World Domination
By the close of 2015, ransomware had become a dominant threat. "Never before in the history of human kind have people across the world been subjected to extortion on a massive scale as they are today," observed Symantec researchers in their 2016 Internet Security Threat Report.[9] The Center for Internet Security dubbed 2016 "The Year of Ransomware."[10] In February 2016, Hollywood Presbyterian Hospital in Los Angeles was famously shut down by ransomware, generating an intense media storm. The hospital ended up paying $17,000 to the hackers in exchange for recovering its data.[11] The following month, Methodist Hospital in Kentucky was forced to declare an "internal state of emergency" after ransomware encrypted files throughout its IT infrastructure.
As the ransomware epidemic spread, cybercriminals took over computer systems around the world, including hospitals, schools, police stations, and more. When a ransomware infection was found, local IT staff typically worked to clean off the malware and restore data as quickly as possible. Victims rarely reported ransomware incidents to the public voluntarily, but in severe cases where day-to-day operations were impacted, word spread.
Within a few years, commercial ransomware software became a popular product on the dark web. Criminals could purchase turnkey malware, distribute it using common exploit kits, and rake in profits. To make it even easier, many vendors peddled "ransomware-as-a-service," where customers on the dark web paid a fee to rent ransomware platforms, which often provided user-friendly dashboards and easy-to-understand instructions.
Is Ransomware a Breach?
Victims traditionally took a "wishful thinking" approach to ransomware, assuming that even though attackers had locked up their data, they hadn't actually taken it. In the case of the Swedesboro-Woolwich School District, the superintendent reassured the public that the confidentiality of student data was not at risk. "Ransomware is more like an octopus," he said. "Its tentacles wrap around your data. There's no destruction or extraction."[12]
In keeping with this philosophy, most organizations treated ransomware exclusively as an operational issue. When an infected system was discovered, IT staff worked diligently to clean it, restore the data, and move on. "Because ransomware is so common, hospitals aren't reporting them all," said James Scott, senior fellow at the Institute for Critical Infrastructure Technology.[13]
Reality eventually caught up. Breach coaches who managed incidents realized that if an attacker had access to encrypt a victim's data, the cybercriminal could well have stolen it, too. And why not? Criminals could resell sensitive data on the black market and make money from denial extortion. To that end, ransomware developers added data-stealing capabilities to ransomware strains. For example, Cerber and Spora ransomware samples were updated to include keystroke loggers and password theft functionality. "By stealing credentials from victims, criminals are ensuring a double payday, because not only can they make money from extorting ransoms, they can also potentially sell stolen information to other criminals on underground forums," reported Danny Palmer of ZDNet.[14]
Ransomware is often the most visible sign of a compromise—but not the only component. Attackers frequently lurk in an organization's systems for months or years, stealing data or renting bots, before deciding to quickly monetize access by installing ransomware.
In 2016, the OCR caused waves throughout the healthcare industry by unequivocally stating that ransomware attacks should be treated as breaches. It published a "fact sheet" on ransomware and HIPAA, clearly stating that "when electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired." That means that ransomware incidents should be treated as potential data breaches and must be reported unless the covered entity can demonstrate a "low probability" that PHI was compromised, as per the four-factor risk assessment outlined in the HITECH Breach Notification guidelines.[15]
For other types of data, it's not always clear whether ransomware constitutes a data breach. The level of investigation and conclusions vary considerably based on the experience and risk tolerance of the breach coach and victim organization. It is always wise to retain a sample of the malware whenever possible, so that forensic analysts can assess its capabilities if needed.