Story by João Paulo Campello, originally published in May 2016 on the previous version of the Tempest Blog
On January 1st, 2016, an article published on Emsisoft’s blog confirmed a new wave of ransomware threats that had been forecast in late 2015 and early 2016 by some security companies. The article gave details about Ransom32, a new JavaScript-based strain of ransomware that is also being advertised on the dark web as Ransomware-as-a-Service, in a kind of SaaS business model. The tool was apparently first publicly reported by a victim on December 29th, 2015, in a post on a security forum. The authors of Ransom32 reportedly demand a 25% fee on the profits obtained by cyber criminals using the service, which can be accessed over the Tor network. The tool is built on the JavaScript frameworks NW.js and Node.js, which means it is cross-platform: the same code can theoretically infect devices running Windows, Linux and macOS.
As stated before, the evolution of ransomware tools and the increase in such attacks were anticipated by some security companies, for instance in a ‘2016 predictions’ report from McAfee Labs and in an article published on Cisco’s OpenDNS blog. Still regarding the evolution of these tools, security researchers published in mid-February two reviews and an update about a new ransomware dubbed Locky. Although this artefact relies on an old-fashioned installation method (a malicious Microsoft Word macro), it has managed to compromise hundreds of computers in Europe, the United States, Russia, Pakistan and Mali.
In addition, a recent spike in the compromise of websites running the WordPress platform was reported in early February. As a result, ransomware and other kinds of malware were reportedly being delivered by the hacked websites to users running unpatched versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight or Internet Explorer. One of the malicious programs delivered to victims was the TeslaCrypt ransomware. In a related story, the WordPress maintainers released an update that patches at least two security vulnerabilities in the content management platform and also includes several bug fixes that correct or improve some of its features. However, it is not yet clear whether this update fixes the vulnerabilities exploited in the recent mass compromise of WordPress-based websites.
Outlook
A likely outcome of the current ransomware threat scenario was also seen in February: two hospitals in the US reportedly had their computer systems locked up by malicious software. One of the attacks affected the Hollywood Presbyterian Medical Center and, according to a supposed employee (a doctor who asked to remain unnamed), made the hospital’s IT systems inoperative for over a week. The attack reportedly also left staff unable to access any patient records stored on computers. Although Allen Stefanek (Presbyterian’s CEO) stated the hospital had been only ‘sporadically impacted’ [sic], another employee supposedly said the Radiation Oncology sector was forbidden to turn on computers and thus could not adequately treat patients. The authors of the cyber attack demanded a payment in the Bitcoin cryptocurrency to release the keys necessary to restore the encrypted files. Initially, it was rumoured that the cyber criminals asked for 9,000 BTC (worth more than 3.7 million USD at the time this story was written), but Stefanek at first declined to confirm the amount. A few days later, he said the hospital had paid a ransom of 40 BTC, roughly 17,000 USD. Still in February, the Los Angeles County Department of Health Services was the victim of another ransomware attack, although on a smaller scale than the incident at the Presbyterian. The department’s spokesperson Michael Wilson claimed it affected only five work computers, that operations were not affected, and that no ransom was paid.
The healthcare industry has experienced an increase in ransomware threats since the beginning of 2016, but it is important to note that cyber attacks against this segment are not new, as many incidents have been identified in the past few years. The development of new tools, together with the increase in drive-by and watering-hole attack campaigns, has actually worsened the situation. However, many other industries are also very attractive targets for cyber criminals, especially those with high revenues or profit margins and those considered essential services to civil society and associated with a great ‘sense of urgency’. One of the best examples of such an attractive target is the healthcare industry itself, because criminals assume they will be paid very quickly so that the affected services can be restored as soon as possible.
It is very important to mention that, alongside the recent ransomware attacks, some analysts started blaming Bitcoin for the increase in these threats. It is understandable that this association is made, since the vast majority (if not all) of the attackers demand payment in this cryptocurrency. Many also consider that this is because Bitcoin is an ‘anonymous’ currency and thus criminals do not have to worry about being identified and prosecuted. As discussed in an article written by Peter Van Valkenburgh on the Coin Center website, this is not the reason why Bitcoin is so suitable for such ransomware campaigns. It is important to note, however, that Coin Center is a website which allegedly advocates for a better understanding and use of cryptocurrency technologies such as Bitcoin. Although some may argue their opinions are therefore biased, the arguments put forward in this particular article are solid.
According to Valkenburgh, the key reasons why Bitcoin is particularly useful for cyber criminals are that ‘it’s fast, reliable, and verifiable’ [sic]. This claim is backed by very recent news about a Japanese bank that is considering using blockchain technology (used by many cryptocurrencies) to speed up international securities transactions. Moreover, Bitcoin is not that ‘anonymous’ in itself. If certain technical precautions are not taken, analysis of the blockchain can be of great value in discovering the IP addresses actually used by criminals. Indeed, blockchain transactions can be leveraged in investigations of ransomware attacks and have already led to the identification and prosecution of cyber crime group members.
Even though Bitcoin may still be part of what makes ransomware attacks so attractive for cyber criminals, it is definitely not the key factor. The root cause is more likely that hackers easily gain unauthorized access to IT systems which contain valuable or sensitive information, whether they belong to a big corporation, a large hospital or an individual. If Bitcoin did not exist, criminals could still demand that victims pay ransoms through money mules and other means, electronic or not. Furthermore, having gained unauthorized access to computers, cyber criminals can still carry out other attacks, such as stealing PII (Personally Identifiable Information) for use in financial fraud, or blackmailing people or organisations by demanding payment to prevent their secrets, sensitive information or medical records from being publicly exposed.