Stolen Nude Photos & Hacked Defibrillators: Is This The Future Of Ransomware?

The destructive potential of ransomware, the malicious software that is used to extort money from victims, is huge: in the first half of 2017, two major outbreaks, WannaCry and NotPetya, led to service outages from organisations around the world.

A third of the UK’s National Health Service was hit by WannaCry, and the outbreak was estimated by risk modelling firm Cyence to have cost up to $4bn in lost revenues and mitigation expenses.

Then, a month later, NotPetya (so-called because it is not Petya, another type of ransomware with which it was initially mistaken), brought down a significant chunk of the Ukrainian government, pharmaceutical company Merck, shipping firm Maersk, and the advertising agency WPP, as well as the radiation monitoring system at Chernobyl.

But while both outbreaks wrought huge costs on the organisations they infected, they were surprisingly unrewarding for their creators.

The WannaCry payment address has taken just $149,545 (£113,814) to date, while the NotPetya address took much less: £8,456 ($11,181).

The problem the criminals face, says Marcin Kleczynski, the chief executive of information security firm Malwarebytes, is that “people have become desensitised to common ransomware, where it just encrypts your files”.

The criminals hope that people will face the loss of their digital memories, or critical business documents, and pay a few hundred dollars for the key to decrypt them. In practice, says Kleczynski, a growing number of victims simply shrug their shoulders and restore from a backup.

“You look at the bitcoin addresses, they’re not well funded. You see a couple of thousand dollars at best,” he adds. “So how does the criminal step up his or her game?”

Kleczynski, and his colleague, Adam Kujawa, who directs research at Malwarebytes, predict that criminals will evolve new ways of encouraging victims, both corporate and individual, to pay up rather than simply restoring from backups and ignoring the payment request.

New on the scene is a form of ransomware known as “doxware”. “Basically what it says is ‘pay, or we’ll take all the stuff we encrypted and we’ll put it online with your name on it’,” says Kujawa.

The name comes from “doxing”, the term for publishing private information on the Internet to bully, threaten or intimidate, and the idea of automating it isn’t hypothetical.

A number of similar attacks have already occurred in the wild. At one end of the spectrum was the Chimera ransomware, which hit German companies in 2015. The malware encrypted files and asked for around £200 ($260) to return them, but also came with the warning that if victims did not pay up, “we will publish your personal data, photos and videos and your name on the internet”.

Chimera, however, didn’t actually have the capability to publish anything online – the warning was bluster, designed to scare victims into paying up. But in other cases, the threat of publishing data is very real.

In May, hackers stole files from a Lithuanian plastic surgery clinic, containing highly personal information about 25,000 former clients: names, addresses and procedures performed, as well as passport scans, national insurance numbers and nude photos of patients.

They put the database online through the encrypted network Tor, and asked for payments from individual patients to remove their personal information from the site. Prices started at €50 for those patients who only had names and addresses on the site, but rose to €2,000 for the more invasive information stolen.

Recently, HBO faced its own threat, with 1.5TB of video stolen by hackers, including unaired episodes of Game of Thrones, and being held to ransom.
But currently, the hack-and-leakers are working on a manual, boutique basis: picking their targets where they can find them, and doing the hard work of monetising the attack manually.

There’s no reason, however, why the same technique can’t be loaded into a piece of software similar to WannaCry and NotPetya – a so-called “ransomworm”, which jumps from computer to computer automatically, encrypting information as it goes.

With WannaCry, Kleczynski said, the propagation side of the malware was a “cruise missile” – but the actual payload was a rubber bullet. The malware used an exploit stolen from the NSA by a mysterious hacker organisation calling itself the Shadow Brokers, which allowed it to jump between Windows machines with abandon.

A fix for the exploit had only been released a couple of months earlier, and many hadn’t installed it at all, allowing the malware to spread rapidly.

But when it did arrive on computers, it was nowhere near as bad as it could have been. WannaCry was shoddily put together, with a decryption key that was poorly hidden on the computer (allowing some affected machines to be decrypted for free if they hadn’t been restarted), and a kill switch, rapidly discovered by a British researcher, that stopped it in its tracks. And even the worst-hit machines could be fixed from backups.

One line of thinking with both WannaCry and NotPetya says the failure to successfully monetise the outbreaks was deliberate.

Security experts have suggested that both malware variants may be the work of state-sponsored actors: WannaCry attributed to North Korea, according to GCHQ and the NSA, and NotPetya to Russia, according to Ukraine – and there is a possibility that the intention wasn’t to raise money at all, but to provide plausible deniability for simply damaging as many computers as possible.

Both North Korea and Russia have also been linked to hack-and-leak attacks: North Korea is believed to be behind the 2014 hack of Sony Pictures, while Russian actors are linked with the hacks on the Democratic Party during the US general election. Those attacks show the potential effectiveness of a wider doxware outbreak.

A ransomworm anywhere near the scale of WannaCry that dumped information online would be one of the greatest privacy breaches in history, or one of the greatest moneymaking opportunities ever found through cybercrime. But this is just one potential future for ransomware.

“Imagine somebody that has a botnet,” says Kleczynski, referring to a collection of compromised computers, such as the Mirai botnet made out of millions of hacked Internet of Things devices. “[Imagine them] being able to point it at, say, the British Airways ticketing system.”

A so-called distributed denial of service attack, literally overloading the site with traffic from hacked devices, is very difficult to guard against, and as long as it went on it would cost the target millions of dollars a day. “You aren’t holding files hostage, you’re holding uptime hostage. There’s no restoring from backup there.”

Instead of holding uptime hostage, what about drive-time? “Ransomware on your car is definitely possible,” said Craig Smith, research director of transportation at Rapid7. “It’s way easier to secure a car, but it isn’t too hard to put up a ransom screen. And who’s going to risk driving a compromised vehicle?”

Maybe that’s not science fiction enough. In December, an investigation of 10 implantable cardiac defibrillators found “serious protocol and implementation weaknesses”, allowing an attacker to trick the device into keeping its communication channels open until the battery is flat. Holding a heart hostage? You wouldn’t want to try and restore that from a backup.

Guardian
