July Monthly Review: Ransomware Evolving, Response Stagnates
July 2019 showed how inventive ransomware operators can be. Spreading through social media platforms, developer forums and even Android devices, ransomware can have a large impact on organisations and individuals alike. Here is our summary of the month's attacks, as government institutions and companies struggle to restore their servers.
Even Police Not Safe from Ransomware Attacks
Since the emergence of ransomware, law enforcement has had a hard time locating the culprits, so it comes as no surprise that police forces themselves occasionally get hit. The Georgia Department of Public Safety (DPS) and Georgia State Patrol (GSP) felt it first-hand on July 29th, when representatives announced that their computer network had been compromised. Local news outlet FOX5 reported that an employee first noticed something was wrong with the network on his laptop.
So far, the State Capitol Police and the commercial enforcement division are affected. Staff have switched to manual processes and are having major difficulties providing routine services. Almost immediately after the attack, the FBI confirmed the incident and stated that it is already cooperating with local authorities.
Because the network was shut down, email, the public website and back-end services are not functioning. Officers have to rely on work phones and car radios for information.
To limit further damage, the Georgia Technology Authority is standing up new security software while the old systems remain offline. GSP spokesperson Lt. Stephanie Stallings told the local news outlet that officers have gone back to “more traditional” work with pen and paper rather than laptops.
“This ransomware attack has certainly caused DPS to revert to a more traditional way of dispatching and patrolling. The technology we have become accustomed to, at present, is not readily available at the fingertips of the troopers, Motor Carriers Office, and the Capitol Police Officers in their patrol vehicles,” Stallings said.
It remains unclear who the attackers are and whether they demanded a ransom.
Louisiana in the State of Emergency Following the Ransomware Attack
Government authorities appear to be taking ransomware seriously in the wake of recent attacks. Louisiana governor John Bel Edwards declared a state of emergency on July 24th following a ransomware attack on local schools. School systems in Ouachita Parish and the City of Monroe school district suffered a complete computer and phone shutdown, and school authorities called for help from public bodies across the state.
IT specialists from several agencies came to assist, including the Louisiana State Police, the Louisiana National Guard and GOHSEP (the Governor's Office of Homeland Security and Emergency Preparedness). Together with Louisiana's new cybersecurity alert system, the emergency declaration aims to stop the malware spreading into other networks.
With attacks on schools increasing in recent years, the task force aims not just to remove the malware but to prevent future attacks. The swift declaration and the rapid response of the authorities set an example for how a ransomware incident should be handled.
Gadsden Schools Feel the Ransomware Pressure
Louisiana is not alone: another school district fell victim the same month. The Gadsden Independent School District (GISD) of southern Doña Ana County, New Mexico, announced on July 16th that its systems had been infected by ransomware. Officials shut down the email service because the ransomware had locked up the entire computer network, and notified the New Mexico Public Education Department and law enforcement.
The GISD IT department worked for more than a week to restore operations, and on July 25th the email service came back online. In its announcement the district said that no personal information was lost and that the payroll system had continued to work throughout. “I want to ensure all employees that neither personnel information or the payroll system was affected,” the district said in the announcement.
Apart from the loss of email, no major damage appears to have occurred. The district did not say whether the attackers demanded a ransom, only that none was paid. Superintendent Travis Dempsey told local news that the Ryuk ransomware was responsible. Even with all systems back in operation, a lot of work remains.
“I am no way going to pay any ransom whatsoever and what that means is we have to rebuild our network and our servers,” Dempsey said.
Bank Account Details Stolen by a Ransomware
Ransomware has such a devastating effect on organisations because it locks away sensitive data, and with every new incident companies and institutions get a little better at protecting their files. Employees of the telecoms company Sure were not so lucky. On July 29th, ransomware got past the firm's defences and the attackers made off with the personal details of all staff members, including bank account information.
The Isle of Man telecoms provider immediately contacted those affected, including supply-chain partners. An employee had clicked a malicious link in a phishing email, which let the malware spread across the network. The company declined to name the person who opened the email, citing “security reasons.” With the investigation still under way, the full impact on employees remains to be seen.
Representatives did not say whether a ransom was demanded. Fewer than 400 people are affected, including their bank account details.
Ransomware Returns to Android: the Case of Reddit
As ransomware returns to Android, user communities are debating how to improve their security. Many assume that cyber threats mainly affect businesses or government agencies, but this case shows the importance of safe browsing on every kind of device, phones included. Cybercriminals are known for their creativity and for exploiting base instincts to spread malware.
Since July 12th, a ransomware family now known as Android/Filecoder.C has been spreading via Reddit and the XDA developer forums. Security firm ESET spotted it first and documented its tactics: the attackers posted in forum groups offering a “free” VR sex-simulation app. Users who downloaded and installed the app unwittingly handed control of their devices to the criminals.
The XDA forums (an app-development community) took the malicious posts down, but Reddit users were not so lucky. People who installed the supposed sex-simulation app found their phones locked. Worse, the ransomware used SMS to send messages containing malicious links to every contact in the victim's address book.
To reach the widest possible audience, the SMS lure was translated into 42 languages. The effort that went into this particular Android ransomware shows how far attackers are willing to go.
4 IT Specialists: The Story of How They Saved the Day
Hospitals and other healthcare organisations are a favourite target because their systems are often outdated. In the end, though, what matters is how the people on the ground react. On June 28th, four IT specialists at Wickenburg Community Hospital in Arizona started their day unusually: a ransomware attack was under way and they had very little time to stop their files from being locked away.
They realised something was wrong when one of the computers displayed a screen with “Ryuk” written on it. The organisation's CIO, Blue Beckham, decided against contacting the attackers or paying a ransom. He wanted to “get things back to normal” as soon as possible without giving the criminals a cent.
The four specialists shut down the network and began rebuilding the systems from scratch. Although the hospital's 12,000 patients noticed no disruption, the network had plenty of problems to solve.
“We threw it [data sets] in the trash and started over from a software perspective. We sat down and decided what is most important, what was absolutely needed both short term and long term. And when I say short term, I mean in the next hour and long term is the next 12 hours,” Beckham told AZCentral.
Through enormous effort the systems were brought back online, but the team had to rebuild from backup files. Without those, a great deal of patient and organisational data would have been lost for good.
NAS Platforms Suffer a Wave of Ransomware Attacks
On July 19th, Network Attached Storage (NAS) vendor Synology warned that its devices were the target of a large-scale ransomware campaign. The company told customers that attackers are brute-forcing the passwords of NAS units reachable from the internet. Once they have a valid password, the attackers encrypt the data on the device and demand a ransom payment in exchange for the decryption key.
Ken Lee, manager of Synology's Security Incident Response Team, said the attack was clearly planned in advance. “We believe this is an organised attack. After an intensive investigation into this matter, we found that the attacker used botnet addresses to hide the real source IP,” Lee said.
QNAP, another NAS vendor, faced a similar problem: its devices were being hit by a ransomware strain called eCh0raix. Here too, the attackers brute-forced weak passwords on exposed devices, encrypted the files and left a note demanding bitcoins for the decryption key. In both cases the attackers hid their real IP addresses behind compromised machines. That detail matters for defenders: a per-address lockout, the usual NAS auto-block setting, does little when each address in the botnet only tries a handful of passwords.
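The brute-force pattern behind the Synology and QNAP campaigns is worth making concrete. The script below is an added example written for this review, not code from the article or from either vendor: it runs two sliding-window failure counters over a constructed login log (the line format, the addresses and the thresholds are all assumptions) and shows why per-source-address lockout misses a campaign whose guesses are spread across a botnet, while a per-account counter catches it and also flags the successful login that followed.

```python
"""Distributed brute-force detection over NAS login logs.

Added example, not code from the article, Synology or QNAP. The log line
format below is a constructed stand-in; a real deployment would parse the
vendor's own auth log export, and the thresholds are assumptions to tune.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format: "<ISO timestamp> FAILED|SUCCESS login user=<u> from=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<result>FAILED|SUCCESS) login user=(?P<user>\S+) from=(?P<ip>\S+)$"
)

# Constructed sample: twelve failed guesses against "admin" from twelve
# different addresses inside two minutes (one guess each, the botnet pattern),
# then a successful login from a thirteenth address. "alice" mistypes her
# password twice from her own workstation, which is benign noise.
SAMPLE_LOG = "\n".join(
    [f"2019-07-19T10:00:{i:02d} FAILED login user=admin from=203.0.113.{i}"
     for i in range(1, 13)]
    + [
        "2019-07-19T10:00:20 FAILED login user=alice from=192.0.2.10",
        "2019-07-19T10:00:25 FAILED login user=alice from=192.0.2.10",
        "2019-07-19T10:00:30 SUCCESS login user=alice from=192.0.2.10",
        "2019-07-19T10:02:00 SUCCESS login user=admin from=203.0.113.13",
        "garbage line the parser must skip, not crash on",
    ]
)


def parse_log(text):
    """Turn raw log text into a time-sorted list of login events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unknown format: skip it rather than guess
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            "ok": m["result"] == "SUCCESS",
            "user": m["user"],
            "ip": m["ip"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def _expire(queue, now, window):
    """Drop timestamps older than `window` from the front of a sorted deque."""
    while queue and now - queue[0] > window:
        queue.popleft()


def detect_bruteforce(events, window=timedelta(minutes=10), threshold=10):
    """Sliding-window failure counts, keyed two ways.

    per_ip:   addresses with >= threshold failures in `window`. This is the
              classic NAS auto-block rule; a botnet that spends one guess per
              address never trips it.
    per_user: accounts with >= threshold failures in `window` from any source;
              this is what catches the distributed campaign.
    distributed: per_user hits where no single address crossed the per_ip bar.
    success_after_burst: (user, ip) where a login succeeded while the account
              still had >= threshold recent failures, i.e. a guess may have
              worked and that session deserves a look.
    """
    fails_by_ip = defaultdict(deque)
    fails_by_user = defaultdict(deque)
    ips_per_user = defaultdict(set)
    alerts = {"per_ip": set(), "per_user": set(),
              "distributed": set(), "success_after_burst": []}

    for e in events:
        if e["ok"]:
            q = fails_by_user[e["user"]]
            _expire(q, e["ts"], window)
            if len(q) >= threshold:
                alerts["success_after_burst"].append((e["user"], e["ip"]))
            continue
        ips_per_user[e["user"]].add(e["ip"])
        for key, store in ((e["ip"], fails_by_ip), (e["user"], fails_by_user)):
            q = store[key]
            q.append(e["ts"])
            _expire(q, e["ts"], window)
        if len(fails_by_ip[e["ip"]]) >= threshold:
            alerts["per_ip"].add(e["ip"])
        if len(fails_by_user[e["user"]]) >= threshold:
            alerts["per_user"].add(e["user"])

    for user in alerts["per_user"]:
        if not ips_per_user[user] & alerts["per_ip"]:
            alerts["distributed"].add(user)
    return alerts


if __name__ == "__main__":
    for kind, hits in detect_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(f"{kind:>20}: {hits or '-'}")
```

Run as a script, the per_ip rule fires for nobody, per_user and distributed both name admin, and the later login from 203.0.113.13 is flagged as a success after a burst. In practice the per-account rule would feed a forced second factor or a temporary account lock; note that an attacker can abuse a per-account lock to keep legitimate users out, so pair it with an allow-list for known management addresses.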
U.S. Hopes to Recover Funds from Bitcoin Exchange
Last month we saw Riviera Beach, Florida pay a ransom of around $600,000 in bitcoin. This raises the question of how criminals cash out their cryptocurrency. As US authorities have found, online crypto exchanges are a popular destination for laundering bitcoin.
The US Department of Justice (DOJ) has filed a lawsuit against BTC-e, an online cryptocurrency exchange that was shut down in 2017 following action by the US Treasury's Financial Crimes Enforcement Network (FinCEN) and the FBI.
The government aims to recover $88,596,314 from the exchange's accounts, which are under investigation, plus a further $12 million from BTC-e's owner and creator, Alexander “Mr. Bitcoin” Vinnik, before he is extradited to Russia. Vinnik is currently in jail in Greece and is expected to serve the remainder of his sentence in Russia, so US law enforcement is hurrying to secure the funds while it still can.
BTC-e was found to be a source of income for many illicit activities, malware ransoms included. According to the DOJ, about $7 billion worth of bitcoin passed through BTC-e in its lifetime. Criminal transactions accounted for some $4 billion of that, more than half the total, and ransomware payments made up 95% of those criminal transactions, making BTC-e one of the most popular places for attackers to cash out.
Whether the DOJ succeeds in recovering the funds depends on the cooperation of the Greek and Russian authorities.
Charities and Health Care Institutions Remain Popular Ransomware Targets
Healthcare providers and charities remain popular targets. Park DuValle Community Health Center was hit by ransomware in June 2019. According to local reports, the organisation could not cope with the server downtime and the loss of access to 20,000 patients' records, and in July its management decided to pay the attackers' demand of $70,000 in bitcoin.
On the non-profit side, the UK's St John Ambulance was hit by ransomware on July 2nd. The first-aid charity disclosed the intrusion but, unlike Park DuValle, suffered no major damage. According to its statement, “IT teams worked hard to isolate and resolve the issue as soon as we became aware of it”.
The issue was resolved within 30 minutes and no ransom was paid. The charity nevertheless reported the incident to the Information Commissioner's Office (ICO) and the Charity Commission.
Cloud Backup: a Good Way to Protect Sensitive Data
The severity of a ransomware incident varies with its scale, but the defences in place decide how hard the attackers' job is. Fast response and working backups are the most important tools for limiting the damage.
Compared with the ransoms paid by the institutions above, the cost of online backup is tiny. Cloud backup services such as BOBcloud are a good way to keep a copy of your data outside the reach of malware on your own network. One caveat: a backup that is reachable as a mapped drive or with always-on credentials can be encrypted along with everything else, so keep versioned copies that an infected machine cannot overwrite and test that you can actually restore from them.