The rise of cyber ransom
Just three days before cyberattackers crippled Sony Pictures, the hackers sent an email to executives Michael Lynton and Amy Pascal that said they would do great damage to the company if they weren’t paid off.
The note, discovered by Mashable, was simple and straightforward, though sketchy on the payment details:
“We’ve got great damage by Sony Pictures.
The compensation for it, monetary compensation we want.
Pay the damage, or Sony Pictures will be bombarded as a whole.
You know us very well. We never wait long.
You’d better behave wisely.
The email has been largely forgotten amid the blur of Sony-related cyberattack coverage, including stories about backstabbing emails and North Korea’s purported role in the hack over the film “The Interview.” But security experts say it’s not unusual for companies to receive emails from hackers who threaten to hold data hostage, or destroy it altogether, if payment isn’t made. In some cases, the attackers do hold systems for ransom and they do get paid.
“Recently we have seen an uprising in ‘cryptolockers’ and [malware that] is referred to as ‘ransomware,’ which allow the criminal to hold assets hostage in exchange for things not attached to the Internet, like the ability to block the release of a movie or even hostage exchange,” says Ryan Wager, director of product management at the security company vArmour.
Just this month, several hospitals were infiltrated by hackers demanding payment. (Hospitals, full of sensitive patient data, have been hit in the past, too.) The criminals’ playbook was pretty much the same as what’s used in most of these attacks. The hackers got in, used a type of ransomware to encrypt files and then demanded payment in return for the key. Here’s how David Wood, co-owner of an Australian medical center that recently got hit, described how it was hacked:
“They literally got in, hijacked the server and then ran their encryption software, ” he said, adding that the data was “secure in the sense that no one’s taken any of it.” A security expert told the news media that the damage was extensive enough that the hospital would probably have to pay.
Security researchers say the use of ransomware has exploded over the past year, largely because the black market for credit card numbers and other personal data is oversupplied. As prices plummet, creative attackers have looked for other ways to make money on lax corporate security.
A few years ago, hackers typically held information on individuals’ laptops for ransom. They still do that, but now they’re targeting small and midsize companies that don’t have the money or know-how to build big security systems. They’re also using employees’ personal laptops to tunnel into bigger networks.
“One of the scariest changes is that attackers are even getting better at getting to your back-up data,” says Marc Maiffret, the chief technology officer at the cybersecurity start-up BeyondTrust. Researchers say hacking groups looking to make more money with ransomware are also selling their services to the highest bidders, essentially, as hacker mercenaries. Maiffret says that’s one reason smaller countries and terrorist groups that traditionally haven’t had a strong cybercriminal presence are showing up more frequently now.
Only an estimated 2 percent to 3 percent of targeted companies pay a ransom, says Sagie Dulce, a data security engineer at Imperva. But even that tiny percentage can mean a lot of money. Dulce says a typical cryptolocker can take in $30 million in only a few months. “As electronic currency becomes more widely used, more people will pay,” he says, noting that most criminals want to be paid in Bitcoin.
The Sony attack made clear that hackers have the ability to do more than just take sensitive data. The increasing popularity of extortion shows that big companies won’t be the only targets. As vArmour’s Wager puts it, “The days of smash and grab attacks to simply steal credit card information and user information are far behind us.” Unless everyone starts thinking defensively, the greatest damage is yet to come.
The author is a Bloomberg View columnist who writes about technology, innovation and the cult and culture of Silicon Valley.
by Katie Benner