Ransomware – Extortion by any other name, would be as bad!

This is a companion blog posting to my Episode 0.5 (the Teaser) Podcast about Ransomware, etc. which can be found on the Podcast page of this site, or on all good podcasting platforms, including Google, Apple, Spotify, Pocket Casts, etc.

Ransomware is not new, but how many of you actually know when it first appeared?

Believe it or not, the very first Ransomware appeared in 1989; yes you read that right! Want to know more, then read on, and I’ll explain the history and major changes that have occurred since that very first Ransomware way back in 1989…

Back in Time

The very first Ransomware was the so-called AIDS Trojan which was supplied on a 5.25″ Floppy Disc to thousands of  attendees of the World Health Organisation’s AIDS Conference and also mailed out to over 20,000 individuals across Europe.

The disc was created by PC Cyborg which was the company run by Dr. Joseph Popp and it contained a program that claimed to work out your risk/chance of catching AIDS (now called HIV). If you inserted the disc into your IBM (or compatible) PC and ran the program, it would indeed do what it claimed; however after 90 boots/reboots the malicious payload (encryption) would trigger and you would see the following:

AIDS Trojan Ransomware

Ironically, if you actually read the EULA that came with the disc, it clearly explained that you needed to pay a licence fee to use it and that it would encrypt your system if you didn’t pay, sound familiar?

Here is part of the text of the supplied EULA:

"If you install [this] on a microcomputer...
then under terms of this license you agree to pay PC Cyborg Corporation in full for the cost of leasing these programs...
In the case of your breach of this license agreement, PC Cyborg reserves the right to take legal action necessary to recover any outstanding debts payable to PC Cyborg Corporation and to use program mechanisms to ensure termination of your use...
These program mechanisms will adversely affect other program applications...
You are hereby advised of the most serious consequences of your failure to abide by the terms of this license agreement; your conscience may haunt you for the rest of your life...
and your [PC] will stop functioning normally...
You are strictly prohibited from sharing [this product] with others..."

Here is the full version:

EULA from the AIDS information diskette

Luckily the program used trivial encryption and soon a decryption tool was written by Jim Bates and given away for free. He also wrote up his analysis of the Trojan (the term Ransomware didn’t exist in 1989).

An arrest warrant was issued by New Scotland Yard and Popp was eventually arrested at Schiphol airport in Amsterdam during a routine baggage inspection.

From that date his behaviour became very erratic; he was held in Brixton prison until he was due to go to appear at court. There have been reports that he was known to wear a cardboard box whilst in prison, and that when he finally appeared in court, that he had curlers in his beard and a condom (prophylactic) on his nose, allegedly “to ward off radiation”. Whatever the real state of his appearance in court, he was declared “mentally unfit to stand trial” and returned to the United States without charge.

Other researchers (Yung and Young) analysed the Trojan in more detail and wrote a paper on it (in 1996) pointing out its many flaws, but the major one was that is used Symmetric (single key) encryption rather than Asymmetric (Public Key Cryptography, that uses two keys, a Public and a Private key). Most modern Ransomware uses the latter, and this means that unless you have access to the Private key, you can’t decrypt the encrypted data (unless the encryption methodology used is not properly implemented).

The Rebirth…

Not surprising, the Bad Guys n Girls were taking notes, and in the early Noughties we saw the re-birth of (or birth of modern) Ransomware. Of course it used Public Key Cryptography (PGP/GPG). Some of the early new versions were named PGP or GPGCoder. However, the problem was how to get the money from a victim without being caught or unmasked (always a tricky issue for any extortionist or blackmailer in the days before cryptocurrencies existed).

We saw a small (compared to the explosion that was to follow) number of these new Ransomware, but all was about to change in 2009 with the first launch of a little cryptocurrency called Bitcoin (invented in 2008).

It took a few years for the cyber-criminals (the Bad Guys n Girls) to catch on to the value of Bitcoin as a method of payment for Ransomware and other crimes, but by around the start of 2013, they had started to embrace Bitcoin and Ransomware exploded over the next 4-5 years. The first modern Ransomware that took full advantage of not only Public Key Cryptography, but also Bitcoin was known as Cryptolocker. Many saw the success of this malware, and promptly developed their own Ransomware strains.

The Business

Once Cryptolocker had arrived, Ransomware quickly became a thriving way to make money for the Bad Guys n Girls. Estimates appeared that claimed that in 2015 Ransomware netted (according to the FBI) over $24 Million USD, in the first three months of 2016 this had grown to over $209 Million USD, and Kaspersky claimed that Ransomware attacks tripled in 2016. Things just got worse in 2017 as we saw the first Worm-enabled Ransomware (which can move from system to system without human help). 2017 is remembered for two major Ransomware attacks, Wannacry in May, and then NotPetya in June (both Worms). The problem with NotPetya was although it acted like Ransomware, it was in reality a wiper, so even if you paid up, you wouldn’t get your data back!

According to Cybersecurity Ventures, they predict that Ransoware will cost $6 Trillion USD annually by 2021.

But read on dear reader, things are about to change, in 2018!

The Future?

As mentioned previously things were about to change in 2018 (actually from the last quarter of 2017)…

During 2018 we saw the number of Ransomware attacks shrink, but the average Ransom being charged increased (significantly), why?

  • The Bad Guys and Girls moved to a more targeted approach, often manually hacking an organisations infrastructure, mapping out there network, and then encrypting the organisations “crown jewels”. Often part of this mapping would identify where the backups were and these would either be erased (securely) or encrypted too. They started to look for high value targets, rather than use the previous scatter-gun (mass-mailing) approach they had used during 2015-2017.
  • Writing Ransomware is not trivial (if done properly), so the Bad Guys n Girls were also looking for other ways to monetise vulernable systems (ones they can hack, either manually or via an automated script). They decided to steal the processing power of compromised systems to “mine” cryptocurrency. Less work, less risk and more profit; it was a match made in heaven!

I blogged about the “Curse of Cryptojacking” recently.

However, I don’t think we have seen the back of Ransomware, the Bad Guys n Girls may have moved on to Cryptojacking and Sextortion scams, however, they will continue to hold data and systems to ransom where the payout is worth the effort. Increasingly this means Public Services (Government), Healthcare, Education, and Law Enforcement (including Law firms), as well as the more traditional targets (Retail, Travel, Finance, etc.)

Update March 20th: Ironically less than 24 hours after I posted this blog, Norsk Hydro was hit by manually deployed Ransomware (in this case is was LockerGoga) which uses the same approach as other manually deployed Ransomware (such as SamSam); the victims infrastructure in penetrated via a vulnerability or insecure open port, and the Bad Guys n Girls map out the network and then deploy their Ransomware personally.

Protection?

  • Harden and patch all systems, applications and Cloud infrastructure.
  • Use unique passwords for all access; even better use two or multi-factor authentication (not SMS based).
  • Install and run anti-malware, end-point/server protection, and on servers enable and configure the firewall and if it is a web server protect it via a Web Application Firewall too.
  • Remove all default accounts and sample content on web and database servers, etc.
  • Close off ports for remote administration, or put them behind a VPN. That includes RDP (Terimal Services), Telnet, SSH and others
  • Stay aware of new threats and countermeasures, both specific and generic.
  • Train and test your staff; they are often the first and last line of defence.
  • Take BACKUPS, and store them physically off-site (not in the Cloud), and test that they work (do a RESTORE). That way you have the option to recover your systems and data without having to pay the Bad Guys n Girls.
  • If you are using O365 or GSuite enable 2FA/MFA and do NOT allow the services to be accessed via IMAP or POP3, as this will bypass Multi-Factor Authentication (you have been warned!)
  • If you have cyber or crime insurance, check that Ransomware is covered by the policy (most cyber insurance policies currently do cover this, but Property and Casualty policies usually don’t)…

Until next time, stay safe out there!

What Cyber Threats and Trends Might We See in 2019?

‘Tis the season to get out the crystal ball and play at being the cyber equivalent of “Mystic Meg” (no that’s not me in the picture).

For 2018 I predicted a number of things that were spot on, these included the following:

  • The change from mass ransomware campaigns to more targeted ones asking for higher ransom payments.
  • The move from ransomware to cryptomining/cryptojacking as the primary monetisation payload/method.
  • GDPR being used for extortion/blackmail attempts.
  • Organisations still not focussing on the basics and best practice for their industry/vertical and wondering why they suffered security breaches/incidents.

So what will 2019 bring, according to OMG?

  • More targeted extortion attempts; Ransomware, GDPR, DDoS, etc. All with higher ransom being demanded.
  • Organisations will still be mainly focussed on the latest, must have “shiny toys/technologies” rather than dealing with the basics and best practice for their industry/vertical.
  • A mainstream move towards two or multi-factor authentication, as password theft is increasingly seen as the main way that bad guys and girls get in; other than social engineering (phishing) or via the supply-chain/business-partner. This move will be required due to massive Credential Stuffing attacks in 2018 fuelled by the many data breaches where user ids and passwords were stolen.
  • More supply-chain breaches as a method to gain access to the intended victim organisation.
  • Cloud service breaches and/or take-downs and mis-use by the Bad Guys n Girls.
  • The skills-gap and staff shortage will increase, again. And those of us in the industry will be in demand and frequently head-hunted or just pestered by desperate recruiters that don’t read your LinkedIn profile and still approach you with roles that you are not interested in or have the skills/background for.
  • More Business Email Compromise attacks (aka Fake CEO/CFO, etc.); these will rake in far more money in 2019
  • Artificial Intelligence and Machine Learning will continue be touted as “The” solution to deal with cyber threats and breaches; they are useful but generally too prone to false positives (detect things that are not an issue) and more worryingly false negatives (don’t detect what they should do).
  • The Internet of Things will start to “grow-up” as manufactures start to bake in security and offer it as a differentiator to competing products/services.
  • However, despite this we will continue to see IoT devices/infrastructure used as an attack platform and I suspect that we will start to see volumetric DDoS attacks exceed 2Tbps (largest so far was 1.35Tbps against Github in 2018). 
  • We may well see some critical infrastructure attacks (outside of Ukraine) that are successful, and that cause major outages and/or physical damage/loss of life.
  • Too many organisation thinking that using a single Cloud provider will give them a fully resilient infrastructure; it won’t. Just like having multiple data-centers, you need multiple Cloud providers (this should be part of your Business Continuity and Disaster Recovery Plan), no single-points of failure!
  • GDPR will finally start to bite (hard) and organisations that should have already been following industry best practice for data/privacy will finally do something about it (well, most of them)!
  • Blockchain will be finally recognised as not being the solution to everything!
  • Increase in use of Sextortion, Bomb and other extortion/blackmail emails/calls, despite the fact that most Sextortion campaigns did not net piles of bitcoin as those behind them expected.
  • More social-media scams mainly focussed around crypto-currency giveaways; like the many Elon Musk themed ones we saw in 2018.
  • People will still mainly fail to learn from history; we will see yet more old techniques/technologies dusted off and re-used by the Bad Guys n Girls, for victims that weren’t around (or paying attention) the last time it was successfully used…

Don’t have nightmares, remember that 80-90% of all security breaches/incident I have dealt with could have been avoided by just following best practice and doing the basics… This includes taking (and testing) backups, educating (and testing) your staff, patching your systems, applications and writing secure code, good Identity and Access Management, and so on…

Effective End-User Training, Compliance and Testing

What do most staff think when they hear the words “end-user security training” or “security awareness training“?

They think, “Oh no, is it really that time of the year again? What a waste of my time; it is so boring and doesn’t teach me anything that is useful to me. Security is the IT department’s problem/job, not mine!

In many organisations security awareness training is dull, impersonal and does not use “real life or real world” stories to add colour and flavour and help explain the problem, the risks, and the impact of security breaches/incidents. In most cases the training is to read a policy document (Internet Usage Policy/Security Policy, etc.) or to watch a video or attend a webinar where they are preached to rather than being allowed to participate in an interactive or interesting session.

Staff need to understand that in today’s world, security is everyone’s job, because if your staff are not part of the solution, they are part (if not most*) of the problem!

[*] 95% of successful cyber attacks are the result of a phishing scam.
Source: (2017) Ironscales,Email Security Report.

Add to this that many staff treat end-point protection (anti-malware, personal firewall and related security tooling) as an “authentication” method; “if I can open this link/file in the email, go to this site, etc. and my system gets hacked/infected, it is not my fault, it is the security/IT departments fault!” This is captured very nicely in this cartoon.

Given the above perceptions of many staff/end-users, what can we do to try and reverse this situation, so that staff see security as part of their job/responsibility and become part of the extended security team?

What do you need to make end-user security training successful, rather than something that is hated/despised/loathed and avoided at all costs for as long as possible by most staff in almost every organisation?

Here are some top tips:

  1. Make it fun; use gamification, where they are engaged, entertained, involved and tested throughout each module.
  2. Keep it short and punchy; no longer than 20 minutes, backed up with bite-size (5 minute) modules to reinforce an individual topic/threat. Don’t try and do the whole organisation at the same time; do it in groups and stagger the roll-out to be more effective.
  3. If you can make it a competition; who can report the most spam/scams/phishing emails, etc. Give prizes, or at least recognition!
  4. Make is personal; teach them skills that they can use in everyday life, including at home.
  5. Phish your own staff (after training them, and before) so that you can gauge the effectiveness of the training, but do it wisely and sparingly as otherwise they will quickly become fatigued and disinterested.
  6. Don’t penalise those that fall for the phishing test emails; use this instead as a “teachable (not preachable) moment“, rather than shame or blame them, try to understand why they fell for it, and explain how they could have recognised it for what it was.
  7. Make sure you set-up an email address such as: “[email protected] which can be used by employees when they suspect they have received a phishing email. Explain what steps they should take in order to report the email and give them with the necessary tools/guidance to report a suspected phishing email, such as a “report-phish” button in their email program.
  8. Training is not a one-time or once a year thing; good awareness training is part of the culture of an organisation and needs to be topped-up and refreshed all the time to stay effective. Make sure all staff, from the C-Suite down to the most junior staff in the organisation are included, not just techies.
  9. Ask for feedback, especially ask them about what they are worried about, e.g. Ransomware, Scams, Sextortion, Social Networks, Privacy, Passwords, GDPR, Data Breaches and how it impacts them personally and the company/organisation/industry, etc.
  10. You could always bring in a real-life “hacker” (an Ethical one, also known as a Penetration Tester or White Hat Hacker) and let them talk to your staff and answer their questions; they will have lots of real-world stories and good advice. T here are some that are good at talking to non-techies without resorting to acronyms and technical jargon.  These rare individuals will use humour, analogies and stories to help illustrate and bring the subject to life; they will often be very passionate about security, and this will keep the audience engaged.

However, you will find that 10-20% of your staff will just not be trainable (from a security awareness perspective)and you need to identify them and work on ways to reduce the risk that they pose to your organisation.

As the old saying goes:
The Bad Guys n Girls only have to get lucky once;
the Good Guys n Girls have to be lucky all the time
“.

So, what is a good solution that isn’t going to break your budget, but still allow you to deliver most of the above as a managed service and tie in to your Active Directory do that you can assign training to groups or individuals and see the results (meta data) from the training and testing?

One vendor that I have found to be very effective in this space is Techguard Security, this is what they say about their offering:

“Empowering your workforce to recognize and respond to sophisticated threats is only a click away. TechGuard S.H.I.E.L.D is a cutting-edge and comprehensive training solution for businesses of all sizes.”

You can use the following link to find out more about Techguard and their offerings, including the end-user training and phishing testing offerings, and what’s more, if you decide you like what you see and sign-up with them, you will get 10% off the price!

To find out more and claim your 10% discount when you sign up, use this unique web link: https://www.techguard.com/omg-cyber-security/

If you don’t use that link to register your interest, you won’t get the discount when you sign up.

Don’t just take my word for the effectiveness of good Security Awareness training, here are some statistics:

  • According to research by Ponemon, even the least effective training programmes have a 7-fold return on investment.
  • Most cybersecurity training programmes result in a 37-fold return on investment.
    Source: (2015) Maria Korolov, Does security awareness training even work?

If you don’t train your staff and carry out phishing tests, the Bad Guys n Girls will, and the results won’t be pretty…

I have been doing security for over 30 years and I often state “The day I stop learning will be the day they bury me“, in other-words, I’m still learning and will continue to do so until I die.

Sextortion – Your Money, or Your Pride!

I have been hearing about the recent wave of sextortion emails (these are not a new phenomena) that many are receiving and I was feeling a little left out, as I haven’t received a single one of the new campaign…..until the other day!

Here’s an edited screen shot of the sextortion email I finally received on the 11th of October, 2018:

It included what it claims is not only my email address, but also my user ID and password for the site they claim I accessed.

Let’s look at this in a bit more detail…

Should I be worried, panic, and pay up?

Of course not, why?

  1. The credentials (user id and password) are ancient and lifted during one of the many data breaches over the last 10 years.
  2. I don’t visit porn sites (yes, really!)
  3. There is NO video, it is all a bluff to get you to panic and pay up, just in case…
  4. I stopped using FaceBook a while ago, in fact I closed my account and requested all my data to be deleted weeks ago (well before I got the sextortion email).
  5. I have been working in anti-malware and malware analysis for over 30 years, and I’m used to catching and analysing new malware; guess what, there is no malware on my systems (unless I put it there to analyse it, in a safe environment).
  6. There is NO unique pixel in the email (it is just pure plain ASCII text, no graphics, no HTML, no scripting, no risk). They do not know if you have received or read the email (there isn’t even a receipt request in the email).
  7. The Bitcoin address is not unique, it is used for the whole sextortion email campaign, so they have no way to see if you have paid or not. This is how many modern ransomware attacks and DDoS extortion attempts work; they have no intent in giving you back your data or actually carrying out any DDoS attack. It is all about getting you to believe in what they are telling you, so that they can make lots of money by frightening you in to paying up…

At the time of publishing this article, over 5 days had elapsed (so my pay up deadline had expired) and guess what happened?

NOTHING, NADA, ZILCH, etc.

Update 1st November, 2018: Well I checked out the Bitcoin Wallet this scammer was using, this wasn’t a very profitable scam as they had only two victims pay up, which is around 1,600 USD. A later variant of the scam I received managed to get thirteen victim to part with 700 USD each, netting around 9,100 USD.

I was at a conference last week and one of the delegates there approached me after my talk and showed me yet another variant of this scam, he was really concerned that his phone and system had been hacked (it hadn’t). I analysed the email and found no trace of any beacon, malware or any active content. This new scammer was more successful as he/she was asking for 803 USD per victim and eighteen paid up, netting the scammer almost 14,500 USD

Update 8th December, 2018:

More new campaigns and a few of them are starting to get more bitcoin payments, but others are getting almost nothing. Hopefully the word is getting out and less people are falling for this?

A new twist (but not unexpected), the Sextortion scammers are now including links to booby-trapped sites/files that contain Malware (mainly Ransomware, at the moment, but this will change). This means that clicking on ANY links in these Sextortion emails is now far more dangerous; just delete the email or report it, don’t click on any links in them, not even on how to buy Bitcoin!

Here is a screen shot of the activity for a number of Bitcoin wallets that were involved in Sextortion scams:

I will continue to monitor these Bitcoin Wallets and investigate new versions of this scam; stay tuned!

Update 18th March, 2019

A new version has just started to circulate, this time claiming to be from the CIA accusing you of accessing child pornography,  I’m naming this new variant “pextortion”, see the screen shot below of the version I received overnight:

Where you see (victim-email-address) that will be your email address that you received the pextortion for.

You might want to add the following IP address to your blacklist: 51.68.91.127

Again, I am tracking the Bitcoin Wallet(s) linked to this new campaign. I’ll post updates if anything interesting happens.

Update 15th April, 2019

More new campaigns with many of them using graphics (of the text) instead of plain text; this is an attempt to bypass spam filters. I must have received over 50 of these new variants in the last few weeks. The problem is that because even the Bitcoin Wallet address is now graphical, the chances of anyone taking to time to write down or transpose it manually to actually pay is almost nil.

Here’s a screenshot of one of the all graphics version (not plain text at all), as you can see it is spoofing my own email address as the sender (this is not real, it is just spoofed):

I’m also seeing lots of versions with both plain text and graphics, including a QR code image!

There are also versions running around that have a password protected ZIP file attached, supposedly with “proof” of your naughty activities inside. As the ZIP is password protected you can only see the folder and file names inside, not the actual file contents. This is yet another smoke screen to make you believe the lies they are telling you.

However, this is a growing crime wave and victims do fall for it, look at the statistics below to see how bad it can be, and what you should do if you receive such as threat:

  • What is sextortion?
    – Being blackmailed by cyber-criminals that claim they have got hold of explicit material of you or one of your children, including: Photos, Video, Chat, Text messages, etc.
  • How common is it and who are the main victims?
    – Over 1,304 reported cases in 2017, up from 428 in 2015, although the number is likely to be significantly higher as many of these crimes go unreported. This is just in the UK (not globally, and it is a global scam).
    –The target is usually male, in their teens or twenties. Although some girls have also been targeted.
  • How do they work?
    – Victims are usually groomed for weeks/months before the blackmail attempt.
    – Often this happens via fake social media accounts or via targeted phishing emails.
    – Occasionally this may start with a video call, such as via Skype.
    – Many are just scams, they have no data/video of you or a family member.
  • What should you do?
    – Don’t Panic.
    – Don’t Pay.
    – Call the Police (sextortion is a criminal act). It is a form of blackmail.
    – Don’t contact the blackmailers (stop all communication).
  • What are the costs?
    – Amounts requested vary, but typically between £300 and £3,000 is asked for
    – At least 5 males have taken their own lives due to being a victim of this type of blackmail/extortion

Stay safe and educate yourself about the risks and ways to reduce your own attack surface; that will make it harder for the Bad Guys n Girls to succeed.