A hospital in Southern California made news last week after being the victim of ransomware for 10 days. Hollywood Presbyterian was only able to regain access to its electronic medical records (EMR) system after paying 40 bitcoins, or roughly $17K.
Sophos put the impact of the ransomware on Hollywood Presbyterian bluntly: "This was no joke: ambulances were diverted, electronic medical records disappeared, email was unavailable, and there was no access to X-ray or CT scan information. Radiation and oncology departments apparently pretty much shut down; their employees apparently banned from even turning on their computers."
This is the most recent example of what will likely be a popular business model among cybercriminals—holding a network hostage to extort payment, instead of harvesting valuable data and selling it on the secondary market.
One of the reasons why this is likely a growing business model is the easy availability of the Ransomware as a Service (RaaS), which makes it very easy individuals or groups to rent the infrastructure required to compromise a network and hold it hostage. The cybercriminals know that very few businesses could stay in business after losing access to their essential data and systems, like Hollywood Presbyterian.
Impact on you
- Ransomware is a growing threat: The FBI's Internet Crime Complaint Center reported between April 2014 and June 2015 it had received almost 1,000 "ransomware" complaints, costing victims more than $18 million in losses.
- Ransomware typically compromises a network via a phishing attack. Phishing attacks are still a popular method because they continue to succeed. According to the 2015 Verizon Data Breach Report, “…a campaign of just 10 e-mails yields a greater than 90% chance that at least one person will become the criminal’s prey…”
- Based on information posted on LinkedIn, Facebook, and other social media, it’s likely that a focused cybercriminal could quickly determine whom to impersonate in your organization to fool the targeted employees into opening malware-carrying email.
How AlienVault Helps
The LevelBlue Labs team continues to research and update the ability of USM to detect ransomware-related activity. Last week, the Labs team updated the USM platform’s ability to detect several families of ransomware by adding IDS signatures to detect the malicious traffic on your network and correlation directives to link events from across your network that indicate systems compromised by ransomware.
These ransomware updates are included in the latest AlienVault Threat Intelligence update available now:
New Detection Technique - Ransomware
The LevelBlue Labs team added the following correlation rules and IDS signatures to detect new ransomware families:
- System Compromise, Ransomware infection, JobCrypter
- System Compromise, Ransomware infection, Pottieq
In addition to that, the team updated some rules and added new IDS signatures to improve the detection of previously known ransomware families:
- System Compromise, Ransomware infection, Alphacrypt
- System Compromise, Ransomware infection, Teslacrypt
- System Compromise, Ransomware infection, HydraCrypt
- System Compromise, Ransomware infection, JobCrypter
- System Compromise, Ransomware infection, Pottieq
For more information on a wide range of ransomware families, visit the AlienVault Open Threat Exchange (OTX) to see the research the OTX community has contributed:
https://otx.alienvault.com/browse/pulses/?q=ransomware&sort=-created
