Ransomware recent developments and threats

New threats, spike in infections and attacks against the healthcare industry

On January 1st, 2016, an article published on Emsisoft’s blog [1] confirmed, to some extent, the new wave of ransomware threats that several security companies had forecast in late 2015 and early 2016. The article gave details about Ransom32, a new JavaScript-based strain of ransomware that is also being advertised on the DarkWeb as Ransomware-as-a-Service, in a kind of SaaS business model. The tool was apparently first publicly reported [2] by a victim on December 29th, 2015, in a post on a security forum. The authors of Ransom32 reportedly demand a 25% fee [3][4] on the profits obtained by cyber criminals using the service, which is accessed over the Tor network. The tool is built on the JavaScript frameworks NW.js and Node.js, which means it is cross-platform: the same code can theoretically infect devices running Windows, Linux and MacOS.

As stated before, the evolution of ransomware tools and the increase in such attacks were anticipated by some security companies, for instance in a ‘2016 predictions’ report [5] from McAfee Labs and in an article [6] published on Cisco’s OpenDNS blog. Still on the evolution of these tools, in mid-February security researchers wrote two reviews [7][8] and an update [9] about a new ransomware dubbed Locky. Although this artefact relies on an old-fashioned installation method – a malicious Microsoft Word macro – it has managed to compromise [10] hundreds of computers in Europe, the United States, Russia, Pakistan and Mali.

In addition, a recent spike [11] in the compromise of websites running the WordPress platform was reported in early February. As a result, ransomware and other kinds of malware were reportedly being delivered by the hacked websites to visitors running unpatched versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight or Internet Explorer. One of the malicious programs delivered to victims was the TeslaCrypt ransomware. In a related story, the WordPress maintainers released an update that patches at least two security vulnerabilities [12] in the content management platform, besides including several bug fixes that correct or improve some of its features. However, it is not yet clear whether this update fixes the vulnerabilities exploited in the recent mass compromise of WordPress-based websites.


A likely outcome of current ransomware threat scenario was also seen in February: two hospitals in the US reportedly had its computer systems locked up by malicious software. One of the attacks affected the Hollywood Presbyterian Medical Center13 and, according to a supposed employee (a doctor who asked to remain unnamed), made the hospital’s IT systems inoperative for over a week. The attack would have also resulted in their staff being unable to access any patient records stored on computers. Although Allen Stefanek (Presbyterian’s CEO) stated the hospital has been only ‘sporadically impacted’ [sic], another employee supposedly said the Radiation Oncology sector was forbidden to turn on computers and thus could not adequately treat patients. The authors of the cyber attack demanded a payment in Bitcoin cryptocurrency to release the keys necessary to restore the encrypted files. Initially, it was rumoured the cyber criminals asked for 9,000 BTC (worth more than 3.7 million USD by the time this story was written), but Stefanek first declined to confirm the amount. A few days later, he said the hospital paid14 a ransom of 40 BTC, roughly 17,000 USD. Still in February, the Los Angeles County Department of Health Services was victim of another ransomware attack15, although in a smaller scale than the incident against the Presbyterian. The department’s spokesperson Michael Wilson claimed it affected only five work computers and that operations were not affected, besides saying no ransom was paid.

The healthcare industry has experienced an increase in ransomware threats since the beginning of 2016, but it is important to note that cyber attacks against this segment are not new: many incidents have been identified in the past few years. The development of new tools, together with the increase in drive-by and watering-hole attack campaigns, has actually worsened the situation. However, many other industries are also very attractive targets for cyber criminals – especially those with high revenues or profit margins, and the segments considered essential services to civil society and associated with a great ‘sense of urgency’. One of the best examples of such an attractive target is the healthcare industry itself, because criminals assume they will be paid very quickly so that the affected services can be restored as soon as possible.

It is very important to mention that, alongside the recent ransomware attacks, some analysts have started blaming Bitcoin for the increase in these threats. The association is understandable, since the vast majority (if not all) of the attackers demand payment in this cryptocurrency. Many also consider this to be due to the fact that Bitcoin is an ‘anonymous’ currency and thus criminals do not have to worry about being identified and prosecuted. As discussed in an article [16] written by Peter Van Valkenburgh on the Coin Center website, this is not the reason why Bitcoin is so suitable for such ransomware campaigns. It is important to note, however, that Coin Center is a website which allegedly advocates for the better understanding and use of cryptocurrency technologies, for instance Bitcoin. Although some may argue their opinions are therefore biased, the arguments put forward in this particular article are solid.

According to Van Valkenburgh, the key reason why Bitcoin is particularly useful for cyber criminals is that ‘it’s fast, reliable, and verifiable’ [sic]. This claim is backed by very recent news about a Japanese bank that is considering using blockchain technology (used by many cryptocurrencies) to speed up [17] international securities transactions. Besides that, the Bitcoin currency is not that ‘anonymous’ by itself. If certain technical precautions are not taken, the blockchain can be of great value in discovering the IP addresses actually used by criminals. Indeed, blockchain transactions can be leveraged in investigations into ransomware attacks and have already led to the identification and prosecution [18] of cyber crime gang members.

Even though Bitcoin may still be part of what makes ransomware attacks so attractive to cyber criminals, it is definitely not the key factor. The root cause is more likely that attackers easily gain unauthorized access to IT systems containing valuable or sensitive information, whether belonging to a big corporation, a large hospital or an individual. If Bitcoin did not exist, criminals could still demand that victims pay ransoms using money mules and other means, electronic or not. Furthermore, by gaining unauthorized access to computers, cyber criminals can still carry out other attacks, such as stealing PII (Personally Identifiable Information) for use in financial fraud, or blackmailing people or organisations by demanding payment to prevent their secrets, sensitive information or medical records from being publicly exposed.

[1] Meet Ransom32: The first JavaScript ransomware. Emsisoft’s blog. 1 January 2016.

[2] Ransom32 Ransomware Support Topic. Bleeping Computer’s forum. 29 December 2015.

[3] Ransom32: First-of-its-kind JavaScript-based ransomware spotted in the wild. Computerworld. 4 January 2016.

[4] Researchers uncover JavaScript-based ransomware-as-service. Ars Technica. 5 January 2016.

[5] McAfee Labs 2016 Threats Predictions report. McAfee Newsroom. 9 November 2015.

[6] Easy, Cheap, and Costly: Ransomware is Growing Exponentially. OpenDNS blog. 2 September 2015.

[7] Locky ransomware virus spreading via Word documents. Kevin Beaumont. 16 February 2016.

[8] The Locky Ransomware Encrypts Local Files and Unmapped Network Shares. Bleeping Computer. 16 February 2016.

[9] You, your endpoints and the Locky virus. Kevin Beaumont. 17 February 2016.

[10] “Locky” crypto-ransomware rides in on malicious Word document macro. Ars Technica. 17 February 2016.

[11] Mysterious spike in WordPress hacks silently delivers ransomware to visitors. Ars Technica. 4 February 2016.

[12] WordPress Update Fixes SSRF, Open Redirect Vulnerability. Threatpost. 3 February 2016.

[13] Hollywood hospital hit with ransomware: Hackers demand $3.6 million as ransom. Computerworld. 15 February 2016.

[14] Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating. Los Angeles Times. 18 February 2016.

[15] Los Angeles County health department targeted in ransomware attack. Los Angeles Times. 26 February 2016.

[16] Why Bitcoin is not the root cause of ransomware. Coin Center. 3 March 2016.

[17] Mizuho Bank speeds international securities transactions using blockchain. PC World. 9 March 2016.

[18] Collaboration between the Dutch police and Kaspersky Lab leads to the arrest of suspects behind the CoinVault ransomware attacks. Kaspersky Lab. 17 September 2015.
