mistake of classifying information security as only a compliance matter. Much like taxes, workplace safety, and human resources, information security is governed by a complex set of statutes and regulatory rules. However, unlike the aforementioned areas, information security cannot be adequately addressed solely as a compliance matter.

This is attributable to many factors, including: (1) the inherently valuable and essential nature of an organization’s information; (2) the ever-evolving nature of threats; (3) the relative lack of awareness of information security issues and overall inability of organizations to effectively control and protect their information; (4) the persistent existence of intentional or unintentional insider threats; and (5) the rapidly changing national and global legal and regulatory landscape. Information security cannot be relegated to IT or delegated to one specific person or department without oversight. Information security simply must be addressed from the executive level and must be a persistent, holistic, and synergistic aspect of an organization’s overall governance.

The best practice is to change the organizational mindset from a culture of compliance to a culture of security. The first step in changing the organizational mindset is to stop thinking of information security as an item to “check” to meet minimum compliance requirements and to start thinking of it as an overarching organizational governance goal. Information is the DNA of modern organizations, and information security must be thought of in terms of how the organization is run. All of the organization’s departments and employees must fall under the umbrella of information governance and must work together to achieve the common goal. The organization’s leadership must deliver a clear and concise vision, communicate expectations, and expect results.

Changing an organizational mindset requires executive level buy-in and a commitment to initiate, develop, and implement an information security program. It requires the bravery and dedication to allocate resources (financial and personnel) to pursuing a culture of security. It requires the fortitude to stick with a culture of security in the face of inevitable setbacks and recalibrations.

Ultimately, changing the organizational mindset to a culture of security is a simple matter of saying “yes.” In doing so, the organization will reap the benefits of increased productivity, greater security, and the peace of mind of its employees, vendors, and customers. In doing so, the organization will also not only meet compliance standards, but will, in all likelihood, exceed them.