Saturday, 13 August 2016

Cybersecurity Awareness: Behold The Ransomware Epidemic!

Cybersecurity: An Overview - Cybersecurity comprises the measures or steps geared towards protecting electronic devices, and information stored in cyberspace (cloud storage), against unauthorized or criminal access. Thanks to the penetration of the internet and the affordability of technological gadgets, we now live in a more interconnected world than ever before. An unintended consequence of the proliferation of technology and enhanced interconnectivity is an increased risk of cyberattacks: cybercrime, ransomware, cyber-extortion, cyberespionage, cyberbullying, and other variants.
A United States-based consultancy firm, Accenture, submits that "cyberattacks will cost hospitals in the U.S. more than $305 billion over the next five years and that one in 13 patients will have their data compromised by hackers". It will also interest you to know that as at September 2015, Google posited there were about 1.4 billion active Android devices worldwide. Now the bad news is that The Hacker News reports that scores of malicious apps on the Google Play Store can root and hack about 90% of such Android devices. In June 2016, the French police were hit by a cybersecurity breach during which the personal details of 112,000 officers (serving and retired, and their families) were uploaded to a Google Drive storage service.

Imagine the far-reaching cybersecurity implications. To further buttress the import of cybersecurity, or the lack of it, a few weeks after the account of Facebook CEO Mark Zuckerberg was hacked into, the hacking group that goes by the moniker OurMine owned up to hacking the social media accounts of Google CEO Sundar Pichai. The accounts of Oculus boss Brendan Iribe (Twitter), Uber's Travis Kalanick, Twitter's Dick Costolo, the CEO of Spotify and Amazon CTO Werner Vogels have all been hacked. The hacktivist group OurMine says, "we are just trying to tell everyone that nobody is safe!" In truth, they are not far from the truth. No person, organization or critical infrastructure can boast of a foolproof defense against cybersecurity threats. Cybersecurity experts are in agreement that it is not a matter of 'if' or 'when' your data will be hacked, but whether you will 'know' when your data has been hacked.
What are Ransomware and Cyber-extortion?
Ransomware is coined from the word ransom: money demanded for the return of a captured person or something precious. In this case, ransomware is malicious software that encrypts, or otherwise holds 'hostage', valuable digital information or a website until a ransom is paid. Cyber-extortion is a form of cybercrime in which payment (ransom) is demanded to forestall an actual or threatened cyber-attack on an individual's or organization's electronic device, data, website, computer network or system. Ransomware and cyber-extortion represent a new wave of cybercrime tantamount to physical kidnap for ransom and extortion (KRE). The difference is that the former entails remotely infecting a computer, mobile device, website or other system with malware (a virus). Trend Micro reportedly blocked more than 66 million ransomware-related spam messages, malicious URLs and threats from January to May 2016. A ransomware cyberattack, inter alia, affects business continuity, leads to financial losses and undermines the reputation of the organization. The challenge with ransomware is that it is stealthy and works behind the scenes. For instance, a Trojan such as Acecard can infect an operating system and lie low for several months, even years, before it is detected or starts causing havoc.

Modus Operandi of Ransomware, Cyber-extortionists

According to Security Week magazine, there are three main tactics employed by cyber-extortionists: (a) the threat of a data compromise or a distributed denial of service (DDoS) attack, (b) the threat to release compromised data publicly in order to blackmail or extort money from the victim, and (c) infecting the target device or website with ransomware, usually via spam emails, malicious attachments and links, and demanding a ransom payment before restoring access.

The Hacker News reports that variants of the Cerber ransomware recently targeted Microsoft Office 365 email users via spam or phishing emails carrying malicious attachments able to bypass Office 365's built-in security tools. Similarly, the Locky and Dridex malware families employ malicious macros to hijack systems. Over $22 million was reportedly pilfered from UK banks with Dridex malware, which was triggered via a nasty macro virus.
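As an added example (not code from the post or from any vendor it cites), a mail-gateway style triage check for Office attachments: it holds legacy binary formats for review and inspects zip-based (OOXML) documents for a VBA project part, the macro delivery mechanism described above. The extension sets, the verdict strings and the sample documents are constructed for illustration.

```python
import io
import zipfile

# Office formats that are allowed to carry VBA macros (assumption: the common macro-enabled extensions).
MACRO_ENABLED = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
# Legacy binary Office formats can embed macros without any hint in the extension.
LEGACY_BINARY = {".doc", ".xls", ".ppt"}


def has_vba_project(data):
    """True if a zip-based (OOXML) document contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not an OOXML container at all


def triage_attachment(filename, data):
    """Return a verdict for one attachment; anything but 'allow' should be held for review."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in LEGACY_BINARY:
        return "quarantine: legacy binary Office format, may contain macros"
    if has_vba_project(data):
        if ext in MACRO_ENABLED:
            return "quarantine: macro-enabled document"
        return "quarantine: VBA project inside a non-macro extension"
    return "allow"


def build_sample_docx(with_macro):
    """Constructed sample: a minimal zip that mimics an OOXML container (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, doc in [("invoice.docx", build_sample_docx(False)),
                      ("invoice.docm", build_sample_docx(True)),
                      ("invoice.docx", build_sample_docx(True))]:
        print(name, "->", triage_attachment(name, doc))
```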

Typical file extensions targeted by ransomware include .doc, .docx, .pdf, .xls, .xlsx, .ppt, .pptx, .jpg, .jpeg, .bmp, .tiff, .png, .mpg, .mpeg, .avi, .3gp, .mp4, .m3u, .mp3, .wav, .zip and Java files, among others.
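An added example, not from the post, of how a defender can use that extension list: a scan that flags files of a targeted type whose header no longer matches their extension (and whose content has the near-8-bit entropy of ciphertext), and files with an unknown extension appended to a targeted one. The magic-byte table, entropy threshold and sample files are assumptions constructed for illustration.

```python
import math
from collections import Counter

# Extensions the post lists as typical ransomware targets.
TARGETED = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".jpg", ".jpeg",
            ".bmp", ".tiff", ".png", ".mpg", ".mpeg", ".avi", ".3gp", ".mp4", ".m3u",
            ".mp3", ".wav", ".zip", ".java"}
# Leading bytes a genuine file of that type starts with (assumption: standard signatures).
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
         ".zip": b"PK\x03\x04", ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
         ".ppt": b"\xd0\xcf\x11\xe0", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".png": b"\x89PNG", ".bmp": b"BM"}


def shannon_entropy(data):
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(name, data):
    """Return a reason if the file looks ransomware-touched, else None."""
    parts = name.lower().rsplit(".", 2)  # 'report.docx.locked' -> ['report', 'docx', 'locked']
    if len(parts) == 3 and "." + parts[1] in TARGETED and "." + parts[2] not in TARGETED:
        return "unknown extension appended to a targeted file"
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        if shannon_entropy(data[:4096]) > 7.5:
            return "header mismatch with high entropy (likely encrypted in place)"
        return "header mismatch"
    return None


def scan(files):
    """files: iterable of (name, bytes). Returns {name: reason} for suspicious entries."""
    hits = {}
    for name, data in files:
        reason = classify(name, data)
        if reason:
            hits[name] = reason
    return hits


# Constructed samples: an intact PDF-like file, a renamed document, and an image overwritten with
# uniformly distributed bytes standing in for ciphertext.
SAMPLES = [("budget.pdf", b"%PDF-1.4 constructed"),
           ("report.docx.locked", b"\x00" * 64),
           ("photo.jpg", bytes(range(256)) * 16)]
```

In practice the scan would run over a file share or a canary directory on a schedule, and any hit would be treated as an incident trigger rather than a verdict on its own.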

Prime Targets of Ransomware and Cyber-extortion

Insurance firms, financial institutions, banks, hospitals, airlines, airports, critical infrastructure, educational institutions, state and local governments, law enforcement agencies, small and large businesses, individuals and, in fact, any device that can be connected to the internet or any data stored in the cloud are susceptible to ransomware cyberattacks. For instance, in 2015, "hackers stole the records of about 80 million customers of Anthem Inc., the second largest United States health insurer". Unlike physically kidnapping a victim for ransom and extortion, which ordinarily entails collecting cash ransoms, the popularity of ransomware in the cybercrime world stems from the fact that the malware can be monetized anonymously and receipt of payment made almost untraceable using a digital currency or cryptocurrency such as Bitcoin.

Cyber Insurance and Ransomware-as-a-Service (RaaS)

The proliferation of ransomware attacks birthed a new insurance product known as cyber insurance, used to protect businesses and individuals against Internet-based risks such as cyberattacks, cybercrime and hacking, amongst others. On the flip side, cybercriminals now also tout 'ransomware-as-a-service' (RaaS). This entails cybercriminals offering their tools, or charging their clients a fee, to help them propagate ransomware. Just lately, security researchers at Trend Micro discovered a new family of malware, a banking-Trojan-as-a-service, which was dubbed Manjit (BKDR_MANGIT.SM). The aforesaid malware was allegedly created and sold by a Brazilian hacker, one Ric or Ricardo Marques Silva, and boasts the capability to bypass multiple authentication processes employed by Brazilian banks.

Internet of Things (IoT), Interconnectivity Will Boost Ransomware Attacks

A cybersecurity special report postulates that ransomware will worsen due to vulnerabilities in Internet of Things (IoT) devices: medical devices, web cameras, IP phones, IP CCTV cameras, DVRs, smart houses or smart cities, wearables such as smartwatches, public Wi-Fi and the proliferation of mobile apps with malicious code, amongst others. Globally, in excess of 5 billion IoT devices were said to have been installed in 2015, and it is estimated that this will reach 20 billion by 2020. Cybercriminals exploit IoT devices because they have weak login credentials, have little or no secure communication channels and are online 24/7. By the way, the Internet of Things (IoT) is defined as "a system of interconnected computing/mobile devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction or intervention".

Ransomware Cyberattack Likened To An ‘Epidemic’

The United States Federal Bureau of Investigation (FBI) says more than 2,500 complaints were reported to the Internet Crime Complaint Center (IC3) in 2015. Crypto-ransomware attacks reportedly accounted for almost 90 percent of all ransomware attacks in Italy and Germany in 2015, whereas the figure was less than 10 percent in the previous year, 2014. Given its proliferation and sophistication (for instance, a new Cerber ransomware variant is said to morph every 15 seconds to avoid detection), some cybersecurity experts have likened ransomware cyberattacks to an epidemic. It is well established that ransomware and cyberattacks generally are underreported. Kaspersky researchers say that the number of users encountering crypto-ransomware variants such as RANSOM_MIRCOP.A, TeslaCrypt, XORBAT, ZIPPY, CTB-Locker, CryptoLocker, CryptoWall, Linux.Encoder.1, CryptXXX, Bart and other strains leapt from 131,111 to 718,536 between April 2015 and March 2016, i.e. a nearly 500% increase. The Canadian and United States governments issued a rare joint alert in March 2016, warning businesses of heightened ransomware attacks. In 2015, victims of ransomware in the United States reportedly paid about $325m; cybersecurity analysts estimate it will be much higher in 2016.

Typical Incidents of Ransomware Cyberattack

Several healthcare establishments in the United States, such as MedStar Health, Chino Valley Medical Center, Desert Valley Medical Center, Methodist Hospital in Kentucky, Hollywood Presbyterian Medical Center and Kansas Heart Hospital, have all witnessed and reported ransomware attacks. Earlier in 2016, the Los Angeles-based Hollywood Presbyterian Medical Center had to declare an "internal emergency" after cybercriminals infected its information technology systems with ransomware. The University of Calgary in Canada was forced to pay the masterminds of a ransomware attack $20,000 in untraceable Bitcoin after its IT systems were hit by a massive and devastating ransomware attack on 28 May 2016. The foregoing reinforces why ransomware cyberattacks are said to be an epidemic and the biggest cybersecurity threat.

Nigeria, Africa Not Immune From Ransomware

As we have seen from the foregoing, ransomware is a global malaise, but there is no concrete or acknowledged evidence of such incidents in Nigeria yet. This is not surprising given our penchant for burying our heads in the sand and reacting to issues only after the fact. That this is not publicly acknowledged today does not mean such threats are non-existent, because a typical ransomware attack does not manifest immediately; it can lie dormant for months, even years, before it bares its fangs. Going by the Nigerian Communications Commission's assertion that "as at September 2015, over 97 million Nigerians used the Internet on a daily basis", it follows that Nigeria cannot be immune from the risk of ransomware attacks or other forms of cyberattack. According to Kaspersky, "45.3 percent of Kaspersky anti-virus users in Nigeria reportedly encountered malware that spread in local networks, through USBs and storage disks while 13.8 percent were said to have faced cyber threats from the internet in the third quarter of 2015".
Kaspersky went further to assert that, globally, Nigeria ranks as the 64th most attacked country in terms of malware and 128th in terms of cyber threats. Similarly, Nigeria is said to lose N89 billion ($450 million) to cybercrime annually, as at 2015. Recall that in January 2016 the infamous "Anonymous" hacker collective launched a cyber-campaign against the Nigerian government, accusing it of corruption, greed and theft. Granted that a ransomware cyberattack in Nigeria has not been acknowledged, it is a question of when it will be acknowledged. Though statistics on ransomware in South Africa are vague, anecdotal evidence suggests it is widespread. Ransomware is also said to have hit neighbouring Ghana. Recall that sometime in February 2016, cybercriminals broke into the Bangladesh central bank's account domiciled at the Federal Reserve Bank of New York and got away with $81 million while attempting to siphon nearly $1 billion using the bank's SWIFT credentials. Forensic investigators say Bangladesh's central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 switches to network the computers connected to SWIFT (the Society for Worldwide Interbank Financial Telecommunication).

SWIFT, the international money transfer network, owned up to a number of cyberattacks on its system and asked banks to update their software. Note that SWIFT's messaging services are deployed by nearly 11,000 financial institutions spread across more than 200 countries. If Nigerian financial institutions are signatories to SWIFT and the platform has been repeatedly compromised, it would be a miracle if Nigerian institutions were immune to such attacks. A lot of cybersecurity awareness is needed in Nigeria, which is why this writer penned this write-up. A Nigerian adage says it is better to search for a black goat during the day than at night. It is comforting that the Central Bank of Nigeria (CBN), commercial banks and other stakeholders in the electronic payment space, under the aegis of the Nigeria Electronic Fraud Forum (NeFF), recently held a meeting to brainstorm proactive solutions to forestall ransomware attacks in Nigeria.

In the words of Rod Piechowski, senior director of health information systems at HIMSS, "security is everybody's business. It's not just up to the security or Information Technology department; if you work with or own electronic devices, it's your responsibility too."

To be continued…
The next tranche of this write-up will discuss comprehensive best practices to prevent ransomware cyberattacks.

Written by:
© Don Okereke
(Security Junkie/Analyst/Consultant, Writer)
Follow me on Twitter: @donokereke
August, 2016
