Popcorn Time: A New Scheme in Ransomware

A Q&A with Asaf Cidon of Barracuda

The recent reports about Popcorn Time—a ransomware attack that involves a Ponzi scheme encouraging targets to in turn spread the malware to contacts—show that criminals are becoming ever more creative in their approaches to cybersecurity exploits. I spoke with Asaf Cidon, VP of Content Security at Barracuda about Popcorn Time and what companies need to know about the current threats from hackers.


Ransomware: What Can Go Wrong, Might

Q&A with Chris Novak of Verizon

Even as public awareness around ransomware grows, many companies find they are still unprepared for this malicious exploit when it hits. Often, organizations find that despite their best intentions to cooperate with the perpetrators, they still may not get their data back. I talked to Chris Novak, global director of the RISK Team at Verizon Enterprise Solutions, about some of the pitfalls associated with this increasingly common crime.


WannaCry and Why the Surprise Ransomware Attack Shouldn’t Have Surprised Anyone

A Q&A with Matt Ahrens, The Crypsis Group

Last week, the devastating WannaCry attack—considered unprecedented in its scale and speed—hit more than 230,000 computers in 150 countries, including the National Health Service, FedEx, Deutsche Bank and LATAM Airlines, among others. I asked Matt Ahrens of The Crypsis Group about the attack, what made it so dangerous and what it means for organizations trying to improve their cyber security posture.


Ransomware v2: Facing the Latest Cyber Security Threats

A Q&A with Winston Krone of Kivu Consulting

There’s no doubt that ransomware attacks are on the rise and they’re becoming more insidious. I spoke with Winston Krone, global managing director of Kivu Consulting about what the latest version of ransomware looks like and what risk managers should do if it strikes their organization.


Ransomware Dos and Don’ts

A Q&A with John Mullen of Lewis Brisbois

In recent months, ransomware attacks have become more frequent, particularly in the healthcare space. While these attacks with their demand for payment give their victims few options for responding, companies can still prepare themselves to act quickly and effectively. Better yet, they can avoid ransom-seeking malware in the first place with sound security policies. I spoke with attorney John Mullen of Lewis Brisbois about best practices.


Paying Ransom

A Q&A with Luke Emrich of RSM

Recently, a lawyer contacted us, inquiring about how to find and obtain bitcoins for a client’s data that was being held ransom. As ransomware becomes more common, more organizations will need to ask hard questions about how and when to pay off criminals to protect their data. I spoke with Luke Emrich, security and privacy supervisor at RSM US about this growing phenomenon and what organizations need to know.


Don’t Ring the (False) Alarm: When a Data Loss Event Isn’t a Breach

A Q&A with Darin Bielby and Jeremy Batterman of Navigant Consulting’s Information Security & Investigations Practice

During a recent Risk and Insurance Management Society (RIMS) panel discussion, Navigant Managing Director Darin Bielby asserted that 50 percent of the organization’s information security forensic investigations yield evidence that enables legal counsel to advise companies that a data breach did not occur. These findings typically demand no further action or notification about the event, though some organizations proceed with additional precautionary measures. I talked with Bielby and his colleague Jeremy Batterman about the reality of data privacy events and what forensic investigators are seeing.


Ransomware: A Law Enforcement Perspective

A Q&A with Benjamin Stone of the FBI

It’s becoming an increasingly common story: Cyber perpetrators lock systems down with malware and then demand payment to release them. I asked Benjamin Stone, Supervisory Special Agent of the FBI’s Cyber Criminal Squad in Philadelphia, about ransomware and current conditions for cyber criminal activity.


Zero-Day Malware Worries

A Q&A with Greg Wasson of ICSA Labs

The term zero-day malware refers to threats that exploit vulnerabilities in a system that are not yet known to its owner or developer, so no patch or signature exists for them. I spoke to Greg Wasson, program manager at ICSA Labs, about zero-day vulnerabilities and the risks they pose for companies.


Unpacking CryptoLocker

A Q&A with Michael Tanji of Kyrus

The introduction of CryptoLocker “ransomware” poses a new security threat to organizations—in fact, one of our customers was recently hit with this hostage-taking nuisance. To get a better sense of what CryptoLocker does and how it can be stopped before any damage is done, I spoke with Michael Tanji of Kyrus.

Can you please explain in layperson terms what this virus is and what sort of damage it can wreak on an organization?
We call CryptoLocker ransomware because when it infects a system it encrypts the files and keeps the encryption key locked away, so that the only way to get access to those files is to pay a ransom. Ransomware is not a new class of malware, but CryptoLocker is far and away the best of this class. It’s only a couple of months old and it’s already infected a wide range of organizations of various sizes—it’s pretty indiscriminate. Just who is behind CryptoLocker is not known. We do know that they are pretty sophisticated in their understanding of cryptography, and they have been able to deal with a large volume of victims, so that speaks to their ability to operate at scale. It may be weird to say this about a criminal endeavor, but this is really an enterprise IT operation.

What do the people perpetrating the crime, whoever they may be, stand to gain from this?
The motive is purely financial. There has to be a level of trust there, too—if they were going around and taking ransoms and not turning over the keys the whole thing would fall apart, so these are very business-oriented people. They’ve probably made millions of dollars and they’re not going to jeopardize that by being unreliable.

How does it work? How might CryptoLocker slip through traditional security defenses such as antiviral software (AV)?
There’s no actual malware or virus in the initial attachment, so it’s not something that would be detected. It’s a very simple program. Once you double click on that benign-looking attachment, usually sent to you in an email—it might appear as a zipped PDF or an audio file like a voicemail coming from someone you know—it downloads the malware. At that point it’s already bypassed the AV and it’s encrypting files. By the time an AV company figures out the file used, the perpetrators will change it, so AV will detect it after the fact—it won’t prevent it.

What can be done, then, to mitigate or prevent it?
To detect and stop CryptoLocker before it can encrypt all your files, you’d have to have a security solution such as Carbon Black in place, monitoring the system constantly for CryptoLocker-type behavior—not the files used by CryptoLocker per se. Carbon Black is unique because it runs all the time, so you could catch CryptoLocker in the act. It is equally important to ensure that your backups are working. Test them! We’ve had a number of customers who thought their backups were working, only to find out once they became victims that they were wrong. Finally, train employees to be suspicious of attachments; it only takes one click to get infected, and in a large enterprise that’s sharing files and drives, that one click will enable CryptoLocker to access everything. If employees do notice errors or corruption warnings when they try to open files, they should turn their computers off to stop CryptoLocker from working on that system. At that point forensics could pull any unencrypted files from the victim’s drive.
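The behavior-based detection Tanji describes (watch what a process does to files, not which file it is) can be illustrated with a small detector over endpoint file-write events. This is an added example, not code from the original post or from Carbon Black; the log format, the process names and the thresholds are constructed assumptions. It flags any process that rewrites many distinct files with near-random (high-entropy) content inside a short window, which is what mass encryption looks like and what a word processor saving one document does not.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample endpoint events (not real telemetry):
# "<ISO time> <process> <WRITE|RENAME> <path> entropy=<bits per byte>"
SAMPLE_EVENTS = r"""
2013-11-04T09:00:01 winword.exe WRITE C:\Users\a\report.docx entropy=4.9
2013-11-04T09:00:01 winword.exe WRITE C:\Users\a\budget.xlsx entropy=5.2
2013-11-04T09:00:02 unknown.exe WRITE C:\Users\a\report.docx entropy=7.98
2013-11-04T09:00:02 unknown.exe WRITE C:\Users\a\budget.xlsx entropy=7.97
2013-11-04T09:00:03 unknown.exe WRITE C:\Users\a\photo1.jpg entropy=7.99
2013-11-04T09:00:03 unknown.exe WRITE C:\Users\a\photo2.jpg entropy=7.96
2013-11-04T09:00:04 unknown.exe WRITE S:\shared\contracts.pdf entropy=7.99
2013-11-04T09:00:05 unknown.exe RENAME S:\shared\contracts.pdf.encrypted entropy=7.99
2013-11-04T09:00:06 7z.exe WRITE C:\Users\a\backup.7z entropy=7.95
2013-11-04T09:00:07 7z.exe WRITE C:\Users\a\backup2.7z entropy=7.94
"""

EVENT_RE = re.compile(r"^(\S+) (\S+) (WRITE|RENAME) (\S+) entropy=([\d.]+)$")


def parse_events(text):
    """Parse log lines into (timestamp, process, action, path, entropy)."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines
        ts, proc, action, path, ent = m.groups()
        events.append((datetime.fromisoformat(ts), proc, action, path, float(ent)))
    return events


def flag_encryptors(events, window=timedelta(seconds=10), min_files=5, min_entropy=7.5):
    """Return {process: distinct high-entropy files} for processes that touch
    at least min_files distinct files with entropy >= min_entropy within window.
    Archivers also write high-entropy data, so the file-count threshold is what
    separates a compression job from a bulk encryptor; tune it per environment."""
    by_proc = defaultdict(list)
    for ts, proc, _action, path, ent in events:
        if ent >= min_entropy:
            by_proc[proc].append((ts, path))
    flagged = {}
    for proc, hits in by_proc.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):  # sliding window over sorted hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {p for _, p in hits[start:end + 1]}
            if len(distinct) >= min_files:
                flagged[proc] = max(flagged.get(proc, 0), len(distinct))
    return flagged
```

On the sample, only unknown.exe is flagged (six distinct files rewritten with near-8-bit entropy in four seconds); winword.exe and the archiver stay below threshold.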

What steps must be taken to remedy the damage?
Once it’s run, you really only have two options. If you have a backup you can restore your system from that. But if you don’t, you have to pay the ransom demanded, and you won’t get your files back unless you do. Some people have a serious ethical problem with paying the ransom and I don’t disagree, but you have to put your morals and emotions aside in this case—if there are no backups you stand to lose the lifeblood of your business. Calling a security company to do traditional incident response will cost more than the ransom and in the end it won’t help, because no amount of forensics will get the key needed to unlock your files. It’s best to think of it as a business transaction.

Assume you do pay the ransom: what’s the procedure and what’s the typical cost?
The magic of CryptoLocker is that the ransom is always more cost effective than any kind of incident response. If you pay within 72 hours, it’s usually 300 dollars, payable in Bitcoins. Beyond 72 hours the cost goes up. If you call an incident response company they should not charge you any more than a few hundred dollars to help with the transaction and decryption. The perpetrators even provide a program to decrypt the files and maintain an online forum with FAQs to help people having trouble getting their files back.

In summary…
We thank Mr. Tanji for illuminating this tricky emerging threat for the cyber liability insurance industry. We’ve already seen CryptoLocker in action firsthand with several of our clients. The unfortunate reality is that while staff education about threats (e.g., don’t click on email attachments from strangers) can help prevent some attacks, awareness campaigns are not a perfect salve and bad guys will always be able to exploit this weak spot.
