Ransomware: Same Old Crime, New High Tech Methods

Ransom, as a crime, hasn’t really changed much over the years. The first American ransom note was used in a kidnapping in 1874 in Philly. In broken English, it read in part, “You wil have to pay us [ ] and pay us a big cent to…[I]f you put the cops hunting [ ] you is only defeeting yu own end.” (Source: Smithsonian.com, The Story Behind the First Ransom Note in American History, By Carrie Hagen, December 9, 2013)

Hollywood Presbyterian Medical Center paid a ransom of $17,000 to regain access to the hospital’s electronic medical records system and other computer systems after suffering a ransomware attack.

Fast forward 140 years, and we still face this very same crime with very much the same messages. What’s changed, of course, is the delivery method: criminals of all types (former employees, activists, terrorists, etc.) can now deliver ransom-laden software, known as “ransomware,” to users’ computers by way of e-mail and websites, all towards taking something hostage (information, systems, networks) with the promise of releasing it only after getting paid.

Ransomware is defined as “a type of malware that prevents or limits users from accessing their system. [It] forces its victims to pay [a] ransom through certain online payment methods in order to grant access to their systems, or to get their data back.” (Source: TrendMicro). Ransomware has been around a while (the first cases were reported in 2005 – 2006 in Russia); however, the last few years, and 2015 in particular, have witnessed a significant increase in these types of attacks. The first quarter of 2015, by way of example, “…saw a 165 percent increase in new ransomware…” (Source: betanews, “Ransomware sees 165 percent increase in 2015,” by Ian Barker, May 2015).

That growth of ransomware has continued into 2016:

A new kind of Android malware called Xbot steals online banking credentials and can hold a device’s files hostage in exchange for a ransom.

It’s now clear that ransomware is a serious and growing threat that can cost people and companies dearly (according to a Nov. 2015 report, Crypto Wall 3 ransomware was responsible for approximately $325 million in damages since its discovery in Jan. 2015). (Source: LavaSoft, “Cryptowall Ransomware Costs Users $325 million in 2015,” November 2, 2015). As such, for-profit organizations and non-profits alike will do well to be careful, vigilant and on the lookout for ransomware attacks, and make their employees aware of the same with training and awareness designed to stop these attacks before they begin.

Some Good News (and a little bad news) about Our Government’s Cybersecurity

Alright, we’ll do bad news first. Not because I’m a cynic (I’m not), but because I want to get it out of the way and talk about some positive things that are happening with the federal government as they relate to safeguarding American citizens’ personal and private information.

The bad news is we are continuing to see data breaches of federal government agencies. The list of departments suffering hacks resulting in the compromise of the personal information of hundreds of thousands of Americans continues, with two additional breaches publicized this week:

“The Internal Revenue Service was the target of an attack that used stolen Social Security numbers and other taxpayer data to obtain PINs that can be used to file tax returns electronically.”

These latest breaches come on the heels of numerous other federal agency breaches, most notably the breach of the Office of Personnel Management (“OPM”) announced in June of last year, which involved the records of more than 18 million people (some accounts put the number closer to 21.5 million) and which has been described by federal officials as, “…among the largest breaches of government data in the history of the United States.” (Source: Wikipedia, Office of Personnel Management Data Breach).

Seriously outdated technology, such as the Social Security Administration’s system that still runs on a platform written in the 1960s in the COBOL programming language, is adding to cybersecurity challenges.

Ok, so that’s the bad news. What’s the good news, then? Well, the good news is that apparently (fingers – and toes – crossed), the feds have gotten the message and are now taking concrete steps to make changes towards securing the data of not only Americans who work for the government, but folks working in the private sector, as well.

According to news reports earlier this week, the Obama administration is taking a number of steps to “step up,” as it were, the cyber defenses of our Nation’s government, and to help guide private enterprise in the same mission. Here is a “short list” of what’s happening and what’s being requested:

  • the President sent to Congress a proposed 2017 budget that includes a request for $19 billion for IT upgrades and cyber initiatives (a 35% increase over 2016)
  • the President signed two (2) Executive Orders that created two (2) new entities: (a) a Commission on Enhancing National Cybersecurity (CENC), and (b) a Federal Privacy Council (FPC)
  • the CENC “will be made up of business, technology, national security and law enforcement leaders who will make recommendations to strengthen online security in the public and private sectors. It will deliver a report to the president by Dec. 1”
  • the FPC “will bring together chief privacy officers from 25 federal agencies to coordinate efforts to protect the vast amounts of data the federal government collects and maintains about taxpayers and citizens.”
  • “The White House said it also plans to create the new position of Chief Information Security Officer to coordinate modernization efforts across the government, including a $3.1 billion Information Technology Modernization Fund.”
  • the Administration’s plans include “training and shared resources among government agencies” and “48 dedicated teams to respond to attacks”
  • recruiting top IT talent will also be prioritized and bolstered through student loan forgiveness programs and incentives
  • there are also plans to encourage multi-factor authentication and reduce the use of SSNs as unique identifiers for Americans

(Source: USA Today, Obama signs two executive orders on cybersecurity, by Gregory Korte, February 9, 2016)

There is a lot to like in these efforts, which if implemented should go a long way towards securing the private and personal information of millions of Americans. Of course, how long it will take and how effective these “good news” actions will be if and when they’re taken remain unanswered questions, the answers to which will say much about just how serious American elected officials are about cybersecurity and the privacy and security of their constituents.