The notoriety of ransomware is so great that the United States Department of Health and Human Services has issued guidance specific to this threat, and the FBI has confirmed the devastation of ransomware, indicating that no industry is immune.
The ransomware family of threats are not new by any means. The legitimate roots of this threat vector started around 2008, but at that time it was better known as “scareware.” While that initial effort was largely a failure, the basic premise of the attack was solid. One can imagine these hackers saying to themselves at the time, “we have something to work with here, and it can be improved to generate revenue.”
Fast forward about six years: The Cryptowall ransomware variant hit the market in June of 2014. Cryptowall was a significant breakthrough for its creators. Cryptowall created a legitimate situation that received ransom payments to the tune of $325 million dollars in 2014. At that point, the “business model” for ransomware was validated, and numerous ransomware variants would enter this lucrative market.
Ransomware in 2017
Ransomware is no longer simply a “hack” or a cybersecurity threat; it is a viable and wildly successful business model that exists to generate revenue.
Ransomware is not like other typical cybersecurity threats. Rather than seeking to give the attacker remote control of systems or exfiltrate data that can be sold or used for nefarious purposes, ransomware is a product for profit.
It is crucial for tech and legal professionals to look ahead and consider the technical and legal implications that surround ransomware. For cybersecurity experts, this is an interesting but uncomfortable conversation. In order to stay ahead of emerging threats, cybersecurity specialists work to predict the future and hope that their predictions don’t happen.
In regards to ransomware, we have identified eight separate ransomware product enhancements. One prediction (and fear) was that a ransomware variant will self-propagate internally (i.e. wormable).
In the early 2000s, wormable malware such as MSBlaster, Code Red and SQL Slammer inflicted extreme damage and kept cybersecurity experts on their toes. While predictions of this type of attack have existed for some time now, we have maintained hope that it would never come to fruition.
Unfortunately, on Friday May 12, such an attack did indeed materialize.
As you may have seen on the news on Friday, a massive worldwide ransomware cyber-attack quickly spread across more than 70 countries. This ransomware attack by the variant known as WannaCry is making unprecedented headlines from NBCNews, FoxNews and CNN — because unlike previous ransomware variants, it is “wormable” (which means that it can spread by itself, without requiring users to pass it on to other systems) and has the ability to infect an entire network from the inside.
For many of us in the industry, this is reminiscent of MS Blaster or SQL Slammer, but the impact is much greater. This “Wormable Ransomware” is something the cybersecurity community has feared for years, and unfortunately it looks like it has finally materialized. Impacted organizations are those that failed to implement Microsoft’s MS17-010 patch, which was released to close holes that were publicly disclosed in Shadow Brokers’ public release of stolen National Security Agency hacking tools. Everyone should be aware that proper patching is essential.
If you’re wondering what you can do to insulate your organization against an attack, download this ransomware checklist for a series of steps take. For additional guidance or assistance with ransomware, contact a professional for advice.
Bill Dean is a senior manager in LBMC’s Information Security Services division and is responsible for incident response, digital forensics, electronic discovery and overall litigation support. Bill has more than 20 years of information technology experience with a specialty in information security and digital forensics for the past 10 years. Contact him at 865-862-3051 or email@example.com.
Originally printed in The Tennessean.