ShareThis Page

Digital shift opens door to ransomware attacks

| Monday, May 30, 2016, 11:57 p.m.
Ongoing research by Christopher King, a vulnerability analyst at CERT (the computer emergency response team at Carnegie Mellon University’s Software Engineering Institute) looks at opportunities for criminals among emerging technologies such as driverless cars, drones and household devices.
Andrew Russell | Tribune-Review
Ongoing research by Christopher King, a vulnerability analyst at CERT (the computer emergency response team at Carnegie Mellon University’s Software Engineering Institute) looks at opportunities for criminals among emerging technologies such as driverless cars, drones and household devices.
Christopher King of Arlington, Va., a vulnerability analyst at CERT (the computer emergency response team at Carnegie Mellon University’s Software Engineering Institute), connects a dongle to collect data from a Chevy Volt on Thursday, May 26, 2016, at CMU's Electric Garage in Oakland.
Andrew Russell | Tribune-Review
Christopher King of Arlington, Va., a vulnerability analyst at CERT (the computer emergency response team at Carnegie Mellon University’s Software Engineering Institute), connects a dongle to collect data from a Chevy Volt on Thursday, May 26, 2016, at CMU's Electric Garage in Oakland.

As bad as it seemed when hackers locked up computer systems at Los Angeles' Hollywood Presbyterian Medical Center in February, demanding a $17,000 ransom, the attack could have been much worse, experts tell the Tribune-Review.

The cybercriminals used so-called ransomware that seeks victims through emails and websites, then locks their computer equipment until they pay a ransom.

When a victim pays the ransom — typically in digital bitcoins — the thieves provide a digital key to unlock the system. Yet hackers who aren't motivated by money could refuse to offer a key, said Brian Nussbaum, a former security intelligence analyst who teaches computer security at State University of New York at Albany.

“There is certainly the potential for you to have organizations where the data is simply gone,” Nussbaum said. “If they're not willing to sell you the key, then that Hollywood Presbyterian thing looks really different if people's medical records are just gone.”

That sort of worst-case scenario arose in a drill Nussbaum ran with New York state Homeland Security officials on the proliferation of ransomware.

The attacks have become pervasive, with hackers seeking targets of opportunity and almost always looking for a payday. For individuals, ransom can be as little as a couple hundred dollars, but for companies and large organizations, the ransom can run into the thousands of dollars — whatever the criminals believe a group will pay to restore its files.

They send out email messages embedded with malware, or embed that software in legitimate-looking websites. Because their business model depends on victims paying, hackers make the process easy and sometimes offer specific instructions on how to obtain and send the digital payment, Nussbaum said.

Hacktivists or nation-state computer hackers might not be as interested in blackmailing victims, said Matt LaVigna, interim president and CEO of the National Cyber Forensics and Training Alliance, a Pittsburgh-based nonprofit that works with the government and private companies to track online threats.

Incidents on the rise

The malware for ransomware attacks can be purchased in online black markets such as Tor, but hackers could use the malware for other purposes, such as to disrupt a targeted business or wreak havoc.

It's easier to target a specific victim than to send out many decoy emails for anyone to open, experts said. An attacker could send hundreds of messages to employees of a particular company and hope that a small percentage will open them.

“Then the victim is essentially hostage to the attacker,” LaVigna said.

Incidents of ransomware hit a high in 2015 and are on pace to set a record this year, the FBI recently warned. It said attackers are becoming more sophisticated, too, moving from just sending dangerous emails to “seeding legitimate websites with malicious code.”

The agency advises against paying the ransom, saying criminals do not always offer a key. Even when they do, the payment causes further problems.

“Paying a ransom not only emboldens current cybercriminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity,” the FBI said.

Creative about targets

The attack on Hollywood Presbyterian locked access to computer systems and prevented hospital employees from communicating electronically, said Allen Stefanek, hospital president and CEO.

The hospital contacted law enforcement for help but ultimately decided to pay the ransom of 40 bitcoins, or about $17,000, he added.

“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Stefanek wrote in a statement. “In the best interest of restoring normal operations, we did this.”

Hackers are getting more creative about their targets, experts said.

Traditionally, ransomware has targeted computers, locking up records for individual users, but police departments, universities and large corporations also have been hit.

The Trib reported in 2014 about a police department in Swansea, Mass. , that paid a $750 ransom when hackers locked up its systems, including more than seven years worth of mugshots. That spring, federal prosecutors in Pittsburgh shut down one ransomware network and brought indictments against the Russian hackers it says were behind it. The ringleader, Evgeniy Bogachev, remains at large.

Hacking your car?

Ways to attack victims are increasing as more items go online, LaVigna said.

If ransomware attacks a company's computers, hackers could lock anything connected to the systems — industrial equipment, heating and cooling controls, door access panels, phones and more.

“All of the things that are being connected have vulnerabilities in them,” LaVigna said. “There are no industry standards right now as far as things that are connected. ... Those devices have inherent flaws and vulnerabilities, and there's no check-and-balance, so they're just being put out there as products.”

Even as Internet-enabled and automated systems make life easier for users, they can create unforeseen risks that make life easier for hackers, said Christopher King, a vulnerability analyst at CERT, the computer emergency response team at Carnegie Mellon University's Software Engineering Institute.

King's ongoing research looks at opportunities for criminals among emerging technologies such as driverless cars, drones and household devices. Hackers could set an Internet-connected washing machine to overflow or lock the controls on a car, he explained.

A driver might one day start his or her car and receive a ransom message to pay before the vehicle can be moved, King said.

“If you start networking — not just what we have with computers, but networking your vehicle, your thermostat, your washing machine or whatnot — into the Internet and providing adversaries potential avenues of access, we have to consider what that means when everything you have is now potentially accessible by an external entity,” King said.

Andrew Conte is director of the Center for Media Innovation at Point Park University and a Tribune-Review contributor on cybersecurity and media issues.

TribLIVE commenting policy

You are solely responsible for your comments and by using TribLive.com you agree to our Terms of Service.

We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.

While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.

We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers

We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.

We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.

We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.

We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.