2016: The Year of Ransomware

In all likelihood, 2016 will be forever remembered as The Year of Ransomware, in the same way that 2014 was the year of the healthcare data breach.

2016 Will be Remembered as The Year of Ransomware

Ransomware first appeared in the late 1980’s, although at the time, cybercriminals did not fully embrace it. Instead, they favored viruses, worms, and other forms of malware. That’s not to say that ransomware was not used, only that there were more lucrative ways for cybercriminals to make money.

That all started to change in 2015, when the popularity of cryptomalware was fully realized. By 2016, many actors had got in on the act and the number of ransomware variants started to soar, as did attacks on healthcare providers, educational institutions, government departments, businesses, and even law enforcement agencies. In 2016, it appeared that no one was immune to attack. Many organizations were simply not prepared to deal with the threat.

Early in the year it became clear that healthcare organizations were starting to be targeted for the first time. In February, one of the most notable ransomware attacks of the year occurred. Hollywood Presbyterian Medical Center in Hollywood, CA., was attacked and its computers were taken out of action for well over a week while the medical center grappled with the infection. The decision was taken to pay the ransom demand of $17,000 to obtain the key to decrypt its data.

Not long afterwards, MedStar Health suffered a massive infection involving many of the computers used by the hospital system. In that case, the $19,000 ransom was not paid. Instead, encrypted data were recovered from backups, although the disruption caused was considerable. 10 hospitals and more than 250 outpatient centers had their computers shut down as a result of the infection and many operations and appointments had to be cancelled.

In the first quarter of 2016 alone, the FBI reported that more than $206 million in ransom payments had been made by companies and organizations in the United States. To put that figure in perspective, just $24 million had been paid in the whole of 2015 – That represents a 771% increase in ransom payments and only three months had passed. The year of ransomware had barely even begun!

Biggest Ransomware Threats in 2016

TeslaCrypt was one of the biggest ransomware threats at the start of the year, although the emergence of Locky ransomware in February saw it become an even bigger threat. It soon became the ransomware variant of choice. Locky was used in attacks in 114 countries around the world last year, and cybercriminals continue to tweak it and release new variants. Locky has yet to be cracked by security researchers. Then came Cerber, CryptXXX, Petya (which was defeated in April), and Dogspectus for smartphones, to name just a few.

By the summer, The Guardian newspaper reported that 40% of UK businesses had been attacked with ransomware, although the majority of ransomware attacks were concentrated in the United States. By the autumn, more than 200 ransomware families had been discovered, each containing many variants.

Reports of attacks continued to flood in over the course of the year, with ransomware arguably the biggest cybersecurity threat seen in recent years.

2016 was certainly The Year of Ransomware, but 2017 doesn’t look like it will get any easier for security professionals. In fact, 2017 is likely to be even worse. Some experts have predicted that ransomware revenues will reach $5 billion in 2017.

You can find out more interesting – and horrifying – ransomware statistics by clicking the image below to view the TitanHQ ransomware infographic. The ransomware infographic also includes information on the protections that should be put in place to prevent ransomware attacks and the encryption of sensitive data.

 

The Year of Ransomware

Should Malware Protection at the ISP Level be Increased?

Consumers and businesses need to take steps to protect their computers from malware infections, but should there be more malware protection at the ISP level?

Businesses and personal computer users are being infected with malware at an alarming rate, yet those infections often go unnoticed. All too often malware is silently downloaded onto computers as a result of visiting a malicious website.

Websites containing exploit kits probe for vulnerabilities in browsers and plugins. If a vulnerability is discovered it is exploited and malware is downloaded. Malware can also easily be installed as a result of receiving a spam email – if a link is clicked that directs the email recipient to a malicious website or if an infected email attachment is opened.

Cybercriminals have got much better at silently installing malware. The techniques now being used see attackers install malware without triggering any alerts from anti-virus software. In the case of exploit kits, zero-day vulnerabilities are often exploited before anti-virus vendors have discovered the flaws.

While malware infections may not be detected by end users or system administrators, that does not necessarily mean that those infections are not detected. Internet Service Providers – ISPs – are in a good position to identify malware infections from Internet traffic and an increasing number are now scanning for potential malware infections.

ISPs are able to detect computers that are being used for malicious activities such as denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, and doing so is a relatively easy process.

Malware Protection at the ISP Level

Malware protection at the ISP level involves implementing controls to prevent malware infections and notifying consumers when malicious activity is detected.

ISPs can easily check for potential malicious activity on IP addresses, although blocking those IP addresses is not the answer. While some computers are undoubtedly knowingly used for malicious purposes, in many cases the users of the computers are unaware that their device has been compromised.

ISPs can however alert individuals to a potential malware infection when suspicious activity is identified. Warning emails can be sent to end users to advise them that their computer is potentially infected with malware. Those individuals can be sent a standard email template that contains instructions on how to check for a malware infection.

An increasing number of ISPs are now performing these checks and are notifying their customers of suspicious activity. Many ISPs in Europe provide this cybersecurity checking service and Level 3 Communications is one such ISP that is taking the lead.

The ISP is assessing Internet traffic and is identifying potentially malicious activity associated with certain IP addresses. So far, the ISP has created a database containing around 178 million IP addresses that are likely being used for malicious activity. Many of those IP addresses are static and are part of a botnet. Level3 Communications has estimated that around 60% of those IP addresses have been added to a botnet and 22% of the suspicious IP addresses are believed to be used to send out phishing email campaigns.

The content of Internet traffic is not investigated, although the ISP has been able to determine the IP addresses being used and those which are being sent messages and Internet traffic. While the IP addresses are known, the individuals that use those IP addresses are not. In order to notify individuals of potential infections, Level3 Communications is working with hosting providers. Once the individuals are identified they are contacted and advised of a potential malware infection.

The war on cybercrime requires a collaborative effort between law enforcement, governments, ISPs, and consumers. Only when all of those parties are involved will it be possible to curb cybercrime. Consumers can take steps to prevent infection, as can businesses, but when those measures are bypassed, ISPs can play their part.

If all ISPs were to conduct these checks and send out alerts, malware infections could be tackled and life would be made much harder for cybercriminals.

ISP Web Filtering for WiFi Networks – Protecting Consumers from Malware Infections

Notifying consumers about malware infections is one thing that should be considered, but malware protection at the ISP level should be implemented to prevent consumers and businesses from being infected in the first place.

ISPs can implement web filtering controls to block the accessing of illegal website content such as child pornography. The same technology can also be used to block websites known to contain malware. Broadband providers can implement these controls to protect consumers, and providers of public Internet can use web filtering for WiFi networks.

WiFi filters have already been implemented on the London Underground to prevent users from accessing pornography. Those controls can be extended to block websites known to be malicious. In the UK, Sky WiFi networks use filtering controls to block certain malicious and inappropriate website content from being accessed to better protect consumers. Effective malware protection at the ISP level not only keeps consumers protected, it is also a great selling point in a highly competitive market.

If you are an ISP and are not yet using filtering controls to protect your customers, speak to TitanHQ today and find out more about malware protection at the ISP level and how low-cost web filtering controls can be implemented to keep customers better protected.

Library WiFi Filtering Bill Signed Off by Utah Senators

In Utah, lawmakers are attempting in make it harder for pornography to be accessed, especially in libraries. A new bill has been introduced that would make it compulsory for library WiFi filtering to be implemented to block patrons from accessing pornography. That bill has now been signed off by a group of Utah senators, bringing the compulsory use of library WiFi filtering closer to being written into the state legislature.

Last year, Sen. Todd Weiler, R-Woods Cross, was heavily involved in a campaign to raise awareness of the problems related to the accessing of hardcore pornography, with the senator claiming the use of pornography had now become “a public health crisis.”

Sen. Weiler, was not alone in his thinking. Many people supported the campaign and agreed that pornography was particularly damaging for minors, that its use threatened marriages and was contributing to the rise in sexual violence.

Library WiFi filtering is a contentious issue. While many libraries across the United States have implemented a WiFi filter to block pornography and other harmful images to protect minors and obtain government grants and discounts, many librarians are opposed to library WiFi filtering.

Libraries are places of learning where individuals can come to gain access to all types of information. The use of Internet filtering in libraries is seen as excessively curbing civil liberties and undermining freedom of speech. Public opinion is similarly divided, although many individuals would not want to catch a glimpse of hardcore pornography on another patron’s computer, and even less so their children.

In Utah, the majority of libraries have already implemented library WiFi filtering software. Weiler says that there are more than 100 public libraries in the state and that the larger libraries are already filtering out pornography. However, he pointed out that there are a dozen or so smaller library branches that have yet to implement Internet filtering on WiFi networks.

In the case of small libraries, there may not be sufficient funds available for WiFi filtering solutions to be purchased, even if by implementing those solutions savings could be made through the eRate program. Sen. Weiler appreciates that the cost of implementing a software solution may be prohibitively expensive for smaller libraries, which is why he is requesting $50,000 from the state budget to be made available to smaller libraries via a grant program. Those grants could then be used to pay for Internet filtering solutions for libraries in the state that have yet to purchase a filtering solution.

Now that the bill has been signed off, it will go before the senate for debate, although there is a high probability that the bill will be written into state law. Support for Sen. Weiler’s anti-pornography campaign last year was strong and many members of the chamber and house of representatives backed Sen. Weiler’s campaign last year. The campaign also received public backing from the governor of Utah.

The Email Archiving Cost is Lower Than You May Think

The email archiving cost can be avoided, but fail to use an email archiving service at your peril. Huge fines await organizations that cannot recover emails promptly.

U.S. businesses are required are required to keep emails for several years. The IRS requires all companies to keep emails for 7 years, the FOIA requires emails to be kept for 3 years, and 7 years again for Healthcare organizations (HIPAA), public companies (Sarbanes Oxley), banking and finance (Gramm-Leach-Bliley Act) and securities firms (SEC).

While large firms are able to absorb the cost of email archiving, many SMBs look at the email archiving cost and try to save money by opting for backups instead. While it is possible to save on the email archiving cost by using backups, the decision not to use an email archiving service could prove to be very costly indeed.

Email backups can serve the same purpose as email archiving in the sense that both can be used to keep old emails. However, while an email backup can help a business protect against data loss, if ever there is a need to recovery backed up emails, companies often encounter problems.

Email backups are fine for recovering entire email accounts (mostly). In the event of a malware or ransomware attack, email backups can be used to recover entire email accounts. However, what happens if only certain emails need to be found – for eDiscovery purposes in the event of a lawsuit for example?

An eDiscovery order may be received that requires all email correspondence sent to a particular client or customer to be retrieved. Such a request may require emails from 100s of employees to be located. Those emails may date back several years. Finding all emails would be an incredibly time consuming process, and it may not actually be possible to recover all correspondence. Backup files cannot easily be searched. They are just data repositories, not a well-managed archive.

An email archive on the other hand is different. Not only can individual emails be easily recovered, the entire archive can be quickly and easily searched. If an eDiscovery request is received, all requested emails can be quickly and easily recovered. The process is likely to take minutes. The recovery of files from a backup could take weeks or even months, assuming that the task is even possible.

Email backups fail surprisingly often. The recent spate of ransomware attacks has highlighted a number of examples of data backups that have been corrupted, leaving organizations little option but to pay the attackers for a key to decrypt locked data. In the case of a ransomware infection, the ransom payment may be hundreds, thousands or even tens of thousands of dollars. However, the failure to produce email correspondence for eDiscovery or a compliance audit can be even higher.

Non-compliance with the Sarbanes-Oxley Act and other industry legislation can see fines of several million dollars issued. Only last year, Scottrade was issued with a fine of $2.6 million by the Financial Industry Regulatory Authority (FINRA). Scottrade had kept records of its emails, but not a complete record. More than 168 million emails had not been retained that should have been present in an archive. As Brad Bennett, Executive Vice President and Chief of Enforcement at FINRA explained when announcing the fine, “Firms must maintain sound supervisory systems and procedures to ensure the integrity, accuracy, and accessibility of electronic books and records.” That includes email correspondence.

The cost of email archiving is not only low compared to the cost of a regulatory fine, email arching is actually inexpensive, especially when using a cloud-based email archiving solution such as ArcTitan. Being cloud-based, emails are securely stored without the need for any additional hardware. Business can rest assured that no email will ever be lost.

In the event of an eDiscovery order, any email can be retrieved almost instantly, regardless of when the email was archived. No specific software is required as emails can be archived from Office 365 and archived messages can be accessed easily using an Outlook plug-in or even directly from the browser. Furthermore, the load on an organization’s email server can be greatly reduced. Reductions of 80% have been seen by a number of TitanHQ’s clients.

To find out more about the full benefits of email archiving and the features of ArcTitan, give the TitanHQ sales team a call today. We think you will be pleasantly surprised at how low the email archiving cost can be.

University Cyberattack Involved Campus Vending Machines and 5,000 IoT Devices

A recent university cyberattack in the United States resulted in more than 5,000 systems being taken out of action.

The university cyberattack only became apparent after the IT department was flooded with complaints from staff and students that the Internet had slowed to a snail’s pace. By the time that the cyberattack was identified, the attack had spread to multiple systems and devices, resulting in major headaches for the IT department. Attempts were made to bring systems back online but they failed. Not only had IoT devices been compromised, passwords were changed by the attackers. The IT department was locked out and was prevented from gaining access to any of the compromised devices.

The attack involved a range of devices. Even campus vending machines had been loaded with malware and were under the control of the attackers. In total, 5,000 smart devices were compromised in the attack and had been added to an emerging IoT botnet.

An investigation was launched which revealed the extent of the attack. Virtually the entire IoT network had been lost to the attackers. Everything from smart lightbulbs in street lamps to drink-dispensing vending machines had been infected with malware and made part of a botnet.

The IoT devices were making hundreds of DNS lookups, preventing users from performing web searches or visiting websites. In this case, the devices were being used to make seafood-related searches. So many searches that genuine use of the Internet was prevented.

Once the first devices were compromised, the infection spread rapidly. Every IoT device connected to the network was attacked, with the devices brute-forced until the correct username and password combo was found. The devices were then loaded with malware and added to the botnet. The speed at which the IoT devices were compromised and loaded with malware was due to the use of weak passwords and default login credentials. The university, for convenience, had also made the mistake of loading all IoT devices onto one network.

Once the attackers had gained access to an IoT device and loaded their malware, they had full control of the device. To prevent removal of the malware, the attackers changed the password on the device, locking the IT department out.

Once that had occurred, the only way the IT department thought it would be possible to remove the malware and regain control would be to replace every IoT device. All 5,000 of them.

However, before such a drastic measure was taken, the university sought external assistance and was advised to use a packet sniffer to intercept clear-text passwords sent by the attackers to the malware-compromised devices. The university was able to read the new passwords and regain access to its IoT devices. Passwords were then changed on all 5,000 devices and the malware was removed.

A university cyberattack such as this can cause considerable IT headaches, major disruption for staff and students, and involves a not insignificant resolution cost. However, the university cyberattack could have been avoided. Even if an attack was not prevented, its severity could have been greatly reduced.

Had strong passwords been set, the attackers would have found it much harder to infect devices, buying the IT department time and allowing action to be taken to mitigate the attack.

While it is easy to see why all IoT devices were included on a single network, such a move makes it far too easy for cybercriminals to spread malware infections. It is never wise to put all of one’s eggs in the same basket. It is also important to ensure that networks are separated. If access to devices on one network is gained, damage will be limited.