Cyber Warfare: Could It Be in Our Future?

Published with Permission by:
Lint, James R., “Cyber Warfare: Could It Be in Our Future?”, In Cyber Defense, 20 Apr. 2017, Web, http://incyberdefense.com/james-lint/cyber-warfare-future/

By James Lint
Faculty Member, School of Business, American Military University
Senior Editor for In Cyber Defense and Contributor, In Homeland Security

Last week, the Army published a new, unclassified document, Army Field Manual 3-12, Cyberspace and Electronic Warfare Operations. Read closely, the manual suggests that U.S. cyber superiority is not as secure as we like to believe.

The foreword of FM 3-12 says that in the past decade, “U.S. forces dominated cyberspace and the electromagnetic spectrum (EMS) in Afghanistan and Iraq against enemies and adversaries lacking the technical capabilities to challenge our superiority in cyberspace.” Unfortunately, this manual also gives bad news, stating “However, regional peers have since demonstrated impressive capabilities in a hybrid operational environment that threaten the Army’s dominance in cyberspace and the EMS.”

What is the significance of this statement? It means that the threat to our dominance of cyberspace no longer comes only from the leading powers, Russia and China. Smaller and economically weaker countries such as North Korea and Iran now have the opportunity to wage cyber warfare as well.

Cyber Warfare Today Is Cheaper for Smaller Countries

The world has changed, and many countries are investing in the brainpower needed for the relatively cheap weaponry of cyberspace. For comparison, an M1 main battle tank cost $6.21 million per unit in 1999. Ten cyber warriors (the people we called geeks two decades ago) cost a great deal less.

Cyber warfare can damage both defense and civilian infrastructure. Countries with smaller budgets can now field forces able to hurt the U.S. population and slow military deployments.

In the past, cyber warriors would have been a source of comedy, but not today. M1 tank crews are well known for their swagger, but now it is the hackers who can do operational or strategic damage, while a tank crew can only influence a tactical battlefield.

Examples of Strategic Hacking

Ukraine was the target of two large power disruptions, in December 2015 and December 2016, each affecting on the order of 100,000 to 225,000 people. The December 2015 attack alone cut power to about 225,000 customers; Sandworm, a group linked to Russia, was the suspected attacker. The hackers denied people heat in the middle of a cold Ukrainian winter.

The 2014 hack of Sony Pictures cost Sony about $35 million in investigation and information technology repairs. Had the same attack hit a government or military organization, the direct cost would have been just as high. Imagine an attack on a government or military research and development site: the price could easily match the Sony hack, and the stolen or destroyed work could erode future national security and combat superiority at the same time. An attack on a government organization is not only expensive; it can have a huge effect on a country’s future.

US Readying Its Ability to Fight Cyber Wars

U.S. cyber leaders and the U.S. uniformed forces’ cyber commands are growing their cyber-fighting capabilities. With the publication of this new cyber field manual, the U.S. military has clearly recognized that cyber is a warfighting domain.

About the Author

James R. Lint recently retired as the (GG-15) civilian director for intelligence and security, G2, U.S. Army Communications Electronics Command. He is an adjunct professor at AMU. James has been involved in cyberespionage events from just after the turn of the century in Korea supporting 1st Signal Brigade to the DHS Office of Intelligence and Analysis as the first government cyber intelligence analyst. He has 38 years of experience in military intelligence with the U.S. Marine Corps, U.S. Army, government contracting and civil service.

Additionally, James started the Lint Center for National Security Studies, a nonprofit charity that recently awarded its 45th scholarship for national security students and professionals. James was also elected as the 2015 national vice president for the Military Intelligence Corps Association. He has also served in the Department of Energy’s S&S Security Office after his active military career in the Marine Corps for seven years and 14 years in the Army. His military assignments include South Korea, Germany and Cuba, in addition to numerous CONUS locations. James has authored a book published in 2013, “Leadership and Management Lessons Learned,” a book published in 2016, “8 Eyes on Korea, A Travel Perspective of Seoul, Korea,” and a new book in 2017, “Secrets to Getting a Federal Government Job.”

Ransomware Could Escalate into Strategic Attacks on the US

Published with Permission by:
Lint, James R., “Ransomware Could Escalate into Strategic Attacks on the US”, In Cyber Defense, 10 Apr. 2017, Web, http://incyberdefense.com/news/ransomware-escalate-strategic-attacks-us/

By James Lint
Faculty Member, School of Business, American Military University
Senior Editor for In Cyber Defense and Contributor, In Homeland Security

After writing a series of articles on ransomware, I started thinking about how ransomware could be used in a strategic, nationwide attack rather than the attacks we have seen so far on business and personal computers. A hospital’s $17,000 payout to ransomware thieves is considered big news; the consequences of a national ransomware attack on U.S. computers would be far more devastating.

Taking the tactical attack to the next logical level means a strategic attack that is bigger in impact and payout. Remember, the 9/11 Commission Final Report stated that the “most important failure” leading to the attacks was “one of imagination.” It concluded, “We do not believe leaders understood the gravity of the threat.”

Former New Jersey Governor Tom Kean, the chairman of the 9/11 Commission, said: “[The attackers] penetrated the defenses of the most powerful nation in the world. They inflicted unbearable trauma on our people, and at the same time, they turned the international order upside down.”

Are we again failing to use our imagination? What would be the worst-case scenario involving ransomware, a hackers’ tool that grew explosively in 2016-17? This type of thinking sounds like a depressing way to make a living, but it is exactly what our nation’s intelligence analysts must think about and anticipate. Thinking the way an enemy thinks requires special training, and that training must continually improve.

What If Hackers Were Able to Control a Vital US Installation?

Joseph Marks, writing in NextGov, discussed the potential of hackers holding government infrastructure hostage. “If hackers were able to seize the controls of a critical infrastructure asset such as a dam or airport where they could cause major property destruction and loss of life, the ransom demand could be huge, [McAfee Chief Technology Officer Steve] Grobman said, and there’s a good chance the asset owner or the government would have to pay up.”

What would happen if the attack came from someone other than a conventional criminal hacker? Suppose the attacker was a nation-state or terrorist group that took control of a major dam and demanded that the U.S. government pay a ransom to prevent an area or town from being flooded? What if a small country wanted money to turn the electricity back on in New York City after an outage caused by ransomware?

In March 2016, Bloomberg Technology reported, “Hackers linked to the Iranian government launched cyber-attacks on some four dozen U.S. financial institutions and a flood-control dam north of New York City in forays meant to undermine U.S. markets and national security, according to federal prosecutors.”

Beginning in 2011, Iran-based hackers targeted the New York Stock Exchange, NASDAQ, Bank of America Corp., JPMorgan Chase & Co. and AT&T Inc. “One of them gained unauthorized remote access to a computer controlling the Bowman Avenue Dam in Rye, New York, for about three weeks beginning in 2013, according to the indictment,” the article reported.

The hackers were thought to be working for the Tehran government and the Islamic Revolutionary Guard Corps, a well-disciplined military organization. Following the indictments, the United States placed sanctions on Iran.

Now Is the Time to Prepare for a Strategic Ransomware Attack

Chinese military hackers have been indicted by the United States, and sanctions have been levied against North Korea for hacking. A number of countries have already studied our networks. So far, most of the focus has been on tactical ransomware against businesses and individuals. It does not take a lot of imagination to see the potential impact of a strategic attack on our nation’s infrastructure.

The impact of a strategic attack is huge. Now is the time to prepare for a ransomware attack from a wily enemy, its aftermath and crisis management. Let’s not be guilty of another “failure of imagination.”


Handling a Ransomware Attack When It Happens

Published with Permission by:
Lint, James R. & Kim, Dr. Yoohwan, “Handling a Ransomware Attack When It Happens”, In Cyber Defense, 05 Apr. 2017, Web, http://incyberdefense.com/james-lint/handling-ransomware-attack-happens/

By James Lint
Faculty Member, School of Business, American Military University
Senior Editor for In Cyber Defense and Contributor, In Homeland Security

Co-Authored by Yoohwan Kim, Ph.D.
CISSP, CISA, CEH, CPT; Associate Professor, Computer Science Department, University of Nevada, Las Vegas

This is the fifth article in a series on ransomware. 

When ransomware hits your computer system, your first question will be: Can the attack be stopped? You may want to scream, “Do something!”, but that is only effective if your business has an IT team that has kept up with the constantly changing ransomware landscape and can manage the attack properly. For some businesses, this type of data loss also destroys intellectual property and reputation.

Next, find out whether your business data has been backed up. If it has, you hold an advantage over the attacker, because a backup is the one reliable route to recovering your data without paying. The extra cost of a backup system is easy to resent until the day you need it.

If you have neither an IT team nor backups of your data, you face a decision: pay the ransom or lose your files permanently. Keep in mind that paying is no guarantee that a working decryption key will ever arrive.

After an attack begins, the ransomware needs time to encrypt all of your files. By the time the ransom note pops up on your screen, the encryption is already done and it is too late to thwart the attack.

Still, all may not be lost, especially if you do not wait to be attacked.

Mitigating Damage from a Ransomware Attack

There are several actions you can take to handle a ransomware attack. These steps will help you to detect when ransomware first infects your computer and to minimize the damage ransomware causes.

Discovery Tactics

  • Bring in a ransomware specialist to check your system against a list of previously known ransomware programs and the telltale files each one leaves behind. The specialist can search for these files on your computer and remove them. This technique may work for older, well-documented ransomware families, but the search is only good until one of your employees clicks a link in the next ransomware email.
  • Have the specialist scan the system for other suspicious files that do not normally belong there, such as an unexplained executable with a name like “ransom.exe.”
  • Keep a large junk file, such as a big, picture-heavy PowerPoint, in the C:\ directory and open it often to see whether the images are still present. In some ransomware infections the images will be gone once the PowerPoint has been encrypted, so the file works as an early warning that your computer is under attack.

Delay and Recovery Tactics

  • If you accidentally clicked a link that downloaded ransomware and your machine appears to be starting the encryption process, try changing the extensions of your important files so they no longer match what the ransomware is hunting for. For example, a .pdf extension could be changed to .myp to hide the file from a ransomware search. Some system owners write an emergency script to do this in bulk, but such a script has to be prepared in advance.
  • You can also try a ransomware recovery tool. Whether it works depends on which ransomware family, and which version of it, infected your computer.
  • Try to delay the attack; fully encrypting and locking a large system can take up to 12 hours. Many ransomware programs walk the C:\ drive directory by directory, often in alphanumeric order, so large junk files that sort early in the C:\ directory slow the attack on your good, useful files and give you more time to cope with the situation.
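One way to implement the canary-file idea above (the junk file you open to see whether it still renders, and the decoy that sorts first on the C:\ drive), as an added example that is not from the article or its authors: the script plants two decoys with genuine file headers, records their hashes, and re-checks them for the three signs an encryptor leaves behind, namely the file vanished or was renamed, its format header is gone, or its content is now near-random. The decoy names, sizes, the 7.5 bits-per-byte entropy threshold and the simulated encryptor are all assumptions made for the example; against a real directory you would call plant_canaries once and check_canaries on a schedule.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Decoy files that sort first and last in a directory listing, so an encryptor
# that walks the drive in alphanumeric order reaches one of them early.
# Names, sizes and the entropy threshold are assumptions for this example.
CANARY_NAMES = ("000_canary.pptx", "zzz_canary.pdf")
MAGIC = {".pptx": b"PK\x03\x04", ".pdf": b"%PDF-1.4"}   # real-format headers
ENTROPY_ALERT = 7.5   # bits per byte; office documents sit well below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Ciphertext approaches 8.0; text stays low."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canaries(directory: str, size: int = 64 * 1024) -> dict:
    """Write the decoys with genuine file headers; return name -> sha256."""
    baseline = {}
    for name in CANARY_NAMES:
        magic = MAGIC[os.path.splitext(name)[1]]
        filler = (b"canary slide text " * (size // 18 + 1))[: size - len(magic)]
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(magic + filler)
        baseline[name] = sha256_file(path)
    return baseline


def check_canaries(directory: str, baseline: dict) -> dict:
    """Return {name: [reasons]} for every canary that no longer looks intact."""
    alerts = {}
    for name, expected in baseline.items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            alerts[name] = ["missing or renamed"]     # e.g. now name.locked
            continue
        if sha256_file(path) == expected:
            continue
        reasons = ["content changed"]
        with open(path, "rb") as f:
            data = f.read()
        if not data.startswith(MAGIC[os.path.splitext(name)[1]]):
            reasons.append("magic bytes gone")
        entropy = shannon_entropy(data)
        if entropy > ENTROPY_ALERT:
            reasons.append(f"entropy {entropy:.2f} looks encrypted")
        alerts[name] = reasons
    return alerts


def simulate_encryptor(directory: str) -> None:
    """Stand-in for ransomware: overwrite one decoy in place, rename the other."""
    first, second = (os.path.join(directory, n) for n in CANARY_NAMES)
    with open(first, "wb") as f:
        f.write(os.urandom(64 * 1024))
    os.rename(second, second + ".locked")


def demo() -> dict:
    """Plant, verify quiet, 'encrypt', then re-check. Returns the alerts raised."""
    with tempfile.TemporaryDirectory() as d:
        base = plant_canaries(d)
        assert check_canaries(d, base) == {}       # intact files raise nothing
        simulate_encryptor(d)
        return check_canaries(d, base)


if __name__ == "__main__":
    for name, why in demo().items():
        print(f"ALERT {name}: {', '.join(why)}")
```

Polling from a scheduled task every minute is the simplest deployment; a file-system watcher that reacts to the first write on a canary is faster. Either way the response (killing the offending process, disconnecting network shares) has to be automated to be worth anything, because by the time a person reads the alert the encryptor has moved on to real files.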

It is important to remain calm, even though that is not easy during an attack. Ransomware may block the usual ways of shutting down the machine, such as the Ctrl-Alt-Delete screen or the Control Panel, which adds to the frustration.

Also, remember that it is important to keep up with ransomware’s evolution. Ransomware authors are smart people who change their programs to defeat the techniques used to slow them down.

Other Ways to Prevent and Recover from Ransomware Attacks

The simplest prevention method is to back up your files before you have any problems. If your backups are done correctly, you can return to normal operations with 95% or more of your files. The best technique is to keep multiple versions of your files over time, so you can recover a version from before the malware or ransomware arrived.

External hard drives are also vulnerable to ransomware, because anything mounted with write access when the malware runs gets encrypted along with everything else. So if you back up to an external drive, connect it only while the backup runs. Keeping the drive disconnected whenever possible prevents the ransomware from jumping onto it.

If you have multiple drives with multiple versions of your files, then you may be able to go to another backup system to restore your files. Ideally, your backup system should be off-site in case of fire, which could destroy your computer and backup files.

Writable DVDs can also be used for backups. Although DVD backups require many discs given the size of today’s hard drives, they offer storage that ransomware cannot touch, because users normally remove the disc after use. DVDs are also easy to move to another site for storage; some businesses and professionals, such as attorneys, keep them in a bank safe deposit box.

Network-attached storage with automated backups is another option. It must be set up by an IT professional and maintained as an ongoing business cost, and a backup share that stays mounted with write access from every workstation is as exposed to ransomware as a local drive, so the backup target should not be reachable as an ordinary network share.

Cloud storage services are an option, depending on whether the service keeps old versions of your files. If a cloud provider stores only one version of each file, the encrypted copies will simply sync over your good ones.

Larger cloud storage companies, such as Google Drive, Dropbox, Amazon, Backblaze and CrashPlan, keep multiple versions of your files. The file history is usually available as well.

One exception, at the time of writing, is the consumer edition of Microsoft OneDrive, which does not keep a file history and is therefore a poor defense against ransomware. (OneDrive for Business does keep a version history for recovering older copies of files.)
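The versioned, write-once backup the paragraphs above call for, as an added example that is not from the article or its authors: a small content-addressed store in which every snapshot is a manifest of file hashes and each file body is written once and marked read-only, so a later backup of encrypted files cannot overwrite the good versions. The demo backs up a constructed document, lets a stand-in for ransomware overwrite and rename it, backs up again, and then shows that the newest snapshot holds only the locked file while a restore to any time before the attack returns the original. The directory layout, snapshot ids and sample document are assumptions made for the example.

```python
import hashlib
import json
import os
import tempfile


class VersionedBackup:
    """Append-only, content-addressed backup store.

    Each snapshot is a manifest {relative path: sha256}. File contents live in
    blobs/<sha256>, written once and marked read-only, so a later snapshot of an
    encrypted file adds a new blob instead of replacing the good one. That is the
    property a single-version backup (or a plain mirror) lacks.
    """

    def __init__(self, root: str):
        self.blobs = os.path.join(root, "blobs")
        self.snaps = os.path.join(root, "snapshots")
        os.makedirs(self.blobs, exist_ok=True)
        os.makedirs(self.snaps, exist_ok=True)

    def snapshot(self, source_dir: str, taken_at: float) -> str:
        """Record every file under source_dir; return the new snapshot id."""
        manifest = {}
        for dirpath, _, files in os.walk(source_dir):
            for name in files:
                full = os.path.join(dirpath, name)
                with open(full, "rb") as f:
                    data = f.read()
                digest = hashlib.sha256(data).hexdigest()
                blob = os.path.join(self.blobs, digest)
                if not os.path.exists(blob):          # never overwrite a blob
                    with open(blob, "wb") as f:
                        f.write(data)
                    os.chmod(blob, 0o444)
                manifest[os.path.relpath(full, source_dir)] = digest
        snap_id = f"{len(os.listdir(self.snaps)) + 1:04d}"
        with open(os.path.join(self.snaps, snap_id + ".json"), "w") as f:
            json.dump({"taken_at": taken_at, "files": manifest}, f)
        return snap_id

    def snapshots(self) -> list:
        """All (id, taken_at, manifest) tuples, oldest first."""
        out = []
        for name in sorted(os.listdir(self.snaps)):
            with open(os.path.join(self.snaps, name)) as f:
                meta = json.load(f)
            out.append((name[:-5], meta["taken_at"], meta["files"]))
        return out

    def restore(self, dest_dir: str, before=None) -> str:
        """Write out the newest snapshot taken at or before `before` (default: newest).

        Every blob is re-hashed on the way out, so a tampered or damaged store
        fails loudly instead of silently restoring garbage.
        """
        candidates = [s for s in self.snapshots() if before is None or s[1] <= before]
        if not candidates:
            raise LookupError("no snapshot old enough")
        snap_id, _, files = max(candidates, key=lambda s: s[1])
        for rel, digest in files.items():
            with open(os.path.join(self.blobs, digest), "rb") as f:
                data = f.read()
            if hashlib.sha256(data).hexdigest() != digest:
                raise ValueError(f"blob {digest} is corrupt or tampered with")
            target = os.path.join(dest_dir, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(data)
        return snap_id


GOOD_CONTENT = b"quarterly numbers (constructed sample document)"


def demo() -> dict:
    """Back up, get 'encrypted', back up again, then roll back to the good copy."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "docs")
        os.makedirs(os.path.join(src, "q1"))
        report = os.path.join(src, "q1", "report.docx")
        with open(report, "wb") as f:
            f.write(GOOD_CONTENT)
        store = VersionedBackup(os.path.join(work, "store"))
        store.snapshot(src, taken_at=1000.0)            # the good copy

        # Stand-in for ransomware: overwrite the document and rename it.
        with open(report, "wb") as f:
            f.write(os.urandom(64))
        os.rename(report, report + ".locked")
        store.snapshot(src, taken_at=2000.0)            # encrypted copy, kept alongside

        latest = os.path.join(work, "latest")
        rolled_back = os.path.join(work, "rolled_back")
        newest_id = store.restore(latest)                # what a one-version backup gives you
        good_id = store.restore(rolled_back, before=1500.0)
        with open(os.path.join(rolled_back, "q1", "report.docx"), "rb") as f:
            recovered = f.read()
        return {
            "newest_snapshot": newest_id,
            "rollback_snapshot": good_id,
            "newest_has_locked_file": os.path.exists(
                os.path.join(latest, "q1", "report.docx.locked")),
            "rollback_content": recovered,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The read-only bit on blobs only stops careless overwrites by the backup job itself; a ransomware process running with the same rights can still delete the store, which is why the store belongs on a drive that is disconnected or on a server the workstations cannot write to directly.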

Prevent Ransomware from Ruining Your Day

When ransomware attacks your computer or your system, it’s going to be a bad day. How bad that day is depends on how well you’ve backed up your files beforehand and whether or not those files are securely stored off-site.

Backing up your files is good insurance against ransomware and also helpful if your office is affected by fire or flooding. While it costs money, time and effort to back up your files and maintain your security, the extra security leaves you with greater peace of mind.

Stay secure!

[Related articles: Ransomware Targets Continue to Pay Hackers, Ransomware: Its History and Evolution, Ransomware Is Everywhere, So Protect All of Your Electronic Devices, and Ransomware: Its Aftermath and Payment Process]

About the Authors

James R. Lint recently retired as the (GG-15) civilian director for intelligence and security, G2, U.S. Army Communications Electronics Command. He is an adjunct professor at AMU. James has been involved in cyberespionage events from just after the turn of the century in Korea supporting 1st Signal Brigade to the DHS Office of Intelligence and Analysis as the first government cyber intelligence analyst. He has 38 years of experience in military intelligence with the U.S. Marine Corps, U.S. Army, government contracting and civil service.

Additionally, James started the Lint Center for National Security Studies, a nonprofit charity that recently awarded its 45th scholarship for national security students and professionals. James was also elected as the 2015 national vice president for the Military Intelligence Corps Association. He has also served in the Department of Energy’s S&S Security Office after his active military career in the Marine Corps for seven years and 14 years in the Army. His military assignments include South Korea, Germany and Cuba, in addition to numerous CONUS locations. James has authored a book published in 2013, “Leadership and Management Lessons Learned,” a book published in 2016 “8 Eyes on Korea, A Travel Perspective of Seoul, Korea,” and a new book in 2017, Secrets to Getting a Federal Government Job.”

Dr. Yoohwan Kim is an Associate Professor in the Department of Computer Science at the University of Nevada Las Vegas (UNLV). He received his Ph.D. degree from Case Western Reserve University in 2003 in the area of network security (DDoS attack mitigation). His research expertise includes secure network protocols, unmanned aircraft systems (UAS) communications and cyber-physical system (CPS) security. He has published over 90 papers in peer-reviewed journals and conferences, and has six patents granted or pending. His research has been sponsored by Microsoft Research, the U.S. Air Force, Naval Air Warfare Center, Oak Ridge National Laboratory, National Security Technologies and the National Science Foundation. Before joining UNLV, he had broad experience in the IT industry as a management information system consultant at Andersen Consulting (now Accenture), a database programmer at Cleveland Clinic Foundation, a software engineer at Lucent Technologies and his own start-up company. 

Ransomware: Its Aftermath and Payment Process

Published with Permission by:
Lint, James R. & Kim, Dr. Yoohwan, “Ransomware: Its Aftermath and Payment Process”, In Cyber Defense, 31 Mar. 2017, Web, http://incyberdefense.com/james-lint/ransomware-aftermath-payment-process/

By James Lint
Faculty Member, School of Business, American Military University
Senior Editor for In Cyber Defense and Contributor, In Homeland Security

Co-Authored by Yoohwan Kim, Ph.D.
CISSP, CISA, CEH, CPT; Associate Professor, Computer Science Department, University of Nevada, Las Vegas

This is the fourth article in a series on ransomware. 

After a ransomware attack, you must assess the damage to your system. You also need to understand how attackers expect to be paid, whether or not you intend to pay.

If your antivirus software has stopped working or has been deleted by the attacker, it is too late to protect your computer. Hackers often disable antivirus protection early, hoping to use your computer as a spam bot or to spread malware to new victims. Both activities add to a hostile actor’s income, and your machine or contact list may be used to spread ransomware as well.

Operating System Programs Often Stop Working after Ransomware Attack

When a computer has been taken over by ransomware, some operating system functions often become inoperable. The Ctrl-Alt-Delete sequence that normally reaches Task Manager and the restart option may no longer work, so you cannot use it to get around the ransomware.

In addition, you may not even be able to open the Control Panel. There are many different types of ransomware, but these are examples of the functions you can lose when a hacker takes control of your computer system.

The machine may no longer let you boot into safe mode to cripple the ransomware or to bring in tools that negate its effects.

Ransomware may block operating system updates, so a software vendor cannot push a fix that would render the ransomware ineffective.

Ransomware also deletes Windows restore points and Volume Shadow Copies, so you cannot roll the computer back to a time before the attack.
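The shadow-copy deletion above is one of the few ransomware behaviours that can be caught before the ransom note appears, because it shows up as an ordinary process launch. Below is an added example, not from the article, of the detection logic run over a few constructed process-creation records in a simplified one-line-per-event format. The commands it looks for (vssadmin delete shadows, wmic shadowcopy delete, bcdedit disabling recovery, wbadmin delete catalog) are assumed indicators taken from public ransomware reporting, not from this article; the log format, host names and user names are invented for the example.

```python
import re
from datetime import datetime

# Process-creation records in a constructed, simplified format. Real Sysmon or
# EDR logs carry the same fields (time, host, user, parent, command line).
SAMPLE_LOG = r"""
2017-04-02T09:00:00Z host=SRV-01 user=backupsvc parent=cmd.exe cmd="vssadmin list shadows"
2017-04-02T10:15:03Z host=WS-07 user=jsmith parent=winword.exe cmd="vssadmin.exe delete shadows /all /quiet"
2017-04-02T10:15:04Z host=WS-07 user=jsmith parent=winword.exe cmd="wmic shadowcopy delete"
2017-04-02T10:15:05Z host=WS-07 user=jsmith parent=winword.exe cmd="bcdedit /set {default} recoveryenabled No"
2017-04-02T11:30:00Z host=SRV-01 user=admin parent=mmc.exe cmd="vssadmin Resize ShadowStorage /For=C: /On=C: /MaxSize=401MB"
2017-04-02T12:00:00Z host=WS-07 user=jsmith parent=explorer.exe cmd="notepad.exe C:\Users\jsmith\README.txt"
this line is malformed and must be skipped, not crash the scanner
"""

# Commands that destroy restore points and shadow copies or disable Windows
# recovery. Assumed indicators drawn from public ransomware reporting; the
# article itself names no specific commands.
RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin shrink shadow storage",
     re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b.*/maxsize=", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog", re.I)),
]
# A document-handling parent spawning these is the classic macro-dropper pattern.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)'
    r'\s+parent=(?P<parent>\S+)\s+cmd="(?P<cmd>.*)"$'
)


def parse_line(line: str):
    """Return the record's fields as a dict, or None for anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def scan(lines) -> list:
    """Match every record against RULES; severity rises when an Office app is the parent."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for rule_name, pattern in RULES:
            if pattern.search(rec["cmd"]):
                severity = "high" if rec["parent"].lower() in OFFICE_PARENTS else "medium"
                findings.append({**rec, "rule": rule_name, "severity": severity})
    return findings


def hosts_under_attack(findings: list, window_seconds: int = 60) -> set:
    """Hosts where two or more distinct rules fired within the window.

    One such command may be an administrator; a burst of them is the
    ransomware playbook right before encryption starts.
    """
    flagged = set()
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], []).append(f)
    for host, hits in by_host.items():
        hits.sort(key=lambda f: f["ts"])
        for i, first in enumerate(hits):
            rules = {first["rule"]}
            for later in hits[i + 1:]:
                if (later["ts"] - first["ts"]).total_seconds() > window_seconds:
                    break
                rules.add(later["rule"])
            if len(rules) >= 2:
                flagged.add(host)
                break
    return flagged


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f'{f["ts"]:%H:%M:%S} {f["host"]:6} {f["severity"]:6} {f["rule"]}  <- {f["cmd"]}')
    print("hosts under attack:", hosts_under_attack(hits))
```

On the sample, the three commands launched from winword.exe on WS-07 within two seconds are rated high and the host is flagged, while the lone shadow-storage resize from mmc.exe on SRV-01 is logged at medium and left for an analyst, since that is what a routine disk-space adjustment by an administrator looks like.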

How Victims Pay Ransomware Attackers

Ransomware attackers are commonly paid in digital cryptocurrency; Bitcoin is the best-known and most widely used method for ransom payments. Bitcoin transactions settle without a bank or other intermediary.

Hackers favor Bitcoin because its payments are believed to be hidden from police and Treasury officials. In fact the Bitcoin ledger is public and payments can be traced from wallet to wallet; what stays hidden is who holds the wallet. That reputation for anonymity is how Bitcoin became so popular in the ransomware community.

Alternative Payment Venues

Ransomware attackers have also tried to get funds via Amazon gift cards, Apple iTunes gift cards and many other cards. But most hostile actors return to Bitcoin because criminals find it reliable and secure.

A few ransomware operations demand an SMS (text) or a call to a premium-rate phone number, which can quickly produce a phone bill of $200 to $1,000. Some of those victims’ phone numbers are then sold on to phone scammers.

Ransomware Attacks Cause Time-Consuming Disruptions that Victims Want to Quickly Stop

Hostile actors depend on creating havoc. When your computer gets hit by ransomware, your day and schedule are destroyed. You quickly learn how much of your computer system you no longer control.

A ransomware attack can hit a system as large as a hospital, which might pay as much as $17,000 to unlock it, or a single computer whose owner gets a bill for $50. Even police stations have been among ransomware’s victims.

Attackers normally set a ransom that is cheaper and easier than hiring computer security experts to fight the ransomware, so a business’s cost-benefit analysis often comes down to paying promptly and getting back into operation.

Time is money, and cyber hostile actors understand this principle. It is no wonder that most targets have chosen to pay a ransom to regain control of their systems.

[Related articles: Ransomware Targets Continue to Pay Hackers, Ransomware: Its History and Evolution, and Ransomware Is Everywhere, So Protect All of Your Electronic Devices]


Ransomware Is Everywhere, So Protect All of Your Electronic Devices

Published with Permission by:
Lint, James R. & Kim, Dr. Yoohwan, “Ransomware Is Everywhere, So Protect All of Your Electronic Devices”, In Cyber Defense, 23 Mar. 2017, Web, http://incyberdefense.com/news/ransomware-everywhere-protect-electronic-devices/

By James Lint
Faculty Member, School of Business, American Military University
Senior Editor for In Cyber Defense and Contributor, In Homeland Security

Co-Authored by Yoohwan Kim, Ph.D.
CISSP, CISA, CEH, CPT; Associate Professor, Computer Science Department, University of Nevada, Las Vegas

This is the third in a series of articles on ransomware.

Ransomware attacks have risen sharply in recent years; by one widely reported industry estimate, ransomware carried in spam email increased 6,000% in 2016 over 2015.

“Ransomware targeting Android users has increased by over 50 percent in just a year, as cybercriminals increasingly take aim at what they view as an easy ecosystem to penetrate,” ZDNet reports. Author Danny Palmer says the increase “comes as users increasingly turn to mobiles as their primary devices, storing more and more valuable data on them.”

Increased use of cloud storage also contributes to the explosive growth of ransomware attacks. As InfoSec Institute notes, “Cloud storage ransomware usually self-propagates after being installed on cloud servers. Virlock is a typical example of cloud storage ransomware. It impersonates FBI authorities and requests victims to pay the fine of $250 due to alleged misconduct on behalf of the victims.”

Many ransomware programs impersonate the FBI to make their payment demands look legitimate. No police department or federal investigative agency will ever demand a fine this way, least of all over the Internet.

Ransomware and the Internet of Things = Jackware?

Between 2015 and 2016, there were at least 15 major industrial incidents involving ransomware attacks, according to a Booz Allen Hamilton Industrial Cyber Security Threat Briefing. These incidents included the following:

  • In April 2016, cybercriminals delivered ransomware via phishing to the corporate network of Board of Water & Light (BWL), a Michigan-based public electric and water utility. Administrators shut down the corporate network to isolate the ransomware and prevent it from potentially moving into the operations-technology environment.
  • In June 2015, a cybercriminal advertised SCADA access credentials for sale on a dark web forum dedicated to stolen data. The post included a screenshot of a SCADA graphical user interface, IP addresses and VNC (virtual network computing) passwords for a SCADA system managing a hydroelectric generator.

Also in 2015, security researchers demonstrated that they could take control of a Jeep Cherokee from about 10 miles away. They were able to cut the Cherokee’s transmission on a highway and disable its brakes at low speed, sending the Jeep into a ditch.

Future Ransomware Targets Could Include Household Devices

There are also many potential targets that could be exploited in the future. Think of the electronic devices in a smart home, part of the Internet of Things (IoT). Lights, alarms, music systems and even electric coffeemakers offer hackers potential targets.

Because all manner of IoT devices are linked to the Web, your lights could be turned on at 1:30 in the morning, followed by music from your iTunes collection. If you were asked for a small payment of, say, $30 by 2:30 a.m. that same day, would you pay? What if the payment demands were to increase each hour?

What if your home security system was turned off remotely and you were susceptible to an increased risk of theft or home invasion? How much would you be willing to pay to restore your peace of mind and security?

The future could include the destruction of data from wearable devices (such as Fitbits) or the sale of tracking data. Hostile attackers could turn on your electric coffeemaker while you are away and perhaps cause a house fire if you do not meet their demands for payment.

Protect Yourself from Ransomware by Increasing Your Electronic Security

One way to increase your personal security is to protect the electronic devices that run your life. Your computer serves as your IoT central control and your smartphone is often synchronized with your computer files, so both devices need protection from ransomware.

First, update your antivirus software on your computer, tablets and mobile devices, and apply operating system patches on every one of them. Mobile devices need their updates checked as well, since they are easy to forget.

Second, make your passwords long and hard to guess. The days of the eight-character password are gone; 12 or 14 characters is now the minimum for protecting your devices and data. Mix numbers, uppercase and lowercase letters and special characters, never reuse a password across sites, and use a password manager so that long, unique passwords are practical.

Third, back up your files often. Keep those backups separate from your system, so they will not be compromised if your devices are attacked.

Fourth, always be aware of what you download. Programs from unknown sites are risky; stick to sites you know and trust.

Similarly, opening email attachments or clicking URLs in email increases your exposure, since both are the usual way ransomware gets onto a machine.

Carefully examine unexpected emails from known or unknown senders. If you know the sender, check with him or her about the email and its attachment before you open it. Also, hover your cursor above a URL in an email to see if it actually goes to a legitimate source and double-check the sender’s email address for accuracy.
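The two email checks described above, comparing where a link claims to go with where its href actually points and looking closely at the sender address, can be automated. The following is an added example, not code from the article; the sample message and its .test domains are constructed, and the domain comparison is a crude last-two-labels check rather than a public-suffix lookup.

```python
"""Automate the checks the article recommends for an unexpected email: compare
where each link says it goes with where its href actually points, and compare
the From: domain with the Reply-To: domain.  Added example, not code from the
original article; the sample message is constructed and .test domains are placeholders."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# A URL or bare domain as it would appear in visible link text.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Last two labels of a hostname: a crude stand-in for a public-suffix lookup,
    enough to tell bank-example.test from bank-example.test.lookalike.test."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def suspicious_links(html):
    """Return hrefs whose visible text names a different domain than the href does,
    i.e. the links that hovering the cursor over them would expose."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        shown = DOMAIN_RE.search(text)
        if shown is None:  # plain words such as "help page": nothing to compare
            continue
        actual_host = urlparse(href).hostname or ""
        if registrable(shown.group(1)) != registrable(actual_host):
            flagged.append(href)
    return flagged

def sender_mismatch(msg):
    """True when a reply would go to a domain other than the visible From: domain."""
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if not reply_addr:
        return False
    return registrable(from_addr.rpartition("@")[2]) != registrable(reply_addr.rpartition("@")[2])

def analyze_email(raw):
    """Run both checks over a raw RFC 822 message whose body is HTML."""
    msg = message_from_string(raw)
    return {"suspicious_links": suspicious_links(msg.get_payload()),
            "sender_mismatch": sender_mismatch(msg)}

# Constructed sample: the visible link text shows the bank's domain while the real
# href points at a lookalike host, and Reply-To: diverts answers to a third party.
SAMPLE_EMAIL = """From: IT Support <support@bank-example.test>
Reply-To: recovery@mailbox-xyz.test
Subject: Action required
Content-Type: text/html

<p>Your account is locked. Reset it at
<a href="http://bank-example.test.login-check.test/reset">https://bank-example.test/reset</a></p>
<p>Questions? See our <a href="https://bank-example.test/help">help page</a>.</p>
"""
```

Calling `analyze_email(SAMPLE_EMAIL)` flags the reset link and the diverted Reply-To while leaving the genuine help link alone.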

Future Protection Against Ransomware

The hope is that future new technology will have better security built into it. Currently, that hope is not realized. The potential for hostile actors to disrupt our life is increasing. It is our job to look for ways to make disruption a bit harder and hope attackers move to an easier target.


About the Authors

James R. Lint recently retired as the (GG-15) civilian director for intelligence and security, G2, U.S. Army Communications Electronics Command. He is an adjunct professor at AMU. James has been involved in cyberespionage events from just after the turn of the century in Korea supporting 1st Signal Brigade to the DHS Office of Intelligence and Analysis as the first government cyber intelligence analyst. He has 38 years of experience in military intelligence with the U.S. Marine Corps, U.S. Army, government contracting and civil service.

Additionally, James started the Lint Center for National Security Studies, a nonprofit charity that recently awarded its 45th scholarship for national security students and professionals. James was also elected as the 2015 national vice president for the Military Intelligence Corps Association. He has also served in the Department of Energy’s S&S Security Office after his active military career of seven years in the Marine Corps and 14 years in the Army. His military assignments include South Korea, Germany and Cuba, in addition to numerous CONUS locations. James has authored three books: “Leadership and Management Lessons Learned” (2013), “8 Eyes on Korea, A Travel Perspective of Seoul, Korea” (2016) and “Secrets to Getting a Federal Government Job” (2017).

Dr. Yoohwan Kim is an Associate Professor in the Department of Computer Science at the University of Nevada Las Vegas (UNLV). He received his Ph.D. degree from Case Western Reserve University in 2003 in the area of network security (DDoS attack mitigation). His research expertise includes secure network protocols, unmanned aircraft systems (UAS) communications and cyber-physical system (CPS) security. He has published over 90 papers in peer-reviewed journals and conferences, and has six patents granted or pending. His research has been sponsored by Microsoft Research, the U.S. Air Force, Naval Air Warfare Center, Oak Ridge National Laboratory, National Security Technologies and the National Science Foundation. Before joining UNLV, he had broad experience in the IT industry as a management information system consultant at Andersen Consulting (now Accenture), a database programmer at Cleveland Clinic Foundation, a software engineer at Lucent Technologies, and his own start-up company.

Ransomware: Its History and Evolution

Published with Permission by:
Lint, James R. & Kim, Dr. Yoohwan, “Ransomware: Its History and Evolution”, In Cyber Defense, 21 Mar. 2017, Web, http://incyberdefense.com/news/ransomware-history-evolution/

By James Lint
Faculty Member, School of Business, American Military University
Senior Editor for In Cyber Defense and Contributor, In Homeland Security

Co-Authored by Dr. Yoohwan Kim
CISSP, CISA, CEH, CPT; Associate Professor, Computer Science Department, University of Nevada Las Vegas

Note: This blog post is the second in a series of articles about ransomware.

In the infantry and the intelligence field, a basic tenet is to know your enemy. In 2016, ransomware attacks spiked 6,000%, with more than 4,000 attacks occurring daily. That makes ransomware an enemy worth knowing.

But to truly understand ransomware, it is necessary to first examine its history and how attackers plant this software in victims’ computer systems for illicit gain.

1989: First Known Use of Ransomware

In 1989, 20,000 attendees at the World Health Conference received free floppy disks. The disks contained a real survey about AIDS, but they also contained a Trojan Horse virus that encrypted the users’ files after a fixed number of reboots. The virus demanded that each victim send $189 to a post office box in Panama.

The creator of the virus, an AIDS researcher named Dr. Joseph Popp, was arrested by the FBI and extradited to Britain.

His virus used only symmetric key cryptography, but the level of ransomware sophistication has increased ever since.

1996: Researchers Connect Cryptography to Ransom

In 1996, researchers Adam Young (Columbia University) and Moti Yung (IBM) published a paper, “Cryptovirology: Extortion-Based Security Threats and Countermeasures.” The co-authors proposed the use of public-key cryptography, which would make it impossible for a victim to recover the decryption key by reverse engineering the malware.

While Young and Yung’s academic paper showed the writers’ expertise, it also showed “how cryptography can be used to implement viruses that are able to mount extortion-based attacks on their hosts,” as the co-authors wrote. Unfortunately, too many readers recognized the article’s potential use in criminal attacks.

Interestingly, the co-authors also coined the terms “crypto-viral extortion” and “cryptovirology.” This new terminology moved cryptography from a defensive position to an offensive position.

2005 – 2006: Russians Become Involved in Ransomware

In 2005 and 2006, organized crime figures in Russia created some of the first programs identified as ransomware.

The principal targets were Russian citizens and others living in Russian-speaking countries. Later ransomware programs would spread from victim to victim along shared-language lines.

After the victim downloaded the program, the software would collect files of common types, zip them into a password-protected archive and delete the originals. The victim would be required to transfer $300 into an E-Gold account, a digital currency that predated Bitcoin.

2005: “Ransomware” Becomes a Term

In September 2005, Susan Schaibly wrote an article, “Files for Ransom,” for NetworkWorld magazine which contained the first known use of the term “ransomware.” Another interesting term used to describe ransomware was “Filenapper.” But a more appropriate term is extortionist.

2005-2009: Ransomware Payment Methods Increase in Sophistication

In 2005, GPCoder was a frequently used Trojan Horse virus that encrypted files and demanded a ransom of between $100 and $200 in E-Gold or as a deposit to a Liberty Reserve account.

E-Gold was a digital currency operated by a Florida-based company. The U.S. government banned its use in 2009. Liberty Reserve was a Costa Rica-based digital currency that was harder for the U.S. government to shut down.

Bitcoin was introduced in 2008, followed by the release of its open-source software in January 2009. These developments led to an incredible spike in ransomware attacks that have continued to increase ever since.

2012: Ransomware Mimics Law Enforcement Organizations

In 2012, a public stir was created by the appearance of Reveton ransomware, which impersonated police departments and the FBI. This type of software was used to scare victims into paying to unlock their computer data.

Typically, a message would appear on the victim’s screen claiming that the user was caught conducting illegal online activity. The message would also threaten the victim with imminent arrest unless a “fine” was paid promptly.

The on-screen logos of authentic law enforcement organizations made the scam appear real. The idea was to cause victims to panic and pay up quickly, not giving them time to realize that law enforcement organizations do not demand payment from the public, especially via Bitcoin.

2013: The First Major Ransomware Appears

The year 2013 saw the birth of Cryptolocker, a crypto-ransomware that was spread via email. Cryptolocker demanded that the victim pay $400 in Bitcoin within 72 hours.

This ransomware infected half a million computers, and 1.3% of the victims paid the ransom. The attackers netted an estimated $27 million from their victims.

An international collaborative effort called Operation Tovar was formed to crack down on Cryptolocker and another ransomware program, the Gameover Zeus botnet. As a result, Russian hacker Evgeniy Mikhailovich Bogachev was caught and charged as an administrator of both Cryptolocker and Gameover Zeus.

The criminals’ command and control server was also recovered during Operation Tovar. The information on that server gave 500,000 victims the key to unlock their data without paying the ransom.

However, California-based network security firm FireEye warns that CryptoLocker has evolved and has started again to compromise users’ devices.

2014: Copycat Ransomware Like CryptoDefense Appears

Over time, copycat ransomware like CryptoDefense also evolved. This ransomware would double the victim’s ransom if it was not paid within four days.

But CryptoDefense was poorly designed because the decryption key was easy to find in the program. CryptoDefense proves that even hackers make mistakes.

Over time, many crypto-ransomware programs evolved further and acquired business and market differentiations. Some crypto-ransomware, such as Cerber, included a voice feature, while others overwrote the master boot record and disabled booting.

Some ransomware targeted healthcare facilities; others targeted gamers. One variant known as Silent Shade demanded a ransom of only $30, easily affordable for most victims.

2016: Ransomware Offers Opportunity to Avoid Ransom by Purposely Infecting Others

In December 2016, ransomware took on a new angle: deliberately infecting friends or colleagues. A program called Popcorn Time offered free decryption if the victim infected two other people, normally friends, via email. The new victims would open their trusted friend’s email and click on a link. Then, their systems would be attacked.

The attackers offered victims two ways to retrieve their data. The victims could choose the “nice way” and make a payment, or the “nasty way” by infecting the computers of two other people.

Ransomware Is An Equal Opportunity Attack on All Computer Systems

Ransomware isn’t limited to just one type of computer or mobile device. Mac operating systems can be attacked by ransomware called KeRanger. It typically activates within three days of the infection and charges a ransom of $400.

Similarly, Linux systems are attacked by KillDisk. This ransomware demands 222 Bitcoins or $218,000. Researchers, however, recently found a key for KillDisk.

Ransomware is starting to exploit smartphones and even cloud servers. Cyber defenders will need to work diligently to overcome these ransomware infections.

The Best Protection against Ransomware: Back Up Your Data

Backing up your data is one form of protection against ransomware. If you have backups of your recent files and your computer is infected, it may be easier to wipe your machine and start over. You could also opt to buy a new machine if your computer or mobile device is old.

Overall, the data you store is much more valuable than your computer. Be sure to protect your data by backing it up to a hard drive kept offline.


Ransomware Targets Continue to Pay Hackers

Published with Permission by:
Lint, James R. & Kim, Dr. Yoohwan, “Ransomware Targets Continue to Pay Hackers”, In Cyber Defense, 15 Mar. 2017, Web, http://incyberdefense.com/news/ransomware-targets-continue-pay-hackers/

By James Lint
Faculty Member, School of Business, American Military University
Senior Editor for In Cyber Defense and Contributor, In Homeland Security

By Yoohwan Kim, Ph.D.
CISSP, CISA, CEH, CPT; Associate Professor, Computer Science Department, University of Nevada Las Vegas

Ransomware attacks spiked 6,000% in 2016, with more than 4,000 attacks occurring each day. This is an increase from 1,000 attacks a day in 2015.

As famed bank robber Willie Sutton once said, “I rob banks because that is where the money is.” Contemporary bank robbers are seldom as successful and certainly nowhere close to these ransomware statistics. Ransomware is the new criminal money-making industry.

Co-author Dr. Yoohwan Kim, a speaker at the Las Vegas USSS Electronic Crimes Task Force quarterly meeting on March 3, 2017, provided research for this article. Some of that research came from an IBM Security Report, which also noted the 6,000% spike in 2016.

Ransomware Is a Costly Problem for Many Organizations

Ransomware is a type of malware that prevents users from accessing their computer systems. This malware targets critical data and systems for the purpose of extortion, either by locking the system’s screen or by locking the victims’ files until a ransom is paid.

Check Point’s ThreatCloud World Cyber Threat Map currently contains 250 million addresses and 11 million malware signatures. There is a steady increase in ransomware successes by hostile actors. More than 2,000 new ransomware programs are developed every month.

Perhaps a better term would be crypto-ransomware: Your files are encrypted and you are locked out from important data. The criminals then demand payment for the key to unlock the encryption.

Who Is Vulnerable to Ransomware?

Hollywood Presbyterian Medical Center in California lost control of its data for more than a week due to a ransomware attack. The hospital paid the ransom with 40 bitcoins worth $17,000 and the hospital regained control of its data.

Allen Stefanek, president and CEO of HPMC, said: “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”

The San Francisco Municipal Transportation Agency was attacked on November 28, 2016. The hostile actors demanded 100 bitcoins or $73,000. The attack took all ticket machines offline for the day and affected more than 2,000 systems and computers. Rather than shut down the rail system, the agency allowed users to travel for free.

Police Departments Can Be Targets

The police department in Tewksbury, Massachusetts, made a $500 payment after enlisting the help of the FBI. Similarly, a police computer in Swansea, Massachusetts, was hit with a ransomware attack. The police department decided to pay the ransom of two bitcoins (about $750) rather than try to figure out how to break the lock.

There are many similar targets, and most victims pay the scammers rather than risk losing critical data. The targets can be anyone. And when threat actors live outside the United States, U.S. money can be an enticing target due to the high cost of living in many of the home countries of ransomware operations.

Ransomware Business Is Booming and Growing More Professional

Revenue from the Cryptowall 3.0 program – the most popular ransomware program among hostile actors – reached $325 million through October 2015, according to the Cyber Threat Alliance.

In all, hostile actors earned $24 million in 2015. The FBI said hackers earned $209 million in the first quarter of 2016. Experts project that criminals will use ransomware to earn over $1 billion in 2017.

An interesting phenomenon is that ransomware is becoming more business-like in its operations, including live customer support to negotiate fees and deadlines. Good customer service gives ransom victims the confidence to pay and regain control of their files. Bitcoin virtual payments provide secure transactions for the criminals.

If an extortionist attacks your computer with ransomware, report the attack to local authorities and the FBI’s Internet Crime Complaint Center (IC3) as soon as possible. This practice will allow law enforcement to track the growth of the ransomware industry. It will also help all of us to understand new ransomware trends and potential methods to protect ourselves.


Don’t Protect Your Valuable Photos the Way Grandpa Did

Published with Permission by:
Lint, James R., “Don’t Protect Your Valuable Photos the Way Grandpa Did”, In Cyber Defense, 7 Mar. 2017, Web, http://incyberdefense.com/news/dont-protect-valuable-photos-way-grandpa/

Commentary By James Lint
Faculty Member, School of Business, American Military University
Senior Editor for In Cyber Defense and Contributor, In Homeland Security

Today, most people take many more digital photos of family, friends and vacations than previous generations did with film cameras. In fact, the ease of use and the low cost of digital photography consigned Kodak, Fuji and Polaroid cameras and film to the museums of 20th century technology.

For example, Polaroid stopped manufacturing its instant film in 2008, leaving this Waltham, Massachusetts, manufacturer with just 150 employees. Thirty years earlier, Polaroid was an iconic company with a “peak” global employment of nearly 21,000 employees.

Today, lots of people have never heard of Polaroid. But their valuable digital pictures often receive the same poor level of protection that an album or scrapbook full of Polaroid or Kodak prints used to provide – not much.

Many people born in the 1960s and 1970s could never imagine storing pictures on a thumb drive, DVD or even a CD.

In a digital world, we need better protection for our valuable photos and other documents because technology is always changing. The 3.5-inch floppy disk might have been a nice improvement over the 5.25-inch floppy disk, but today, many computers don’t even have a disk drive.

Technology Changes Rendered Some Familiar Devices Obsolete

Think of that rapidly deteriorating album of black and white photos your grandfather gave you. The negatives of those pictures disappeared long ago. It might be a good idea to convert those album photographs to JPG files for later use. And those old 35 mm slides you used to project onto a screen at home to bore your neighbors? It’s not easy to find a working projector today, much less a new one.

Some people paid to have their slides transferred to VHS tapes and then they threw away the slides. But it’s hard to play VHS tapes these days.

Just as you should “never put all your eggs in one basket,” you should never store valuable digital files in just one place.

Never Save Digital Files in One Place

If you had a one-of-a-kind item, you would want to protect it. Reconstructing PowerPoint presentations or Word documents from a damaged laptop takes an enormous number of man-hours, and that cost often exceeds the cost of the laptop itself.

Yet, it’s surprising how many people save their cherished photos and documents only on their laptops or desktop devices. That computer could become infected with a virus or, worse, ransomware could attack it. If someone steals your laptop, those cherished family photos are gone forever.

Many Security Programs Can Save Your Photos

There are multiple solutions to the issue of saving digital images. Which solution is best for you depends on your situation.

For example, there are many types of software backup programs. Some programs save their files to an off-site cloud server.

Some computer owners save their photos on a thumb drive or on an external hard drive. They can be unplugged and should be stored separately from your computer so a virus or ransomware attack on your device will not affect them. These devices enhance your protection.

Another form of security can be as simple as having a friend or business colleague hold an encrypted hard drive of your data, with you repeating the favor for that person. If one or both laptops are lost by theft or destroyed in a fire, neither of you will lose your data. This is inexpensive security that saves you the cost of a cloud backup.

Federal organizations are working hard to protect the public from cybercrimes, but we also must take some responsibility for our own protection. By taking some extra time to protect your images and other digital files, you’ll enjoy greater peace of mind knowing your files are protected.

The inspiration for this and several future articles came from a meeting at the US Secret Service (USSS), Electronic Crimes Task Force (ECTF) in Las Vegas. Future articles will discuss concepts and actions to counter ransomware and the experiences of individuals and businesses.
