Security Technology Executive

JUL-AUG 2018

TECH TRENDS
By Ray Coulombe

Ray Coulombe is Founder and Managing Director of SecuritySpecifiers and the CONSULT Technical Security Symposium. Email him at ray@SecuritySpecifiers.com, or contact him through LinkedIn at w w raycoulombe or follow him on Twitter: @RayCoulombe.

When you used to hear the word "ransom," you probably figured that someone was kidnapped or taken hostage where their return was contingent upon a payment or action. In many cases, meeting the demand of the hostage takers didn't necessarily lead to the victim's release. Today, cybercrime appears to be much easier and lower risk than physical intrusion or armed robbery, and thus "ransomware" has worked its way into our everyday jargon, as criminals hold data or services hostage through the use of targeted malware. Ransomware locks up data so it can only be decrypted with an encryption key, which is promised to the victim upon receiving the ransom payment – often paid in cryptocurrency such as Bitcoin.

Recent High-Profile Ransomware Attacks

WannaCry exploited a vulnerability in Microsoft Windows operating systems in the Server Message Block (SMB) protocol. It is believed that this was an outgrowth of the NSA's activity to warehouse exploits to discovered vulnerabilities. Code developed for this exploit was termed "Eternal Blue" and was stolen by a hacker group called Shadow Brokers. Many vulnerabilities discovered by the government are not publicly released, but rather saved for future offensive operations. Although WannaCry attacks began in earnest on May 17, 2017, Microsoft had announced a patch on March 14, 2017 through Security Bulletin MS17-010 and labeled it 'Critical.' Patched systems were protected, but many systems remain unpatched – particularly Windows XP – for which support had been discontinued but was later provided for this vulnerability.
WannaCry is estimated to have infected more than 300,000 systems across 150 countries in a matter of days. It was later discovered that WannaCry was unable to determine which victims had paid the ransom, due to a code flaw which may have been intentional. Today, millions of Internet-connected XP systems remain in operation (netMarketShare estimates nearly 6 percent of desktops run Windows XP), most notably Britain's National Health Service. I would surmise that a very high number of Windows XP systems remain unpatched today.

SamSam ransomware hit the City of Atlanta in March 2018. It infiltrates by exploiting vulnerabilities or guessing weak passwords in a target's public-facing systems (read more about weak passwords in my June SD&I column at www.securityinfowatch.com/12413836). SamSam has reportedly targeted protocols including Microsoft IIS (Internet Information Services), FTP (File Transfer Protocol) and RDP (Remote Desktop Protocol). Other victims include Hancock Health and Allscripts.

GandCrab made its debut in 2018 and is commonly delivered with phishing emails about common subjects such as payments, tickets, invoices and orders. A JavaScript attachment is executed and downloads the malware from a malicious URL. Upon successful infection, files will be encrypted with the .CRAB extension while a ransom note is left with instructions on the next steps required to recover the files. Statistics indicate that only 25 percent of those who paid the ransom actually get their files decrypted.

Ransomware by the Numbers

Verizon, in its 2018 Data Breach Investigations Report, reports a number of interesting findings:

• Email continues to be the most common social attack vector (96%) and malware vector (92.4%).
• Bad websites account for 6.3 percent of the malware vectors.
• 49 percent of non-POS malware was installed via malicious email.
• Within the 1,379 incidents where a specific malware functionality was recorded, ransomware (56%) is still the top variety of malware found.
• Ransomware accounts for 85 percent of all malware found in healthcare systems.
• On average, 4 percent of people in any given phishing campaign will click an infected link; however, just 17 percent of phishing campaigns were reported.
• JavaScript, Visual Basic Script, Microsoft Office, and PDF files are the most common bad actors, often leading to the eventual installation of a Windows executable file.

Targeted: The Healthcare Market

At this year's Cyber:Secured Forum in Denver, I had the pleasure of meeting Randall Frietzsche, CISO of Denver Health. I asked him about ransomware, given

Ransomware Prep: Why it is advisable to make the up-front investment rather than to pay a ransom with no guarantees. Continued on page 16
