Stolen Nude Photos & Hacked Defibrillators: Is This The Future Of Ransomware?

The destructive potential of ransomware, the malicious software that is used to extort money from victims, is huge: in the first half of 2017, two major outbreaks, WannaCry and NotPetya, led to service outages from organisations around the world.

A third of the UK’s National Health Service was hit by WannaCry, and the outbreak was estimated by risk modelling firm Cyence to have cost up to $4bn in lost revenues and mitigation expenses.

Then, a month later, NotPetya (so-called because it is not Petya, another type of ransomware with which it was initially mistaken), brought down a significant chunk of the Ukrainian government, pharmaceutical company Merck, shipping firm Maersk, and the advertising agency WPP, as well as the radiation monitoring system at Chernobyl.

But while both outbreaks wrought huge costs on the organisations they infected, they were surprisingly unrewarding for their creators.

The WannaCry payment address has taken just $149,545 (£113,814) to date, while the NotPetya address took much less: £8,456 ($11,181).

The problem the criminals face, says Marcin Kleczynski, the chief executive of information security firm Malwarebytes, is that “people have become desensitised to common ransomware, where it just encrypts your files”.

The criminals hope that people will face the loss of their digital memories, or critical business documents, and pay a few hundred dollars for the key to decrypt them. In practice, says Kleczynski, a growing number of victims simply shrug their shoulders and restore from a backup.

“You look at the bitcoin addresses, they’re not well funded. You see a couple of thousand dollars at best,” he adds. “So how does the criminal step up his or her game?”

Kleczynski, and his colleague, Adam Kujawa, who directs research at Malwarebytes, predict that criminals will evolve new ways of encouraging victims, both corporate and individual, to pay up rather than simply restoring from backups and ignoring the payment request.

New on the scene is a form of ransomware known as “doxware”. “Basically what it says is ‘pay, or we’ll take all the stuff we encrypted and we’ll put it online with your name on it’,” says Kujawa.

The name comes from “doxing”, the term for publishing private information on the Internet to bully, threaten or intimidate, and the idea of automating it isn’t hypothetical.

A number of similar attacks have already occurred in the wild. At one end of the spectrum was the Chimera ransomware, which hit German companies in 2015. The malware encrypted files and asked for around £200 ($260) to return them, but also came with the warning that if victims did not pay up, “we will publish your personal data, photos and videos and your name on the internet”.

Chimera, however, didn’t actually have the capability to publish anything online – the warning was bluster, designed to scare victims into paying up. But in other cases, the threat of publishing data is very real.

In May, hackers stole files from a Lithuanian plastic surgery clinic, containing highly personal information about 25,000 former clients: names, addresses and procedures performed, as well as passport scans, national insurance numbers and nude photos of patients.

They put the database online through the encrypted network Tor, and asked for payments from individual patients to remove their personal information from the site. Prices started at €50 for those patients who just had names and addresses in the site, but rose to €2,000 for the more invasive information stolen.

Recently, HBO faced its own threat, with 1.5TB of video stolen by hackers, including unaired episodes of Game of Thrones, and being held to ransom.
 
But currently, the hack-and-leakers are working on a manual, boutique basis: picking their targets where they can find them, and doing the hard work of monetising the attack manually.

There’s no reason, however, why the same technique can’t be loaded in to a similar piece of software to WannaCry and NotPetya – a so-called “ransomworm”, which jumps from computer to computer automatically, encrypting information as it goes.

With WannaCry, Kleczynski said, the propagation side of the malware was a “cruise missile” – but the actual payload was a rubber bullet. The malware used an exploit stolen from the NSA by a mysterious hacker organisation calling itself the Shadow Brokers, which allowed it to jump between Windows machines with abandon.

A fix for the exploit had only been released a couple of months earlier, and many hadn’t installed it at all, allowing the malware to spread rapidly.

But when it did arrive on computers, it was nowhere near as bad as it could have been. WannaCry was shoddily put together, with a decryption key which was poorly hidden in the computer (allowing some affected machines to be decrypted for free if they hadn’t been restarted), a kill switch, rapidly discovered by a British researcher, that stopped it in its tracks. And even the worst-hit machines could be fixed from backups.

One line of thinking with both WannaCry and NotPetya says the failures to successfully monetise the outbreaks was deliberate.

Security experts have suggested that both malware variants may be the work of state-sponsored actors, WannaCry to N. Korea, according to GCHQ and the NSA, and NotPetya to Russia, according to Ukraine – and there is a possibility that the intention wasn’t to raise money at all, but to provide plausible deniability for simply damaging as many computers as possible.

Both North Korea and Russia have also been linked to hack-and-leak attacks, North Korea is believed to be behind the 2014 hack of Sony Pictures, while Russian actors are linked with the hacks on the Democratic Party during the US General Election. Those attacks show the potential effectiveness of a wider doxware outbreak.

A ransomworm anywhere near the scale of WannaCry that dumped information online would be one of the greatest privacy breaches in history, or one of the greatest moneymaking opportunities ever found through cybercrime. But this is just one potential future for ransomware.

“Imagine somebody that has a botnet,” says Kleczynski, referring to a collection of compromised computers, such as the Mirai botnet made out of millions of hacked Internet of Things devices. “[Imagine them] being able to point it at, say, the British airways ticketing system.”

A so-called distributed denial of service attack, literally overloading the site with traffic from hacked devices, is very difficult to guard against, and as long as it went on it would cost the target millions of dollars a day. “You aren’t holding files hostage, you’re holding uptime hostage. There’s no restoring from backup there.”

Instead of holding uptime hostage, what about drive-time? “Ransomware on your car is definitely possible,” said Craig Smith, research director of transportation at Rapid7. “It’s way easier to secure a car, but it isn’t too hard to put up a ransom screen. And who’s going to risk driving a compromised vehicle?”

Maybe that’s not science fiction enough. In December, an investigation of 10 implantable cardiac defibrillators found “serious protocol and implementation weaknesses”, allowing an attacker to trick the device into keeping its communication channels open until the battery is flat. Holding a heart hostage? You wouldn’t want to try and restore that from a backup.

Guardian

You Might Also Read:

Cyber Wae Takes a New Turn:

The Stage IsSet For Cyber War:

 

« 71% Of SMEs Unprepared For Cyber Risks
The Stage Is Set For Cyber War »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

CrowdStrike

CrowdStrike

CrowdStrike is a global provider of security technology and services focused on identifying advanced threats and targeted attacks.

Brookings Institution

Brookings Institution

The Brookings Institution is a nonprofit public policy organization. Cyber security is covered within the various study areas.

Agenci

Agenci

Agenci are specialists in cyber security and information security and deliver ISO 27001 Certification.

Information Security Forum (ISF)

Information Security Forum (ISF)

The ISF is a leading authority on information security and risk management.

Ionic Security

Ionic Security

Ionic provide a high-assurance data protection and control platform built on strong encryption, fine-grain control and contextual analytics.

LRQA Nettitude

LRQA Nettitude

LRQA Nettitude is an award-winning global provider of cybersecurity services, bringing innovative thought leadership to the ever-evolving cybersecurity marketplace.

WizNucleus

WizNucleus

WizNucleus develops, markets and supports a software platform (Cyberwiz-Pro) that enables Critical Infrastructure enterprises to ensure the future state of their cybersecurity and remain compliant.

CYSEC Academy

CYSEC Academy

CYSEC Academy offer cyber certifications, cyber assurance and cyber defense training, hands-on learning training modules, public, private and bespoke training courses.

Uniwan

Uniwan

Uniwan is an IT services company specializing in networking and security.

HUB Security

HUB Security

Hub Security provide Ultra Secure, Military Grade HSM (Hardware Security Module) Solutions for Blockchain and Digital Assets.

Deepwatch

Deepwatch

deepwatch’s cloud SecOps platform and relentless customer focus are redefining the managed security services industry.

Fortify 24/7

Fortify 24/7

Fortify 24×7 provides a robust portfolio of managed cybersecurity solutions to help you identify and prevent attacks.

Aleo

Aleo

Aleo is building the world's leading developer platform for enabling absolute privacy on blockchains.

SignalFire

SignalFire

SignalFire invest across both enterprise and consumer sectors at the seed and early growth stages.

Avalor

Avalor

Avalor are on a mission to help security teams make faster, more accurate decisions by making sense of their data. With Avalor you can bring in data from anywhere, normalize it and analyze it.

Spirit Technology Solutions

Spirit Technology Solutions

Spirit Technology Solutions is a modern workplace services provider committed to delivering solutions that embody our core principles of security, sustainability, and scalability.