City departments, hospitals, and shipping companies learned the hard way that ransomware will hold anyone’s data hostage
Shortly after the WannaCry ransomware crypto worm finished swindling Microsoft Windows users out of billions in May 2017, the finger-pointing game began. The US blamed North Korea, Twitter exploded with conspiracy theories, and everyone scrambled to secure their precious information using whatever methods seemed feasible.
But then an unfamiliar variant of Petya nailed 80 global companies in a politically-motivated attack meant to throttle Ukraine. Analysts speculated this motivation because ransomware normally allows the release of data after payment, yet Petya didn’t offer this luxury. The origination of the attack clearly implicated Ukrainian cybercriminals and affected roughly 80% of Ukrainian companies. Billions were lost by exploiting a vulnerability designed by the NSA.
It gets scarier.
SamSam, first discovered in 2016, looks for unpatched server-side software to intrude through. Once in, it’s able to lay waste to every Windows computer connected to the network, collecting sensitive data from companies before dumping another payload of ransom requests. Since 2015, SamSam has hit major companies and cities like Atlanta, which alone may need to pay $17 million to resolve it.
Nefarious code writers are after your digital assets. It’s a ubiquitous threat to multibillion-dollar firms and small enterprises alike that can’t be ignored.
How ransomware distributes its payload
Low-level hackers use sketchy websites, email blasts, and pay-per-install schemes to infect computers with ransomware. These methods aren’t always effective since most computer users are more educated now than they were 10 years ago. But make no mistake – the tactics still work.
Petya shoots straight toward the heart of PCs – the master boot record (MBR). Once there, the crypto worm triggers a rewrite of Windows’ bootloader and initiates a computer restart. Once DOS has begun loading, the payload is dropped, encrypting the Master File Table (MFT) of NTFS, the file system most Windows-based machines are partitioned with.
Throughout the ransom process, the user’s screen will look like CHKDSK (check disk) is running a series of drive sector repairs. Once the required Bitcoin payment is submitted, the ransomware will self-terminate. However, the email provider Posteo suspended the hacker’s account for terms of service violations, meaning those who insisted on paying the ransom couldn’t send payment confirmation. Petya was powerful enough to knock Chernobyl’s Nuclear Power Plant radiation monitor offline in 2017.
WannaCry was a short-lived yet highly-damaging crypto worm that affected global computers running Microsoft Windows. Utilizing an exploit in older versions of Windows developed by the NSA and released by The Shadow Brokers dubbed ‘EternalBlue,’ the ransomware encrypted data and demanded Bitcoin payment for its release. It worked in tandem with the DoublePulsar backdoor tool, although it was written to self-install as a failsafe.
Although Microsoft had already patched the exploit in their flagship platform and developed a kill switch to avert further damage, 200,000 computers spanning 150 countries were affected, forcing countless businesses and consumers to pony up the requested payment. Many of these victims could have avoided the attack by simply keeping their systems up to date.
Ransomware targets many industries and sectors. Yes, even yours
If you’re looking for reasons why no organization can ignore cybersecurity, look at how the following sectors have been victimized by ransomware over the last three years:
Not only did Atlanta endure its own nightmare involving SamSam blocking access to court documents, but Baltimore’s 9-1-1 dispatch system was infected. Atlanta has since spent millions to secure its networks and computers and hire cybersecurity experts to help mitigate future attacks. Farmington, New Mexico had its records processing and electronic bill payment system upended by ransomware, too. Even the City Hall in Springfield, Tennessee had to fork over $1,000.
Utilities and Energy
Major utility providers, like Lansing Board of Water & Light (BWL) in Michigan, have seen their share of ransomware attacks. The BWL attack was propagated through an email attachment and locked employees out of enterprise-level computers.
In April, the Ukrainian Energy and Coal Ministry website succumbed to a low-level ransomware attack which was quickly mitigated without paying the ransom fee.
Anonymous cyber extortionists bilked a remote Massachusetts school district out of $10,000 in Bitcoin in May. The payment was made relatively quickly to avoid excessive damage. University College London, one of the UK’s most prestigious universities, was attacked in 2017. It’s unclear what the college paid, if anything, to secure their data.
Industry analysts concur that healthcare now takes the brunt of ransomware attacks, and stolen and resold personal data reaps thousands on black-market .onion websites accessible via Tor. For example, Hollywood Presbyterian Medical Center forked over $17,000 back in February 2016, and National Health Service hospitals in Scotland and England saw 70,000 connected devices, such as MRI scanners, theater equipment, and blood-storage refrigerators, damaged to some degree by SamSam.
Shipping company COSCO recently admitted ransomware crippled systems in several worldwide locations, including within the United States. Free email addresses offered by Yahoo and Gmail were harvested. NotPetya, an offshoot of the Petya crypto worm, affected the world’s largest container shipper, Maersk. FedEx sustained damage from WannaCry, too.
In fact, every industry that owns connected devices such as tablets, computers, servers, scanners, and highly-technical machinery can fall victim to ransomware. If it uses an Internet connection at any point, it’s fair game.
Companies can protect themselves
An ounce of prevention sure beats paying a massive ransom in Bitcoin. Unless you’re flush with cash and prepared to lose customer credit card information, sales data, an entire website and possibly the company itself, start by doing simple prep work, like:
- Disconnecting all network computers from the internet when a significant speed drop is recognized.
- Quickly identifying and applying all software and hardware updates.
- Creating local and online backups.
- Never using default passwords (like Admin123).
- Training employees to spot threats like ransomware, phishing, and vishing.
- Investing in comprehensive cybersecurity, whether it’s a dedicated in-house solution or an expert provider.
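A backup is only worth something if you can tell a clean copy from an encrypted one. The script below is an added example (not Absolute Logic’s code or any product mentioned here) that records a SHA-256 manifest of a backup tree and later verifies it, listing files that went missing, changed, or appeared. It uses only the Python standard library and builds its sample files in a temporary directory, so the numbers in its report come from constructed data, not from any real incident.

```python
"""Backup integrity manifest: build a SHA-256 manifest of a directory tree
and later verify it, reporting files that went missing, changed or appeared.

Added example for this article; not Absolute Logic's code. Assumes only the
Python standard library. Sample files are constructed in a temporary
directory so the script runs offline.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the tree on disk against a stored manifest.

    Returns three sorted lists: 'missing' (in manifest, not on disk),
    'changed' (digest differs) and 'new' (on disk, not in manifest).
    A ransomware run typically shows up as many 'changed' entries, or as
    many 'missing' plus 'new' entries when files are renamed to a ransom
    extension.
    """
    current = build_manifest(root)
    missing = sorted(k for k in manifest if k not in current)
    changed = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    new = sorted(k for k in current if k not in manifest)
    return {"missing": missing, "changed": changed, "new": new}


def demo() -> dict:
    """Constructed scenario: snapshot a small tree, then show what a
    verification pass reports after one file is overwritten and another
    renamed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "invoices").mkdir()
        (root / "invoices" / "q1.csv").write_text("id,amount\n1,100\n")
        (root / "notes.txt").write_text("quarterly notes\n")

        manifest = build_manifest(root)
        # The manifest must live off the protected host (offline media or a
        # separate account); round-tripping through JSON shows it serialises.
        manifest = json.loads(json.dumps(manifest))

        # Simulate damage: one file's contents overwritten, one renamed away.
        (root / "invoices" / "q1.csv").write_bytes(b"\x00garbage\xff")
        (root / "notes.txt").rename(root / "notes.txt.locked")

        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it once after each backup to write the manifest, and again before restoring; a report full of "changed" and "new" entries means the backup you are about to trust was taken after the encryption started. Keep the manifest itself with the offline copy, since anything writable from the infected host can be altered along with the data.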
Ransomware isn’t dying anytime soon, because as long as something of value is attainable, there will always be rogue organizations gutsy enough to hold data hostage. Take steps to keep your company safe.
Absolute Logic’s clients across four states and 40 industries are guided safely through the threat landscape. Our Absolute Security powered by CyberGuard360 includes a wide array of services such as system security suites, risk assessment, education, and training and disaster recovery, and we specialize in helping New York companies comply with 23 NYCRR 500. If you’d like us to put our expertise to work for you, we’d be happy to help. Call us at 844-315-9882 or use our contact form for a free consultation.