Ransomware

Another area of cybercrime that has mushroomed on the back of technology and social media is ransomware.

 

What actually is ransomware?

Ransomware is online criminal activity, direct or indirect, in which attackers use technology to threaten, blackmail, disable or damage IT systems and computers in order to extort a ransom from the victims: either to punish them or, more usually, in return for putting them back in the position they were in before the attack.

 

At the end of the day cyber criminals are interested in one main thing: how to steal your money. According to Kaspersky Lab, more than 6 million ransomware attacks had been reported in 2017 (to the end of March 2017), compared with 3 million in total for 2016.

There are reportedly now over 250 000 ransomware-type attacks per day.

 

 

This is what is known about the global cyber ransom attack of May 2017:

What happened?

Computers around the globe were compromised from Friday 12 May 2017 onwards through a security flaw in the SMBv1 file-sharing component of Microsoft Windows. The flaw is present in every version from Windows XP onwards; Microsoft had fixed it for supported versions in March 2017 (security bulletin MS17-010), but Windows XP, an older version that was no longer given mainstream support by the US giant, had not received the fix.

The so-called WannaCry ransomware encrypts the user's files and demands money, in the form of the virtual currency Bitcoin, in order to decrypt them.

How many countries were affected?

 

Certainly dozens, but precise numbers vary.

The Finland-based cyber security company F-Secure said 130 000 systems in more than 100 countries had been affected. Kaspersky Lab said it had recorded incidents in 74 countries, mostly in Russia, but noted that its visibility “may be limited and incomplete.”

The attack, which is thought to have been run by syndicates around the world rather than from Russia alone, severely disrupted the operations of major organisations. High-profile victims included hospitals in Britain (the NHS), the Spanish telecoms firm Telefonica, the carmakers Renault and Nissan (Renault halted production at several French sites), the US package delivery firm FedEx, Chinese traffic systems, Russia's interior ministry and the German rail operator Deutsche Bahn.

 

How did the attack spread worldwide? 

 

Experts said the ransom note is provided in dozens of languages, showing that the attackers intended to hit networks worldwide.

The malware spread quickly because its authors built in an exploit for that SMB flaw, known as EternalBlue, which is believed to have been developed by the US National Security Agency and was published in April 2017 by a group calling itself the Shadow Brokers, according to researchers at the Moscow-based computer security firm Kaspersky Lab. With that exploit on board, each infected machine scanned for and infected other unpatched machines on its own, with no user action required.

Russia and India were particularly hard hit because many machines there were still running older or unpatched versions of Windows.

Who was behind the attack?
At the time of writing, not known; security agencies in the affected countries were scrambling to find out.

The US security firm Symantec said the attack appeared to be indiscriminate, with small factories and schools also hit.

 

Why did the attack work?

The attack worked because of a "perfect storm" of conditions: a known and highly dangerous security hole in Microsoft Windows; users and administrators who had not applied Microsoft's March fix; and malware designed to spread on its own from machine to machine once inside a university, business or government network.

How can users protect their computers?
Apply the patch. Microsoft took the unusual step of issuing the fix it had released in March for supported systems also for Windows XP, Windows 8 and Windows Server 2003, versions that were out of support and would normally not have received it. Machines that cannot be patched should have SMBv1 disabled, and TCP port 445 should be blocked from the internet and, where practical, between workstations, so that one infected machine cannot reach the rest.

Kaspersky said it was seeking to develop a decryption tool "as soon as possible."
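Patching is the fix; a network defender also wants to know when a worm of this kind is already loose. The following is an added example, not code from the original article: a small detector that reads a connection log and flags any host that contacts many distinct peers on TCP port 445 within a short window, which is the signature of WannaCry-style SMB scanning. The log format, the thresholds (10 peers in 60 seconds) and the sample traffic are assumptions constructed for the example.

```python
"""Flag hosts that fan out to many SMB peers in a short window.

Added example, not code from the original article. WannaCry spread by
probing other machines on TCP/445 (SMBv1); an infected host opens
connections to dozens of distinct internal peers within seconds, which
no ordinary user does. The log format (one connection per line:
"<ISO timestamp> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>") and the
thresholds are assumptions chosen for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample connection log (not real traffic), one line per connection."""
    base = datetime(2017, 5, 12, 10, 0, 0)

    def at(**delta):
        return (base + timedelta(**delta)).isoformat()

    lines = []
    for i in range(16):   # infected host: 16 distinct peers on 445 in 16 seconds
        lines.append(f"{at(seconds=i)} 10.0.0.5 10.0.0.{20 + i} 445 ALLOW")
    for i in range(30):   # ordinary user: one file server, 30 connections in 10 minutes
        lines.append(f"{at(seconds=20 * i)} 10.0.0.7 10.0.0.10 445 ALLOW")
    for i in range(12):   # web browsing: many hosts, but on 443, not SMB
        lines.append(f"{at(seconds=i)} 10.0.0.8 93.184.216.{i} 443 ALLOW")
    for i in range(12):   # slow probe: 12 peers on 445, one every 3 minutes, some blocked
        lines.append(f"{at(minutes=3 * i)} 10.0.0.9 10.0.0.{40 + i} 445 {'DENY' if i % 2 else 'ALLOW'}")
    return lines


def parse_line(line):
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def find_smb_fanout(lines, window_seconds=60, min_peers=10, port=445):
    """Return {src_ip: (first_alert_time_iso, distinct_peers)} for every source
    that contacted at least `min_peers` distinct destinations on `port` within
    any `window_seconds` interval. Blocked attempts count too: a DENY still
    shows the source was probing."""
    window = timedelta(seconds=window_seconds)
    events = sorted(parse_line(line) for line in lines)  # chronological order
    recent = defaultdict(deque)   # src -> (ts, dst) pairs still inside the window
    alerts = {}
    for ts, src, dst, dport, _action in events:
        if dport != port:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        peers = {d for _, d in q}
        if len(peers) >= min_peers and src not in alerts:
            alerts[src] = (ts.isoformat(), len(peers))
    return alerts


if __name__ == "__main__":
    for src, (when, n) in find_smb_fanout(build_sample_log()).items():
        print(f"{when} {src} reached {n} distinct SMB peers within 60s")
```

Run on the sample, the only host flagged is 10.0.0.5; the ordinary user hammering one file server and the web browser hitting many hosts on 443 are not. Widening the window to an hour also catches the slow probe from 10.0.0.9, at the cost of more false positives on large flat networks, so the window and peer count should be tuned to what normal SMB traffic looks like on the network in question.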

How much ransom was asked?

Victims were asked for $300 in Bitcoin. Given the attack's widespread nature, even such a small sum would stack up quickly. By the time of writing the equivalent of about $50 000 had been paid by affected parties.

Payment was demanded within three days, after which the price doubled; if nothing was received within seven days the files would be deleted, according to the on-screen message. Experts advised users not to pay: there is no guarantee the criminals will actually decrypt anything, and every payment funds and encourages the next attack.

Another attack, in early May, involved Disney. Disney chief Bob Iger said that hackers claiming to hold a copy of one of the company's unreleased movies, speculated to be the latest in the Pirates of the Caribbean series, were demanding a "huge" ransom, payable in Bitcoin, to stop the movie being leaked online. The cyber-thieves threatened to release five minutes of the movie, followed by 20-minute segments, until the ransom was paid. It was also speculated that two other big Disney releases, the latest Star Wars film and the Cars animated movie, had been targeted. Strictly speaking this is data extortion rather than ransomware: nothing was encrypted, and the threat was publication.

Disney is not the only movie company to be hit. The hack followed a recent cyber attack on the internet streamer Netflix that led to 10 episodes of Orange is the New Black being leaked ahead of release.

Ransomware-style extortion is not aimed only at organisations.

Below is a summary of events that shows the impact of a cyber-extortion campaign on the owner of a South African business and his family, which in turn had a major impact on the operations of his group.

 

  • The owner of the billion-rand Century Property Development Company, Mark Arthur Corbett, and his family were the victims of a vicious multinational cyber-terrorism campaign. Corbett said in his affidavit that he, his family, employees, business partners and anyone connected to him in some way began receiving threatening emails from different, untraceable Gmail accounts. Aside from death threats, bomb threats were directed at his company's malls and lodges. Corbett said the loss to his businesses was enormous: every time a mall received a bomb threat it had to be evacuated and its shops closed, causing damage running into billions.

 

Even sporting events he was associated with were affected. A bomb threat was directed at the 94.7 Cycle Challenge, which was also associated with Century, and the organisers had to take extra precautions. Reddam schools were placed on high alert because of the threats, Corbett said. International investors put future projects worth R600 million on hold and no longer wanted to invest in South Africa.

 

The personal damage to his family was far greater. He was forced to withdraw his children, aged 5, 7 and 9, from school from October 2016 until the end of the school year, as he could not adequately protect them, or the other children at the school, who might also have been endangered had they continued to attend.

 

The bomb threats were traced to a domain originating in the Philippines, and the perpetrators used prepaid SIM cards from the Philippines to roam in South Africa. Corbett said the perpetrators were sophisticated, hid their identity and changed their modus operandi often.

 

One of the threats came from the email address tinswalopropertygroup@gmail.com. Corbett said that one day, in a desperate attempt to get the threats to stop, he emailed back. A man using the pseudonym John Wayne replied, saying he was for sale and would stop if given money. John Wayne said there was a contract worth $50 000, of which $15 000 had been paid, and that they would stop if Corbett paid the balance. Corbett paid the money into a bank account in the Philippines.

 

John Wayne said they would reveal who had hired him, and sent the name of the person cited as the second respondent in the court papers. Corbett was sent Facebook and WhatsApp correspondence, allegedly between the respondent and John Wayne, in which Wayne was asked to destroy Corbett and to send bomb threats. According to one plan, family members were to be shot or abducted on 17 February 2017.

Corbett was given the logins for these accounts and began communicating with the respondent. At first he was not sure who he was speaking to, but as time went on he said he became certain it was the respondent using the Facebook profile.

 

The last message sent was one in which the respondent instructed John Wayne to shoot either Corbett's parents or his wife, and "if they die so much the better". They wanted Corbett shot and a real bomb planted in two of the shopping centres. Another message stated that Corbett's children should be given Easter eggs as it would be their last Easter.

 

Corbett said he had had business dealings with the two respondents. The threats appeared to stem from a personal vendetta over land worth R140 million, bought from the respondents' company in order to build a private school, which had led to a dispute and arbitration.

 

Police have since swooped on the alleged perpetrators of the threats and, under a search-and-seizure warrant, removed electronic devices including cellphones, cameras, USB devices, memory cards, tablets and computers.

What do you then need to do?

Exposure to ransomware is inevitable for everyone. Cyber resilience needs to be built up in both process and technology. Know your vulnerabilities and patch them: operating systems and applications must be kept current with the latest security patches. How the business responds to an attack, and how it recovers from one, are critical considerations, and controls need continual refinement by businesses and users alike. A cyber security expert has warned people not to open unexpected emails and to update their security software urgently. Many ransomware campaigns start as unsolicited mail that appears to come from a reputable source; once the link is clicked or the attachment opened, the malware runs, and where it carries a worm component, as WannaCry did, it then spreads across the network to other unpatched machines without anyone else having to click anything.

 

As these attacks are multi-layered, the defence must be too: awareness among users and staff; automated filtering of e-mail and of the links and attachments it carries; regular backups kept offline or otherwise out of reach of an attacker holding the user's credentials (a backup the ransomware can also encrypt is no backup); encryption of sensitive data; and recovery plans that have actually been tested.
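The e-mail layer of that defence can be partly automated. The following is an added example, not code from the original article: it parses an inbound message and reports the traits the article warns of, namely a display name that borrows a reputable brand while the sending domain is unrelated, a Reply-To that points elsewhere, link text showing one domain while the href goes to another, and attachments with script or double extensions. The brand list, the heuristics and the two sample messages are assumptions constructed for the example.

```python
"""Triage an inbound e-mail for the traits the article warns about.

Added example, not code from the original article. The brand list, the
heuristics and both sample messages are assumptions constructed for the
example; the screen is a triage aid feeding a quarantine or review queue,
not a verdict.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: brands the organisation deals with and the domains they really mail from.
KNOWN_BRANDS = {"fedex": "fedex.com", "microsoft": "microsoft.com"}
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".jar", ".docm", ".zip")
DOUBLE_EXTENSION = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.[a-z0-9]{1,4}$")
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample: a delivery-notice lure with a decoy link and a script attachment.
SAMPLE_EML = """\
From: "FedEx Delivery" <notice@fedex-tracking-update.net>
Reply-To: claims@mail.example.org
To: someone@example.com
Subject: Your package could not be delivered
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Your parcel is on hold. Confirm here:
<a href="http://fedex.com.tracking-portal.example.net/claim">http://www.fedex.com/track</a></p>
--b1
Content-Type: application/octet-stream; name="Invoice_4471.pdf.js"
Content-Disposition: attachment; filename="Invoice_4471.pdf.js"

dmFyIHg9MTs=
--b1--
"""

# Constructed sample: an ordinary internal message with nothing to flag.
CLEAN_EML = """\
From: "Alice Example" <alice@example.com>
To: someone@example.com
Subject: Lunch
Content-Type: text/plain

See you at 12.
"""


def registered_domain(host):
    """Crude eTLD+1 (last two labels); fine here, use a public-suffix list in production."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def screen_message(raw):
    """Return a list of (code, detail) findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    for brand, real_domain in KNOWN_BRANDS.items():   # brand in display name, sender elsewhere
        if brand in name.lower() and registered_domain(from_domain) != real_domain:
            findings.append(("brand-spoof", f"display name claims {brand} but sender is {from_domain}"))

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:   # replies diverted elsewhere
        findings.append(("reply-to-mismatch", f"replies go to {domain_of(reply_addr)}, not {from_domain}"))

    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            lower = filename.lower()
            if lower.endswith(RISKY_EXTENSIONS):
                findings.append(("risky-attachment", f"{filename} is a script or executable"))
            if DOUBLE_EXTENSION.search(lower):   # e.g. Invoice.pdf.js pretending to be a PDF
                findings.append(("double-extension", f"{filename} hides its real type"))
        elif part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for href, text in ANCHOR.findall(body):
                shown = text.strip()
                if shown.startswith(("http://", "https://")):   # visible URL vs real target
                    shown_host = urlparse(shown).hostname or ""
                    real_host = urlparse(href).hostname or ""
                    if registered_domain(shown_host) != registered_domain(real_host):
                        findings.append(("link-mismatch", f"text shows {shown_host} but goes to {real_host}"))
    return findings


if __name__ == "__main__":
    for code, detail in screen_message(SAMPLE_EML):
        print(f"{code}: {detail}")
```

Each finding is a reason to quarantine or route the message for review rather than a hard block: a genuine message from a fedex.com address with no attachment produces no findings, while a legitimate newsletter whose links go through a tracking redirector will trip the link-mismatch rule, so in practice the rules are weighted and tuned against the organisation's own mail.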

 

As terrifying as the unprecedented global ransomware attack was, cybersecurity experts say it is nothing compared with what might be coming, especially if companies and governments don't take preventive measures and make major fixes. Had it not been for a young cybersecurity researcher's accidental discovery of a so-called "kill switch" (a domain name the malware checked before running; registering that domain stopped new infections in their tracks), the malicious software would likely have spread much further and faster than it did.