Security Dealer & Integrator

AUG 2018



Tech Trends
BY RAY COULOMBE

Ransomware Prep
Why it is advisable to make the up-front investment rather than pay a ransom with no guarantees

"Unfortunately, the normal state in our industry does not reflect an all-inclusive approach to this problem." – Randall Frietzsche, CISO of Denver Health

When you used to hear the word "ransom," you probably figured that someone was kidnapped or taken hostage, and their return was contingent on a payment or action. In many cases, meeting the demand of the hostage takers didn't necessarily lead to the victim's release. Today, cybercrime appears to be easier and lower risk than physical intrusion or armed robbery, and thus "ransomware" has worked its way into our everyday jargon, as criminals hold data or services hostage through the use of targeted malware. Ransomware locks up data so it can only be decrypted with an encryption key, which is promised to the victim upon receiving the ransom payment – often paid in cryptocurrency such as Bitcoin.

Recent High-Profile Ransomware Attacks

WannaCry exploited a vulnerability in Microsoft Windows operating systems in the Server Message Block (SMB) protocol. It is believed that this was an outgrowth of the NSA's activity to warehouse exploits to discovered vulnerabilities. Code developed for this exploit was termed "Eternal Blue" and was stolen by a hacker group called the Shadow Brokers. Many vulnerabilities discovered by the government are not publicly released, but rather saved for future offensive operations.

Although WannaCry attacks began in earnest on May 17, 2017, Microsoft had announced a patch on March 14, 2017, through Security Bulletin MS17-010 and labeled it 'Critical.' Patched systems were protected, but many systems were unpatched – particularly Windows XP – for which support had been discontinued but was later provided for this vulnerability. WannaCry is estimated to have infected more than 300,000 systems across 150 countries in a matter of days. It was later discovered that WannaCry was unable to determine which victims had paid the ransom, due to a code flaw which may have been intentional.

Today, millions of Internet-connected XP systems remain in operation (netMarketShare estimates nearly 6 percent of desktops run Windows XP), most notably Britain's National Health Service. I would surmise that a very high number of Windows XP systems remain unpatched today.

SamSam ransomware hit the City of Atlanta in March 2018. It infiltrates by exploiting vulnerabilities or guessing weak passwords in a target's public-facing systems (read more about weak passwords in my June SD&I column at www.securityinfowatch.com/12413836). SamSam has reportedly targeted protocols including Microsoft IIS (Internet Information Services), FTP (File Transfer Protocol) and RDP (Remote Desktop Protocol). Other victims include Hancock Health and Allscripts.

GandCrab made its debut in 2018 and is commonly delivered with phishing emails about common subjects such as payments, tickets, invoices and orders. A JavaScript attachment is executed and downloads the malware from a malicious URL. Upon successful infection, files will be encrypted with the .CRAB extension while a ransom note is left with instructions on the next steps required to recover the files. Statistics indicate that only 25 percent of those who pay the ransom actually get their files decrypted.

Ransomware by the Numbers

Verizon, in its 2018 Data Breach Investigations Report, reports a number of interesting findings:

• Email continues to be the most common social attack vector (96%) and malware vector (92.4%).
• Bad websites account for 6.3 percent of the malware vectors.
• 49 percent of non-POS malware was installed via malicious email.
• Within the 1,379 incidents where a specific malware functionality was recorded, ransomware (56%) is still the top variety of malware found.
• Ransomware accounts for 85 percent of all malware found in healthcare systems.
• On average, 4 percent of people in any given phishing campaign will click an infected link; however, just 17 percent of phishing campaigns were reported.
• Java Script, Visual Basic Script, Microsoft Office and PDF files are
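The GandCrab behaviour described above (many files renamed to the .CRAB extension in quick succession, followed by a ransom note) is the kind of pattern a defender can watch for in file-server audit data. The following is an added example written for this page, not code from the column or from any product it names: a small sliding-window detector run over a constructed list of file-system events. The event format, the user names, the one-minute window, the 20-rename threshold and the ransom-note filename hint are all assumptions; only the .CRAB extension comes from the page.

```python
"""Added example: flag a burst of renames to the .CRAB extension per user.

Runs offline over constructed sample events; thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

ENCRYPTED_EXT = ".CRAB"       # extension the column says GandCrab appends
RANSOM_NOTE_HINT = "RECOVER"  # constructed: substring expected in a note filename


@dataclass(frozen=True)
class FsEvent:
    ts: float      # seconds since epoch (constructed values)
    user: str      # account that performed the action
    action: str    # "rename" or "create"
    path: str      # resulting path on the file share


def detect_ransomware_burst(events, window_s=60.0, min_renames=20):
    """Return alerts as (user, burst_start_ts, rename_count, note_seen).

    An alert fires for a user the first time at least `min_renames` renames to
    ENCRYPTED_EXT fall inside a sliding window of `window_s` seconds. The count
    reported is every such rename in the window starting at the first one, and
    `note_seen` says whether that user also created a file whose name contains
    RANSOM_NOTE_HINT within the same window.
    """
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        per_user[ev.user].append(ev)

    alerts = []
    for user, evs in per_user.items():
        renames = [e for e in evs
                   if e.action == "rename" and e.path.upper().endswith(ENCRYPTED_EXT)]
        notes = [e for e in evs
                 if e.action == "create" and RANSOM_NOTE_HINT in e.path.upper()]
        start = 0
        for end in range(len(renames)):
            # Slide the window start forward until it spans at most window_s.
            while renames[end].ts - renames[start].ts > window_s:
                start += 1
            if end - start + 1 >= min_renames:
                t0 = renames[start].ts
                burst = [r for r in renames if t0 <= r.ts <= t0 + window_s]
                note_seen = any(t0 <= n.ts <= t0 + window_s for n in notes)
                alerts.append((user, t0, len(burst), note_seen))
                break  # one alert per user is enough for triage
    return alerts


def sample_events():
    """Constructed sample: alice renames a few files at a normal pace; bob
    renames 30 spreadsheets to .CRAB within ten seconds and drops a note."""
    evs = [FsEvent(1000.0 + i * 30, "alice", "rename", f"/share/report{i}.docx")
           for i in range(5)]
    evs += [FsEvent(2000.0 + i * 0.3, "bob", "rename", f"/share/finance/q{i}.xlsx.CRAB")
            for i in range(30)]
    evs.append(FsEvent(2010.0, "bob", "create", "/share/finance/CRAB-RECOVER.txt"))
    return evs


if __name__ == "__main__":
    for user, t0, count, note in detect_ransomware_burst(sample_events()):
        print(f"ALERT user={user} start={t0} renames={count} ransom_note={note}")
```

The detector keys on behaviour (rate of renames to one extension by one account) rather than on a file hash, so it survives minor changes to the malware itself; the extension and note hint are the parts that would need updating for a different family.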
