By M. BRETT JAFFEE
Ransomware is not just big business - it's big and exploding business. Ransomware attacks skyrocketed in the first quarter of 2019, according to the Beazley Breach Response (BBR) Services team, which reported a 105 percent increase in the number of ransomware attack notifications against clients compared to Q1 2018.
It is such big business that the hackers responsible for GandCrab, a popular form of ransomware that was sold to clients on the dark web, have recently decided to retire and go legitimate with their earnings. The hackers claim that GandCrab netted its clients around $2 billion, all extracted from victims who opted to pay for a decryption key after falling prey to the ransomware. The hacking group also claims it "earned more than $150 million per year" from GandCrab and is now "leaving for a well-deserved retirement."
If you are following along at home: there are many companies that sell ransomware software to anyone with the desire to purchase it, AND they have all made so much money doing it that some have decided to stop. The fact that there is one less player in this market might seem like good news, but I assure you, it is not.
According to HIPAA: Healthcare Data Breaches by Year
Between 2009 and 2018 there were 2,546 healthcare data breaches involving more than 500 records. Those breaches resulted in the theft or exposure of 189,945,874 healthcare records. That equates to more than 59 percent of the population of the United States. Healthcare data breaches are now being reported at a rate of more than one per day.
In Q1 2019, the average ransomware demand reported to the BBR Services team was $224,871, an increase of 93 percent over the 2018 average of $116,324, said the Beazley Breach Insights report.
Not only has the frequency of attacks skyrocketed, but attackers are fine-tuning their focus and demanding higher ransom payments, said the report.
A ransomware attack against any business could be devastating, but some sectors are more at risk from file-encrypting attacks than others. Cybercriminals prey on industries which can't afford to lose access to their networks.
Some cybercriminals will be attempting to compromise any organization possible with a generic attack. Professional threat actors will create specially tailored attacks in order to make them look as authentic as possible - even by making the message look like it comes from a colleague or friend.
Ransomware is most often delivered via a phishing email, which explains why NTT Security's Global Threat Intelligence Report lists business and professional services as the sector most likely to be targeted by ransomware.
Given that opening financial spreadsheets, job applications, and other email attachments is at the very heart of this modern sector, it makes sense that over a quarter of ransomware attacks (28 percent) were directed at business and professional services firms.
What are the top 4 industries to be targeted? (according to the NTT Security report)
- 19 percent of ransomware attacks were targeted at government and government agencies.
- Healthcare is the next highest-profile target for cybercriminals, accounting for 15 percent of attacks. It was a ransomware attack against an LA hospital which infamously highlighted the problem, taking the network offline for days until the hospital paid a $17,000 Bitcoin ransom.
- Ransomware attacks against the retail industry account for a further 15 percent of all incidents.
- All other industries make up the remaining 23 percent.
While attacks using ransomware as a service (RaaS) platforms remain commonplace, tending to hit unsuspecting small businesses, more sophisticated variants are being deployed through phishing emails and by tricking users into activating banking Trojans, the report affirmed.
"We have witnessed a considerable uptick in notifications of both ransomware and banking Trojans in the first few months of this year," emphasized Katherine Keefe, head of Beazley Breach Response Services, in a statement accompanying the report.
The report quoted Bill Siegel, CEO of Coveware, who attributed the increased number of attacks to two main factors. "First, anytime the average ransom demand goes up, it's going to pull in more attack groups interested in making money. Second, the easy availability of exploit kits (GandCrab) and ransomware means there is a lower barrier to entry for would-be hackers." Said differently, the hackers don't have to be smart anymore.
The report recommended the following measures if a company's system has been infected:
- Disconnect infected machines from the network (wired and wireless) as soon as possible and preserve them for forensic investigation.
- Reset passwords for any users of the machine and alert employees to change passwords for any personal accounts they may have accessed through the machine.
- Notify external cyber experts who can investigate the incident and determine whether data has been exfiltrated that gives rise to a legal obligation to notify affected individuals.
Businesses should regularly train employees not to open unsolicited attachments and links, particularly from unknown sources. In addition, macros should not be allowed to run, and employees should be suspicious of links leading to web pages that ask for login credentials.
Employees should also be trained not to store any personal login information on their computers, even through their browsers.
British Prime Minister Winston Churchill famously said in 1948, "Those who fail to learn from history are condemned to repeat it."
Ransomware attacks continue to succeed because targets, like city governments, healthcare practices and anyone doing business after 2015, aren't doing security basics.
One of the best examples: in March 2018, ransomware took down at least a third of Atlanta's 424 software programs, about 30 percent of which were considered "mission critical." The recovery price tag is now somewhere in the range of $21 million, or about 420 times the $51,000 ransom demand.
You might think that kind of disastrous history - recent history - would prompt municipalities from coast to coast to implement at least a few security basics like replacing outdated software and patching current software. Not so much. Recorded Future reported more than two dozen attacks so far this year. And the most recent and most egregious example is Baltimore, MD, which is struggling to climb out of a digital black hole caused by a May 7, 2019 ransomware attack that essentially locked the city government's voicemail, email, parking fines database, and the online system for paying water bills, property taxes and vehicle citations. The attack also froze the processing of real estate transactions, although city officials did work out a manual workaround that would let those transactions proceed.
Baltimore shouldn't have even needed the Atlanta attack to put it on notice. It had its own history - the city's 911 system was hacked in March 2018, just days after the Atlanta attack.
Baltimore had 14 months to prepare for what was coming and chose not to. That doesn't make them much different than 85 percent of all the physician offices across America.
The warning shots have been fired on every business, industry and individual computer owner in the world.
Brett Jaffee is VP of Sales for NSG and has over 25 years of experience selling and marketing primarily to Fortune 1000 companies.
After successful stints at HearFromMe.com and WelltalityHealth.com, where Brett was responsible for HIPAA and Data Compliance systems, Brett has brought his experience and protocols to NSG. Visit www.nsgi-hq.com