The FBI has issued a warning that ransomware attacks are on the rise, along with some tips for how to deal with the threat.
Ransomware is malware, usually delivered by email, that encrypts the files on a computer or network and withholds the decryption key until the victims pay a ransom to the attackers. The FBI bulletin includes a good description of what ransomware threats look like and what happens when an infected file or hyperlink is accessed:
In a ransomware attack, victims—upon seeing an e-mail addressed to them—will open it and may click on an attachment that appears legitimate, like an invoice or an electronic fax, but which actually contains the malicious ransomware code. Or the e-mail might contain a legitimate-looking URL, but when a victim clicks on it, they are directed to a website that infects their computer with malicious software.
Once the infection is present, the malware begins encrypting files and folders on local drives, any attached drives, backup drives, and potentially other computers on the same network that the victim computer is attached to. Users and organizations are generally not aware they have been infected until they can no longer access their data or until they begin to see computer messages advising them of the attack and demands for a ransom payment in exchange for a decryption key. These messages include instructions on how to pay the ransom, usually with bitcoins because of the anonymity this virtual currency provides.
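The bulletin describes the symptom every victim eventually sees: documents replaced by unreadable ciphertext, often with a new extension, and a ransom note dropped alongside them. Those two traits can be checked for mechanically. The script below is an added example, not part of the FBI bulletin or the article: it scans a directory tree, measures the Shannon entropy of each file (plain text sits around 4 to 5 bits per byte, ciphertext close to 8) and looks for ransom-note-style filenames. The thresholds, keyword list, compressed-extension list and the sample files it builds are all assumptions made for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed heuristics for this example; tune them for a real estate.
ENTROPY_THRESHOLD = 7.2            # bits/byte above which a file is treated as ciphertext
MIN_ENCRYPTED_FRACTION = 0.5       # flag a tree when at least half its files look encrypted
NOTE_KEYWORDS = ("decrypt", "ransom", "recover", "restore")
# Legitimately compressed formats are high-entropy too; don't count them as evidence.
COMPRESSED_EXTS = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf", ".docx", ".xlsx"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued input, up to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: Path) -> bool:
    """Ransom notes are typically small .txt/.html/.hta files with a 'how to decrypt' name."""
    name = path.name.lower()
    return path.suffix.lower() in (".txt", ".html", ".hta") and any(k in name for k in NOTE_KEYWORDS)


def scan_tree(root: Path) -> dict:
    """Walk a directory and summarise the evidence of encryption damage found in it."""
    total = 0
    high_entropy = []
    notes = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        total += 1
        if looks_like_ransom_note(path):
            notes.append(path.name)
            continue
        if path.suffix.lower() in COMPRESSED_EXTS:
            continue
        if shannon_entropy(path.read_bytes()) >= ENTROPY_THRESHOLD:
            high_entropy.append(path.name)
    fraction = len(high_entropy) / total if total else 0.0
    return {
        "files": total,
        "high_entropy": sorted(high_entropy),
        "ransom_notes": sorted(notes),
        "suspected_encryption": bool(notes) or fraction >= MIN_ENCRYPTED_FRACTION,
    }


def build_sample_tree(root: Path, encrypted: bool) -> None:
    """Constructed sample data for the demo: three office documents, optionally 'encrypted'."""
    docs = {
        "invoice.xml": b"<invoice><item>consulting, 40 hours</item><total>4000</total></invoice>\n" * 20,
        "notes.txt": b"Meeting notes: review backup schedule, rotate tapes offsite.\n" * 30,
        "report.csv": b"date,amount,vendor\n2016-04-01,120.00,ACME\n" * 25,
    }
    root.mkdir(parents=True, exist_ok=True)
    for name, content in docs.items():
        if encrypted:
            # Stand-in for ciphertext: uniformly random bytes of the same length, new extension.
            (root / (name + ".locked")).write_bytes(os.urandom(len(content)))
        else:
            (root / name).write_bytes(content)
    if encrypted:
        (root / "HOW_TO_DECRYPT_FILES.txt").write_text("Your files are encrypted. Pay 1 BTC to ...\n")


def demo() -> dict:
    """Build a clean tree and a hit tree in a temp directory and scan both."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, hit = Path(tmp) / "clean", Path(tmp) / "hit"
        build_sample_tree(clean, encrypted=False)
        build_sample_tree(hit, encrypted=True)
        return {"clean": scan_tree(clean), "hit": scan_tree(hit)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Entropy alone is a weak signal, which is why the compressed-format list exists and why the note check is separate: a share full of photos is not an incident, while even one ransom note is. Run something like this on a schedule against file shares and the rate of change matters more than any single scan.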
According to the Bureau, the frequency of ransomware attacks increased dramatically in 2015, and they’re on track to “grow even more in 2016, if individuals and organizations don’t prepare for these attacks in advance.”
Unfortunately, defending against ransomware is very difficult, especially since hackers began using “spear-phishing” techniques to spread their malware. Spear-phishing has become the weapon of choice for hackers. Instead of sending the sort of obvious spam emails users have learned to filter out or avoid, spear-phishers obtain personalized information to make their toxic emails look more legitimate, or make them appear to come from trusted sources. It has become all too easy to open a virus-laced attachment file, believing it’s a legitimate document from a friend or colleague.
Also, as the FBI notes, ransomware gangs have begun planting malicious code on compromised legitimate websites, so that merely visiting such a site can infect a browser with unpatched software, a so-called drive-by download. Refusing to open attachments or click on links no longer guarantees protection.
Ransom attacks are a disturbingly effective cyber-crime, because once a large system is locked down, it may become far more affordable to pay the ransom than to fight the infection. InfoSecurity notes there have been reports in the past of the federal government advising ransomware victims to pay up, but in the new bulletin, FBI Cyber Division Assistant Director James Trainor definitively advised against cooperating with the criminals.
“Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom,” Trainor said. “Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
The new FBI bulletin appears to have been prompted by a ransomware attack on the Lansing Board of Water and Light in Michigan last week.
According to InfoSecurity, “no personal information was compromised and the delivery of water and electricity was unaffected,” but “administrative functions were crippled by the attack,” as the utility company had to lock its corporate network down to contain the infection.
Security firm Kaspersky Labs reported that the Lansing Board of Water and Light was still recovering from the ransomware attack this week. The utility has declined to release details of the attack, or the corrective measures it took, while law enforcement investigations are ongoing.
The FBI has previously said that ransomware is on pace to become a billion-dollar annual crime. CNN noted one example was a South Carolina school district that paid hackers $10,000 to get its servers unlocked. Hackers have grown adept at demanding amounts their targets can afford to pay and are likely to view as a cheaper alternative to fighting the malware. Security experts believe some victims don't come forward, preferring to pay the ransom quietly and resume normal operations as quickly as possible.
The FBI was criticized for its response to the ransomware threat in April by Senator Barbara Boxer (D-CA), after hospitals were subjected to a string of attacks, with at least one targeted medical center paying a hefty ransom to recover access to their data.
“I am concerned that by hospitals paying these ransoms, we are creating a perverse incentive for hackers to continue these dangerous attacks,” Boxer said in a letter to FBI Director James Comey, as reported by the Washington Times.
The Washington Times article quoted an FBI cyber-agent musing that “the easiest thing may be to just pay the ransom,” and speculating the “overwhelming majority of institutions” give in to their attackers’ demands.
There has evidently been enough of a backlash to such observations, including Boxer’s inquiry, for the FBI to make an unambiguous statement against paying the ransom. Boxer wanted the FBI to prepare a list of steps potential victims can take to protect themselves, and a few weeks later, the Bureau has produced just such a document.
Unfortunately, preventive measures are limited. In addition to raising employee awareness of malware threats and encouraging them not to open suspicious files or links, and reducing the number of users with high-level administrative access that could jeopardize an entire network, most of the FBI's helpful advice consists of the same anti-virus measures security experts have been recommending for many years: make regular data backups, store the backups offline or otherwise out of reach of the network so an infection cannot encrypt them too, verify that they can actually be restored, keep all system updates and anti-virus software current, and keep a tight lid on which websites network users are permitted to access.
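The bulletin's point about keeping backups out of reach follows directly from its own description of the malware encrypting "backup drives": a backup that is still mapped as a drive is just another target. The added example below (not code from the FBI or the article) shows the check a practitioner wants when the backup is the recovery plan: a SHA-256 manifest is taken at backup time and kept with the offline copy, and a restore target is verified against it so that a backup that was silently encrypted while still connected is caught before anyone relies on it. The directory layout, file contents and the simulated tampering are constructed for the demonstration.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_against_manifest(root: Path, manifest: dict) -> dict:
    """Compare a backup or restore tree with the manifest taken when the backup was made."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def restore_ok(report: dict) -> bool:
    """A backup is usable only if nothing is missing, altered or added."""
    return not any(report.values())


def demo() -> dict:
    """Constructed scenario: one backup left mapped on the network, one taken offline."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "live" / "docs"
        live.mkdir(parents=True)
        (live / "notes.txt").write_text("rotate tapes offsite\n" * 50)
        (live / "report.csv").write_text("date,amount\n2016-04-01,120.00\n" * 20)
        manifest = build_manifest(tmp / "live")

        online, offline = tmp / "backup_online", tmp / "backup_offline"
        shutil.copytree(tmp / "live", online)
        shutil.copytree(tmp / "live", offline)
        # The manifest travels with the offline copy, where the malware cannot rewrite it.
        manifest_path = tmp / "manifest.json"
        manifest_path.write_text(json.dumps(manifest, indent=2))

        # Simulated infection reaching the still-mapped backup share: one file overwritten
        # with random bytes (stand-in for ciphertext), one renamed, one ransom note dropped.
        (online / "docs" / "notes.txt").write_bytes(os.urandom(1024))
        (online / "docs" / "report.csv").rename(online / "docs" / "report.csv.locked")
        (online / "HOW_TO_DECRYPT.txt").write_text("pay 1 BTC\n")

        stored = json.loads(manifest_path.read_text())
        return {"online": verify_against_manifest(online, stored),
                "offline": verify_against_manifest(offline, stored)}


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, "OK" if restore_ok(report) else "FAILED", report)
```

The manifest only proves anything if it lives somewhere the malware cannot reach, which is the same requirement the bulletin places on the backup itself; a manifest stored next to a mapped backup gets encrypted along with it. The offline copy verifying clean is what turned KSL's incident, described later in the article, into an inconvenience rather than a payment.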
It’s all very good advice, but it’s not new advice, and none of it will stop an infection that is already under way; tested backups are what decide whether recovery is possible without paying. Ransomware is a growing threat because the basic calculation made by the criminals is correct: paying them off is cheaper than fighting an aggressive malware infestation in a large network, with users resorting to pen-and-paper while the battle rages. Hard-to-trace systems like Bitcoin have made getting away with the crime fairly easy for hackers, who apparently work largely out of Russia and Eastern Europe. Not very many of them are getting caught.
“Criminals know this is an area where it’s low risk, high yield in terms of what they do. You can do everything behind a keyboard, in a country thousands of miles away,” said supervisory special agent James Lamadrid of the FBI, in a Monday story on KSL News about a Salt Lake City chiropractor who fell victim to a ransomware attack.
Lamadrid estimated that possibly only a third to a half of these crimes are reported. KSL admitted it had been hit by ransomware itself but was able to recover on its own by restoring carefully prepared backups. The chiropractor wasn’t so fortunate — he paid a $500 ransom, but was never given the promised decryption key.