How hackers hijack

No one is immune. Call it ransomware, malware or Trojan horses — cybercriminals are finding new ways to make money with your data. Put a plan in place to keep them at bay and your information safe.

About a year ago, the audit and finance committee of the Royal Ottawa Health Care Group’s board of trustees decided that it should explicitly add cybersecurity to its risk management mandate. According to committee chair Bill Tholl, the group retained a large accounting firm to oversee a stress workup that involved a battery of tests.

“We passed,” says Tholl, who is the outgoing president and CEO of HealthCareCAN, the umbrella organization that represents all Canadian hospitals. Royal Ottawa shared its experiences with the Ontario Hospital Association and set about implementing some of the consultant’s recommendations, including better education of new staff and more timely installation of software patches — upgrades released by software vendors that can block the rapidly mutating viruses that circulate with fearsome consequences in the world’s computer networks.

So in mid-May, when the so-called WannaCry ransomware attack locked down hundreds of thousands of computers running older Windows systems around the world, Royal Ottawa found itself in the fortunate position of being a spectator rather than a victim. “We’d done the patch,” Tholl says. “Not everybody did.”

Indeed, among the many victims, NBC reported, hospitals in about a fifth of the UK’s National Health Service regions were hobbled by a form of malware that freezes the computer and issues a demand for a ransom payment — in this case, up to US$600. The attack led to the cancellation of thousands of appointments and operations and lasted for days until a 22-year-old cybersecurity expert discovered WannaCry’s so-called kill switch.

As the crisis played out and the virus spread around the world, Microsoft disclosed that WannaCry was based on some code that had been stolen from the National Security Agency, one of the US’s secretive spying agencies.

But many Canadian hospitals, Tholl notes, also ducked the bullet because most still haven’t gotten to the point where physicians and patients can access their (relatively recently created) electronic health records (EHR) from the Internet. While interoperability is seen as the end-goal of the multi-year-long push to set up EHRs for patients across Canada, the lack of connectivity, plus the patches, supplied the sort of cyber-immunization that other systems in other countries didn’t have.

Cybersecurity experts hope the WannaCry ransomware attack is a wake-up call, especially in sectors such as healthcare, which is particularly vulnerable because hospital networks tend to have so many devices of varying ages. “This was one of the most virulent attacks we’ve seen in a long time,” says Matt Anthony, vice-president of incident response at Herjavec Group. Duncan Stewart, Deloitte Canada’s director of technology, media and telecommunications research, thinks executives have begun to take notice, saying that he fielded several requests from IT managers begging him to really push the message about how organizations need to take these threats more seriously. “Our CEO is unable to use his computer,” said one desperate note he received during the onslaught.

The WannaCry attack could in fact mark a critical moment in the evolution of cybercrime. While computer network security has long been a preoccupation of IT experts and corporate risk-management executives, public perception of the magnitude and consequences of the ransomware threat is relatively recent. Growing awareness may be linked to a significant uptick in the number of incidents in the past few years. According to software security giant Symantec, ransomware attacks detected by its systems doubled between 2013 and 2014, reaching 8.8 million that year. The growth curve is exponential: during May’s WannaCry incursions, Symantec blocked 22 million attempted attacks.

The reason for the shift, explains Anthony, is the profit motive for cybercriminals who’ve seen the return from other forms of hacking wane. “Ransomware is the tool they’re using to monetize attacks.” What’s more, the increased use of bitcoin — the digital peer-to-peer currency introduced in 2009 — has made this kind of shakedown scheme much easier to perpetrate because there are no intermediaries in exchanges, and therefore the parties are harder to trace. “That has become the engine of ransomware,” he says.

THE EVOLUTION OF RANSOMWARE

The earliest reports of ransomware as a subspecies of computer virus surfaced in the mid-2000s with heightened public concern about spyware. With computer users and network administrators fretting about incursions by viruses programmed to detect what the user was doing, cybercrime groups and hackers engineered a new virus that would appear as a free (but fake) anti-spyware download. A user would then be asked to pay for subscriptions.

By the early 2010s, with the advent of bitcoin, ransomware had evolved into something more malicious. According to eWeek, a computer journal, the malware platform Citadel distributed a form of ransomware called Reveton that would lock a user’s computer and then display a message demanding a relatively modest sum to unlock the system and the data files. The freezing mechanism is a complex encryption code; the cybercrime groups that deploy ransomware frequently threaten victims by notifying them that the code to decrypt the data will be destroyed, rendering the data permanently inaccessible.

Ransomware code, like many other forms of computer viruses, became widely available on the so-called dark net, with as many as 44,000 new samples emerging each day. According to Anthony, many types of ransomware can now spread without the usual types of incursions, such as email-based phishing or links to infected websites.

Some variants proved to be very effective at prompting victims to take panicked steps to pay the ransom. A common one: a message purporting to be from the FBI suddenly pops up on the user’s screen, saying the computer has been frozen because of illegal Internet activity, such as downloading child porn. In some cases, the notification will include a recent photo of the user taken from the computer’s webcam. The user is then directed to a website for payment, but the secondary site may also be infected with other Trojan viruses.

TO PAY OR NOT TO PAY

The question of whether or not to pay the ransom is a key issue in this form of cybercrime. Most ransom demands tend to be modest — a few hundred dollars — and the criminal organizations behind such schemes make their money using a volume model. Anthony says he never advises his clients to pay and points out that a payment hardly guarantees that users will regain access to their frozen files. (The profitability of ransomware may have waned: while earlier attacks netted millions or tens of millions, estimates of the WannaCry haul were much lower.)

Others say the decision is more complicated. “It’s not an easy question to answer,” says KPMG Canada cybersecurity partner Yassir Bellout. “Personally, I wouldn’t pay, but it’s not my decision to make. It has to be a corporate decision based on risk and what preparation you’ve done before.” He adds that if a company does decide to pay, an accountant should be consulted to answer such questions as how the transaction will be made and whether it would be expensed.

Most of Bellout’s clients don’t pay, but that choice is partly a function of their preparedness: depending on whether they have adequate backup and recovery systems in place, or cyber insurance, which is a relatively new underwriting product that often requires customers to have fulfilled a number of preventative measures.

Ransomware experts also warn that companies or individuals who’ve been shaken down for a few hundred or thousand dollars will get little help from law enforcement agencies, which field huge volumes of complaints but often lack the resources or jurisdiction to track the perpetrators. (Bellout says that cybercriminals are rarely caught.)

HOW TO PREPARE

Sufficient preparation is the best form of security. That includes frequently updated and patched software and operating systems, especially for Windows devices. Education, experts say, is crucial: just as employees are urged not to click on links or open attachments in unknown emails, or use dubious thumb drives in company devices, Stewart says the critical behaviour to prevent ransomware attacks is for users to ensure that their automatic software updates function is on. To do otherwise is like turning off the smoke detector in the kitchen.

Anthony points out that the latest ransomware viruses spread through a previously undetected Windows vulnerability, a so-called server message block that left the file transfer protocols exposed — essentially, an unlocked back door.

But installing a patch, as both Stewart and Anthony point out, isn’t enough: organizations need to ensure that they’ve got functioning and up-to-date backup systems that aren’t infected, and that their recovery measures have been tested to ensure they actually work. They also need to be diligent about ensuring that employees take the necessary measures, especially if they are using personal mobile devices that communicate with company computers. Older Android phones with dated operating systems should be a particular focus as a potential source of vulnerability (Apple’s iPhones are less likely to be running on out-moded software).

As Stewart notes, the WannaCry attack highlights the dangers of ransomware. Network administrators and executives should also be aware that mobile devices are not immune to ransomware attacks, and can serve as a conduit, allowing these viruses to infiltrate a firm’s networks and hold valuable data hostage.

For organizations that have invested in robust security, the WannaCry event proved to be a moment when they could reap the benefits of those fire drills. “You get to test your security systems and that’s always useful,” says Anne Marie Aikins, a spokesperson for Metrolinx, the Greater Toronto and Hamilton transit agency. As soon as word began to circulate about the WannaCry attacks, the agency’s security team started looking for patches and monitoring how recently installed security protocols functioned. Metrolinx’s defences worked but, as Aikins adds, the agency knows the threat will continue to evolve.

Although Stewart concedes that previous high-profile cyber-attacks didn’t produce sustained changes in behaviours, he has heard from many clients who have told him that they’ve realized they need to replace creaky network software. “Everybody is thinking, should I be using an eight-year-old operating system? I’m hearing people saying, I’m going to upgrade in the next 12 months.”

Despite the reduced profitability of the May attack, KPMG’s Bellout describes ransomware as a cybercrime trend with plenty of staying power. “WannaCry is far from being the last attack. It’s clear [this episode] is not the end.”