Phishing and Ransomware

Phishing Landscape Articles:

Brian Bentley, a Los Angeles-based copywriter, didn’t consider himself a risky web surfer vulnerable to hacking attacks. Yet, one day he found himself a victim of the latest fiendish fad in phishing: He got ransomwar-ed. This type of electronic extortion scheme is exploding across the Internet, ensnaring individuals as well as small businesses and corporations, police stations, and even hospitals. And the threat is only getting worse.

What is Ransomware?

Ransomware is a type of computer virus, usually downloaded without the user’s knowledge, that takes over a computer, in some cases locking it behind a password and in others encrypting the entire hard drive so that nothing on it can be accessed. The victim is then extorted for money, usually payable in Bitcoin, in order to unlock their precious data.

However, the first known ransomware attack happened before the Internet. In 1989 a Trojan horse was created by biologist Dr. Joseph Popp, who infected 20,000 diskettes that he labeled “AIDS Information – Introductory Diskette.” He then proceeded to hand them out to attendees at the World Health Organization’s AIDS conference that year.

Users who went home and put the diskette in their disk drive unwittingly infected their computer, and were locked out after 90 reboots. On their computer monitor an announcement appeared saying their computer data was encrypted and the only way to unlock it was to send $189 to PC Cyborg Corporation, via a PO Box in Panama. (Dr. Popp claimed he was donating the money to AIDS research and was eventually declared mentally unfit to stand trial; he died in 2007.)

Dr. Popp’s encryption was very crude and tools to decrypt it were quickly released. Still, it was a significant moment in computer hacking and a concept that would really take off 30 years later.

The first major ransomware pirates emerged from the dark web of Russia around 2009 and quickly got very sophisticated with their encryption techniques and extortion methods. In addition to encrypting files or locking screens, other ransomware scams involve threatening to publicly release embarrassing information, like a user’s browser history, or threatening to plant child pornography on their computers and alert the FBI.

Today, the number of ransomware programs has exploded: The FBI estimated the cost of the attacks to be $209 million… in the first THREE MONTHS of 2016 alone. This is up from $24 million in all of 2015.

How Ransomware works

According to Norton, the majority of ransomware attacks today come from people visiting infected websites or clicking on an infected advertisement link. This is known as a “drive-by download,” where malicious software is installed on their computer in the background without the user knowing it. Main targets are outdated Java or other web browser plug-ins, or vulnerabilities in Windows or OS X.

Other delivery methods include malicious scripts contained in document downloads and, of course, good ol’ email phishing.

Those who have suffered from the experience say you will know the instant it takes over your computer. In some cases, pornography may open in hundreds of windows, preventing any access as well as potentially embarrassing the victim. Others simply go to a locked screen, with the demands and instructions clearly spelled out.

And, while the majority of these attacks are on PC computers, Macs are also starting to be targeted – an OS X-based ransomware called KeRanger surfaced in March 2016. While it’s only the second one since 2014, TechRepublic notes what’s troubling about the malware is that it contained fragments of code that could be developed to eventually attack cloud servers and Time Machine backups.

And these scammers have started to get even more creatively cruel. In April 2016, reports surfaced of the Jigsaw Ransomware, which was modeled after the killer in the “torture porn” series Saw. Users that were infected were greeted with a video of the creepy puppet, just like in the movies. They were told they had to come up with the ransom within 24 hours or their files would slowly be deleted one by one and the price for saving them would dramatically increase.

Many of these ransoms are quite small (Jigsaw starts at about $150), with the idea being that these small sums are more likely to be paid. Norton studied a ransomware attack and found that even just a 2.9 percent payout meant a profit for the pirates of $33,000 per day.

The Threat to Our Network of Services

And while many of the attacks appear to target all types of individuals and companies, there has been a sinister pivot to police, emergency services, and hospitals. In April of 2015, the Tewksbury Police Department of Massachusetts fell victim to ransomware, with the hackers requesting $500 to relinquish control of the department’s computer records. After a few days of deliberating, and feeling powerless to do anything else, they paid. They were just one of a growing list of police departments across the U.S. and Europe being held for ransom in a similar fashion.

Then, on February 5, 2016, hackers really upped the ante. On this occasion they attacked the network of Hollywood Presbyterian Hospital, cutting off communication between staff and denying access to medical records. Their demand? Forty Bitcoin, the equivalent of $17,000. Hospital administrators, claiming it was literally a life or death situation, paid the ransom.

How the Ransom is Paid

With the original AIDS ransomware, money was to be sent via postal mail to an offshore PO Box. Nowadays, hackers have a much easier and faster method to take your money electronically. Bitcoin, a type of cyber currency that has been around since 2008, has become the de facto method of payment. What makes it particularly appealing to the black market is that it is completely untraceable. Bitcoin is known as a peer-to-peer payment system, meaning there is no middleman – all you need is the recipient’s Bitcoin address. Once the coins have been exchanged from one e-wallet to another, there is no way for another person to find out who has them or get them back.

Converting dollars or other currencies into Bitcoin used to be much more difficult but now, as the price of one BTC has skyrocketed to $600, it is becoming easier to use the currency, for better and for worse. In Los Angeles, Bitcoin ATMs began opening in 2014, and now there are many locations throughout the city to buy and sell them. Many law-abiding people enjoy using Bitcoin, perhaps for the novelty as well as its anonymity, and there is nothing wrong with the currency itself.

However, less savvy ransomware victims may find themselves in need of a Bitcoin Broker: a new type of bankster who is on the cutting edge of technology as well as the law. Many of these brokers will facilitate a Bitcoin transaction (for a fee, of course) but don’t want to know what it’s for. “They will hang up on you if you say it’s to pay a ransom,” Mr. Bentley remarked.

Other hackers, meanwhile, have realized the limitations of the Bitcoin currency and have been known to accept PayPal My Cash Cards, prepaid cards that can be bought at any grocery store; because of the greater risk to the pirate, however, the price is often doubled.

TeslaCrypt 3.0

On February 19, 2016 at 2:15 P.M., Brian Bentley was hacked with ransomware. He knows that date because it’s the date given to all the files on his computer. At that moment, he swears he was on an LA County website downloading traffic reports. He claims his infection was fallout from the Hollywood Presbyterian hack, citing the fact that the hospital has a .org suffix just like the County.

Regardless of where he picked up the virus, at that instant all his computer files were given an .mp3 extension and hundreds of Explorer windows began opening every second. At first he thought it was some kind of joke, but then the notice popped up on the screen. He said the program allowed him to decrypt one file and said he could get them all back for $500 in Bitcoin. After seven days, the price would increase.

This rogue program is TeslaCrypt 3.0, which, according to computer geek discussion boards, appeared in early February. These ransomware scripts are often written and dispersed quickly, with a self-destruct mechanism that makes them even harder to crack. “The virus destroys itself 10 minutes after the infection,” Bentley said.
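The symptoms Mr. Bentley describes (every file renamed with an appended .mp3 extension, all of them stamped with the same date, contents no longer readable) are exactly the kind of on-disk indicators a defender can look for after the fact. The following Python script is an added example written for this article, not code from the original page, from Norton or from SecurityIQ. It walks a folder tree and flags three indicators: document files carrying a second, appended extension; files whose leading bytes have the near-random entropy of ciphertext; and a large share of files sharing one modification minute. The suspicious-extension list (only .mp3 comes from the article), the entropy threshold, the cluster share and the sample folder it builds are assumptions chosen for illustration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Appended extensions to treat as suspicious. ".mp3" is what the article
# reports for TeslaCrypt 3.0; the other two are assumed placeholders, not a
# vetted indicator list.
SUSPICIOUS_APPENDED = {".mp3", ".locked", ".encrypted"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def scan_tree(root, entropy_threshold=7.5, cluster_share=0.5):
    """Walk `root` and report ransomware indicators.

    renamed       - files with a document-style suffix followed by a suspicious
                    appended suffix (report.docx.mp3)
    high_entropy  - files whose first 4 KiB look like random bytes
    mtime_cluster - True when more than `cluster_share` of the files share one
                    modification minute ("the date given to all the files")
    Thresholds are assumptions for illustration, not tuned production values.
    """
    root = Path(root)
    files = [p for p in root.rglob("*") if p.is_file()]
    renamed, high_entropy = [], []
    minutes = Counter()
    for p in files:
        rel = p.relative_to(root).as_posix()
        suffixes = p.suffixes
        if len(suffixes) >= 2 and suffixes[-1].lower() in SUSPICIOUS_APPENDED:
            renamed.append(rel)
        with open(p, "rb") as fh:
            head = fh.read(4096)
        if shannon_entropy(head) >= entropy_threshold:
            high_entropy.append(rel)
        minutes[int(p.stat().st_mtime // 60)] += 1
    top = minutes.most_common(1)[0][1] if minutes else 0
    clustered = bool(files) and top / len(files) > cluster_share
    return {
        "total": len(files),
        "renamed": sorted(renamed),
        "high_entropy": sorted(high_entropy),
        "mtime_cluster": clustered,
    }


def build_sample_tree():
    """Construct a throwaway folder that mimics the infection described above.

    Three files get random (ciphertext-like) contents, an appended .mp3 suffix
    and one shared timestamp; one untouched text file keeps its own timestamp.
    The timestamp is a constructed stand-in for the 19 Feb 2016 date.
    """
    root = Path(tempfile.mkdtemp(prefix="ransomware-scan-"))
    hit_time = 1455920100  # constructed epoch seconds shared by the "encrypted" files
    (root / "docs").mkdir()
    for rel in ("docs/report.docx.mp3", "budget.xlsx.mp3", "photo.jpg.mp3"):
        path = root / rel
        path.write_bytes(os.urandom(4096))
        os.utime(path, (hit_time, hit_time))
    notes = root / "notes.txt"
    notes.write_text("Meeting notes: follow up on the traffic report request.\n" * 40)
    os.utime(notes, (hit_time - 3 * 86400, hit_time - 3 * 86400))
    return root


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real user folder, the three indicators are read together: a few .mp3 files are normal, but .mp3 appended to .docx and .xlsx names, combined with random-looking contents and one shared timestamp across most of the tree, is the pattern the article describes, and it is cheap enough to check from a rescue disk before deciding whether to restore from backup.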

Running up against this shadowy underworld, alongside law enforcement and software companies, are teams of “good guy” hackers who make it their mission to de-fang these ransomware programs as quickly as possible, creating decryption tools and posting them for others to use. However, as of this writing in April 2016, TeslaCrypt has not yet been cracked.

The Ransom: To Pay or Not to Pay

As we have shown, ransomware infections can leave people, companies, and governments in a pickle. Entities like police departments and hospitals often have older computers on their network, making them even more vulnerable to attacks. The risk of any downtime may cost lives and, since the ransom is usually only a few hundred dollars, it’s easy to see why many have capitulated to the hostage-takers’ demands.

Still, many experts are adamant: Do NOT pay the ransom. Aside from the moral implications of police departments and governments giving in to criminals, they say quite simply there is no way to know if there isn’t some other type of spyware located on the computer, or if they will actually release all the files. “Even if a person does pay the ransom, the cybercriminals often do not restore functionality,” said Norton in an article on the rising threat of ransomware.

However, others, including the FBI, are less categorical. “To be honest, we often advise people just to pay the ransom,” Special Agent Joseph Bonavolonta was quoted as saying at a cybercriminal conference in Boston. Other security experts advise that you don’t pay… unless you have no other option.

Preventing Ransomware

When it comes to preventing ransomware attacks, there is a little more unity: Keep all your software up-to-date, particularly your web browser’s Java and apps/extensions. Back up your computer’s contents to another hard drive that you can disconnect, or use cloud-based applications and/or backup services.

An antivirus program and firewall are also a good idea, although many of these viruses aren’t discovered until they’ve already done their damage, before a signature update can be created. When surfing the web, avoid any websites that your browser warns you about, and always THINK before you click on any link. To this end, SecurityIQ has created a library of phishing simulators and educational materials to help users spot and avoid suspicious communications.
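The backup advice above only helps if the copy you disconnect is known-good, and if you can tell at a glance whether the live data has been tampered with. The Python script below is an added example, not code from the original page or from SecurityIQ; it copies a folder to a backup location, stores a SHA-256 manifest alongside the copy, and later verifies either tree against that manifest, so a backup that was itself encrypted, or a live tree that has been renamed and overwritten in the way the article describes, shows up as modified, missing or extra files. The folder names, the manifest file name and the simulated infection are constructed for the demo.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

# Name of the hash manifest stored inside the backup. Assumed for this demo.
MANIFEST_NAME = "MANIFEST.sha256.json"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def write_backup(source, dest) -> dict:
    """Copy source to dest (the drive you will disconnect) and store a manifest there."""
    shutil.copytree(source, dest)
    manifest = build_manifest(dest)
    (Path(dest) / MANIFEST_NAME).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_tree(root, manifest: dict) -> dict:
    """Diff a tree against a manifest: changed contents, vanished and unexpected files."""
    current = build_manifest(root)
    modified = sorted(p for p, d in manifest.items() if p in current and current[p] != d)
    missing = sorted(p for p in manifest if p not in current)
    extra = sorted(p for p in current if p not in manifest)
    return {"ok": not (modified or missing or extra),
            "modified": modified, "missing": missing, "extra": extra}


def verify_backup(dest) -> dict:
    """Check a backup against the manifest stored inside it before restoring from it."""
    manifest = json.loads((Path(dest) / MANIFEST_NAME).read_text())
    return verify_tree(dest, manifest)


def simulate_infection(live) -> None:
    """Constructed stand-in for the behaviour the article describes: every file's
    contents replaced with unreadable bytes and a .mp3 suffix appended."""
    for p in [p for p in Path(live).rglob("*") if p.is_file()]:
        p.write_bytes(os.urandom(max(p.stat().st_size, 1)))
        p.rename(p.with_name(p.name + ".mp3"))


def demo() -> dict:
    """Back up a constructed folder, 'infect' the live copy, then verify both."""
    base = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    live, backup = base / "live", base / "backup"
    (live / "docs").mkdir(parents=True)
    (live / "docs" / "report.docx").write_bytes(b"Quarterly report draft. " * 100)
    (live / "photo.jpg").write_bytes(bytes(range(256)) * 8)
    manifest = write_backup(live, backup)
    simulate_infection(live)
    return {"backup": verify_backup(backup), "live": verify_tree(live, manifest)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "OK" if result["ok"] else f"FAILED {result}")
```

The manifest lives on the backup drive itself, so the check works even when the original machine is untrusted; the one thing it cannot defend against is a backup left connected while the infection runs, which is why the article's advice to disconnect the drive matters.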

Mr. Bentley, a writer and videographer with thousands of one-of-a-kind documents that are now hopelessly encrypted, decided not to pay. With the help of a techie friend, he estimates it will take years for him to recover all the files.

“Ignore this story at your own risk: you may be next,” he warned.

InfoSec Institute

Stephen Moramarco

SecurityIQ has published a number of videos on social engineering and phishing. You can sign up for a free account to browse their resources and test how phishing savvy you really are.
