Fileless Malware: A New Threat in the Cybersecurity Field

Published with Permission by:
Lint, James R., “Fileless Malware: A New Threat in the Cybersecurity Field”, In Cyber Defense, 29 June 2017, Web, http://incyberdefense.com/james-lint/fileless-malware-new-threat-cybersecurity-field/

By James Lint
Faculty Member, School of Business, American Military University
Senior Editor for In Cyber Defense and Contributor, In Homeland Security

Currently, threats to your computer often involve some type of virus or hostile file. But fileless malware is a new and growing hazard in cybersecurity. Consequently, it presents a danger to companies and individuals.

Fileless Malware Leaves Few Traces on Your Computer

What is fileless malware? Zeltser Security Corporation defines fileless malware as “malware that operates without placing malicious executables on the file system. Though initially fileless malware referred to malicious code that remained solely in memory without even implementing a persistence mechanism, the term evolved to encompass malware that relies on some aspects of the file system for activation or presence.”

Because there is no file to detect, as there would be with a conventional virus, fileless malware is difficult for antivirus software to find. That also makes protection against malware more difficult, now and in the future.

Cybersecurity Community Becoming Aware of Fileless Malware Threat

In June, the Cyber Security Awareness Lunch and Learn event in Las Vegas hosted by MJ Computer Concepts featured a speaker from the US Secret Service (USSS). This was the same Special Agent who also hosted the USSS Electronic Crimes Task Force (ECTF) in Las Vegas. The speaker at the Task Force meeting was Dr. Anthony J. Carcillo on the topic of fileless malware.

The U.S. Secret Service has two major areas of responsibility. The traditional and best-known mission is the protection of senior executive branch leaders. The older mission for the USSS is financial crimes, which include the prevention and investigation of counterfeit U.S. currency and U.S. treasury securities and the investigation of major fraud. This second mission is what involves today's USSS in modern cybercrimes.

Both the Lunch and Learn by MJ Computer Concepts and the ECTF meeting with Dr. Carcillo addressed the need to protect your computer system. Both speakers had similar comments on the criticality of software updates and backups. The information from Dr. Carcillo was thought-provoking because there is very little information in the public domain about fileless malware.

Staying Informed Is Your Best Protection against Fileless Malware

The United States Computer Emergency Readiness Team (US-CERT) regularly publishes information about cybersecurity threats. Reviewing the US-CERT website is a useful way to learn about current threats. Also, you can sign up for tips and emails on new cyber vulnerabilities.

Failing to Update Software Increases Vulnerability to Attack

Discussions at recent cybersecurity events have shown that there is a common reason why victims are selected and attacked. Hackers commonly exploit security weaknesses in computers with outdated software, because those computers are more vulnerable to attackers. In some cases, computer owners neglected to install software updates to protect their computers and data.

What You Can Do to Improve Your Security

There are simple measures you can take to protect your computer. CNN Money Tech stated, “First, install any software updates immediately and make it a regular habit. Turn on auto-updaters where available (Microsoft offers that option). Microsoft also recommends running its free anti-virus software for Windows.”

Another way to protect your files is to use a cloud-based storage service. Cloud storage companies normally keep all their systems updated with the newest software protection and backups in case of a problem.

There are other ways to protect your computer from an attack:

  • Use a backup program for your personal or business computer.
  • Buy two or more USB hard drives and use them to run incremental backups. Use one USB hard drive at a time and set it to back up your computer files for a week. Then, change to a different hard drive and conduct backups.

If you use multiple drives for backups, valuable files and pictures will remain safer, even if your current drive gets corrupted or attacked by ransomware. The more hard drives you have in your rotation, the more likely it is that your earlier files will not become corrupted.

  • Do not click on a link that you do not recognize or download files from sources you do not know.

Although updating your systems and backing up your files is time-consuming, these computer tasks are necessary to protect you from cyberattacks. With all of the problems that viruses, ransomware and malware create, simple protective measures are worth your time and money.

About the Author

James R. Lint recently retired as the (GG-15) civilian director for intelligence and security, G2, U.S. Army Communications Electronics Command. He is an adjunct professor at AMU. James has been involved in cyberespionage events from just after the turn of the century in Korea supporting 1st Signal Brigade to the DHS Office of Intelligence and Analysis as the first government cyber intelligence analyst. He has 38 years of experience in military intelligence with the U.S. Marine Corps, U.S. Army, government contracting and civil service.

Additionally, James started the Lint Center for National Security Studies, a nonprofit charity that recently awarded its 45th scholarship for national security students and professionals. James was also elected as the 2015 national vice president for the Military Intelligence Corps Association. He has also served in the Department of Energy’s S&S Security Office after his active military career in the Marine Corps for seven years and 14 years in the Army. His military assignments include South Korea, Germany and Cuba, in addition to numerous CONUS locations. In 2017, he was appointed to the position of Adjutant for The American Legion, China Post 1. James has authored a book published in 2013, “Leadership and Management Lessons Learned,” a book published in 2016, “8 Eyes on Korea, A Travel Perspective of Seoul, Korea,” and a new book in 2017, “Secrets to Getting a Federal Government Job.”

WannaCry Ransomware Leads to Discovery of Earlier Hack

Published with Permission by:
Lint, James R., “WannaCry Ransomware Leads to Discovery of Earlier Hack”, In Cyber Defense, 06 June 2017, Web, http://incyberdefense.com/news/wannacry-ransomware-leads-discovery-earlier-hack/

By James Lint
Faculty Member, School of Business, American Military University
Senior Editor for In Cyber Defense and Contributor, In Homeland Security

There is a new attack related to the recent international WannaCry (also known as WanaCrypt0r 2.0) hack that occurred between May 12 and May 14. As of May 14, this hack had affected more than 70,000 computers and netted the hackers at least $15 million.

Yahoo Tech News reported that “The new attack targets the same vulnerabilities the WannaCry ransomware worm exploited but, rather than freeze files, [it] uses the hundreds of thousands of computers believed to have been infected to mine virtual currency.”

Bitcoin and other cyber currencies can be mined by allowing your computer to be used to solve math problems. In the past, it has been something that people volunteered to do to earn cybercurrency.

Filipino news source Agence France-Presse states, “virtual currencies such as Monero and Bitcoin use the computers of volunteers for recording transactions. They are said to ‘mine’ for the currency and are occasionally rewarded with a piece of it.”

WannaCry Hack Led Researchers to Discover Earlier Malware Attack

ABC News reported that “While investigating the WannaCry ransomware attacks, researchers at the cybersecurity firm Proofpoint stumbled upon another ‘less noisy’ form of malware called Adylkuzz that, the firm says, has likely generated millions of dollars in cryptocurrency for the unknown attackers.” Monero, a cybercurrency, has been named as a target for Adylkuzz.

“I would say the real-world impact of this attack is going to be more substantial than WannaCry,” Ryan Kalember, the senior vice president for cybersecurity at Proofpoint, told ABC News. “Ransomware is painful, but you can restore operations relatively quickly. Here, you have a huge amount of money landing in some bad people’s hands. That has geopolitical consequences.”

Proofpoint identified Adylkuzz attacks dating back to May 2. Those attacks predate the WannaCry attacks, making Adylkuzz the first known widespread use of the leaked NSA hacking tools. It remained undetected for so long, Kalember says, because its impact on users is far less noticeable than ransomware.

“It takes over your computer, but you probably don’t notice anything other than that the system runs really slow,” Kalember said. “Your computer might be mining cryptocurrency for some very bad people.”

Does the US Dominate the Strategic Cyber Battlefield?

The U.S. Army has published doctrine for Army Field Manual 3-12, “Cyberspace and Electronic Warfare Operations.” This manual notes that the U.S. may not dominate the cyber battlefield. The doctrine seeks to upgrade tactics and techniques for cybersecurity, while realizing that cybersecurity is a domain of combat, just as air, land and sea are domains.

Ryan Kalember at Proofpoint and many others have indicated that North Korean-backed hackers called the Lazarus Group might be responsible for the WannaCry hack. This group has been linked to a similar cryptocurrency mining attack in late 2016. However, no final attribution for the WannaCry hack has been determined, because attribution often takes months to complete.

North Korea Could Be Earning Funds from Cyber Attacks

North Korea has suffered sanctions for decades. Pyongyang’s recent actions of increasing construction of nuclear and missile facilities and missile tests have caused other countries to call for increased sanctions.

How is North Korea able to afford its nuclear program? The country could be behind cybercurrency mining.

The cyber battlefield is level with many countries focusing on cyber tools. Some of these countries are experiencing financial difficulties due to sanctions and embargoes.

By turning to cybercurrency, these countries are attempting to solve their financial problems through cybercurrency mining or ransomware. Their actions could be solutions to the diplomatic actions against them. While diplomatic and military tactics controlled rogue nations in the past, they are less effective in today’s cyber environment.

How to Protect Your Computer from Ransomware Attacks

To better protect your own computer, update your operating system often. Microsoft issued the first patch to prevent the WannaCry attack in March 2017.

A second update has been issued to block Adylkuzz. If you do not take care of your computer, you will be at risk. You will be vulnerable to ransomware and other attacks. If your computer’s operating system is running slowly, be sure to update it and your antivirus software at the same time.

Stay secure!

Ransomware Escalates To a Near Nation-State Attack in the UK

Published with Permission by:
Lint, James R., “Ransomware Escalates To a Near Nation-State Attack in the UK”, In Cyber Defense, 15 May 2017, Web, http://incyberdefense.com/james-lint/ransomware-escalates-near-nation-state-attack-uk/

By James Lint
Faculty Member, School of Business, American Military University
Senior Editor for In Cyber Defense and Contributor, In Homeland Security

On Friday, May 12, the BBC reported an international ransomware attack involving hackers using ransomware called WanaCrypt0r 2.0. The BBC stated, “There have been reports of infections in as many as 74 countries, including the U.K., U.S., China, Russia, Spain, Italy and Taiwan. Computers in thousands of locations have apparently been locked by a program that demands $300 in Bitcoin.”

CNET reported, “The ransomware attack that hit 16 National Health Service (NHS) hospitals in the U.K. and also hit up to 52,000 devices across other countries using an exploit called the WanaCrypt0r 2.0 ransomware. The majority of the new malware was targeting Russia, Ukraine and Taiwan, Avast Threat Lab team lead Jakub Kroustek said.”

WanaCrypt0r 2.0 Attack’s Impact on UK Hospitals

Multiple hospitals in the NHS pushed information via social media to the local population to contact their hospitals before traveling to determine if those hospitals were open for operations. The NHS is the government-run, major medical system in the U.K., so hackers have only one system to breach and install ransomware.

The advantage to the American healthcare system is that we have multiple hospital systems. While there have been major hacks against a few major U.S. hospitals and insurance companies, it is more difficult to penetrate all of these unconnected systems.

If the U.S. healthcare system were to migrate to a single health system like the NHS, the security of our healthcare system would require more safeguards. As it stands, multiple competing healthcare systems provide some additional security for patient data.

Ransomware Could Escalate into Strategic Attacks on the US

It is possible that the use of ransomware could escalate and ransomware could be used for strategic attacks against the United States. Imagine the potential of ransomware that attacks an entire sector of a country, such as healthcare and hospitals.

For example, what if there was a ransomware attack that affected both a hospital’s computer system and its interconnected phone system? In the U.K., you must contact the hospital before bringing in a patient for treatment. Patient care would be unnecessarily delayed as the problems with that hospital’s computers and phone system were solved.

Although a hospital’s managers could theoretically shut down uninfected computer and phone systems to prevent ransomware infections, that security measure would be self-defeating and would replicate the impact of a ransomware attack. Without access to phones or health records, hospital employees would have difficulty doing their jobs properly.

Ransomware Attacks Could Impact Strategic Actions and Confidence in Government

Taking major hospital systems offline and causing hospitals to tell their patients not to go to specific hospitals causes a public lack of confidence in government systems. Patients become worried and uneasy when they are told that their health data records are unavailable and “the hospital is not in control of your personal health records at this time.”

In Latin American insurgencies in the 1980s, the goal of insurgents was to destabilize countries and make the population doubt that the government could protect them. The same type of impact could happen with a strategic cyberattack or strategic ransomware.

Potential Solution to the WanaCrypt0r 2.0 Ransomware Attack

Microsoft released a patch in March for the vulnerability that the WanaCrypt0r 2.0 ransomware exploits. Unfortunately, many computer systems have not been updated. This lack of action could leave a legal avenue for customers to sue for damages caused by the company’s negligence in performing software updates.

Long-Term Impact of WanaCrypt0r 2.0 Ransomware Attack

The WanaCrypt0r 2.0 ransomware attack that impacted so many countries could end in a multitude of ways. As the attack is investigated, we may see that the attack was caused by criminals trying to make money. But if the attack involved a nation-state intent on destroying other countries’ computer systems and holding systems for ransom, this situation could become more serious and potentially lead to war.

The news that the ransomware demands payment in small sums of $300 to $600 to restore access indicates that this attack is a criminal matter. Even so, the scope and impact of the WanaCrypt0r 2.0 attack is wide.

But the WanaCrypt0r 2.0 ransomware attack may have one positive outcome. With the number of countries involved in this latest ransomware attack, there may be an increase of cooperation between law enforcement agencies across the world on cyber crimes.

Ransomware Could Escalate into Strategic Attacks on the US

Published with Permission by:
Lint, James R., “Ransomware Could Escalate into Strategic Attacks on the US”, In Cyber Defense, 10 Apr. 2017, Web, http://incyberdefense.com/news/ransomware-escalate-strategic-attacks-us/

By James Lint
Faculty Member, School of Business, American Military University
Senior Editor for In Cyber Defense and Contributor, In Homeland Security

After writing a series of articles on ransomware, I started thinking about how ransomware could be used in a strategic attack nationwide, rather than the attacks we’ve seen so far on business and personal computers. While a hospital’s $17,000 payout to ransomware thieves is considered big news, the consequences of a national ransomware attack on U.S. computers would be even more devastating.

Taking the tactical attack to the next logical level means a strategic attack that is bigger in impact and payout. Remember, the 9/11 Commission Final Report stated that the “most important failure” leading to the attacks was “one of imagination.” It concluded, “We do not believe leaders understood the gravity of the threat.”

Former New Jersey Governor Tom Kean, the chairman of the 9/11 Commission, said: “[The attackers] penetrated the defenses of the most powerful nation in the world. They inflicted unbearable trauma on our people, and at the same time, they turned the international order upside down.”

Are we again failing to use our imagination? What would be the worst scenario involving ransomware, a relatively new and growing hackers’ tool in 2016-17? This type of thinking sounds like a depressing way to make a living, but that is what our nation’s intelligence analysts must think about and anticipate. Thinking in the same way as an enemy requires special training, and that training must continually improve.

What If Hackers Were Able to Control a Vital US Installation?

Joseph Marks, writing in NextGov, discussed the potential of hackers holding government infrastructure hostage. “If hackers were able to seize the controls of a critical infrastructure asset such as a dam or airport where they could cause major property destruction and loss of life, the ransom demand could be huge, [McAfee Chief Technology Officer Steve] Grobman said, and there’s a good chance the asset owner or the government would have to pay up.”

What would happen if the attack came from someone other than a conventional criminal hacker? Suppose the attacker was a nation-state or terrorist group that took control of a major dam and demanded that the U.S. government pay a ransom to prevent an area or town from being flooded? What if a small country wanted money to turn the electricity back on in New York City after an outage caused by ransomware?

In March 2016, Bloomberg Technology reported, “Hackers linked to the Iranian government launched cyber-attacks on some four dozen U.S. financial institutions and a flood-control dam north of New York City in forays meant to undermine U.S. markets and national security, according to federal prosecutors.”

Beginning in 2011, Iran-based hackers targeted the New York stock exchange, NASDAQ, Bank of America Corp., JPMorgan Chase & Co. and AT&T Inc. “One of them gained unauthorized remote access to a computer controlling the Bowman Avenue Dam in Rye, New York, for about three weeks beginning in 2013, according to the indictment,” the article reported.

The hackers were thought to be working for the Tehran government and the Islamic Revolutionary Guard Corps, a well-disciplined military organization. Following the indictments, the United States placed sanctions on Iran.

Now Is the Time to Prepare for a Strategic Ransomware Attack

Hackers have been indicted in China and sanctions have been levied against North Korea for hacking. A number of countries have already studied our networks. Most of the focus has been on the tactical ransomware on businesses and people. It does not take a lot of imagination to see the potential impact of a strategic attack on our nation’s infrastructure.

The impact of a strategic attack is huge. Now is the time to prepare for a ransomware attack from a wily enemy, its aftermath and crisis management. Let’s not be guilty of another “failure of imagination.”

Handling A Ransomware Attack When It Happens

Published with Permission by:
Lint, James R. & Kim, Dr. Yoohwan, “Handling A Ransomware Attack When It Happens”, In Cyber Defense, 05 Apr. 2017, Web, http://incyberdefense.com/james-lint/handling-ransomware-attack-happens/

By James Lint
Faculty Member, School of Business, American Military University
Senior Editor for In Cyber Defense and Contributor, In Homeland Security

Co-Authored by Yoohwan Kim, Ph.D., CISSP, CISA, CEH, CPT
Associate Professor, Computer Science Department, University of Nevada Las Vegas

This is the fifth article in a series on ransomware. 

When you have a ransomware attack on your computer system, your first reaction will be: Can the attack be stopped? Although you want to scream, “Do something!,” this is only effective if you have a business with an IT team that has kept up with ever-changing developments in the ransomware industry and can properly manage the ransomware attack. In some businesses, this type of data loss also destroys their intellectual property and reputation.

You can also ask your employees if they made backup copies of your business data. If they did, then you have an advantage against the attacker. A backup system is also useful in recovering data, even though you might not initially want the extra cost.

If you do not have the luxury of your own IT team and there are no backups of your data, then you have a decision to make: Pay the ransom or lose your files permanently.

After an attack is initiated, it takes some time for the ransomware to encrypt all of your files. By the time the ransom notice pops up on your computer or in your system, it is too late to thwart the attack.

Still, all may not be lost, especially if you do not wait to be attacked.

Mitigating Damage from a Ransomware Attack

There are several actions you can take to handle a ransomware attack. These steps will help you to detect when ransomware first infects your computer and to minimize the damage ransomware causes.

Discovery Tactics

  • Call in a ransomware expert to find a list of previously known ransomware programs and the types of telltale files associated with those ransomware programs. The expert can search for these files in your computer and eliminate them. This technique may work for older, more established ransomware programs. However, note that this search is only good until one of your employees clicks on a link in a ransomware email later.
  • Have the expert scan your system to find other telltale ransomware files that don’t normally belong in your computer system. For example, “ransom.exe” could be an example of a ransomware file.
  • Keep large junk files such as a large, picture-loaded PowerPoint in the C:\ directory and open it often to see if the images are still present. In some ransomware programs, the images will be gone after the PowerPoint has been encrypted and you can more quickly detect when your computer is under attack.

Delay and Recovery Tactics

  • If you accidentally clicked on a link that downloaded ransomware to your computer and it appears your machine is starting the encryption process for ransomware, try to change the file extensions of your computer files so that they won’t attract the ransomware. For example, a .pdf file extension could be changed to .myp to hide the file from a ransomware search and encryption. Some system owners can also write an emergency script, but this type of script needs to be prepared in advance.
  • You can also try using a ransomware recovery tool. However, the tool may or may not be effective depending on the age of the ransomware program that infects your computer.
  • Try to delay the attack, which can take up to 12 hours to fully encrypt and lock up a large computer system. Ransomware scans files from your C:\ drive, and it encrypts files in alphanumeric order. Large junk files in your C:\ directory will help slow down the attack on good, useful files and give you more time to cope with the situation.
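One defender-side way to automate the "large junk file" tactic from both lists above is a canary-file monitor. This is an added example, not code from the article or its authors: it plants low-entropy decoy files, baselines their SHA-256 hashes, and reports any decoy that goes missing (renamed or deleted), changes, or turns into high-entropy data of the kind encryption produces. The file names, sizes, temp directory and entropy threshold are assumptions.

```python
"""Canary-file monitor for early ransomware detection (added example).

Plant decoy files with known, repetitive content, record their hashes,
then re-check on a schedule. A decoy that is missing, altered, or now
looks like random bytes (high Shannon entropy, typical of ciphertext)
is reported so an operator can react while encryption is in progress.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

# Assumption: bits of entropy per byte above which content is treated as
# encrypted or compressed. Our text filler scores far below this.
ENTROPY_THRESHOLD = 7.5
FILLER = b"CANARY FILE - DO NOT DELETE\n"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large decoys do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canaries(directory: Path, names: list[str], size: int) -> dict[str, str]:
    """Write decoys of roughly `size` bytes and return {name: baseline sha256}.

    Names that sort early (leading digits) are chosen because the article says
    encryption proceeds in alphanumeric order, so they are touched first.
    """
    directory.mkdir(parents=True, exist_ok=True)
    baseline: dict[str, str] = {}
    for name in names:
        p = directory / name
        p.write_bytes(FILLER * (size // len(FILLER)))
        baseline[name] = sha256_file(p)
    return baseline


@dataclass(frozen=True)
class Finding:
    name: str
    reason: str  # "missing", "modified" or "high-entropy"


def check_canaries(directory: Path, baseline: dict[str, str]) -> list[Finding]:
    """Compare each decoy against its baseline; an empty list means all intact."""
    findings: list[Finding] = []
    for name, expected in baseline.items():
        p = directory / name
        if not p.exists():
            # Typical of ransomware appending an extension or deleting originals.
            findings.append(Finding(name, "missing"))
            continue
        if sha256_file(p) != expected:
            # Sample the head of the file; ciphertext shows near-8.0 bits/byte.
            with p.open("rb") as f:
                ent = shannon_entropy(f.read(65536))
            reason = "high-entropy" if ent > ENTROPY_THRESHOLD else "modified"
            findings.append(Finding(name, reason))
    return findings


def demo() -> list[str]:
    """Constructed scenario: three decoys, then a simulated encryptor hits two."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        names = ["00_canary.pptx", "01_canary.docx", "02_canary.pdf"]
        baseline = plant_canaries(d, names, size=100_000)
        if check_canaries(d, baseline):
            raise RuntimeError("fresh canaries should be intact")
        # Simulated ransomware: one decoy overwritten with random bytes...
        (d / "00_canary.pptx").write_bytes(os.urandom(100_000))
        # ...and another renamed with an appended extension.
        (d / "01_canary.docx").rename(d / "01_canary.docx.locked")
        return sorted(f"{f.name}:{f.reason}" for f in check_canaries(d, baseline))


if __name__ == "__main__":
    for alert in demo():
        print("ALERT", alert)
```

In a real deployment `check_canaries` would run from a scheduled task every few minutes against decoys placed in the directories the article names, and any finding would trigger the delay and recovery steps above.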

It is important to remain calm, even though it is not easy to stay calm during an attack. When an attack happens, you may not be able to shut down your computer through the Ctrl-Alt-Delete keys or by accessing the control panel, so it is easy to become frustrated.

Also, remember that it is important to keep up with ransomware’s evolution. Ransomware code writers are smart people who change their ransomware programs to negate techniques to slow them down.

Other Ways to Prevent and Recover from Ransomware Attacks

The simplest prevention method is to back up your files before you have any problems. If your backups are done correctly, you can return to normal operations with 95% or more of your files. The best technique is to back up multiple versions of your files over time, so you can recover files not affected by malware or ransomware.

External hard drives are also vulnerable to ransomware attack. So if you have an external hard drive, only connect it to your computer when you’re backing up your files. By keeping your external hard drive disconnected from your computer whenever possible, you prevent the ransomware from jumping into your hard drive.

If you have multiple drives with multiple versions of your files, then you may be able to go to another backup system to restore your files. Ideally, your backup system should be off-site in case of fire, which could destroy your computer and backup files.

DVD-ROMs can also be used for backing up your files. Although DVD backups require more disks now that hard drives are so large, they do offer reliable storage that can’t be affected by ransomware, because users normally take a DVD out of the computer after use. Additionally, DVDs are easy to move to another site for storage. Some businesses and professionals such as attorneys even keep them in a bank safe deposit box.

Network automated storage is another backup plan that must be set up by an IT professional. However, it is a business cost that must be maintained.

Cloud storage services are an option, depending on the storage service’s version capability. If a cloud provider only offers the ability to store one version of your files, there is a possibility that the ransomware will jump into the files on your cloud’s server.

Larger cloud storage companies, such as Google Drive, Dropbox, Amazon, Backblaze and CrashPlan, keep multiple versions of your files. The file history is usually available as well.

One exception is Microsoft OneDrive, which does not currently allow you to have a file history and is therefore not good for countering ransomware. (Note: OneDrive for Business does have a file history system for recovering older versions of files.)

Prevent Ransomware from Ruining Your Day

When ransomware attacks your computer or your system, it’s going to be a bad day. How bad that day is depends on how well you’ve backed up your files beforehand and whether or not those files are securely stored off-site.

Backing up your files is good insurance against ransomware and also helpful if your office is affected by fire or flooding. While it costs money, time and effort to back up your files and maintain your security, the extra security leaves you with greater peace of mind.

Stay secure!

[Related articles: Ransomware Targets Continue to Pay Hackers

Ransomware: Its History and Evolution

Ransomware Is Everywhere, So Protect All of Your Electronic Devices

Ransomware: Its Aftermath and Payment Process]

About the Authors

James R. Lint recently retired as the (GG-15) civilian director for intelligence and security, G2, U.S. Army Communications Electronics Command. He is an adjunct professor at AMU. James has been involved in cyberespionage events from just after the turn of the century in Korea supporting 1st Signal Brigade to the DHS Office of Intelligence and Analysis as the first government cyber intelligence analyst. He has 38 years of experience in military intelligence with the U.S. Marine Corps, U.S. Army, government contracting and civil service.

Additionally, James started the Lint Center for National Security Studies, a nonprofit charity that recently awarded its 45th scholarship for national security students and professionals. James was also elected as the 2015 national vice president for the Military Intelligence Corps Association. He has also served in the Department of Energy’s S&S Security Office after his active military career in the Marine Corps for seven years and 14 years in the Army. His military assignments include South Korea, Germany and Cuba, in addition to numerous CONUS locations. James has authored a book published in 2013, “Leadership and Management Lessons Learned,” a book published in 2016, “8 Eyes on Korea, A Travel Perspective of Seoul, Korea,” and a new book in 2017, “Secrets to Getting a Federal Government Job.”

Dr. Yoohwan Kim is an Associate Professor in the Department of Computer Science at the University of Nevada Las Vegas (UNLV). He received his Ph.D. degree from Case Western Reserve University in 2003 in the area of network security (DDoS attack mitigation). His research expertise includes secure network protocols, unmanned aircraft systems (UAS) communications and cyber-physical system (CPS) security. He has published over 90 papers in peer-reviewed journals and conferences, and has six patents granted or pending. His research has been sponsored by Microsoft Research, the U.S. Air Force, Naval Air Warfare Center, Oak Ridge National Laboratory, National Security Technologies and the National Science Foundation. Before joining UNLV, he had broad experience in the IT industry as a management information system consultant at Andersen Consulting (now Accenture), a database programmer at Cleveland Clinic Foundation, a software engineer at Lucent Technologies and his own start-up company. 

Ransomware: Its Aftermath and Payment Process

Published with Permission by:
Lint, James R. & Kim, Dr. Yoohwan, “Ransomware: Its Aftermath and Payment Process”, In Cyber Defense, 31 Mar. 2017, Web, http://incyberdefense.com/james-lint/ransomware-aftermath-payment-process/

By James Lint
Faculty Member, School of Business, American Military University
Senior Editor for
 In Cyber Defense and Contributor, In Homeland Security

Co-Authored by Yoohwan Kim, Ph.D., CISSP, CISA, CEH, CPT
Associate Professor, Computer Science Department, University of Nevada Las Vegas

This is the fourth article in a series on ransomware. 

After a ransomware attack, you must assess the damage to your system. You also need to understand how the attackers expect to be paid, whether or not you ultimately decide to pay.

If your antivirus software has stopped working or has been deleted by the attacker, it is too late for it to protect your computer. Attackers are often quick to disable antivirus protection, sometimes in hopes of using your computer as a spam bot or to spread malware to new victims. Both of those activities add to the income of hostile actors, and the same foothold can be used to push ransomware to everyone in your contact list.

Operating System Programs Often Stop Working after Ransomware Attack

When a computer has been taken over by screen-locking ransomware, some operating system functions become inoperable. The Ctrl-Alt-Delete sequence that normally brings up Task Manager or lets you restart the machine may not work, which prevents you from bypassing the lock screen.

In addition, you may not even be able to open the Control Panel. There are many different types of ransomware, but these examples are typical of the functions you lose when an attacker controls your system.

The machine may no longer let you boot into Safe Mode to disable the ransomware or to bring in removal tools.

Some ransomware disables Windows Update and the security services. As a result, patches and signature updates that could render the ransomware ineffective cannot be installed.

Ransomware also deletes Windows System Restore points and Volume Shadow Copies (the snapshots behind the “Previous Versions” feature), preventing you from rolling the computer back to a time before the attack.
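The effects described above leave footprints before the ransom note appears: deleting shadow copies, turning off the recovery environment and wiping the backup catalog are all done with ordinary Windows commands. The following Python script is an added example, not code from the article; it runs a handful of command-line rules (the behaviours MITRE ATT&CK catalogs under T1490, Inhibit System Recovery) over process-creation events and raises the severity when the parent process is a document, a browser or a binary in a user-writable path. The log format and every event in SAMPLE_LOG are constructed for this example.

```python
"""Detect commands that destroy Windows recovery data (added example, not from the article).

The regexes below match command lines that ransomware families run to delete
Volume Shadow Copies, disable the recovery environment and wipe backup
catalogs (MITRE ATT&CK T1490, "Inhibit System Recovery"). The log lines are
constructed for this example; the field names mimic a process-creation event
but are not any specific product's format.
"""
import re
from typing import Dict, List, Optional

RULES = {
    "shadow_copy_delete": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "shadow_storage_resize": re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b.*/maxsize=", re.I),
    "wmic_shadow_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "recovery_env_disabled": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "boot_failures_ignored": re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    "backup_catalog_delete": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I),
    "wmi_shadow_delete_ps": re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b", re.I),
}

# Parents from which these commands are almost never legitimate.
USER_WRITABLE = re.compile(r"\\(Users|Temp|AppData|ProgramData|Downloads)\\", re.I)
OFFICE_OR_BROWSER = re.compile(r"\\(winword|excel|powerpnt|outlook|chrome|firefox|msedge)\.exe$", re.I)

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'parent="(?P<parent>[^"]*)"\s+cmd="(?P<cmd>[^"]*)"\s*$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(cmd: str) -> List[str]:
    """Names of every rule the command line triggers (empty list if benign)."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def severity(parent: str, rules: List[str]) -> str:
    if not rules:
        return "none"
    if USER_WRITABLE.search(parent) or OFFICE_OR_BROWSER.search(parent):
        return "critical"  # recovery-destroying command spawned from a user-writable path or a document
    return "high"


def scan(lines: List[str]) -> List[Dict[str, object]]:
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        rules = classify(ev["cmd"])
        if rules:
            hits.append({**ev, "rules": rules, "severity": severity(ev["parent"], rules)})
    return hits


SAMPLE_LOG = [  # constructed events, not real telemetry
    '2017-03-03T10:14:58Z host=WS01 user=alice parent="C:\\Windows\\System32\\cmd.exe" cmd="vssadmin.exe list shadows"',
    '2017-03-03T10:15:02Z host=WS01 user=alice parent="C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe" cmd="vssadmin.exe delete shadows /all /quiet"',
    '2017-03-03T10:15:03Z host=WS01 user=alice parent="C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe" cmd="bcdedit.exe /set {default} recoveryenabled No"',
    '2017-03-03T10:15:03Z host=WS01 user=alice parent="C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe" cmd="bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"',
    '2017-03-03T10:15:04Z host=WS01 user=alice parent="C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe" cmd="wbadmin DELETE CATALOG -quiet"',
    '2017-03-03T10:15:05Z host=WS01 user=alice parent="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" cmd="powershell -nop -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"',
    '2017-03-03T11:02:11Z host=SRV02 user=backupsvc parent="C:\\Windows\\System32\\svchost.exe" cmd="vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ts"], h["severity"], h["rules"], h["cmd"])
```

The same patterns translate directly into a SIEM query over Sysmon Event ID 1 or Windows Security Event ID 4688 data, where the CommandLine and ParentImage fields supply the two inputs the rules need. The resize rule is deliberately weaker (administrators do shrink shadow storage), which is why the parent process decides the severity.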

How Victims Pay Ransomware Attackers

Ransomware attackers are commonly paid in cryptocurrency; Bitcoin is the best-known and most widely used method for a ransom payment. Payments settle without an intermediary such as a bank that could block or reverse them.

Attackers favor Bitcoin because its payments are believed to be hidden from police or Treasury officials. That belief is only partly true: Bitcoin is pseudonymous rather than anonymous, every transaction is recorded on the public blockchain, and investigators have traced ransom payments through to the exchanges where they were cashed out. Nonetheless, this reputation is how Bitcoin became so popular in the ransomware community.

Alternative Payment Venues

Ransomware attackers have also tried to collect funds via Amazon gift cards, Apple iTunes gift cards and many other prepaid cards. But most hostile actors return to Bitcoin because they find it reliable and hard to reverse.

A few ransomware operations demand an SMS (text) message or a call to a premium-rate phone number. This can quickly result in a phone bill of $200 to $1,000. The victims’ phone numbers are then sometimes sold on to phone scammers.

Ransomware Attacks Cause Time-Consuming Disruptions that Victims Want to Quickly Stop

Hostile actors depend on creating havoc. When your computer gets hit by ransomware, your day and schedule are destroyed. You quickly learn how much of your computer system you no longer control.

A ransomware attack can affect a system as large as a hospital, which might pay as much as $17,000 to unlock the system. It can also affect a single computer whose owner gets a bill for $50. Even police stations have been among ransomware’s victims.

The ransomware attackers normally set a ransom price that is cheaper and easier than hiring computer security experts to fight the ransomware. The cost benefit analysis for businesses often relies on paying the ransom promptly and getting back into operation.

Time is money, and cyber hostile actors understand this principle. It is no wonder that most targets have chosen to pay a ransom to regain control of their systems.

[Related articles: Ransomware Targets Continue to Pay Hackers, Ransomware: Its History and Evolution, and Ransomware Is Everywhere, So Protect All of Your Electronic Devices]


Ransomware Is Everywhere, So Protect All of Your Electronic Devices

Published with Permission by:
Lint, James R. & Kim, Dr. Yoohwan, “Ransomware Is Everywhere, So Protect All of Your Electronic Devices”, In Cyber Defense, 23 Mar. 2017, Web, http://incyberdefense.com/news/ransomware-everywhere-protect-electronic-devices/

By James Lint
Faculty Member, School of Business, American Military University
Senior Editor for
 In Cyber Defense and Contributor, In Homeland Security

Co-Authored by Yoohwan Kim, Ph.D., CISSP, CISA, CEH, CPT
Associate Professor, Computer Science Department, University of Nevada Las Vegas

This is the third in a series of articles on ransomware.

Ransomware attacks have been on the rise in recent years. In 2016, these attacks increased 6,000% over 2015.

“Ransomware targeting Android users has increased by over 50 percent in just a year, as cybercriminals increasingly take aim at what they view as an easy ecosystem to penetrate,” ZDNet reports. Author Danny Palmer says the increase “comes as users increasingly turn to mobiles as their primary devices, storing more and more valuable data on them.”

Increased use of cloud storage also contributes to the explosive growth of ransomware attacks. As InfoSec Institute notes, “Cloud storage ransomware usually self-propagates after being installed on cloud servers. Virlock is a typical example of cloud storage ransomware. It impersonates FBI authorities and requests victims to pay the fine of $250 due to alleged misconduct on behalf of the victims.”

Many ransomware programs impersonate the FBI in an attempt to make their demands for payment look legitimate. However, no police department or federal investigative organization will ever request payment, especially via the Internet.

Ransomware and the Internet of Things = Jackware?

Between 2015 and 2016, there were at least 15 major industrial incidents involving ransomware attacks, according to a Booz Allen Hamilton Industrial Cyber Security Threat Briefing. These incidents included the following:

  • In April 2016, cybercriminals delivered ransomware via phishing to the corporate network of Board of Water & Light (BWL), a Michigan-based public electric and water utility. Administrators shut down the corporate network to isolate the ransomware and prevent it from potentially moving into the operations-technology environment.
  • In June 2015, a cybercriminal advertised the sale of SCADA access credentials on a Dark Web forum dedicated to selling stolen data. The post included a screenshot of a SCADA graphical user interface, IP addresses and VNC (Virtual Network Computing) passwords for a SCADA system managing a hydroelectric generator.

Also in 2015, security researchers Charlie Miller and Chris Valasek demonstrated that they could take control of a Jeep Cherokee over the cellular network from about 10 miles away, cutting the engine and interfering with the brakes. It was a research demonstration rather than an attack for ransom, but it showed that a vehicle can be held hostage in the same way as a workstation.

Future Ransomware Targets Could Include Household Devices

There are also many potential targets that could be exploited in the future. Think of the electronic devices in a smart home, part of the Internet of Things (IoT). Lights, alarms, music systems and even electric coffeemakers offer hackers potential targets.

Because all manner of IoT devices are linked to the Web, your lights could be turned on at 1:30 in the morning, followed by music from your iTunes collection. If you were asked for a small payment of, say, $30 by 2:30 a.m. that same day, would you pay? What if the payment demands were to increase each hour?

What if your home security system was turned off remotely and you were susceptible to an increased risk of theft or home invasion? How much would you be willing to pay to restore your peace of mind and security?

The future could include the destruction of data from wearable devices (such as Fitbits) or the sale of tracking data. Hostile attackers could turn on your electric coffeemaker while you are away and perhaps cause a house fire if you do not meet their demands for payment.

Protect Yourself from Ransomware by Increasing Your Electronic Security

One way to increase your personal security is to protect the electronic devices that run your life. Your computer or phone usually serves as the control point for your IoT devices, and your smartphone is often synchronized with your computer files, so both devices need protection from ransomware.

First, keep the antivirus software on your computer, tablets and mobile devices current, and install operating system patches as soon as they are released on every one of those devices. Turning on automatic updates removes the need to remember.

Second, make your passwords long and hard to guess. The days of the eight-character password are gone; 12 or 14 characters is now the minimum that gives your devices and data real protection. Mix numbers, uppercase and lowercase letters and special characters, and never reuse a password across accounts; a password manager makes both easy.

Third, back up your files often. Keep those backups separate from your system, so they will not be compromised if your devices are attacked.

Fourth, always be aware of what you download. Downloading programs from unknown sites is risky. Always use only the sites you know or trust.

Similarly, opening attachments or clicking on URLs in email increases your chance of infection. Both are common ways ransomware is delivered.

Carefully examine unexpected emails from known or unknown senders. If you know the sender, check with him or her about the email and its attachment before you open it. Also, hover your cursor above a URL in an email to see if it actually goes to a legitimate source and double-check the sender’s email address for accuracy.
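The two manual checks above, hovering over a link and reading the sender’s address, can be automated for a mail gateway or a helpdesk triage script. The following Python code is an added example and not part of the original article; it parses a message with the standard library, compares the site a link shows with the site it actually goes to, and flags a From display name or Reply-To that points to a different domain than the real sender. The message, its domains and the registrable() shortcut are assumptions of this example.

```python
"""Flag the phishing tells the article describes (added example, not the authors' code):
a link whose visible text names one site while its href goes to another, a From
display name that carries a different e-mail address than the real sender, and a
Reply-To that points somewhere other than the From domain. The message below is
constructed for this example and uses reserved .example names.
"""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

URL_LIKE = re.compile(r"^(https?://)?[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text: str) -> str:
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s  # bare domains in link text
    return urlparse(s).hostname or ""


def registrable(host: str) -> str:
    """Last two labels; a production check would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _domain(addr_spec: str) -> str:
    return addr_spec.rsplit("@", 1)[-1].lower()


def analyze(raw_message: str) -> List[Dict[str, str]]:
    msg = message_from_string(raw_message, policy=policy.default)
    findings: List[Dict[str, str]] = []

    sender = msg["From"].addresses[0] if msg["From"] and msg["From"].addresses else None
    from_domain = _domain(sender.addr_spec) if sender else ""
    # Display name that itself looks like an address at a different domain.
    if sender and "@" in sender.display_name and _domain(sender.display_name) != from_domain:
        findings.append({"kind": "sender_display_mismatch",
                         "detail": f"{sender.display_name!r} vs {sender.addr_spec}"})

    if msg["Reply-To"] and msg["Reply-To"].addresses:
        reply = msg["Reply-To"].addresses[0].addr_spec
        if _domain(reply) != from_domain:
            findings.append({"kind": "reply_to_mismatch", "detail": f"{from_domain} -> {reply}"})

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if URL_LIKE.match(text) and registrable(host_of(text)) != registrable(host_of(href)):
                findings.append({"kind": "link_text_mismatch",
                                 "detail": f"shows {text} but goes to {href}"})
    return findings


SAMPLE_EMAIL = """From: "accounts@bank.example" <alerts@mail-updates.example>
Reply-To: refund-desk@reply-updates.example
To: alice@corp.example
Subject: Unusual sign-in: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We noticed a sign-in from a new device. Please confirm it within 24 hours:</p>
<p><a href="http://bank.example.login-verify.example/session">https://www.bank.example/login</a></p>
<p>Need help? Visit <a href="https://www.bank.example/help">bank.example</a>
or <a href="https://www.bank.example/unsubscribe">unsubscribe</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_EMAIL):
        print(f["kind"], "-", f["detail"])
```

registrable() keeps only the last two labels, which is wrong for domains under suffixes such as .co.uk; a production version would consult the Public Suffix List. Any finding is a reason to call the sender on a known number, as the article advises, not a verdict on its own.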

Future Protection Against Ransomware

The hope is that future new technology will have better security built into it. Currently, that hope is not realized. The potential for hostile actors to disrupt our life is increasing. It is our job to look for ways to make disruption a bit harder and hope attackers move to an easier target.

[Related: Ransomware Targets Continue to Pay Hackers and Ransomware: Its History and Evolution]


Ransomware: Its History and Evolution

Published with Permission by:
Lint, James R. & Kim, Dr. Yoohwan, “Ransomware: Its History and Evolution”, In Cyber Defense, 21 Mar. 2017, Web, http://incyberdefense.com/news/ransomware-history-evolution/

By James Lint
Faculty Member, School of Business, American Military University
Senior Editor for
 In Cyber Defense and Contributor, In Homeland Security

Co-Authored by Dr. Yoohwan Kim, CISSP, CISA, CEH, CPT
Associate Professor, Computer Science Department, University of Nevada Las Vegas

Note: This blog post is the second in a series of articles about ransomware.

In the infantry and the intelligence field, a basic tenet is to know your enemy. In 2016, ransomware attacks spiked 6,000%, with more than 4,000 attacks occurring daily. That makes ransomware an enemy worth knowing.

But to truly understand ransomware, it is necessary to first examine its history and how attackers plant this software in victims’ computer systems for illicit gain.

1989: First Known Use of Ransomware

In 1989, some 20,000 people, among them attendees of the World Health Organization’s international AIDS conference, received floppy disks in the mail. The disks contained a genuine questionnaire about AIDS risk, but they also carried a Trojan (later known as the AIDS Trojan or PC Cyborg) that, after a fixed number of reboots, hid the directories and scrambled the file names on the victim’s hard drive. The Trojan demanded that each victim send $189 to a post office box in Panama.

The creator of the Trojan, an evolutionary biologist and AIDS researcher named Dr. Joseph Popp, was arrested by the FBI and extradited to Britain.

His Trojan used only symmetric-key cryptography, which means the key needed to undo the damage had to be present in the program itself and could be recovered by anyone who analyzed it. The level of ransomware sophistication has increased ever since.

1996: Researchers Connect Cryptography to Ransom

In 1996, researchers Adam Young (Columbia University) and Moti Yung (IBM) published the paper “Cryptovirology: Extortion-Based Security Threats and Countermeasures.” The co-authors proposed using public-key cryptography: the malware carries only the attacker’s public key, so reverse engineering it reveals nothing that can decrypt the victim’s data, because the matching private key never leaves the attacker’s hands.

While Young and Yung’s academic paper showed the writers’ expertise, it also showed “how cryptography can be used to implement viruses that are able to mount extortion-based attacks on their hosts,” as the co-authors wrote. Unfortunately, too many readers recognized the article’s potential use in criminal attacks.

Interestingly, the co-authors also coined the terms “crypto-viral extortion” and “cryptovirology.” This new terminology moved cryptography from a defensive position to an offensive position.

2005 – 2006: Russians Become Involved in Ransomware

In 2005 and 2006, organized crime groups in Russia produced some of the first programs recognized as ransomware.

The principal targets were Russian citizens and others living in Russian-speaking countries. Later ransomware programs would move from victim to victim along the same language lines.

After the victim ran the program, the software would gather files of common types, pack them into a password-protected archive and delete the originals. The victim was then required to transfer $300 into an E-Gold account, an early centralized digital currency that predates Bitcoin.

2005: “Ransomware” Becomes a Term

In September 2005, Susan Schaibly wrote an article, “Files for Ransom,” for NetworkWorld magazine which contained the first known use of the term “ransomware.” Another interesting term used to describe ransomware was “Filenapper.” But a more appropriate term is extortionist.

2005-2009: Ransomware Payment Methods Increase in Sophistication

In 2005, GPCoder was a frequently used Trojan that encrypted files and demanded a ransom of between $100 and $200 in E-Gold or as a deposit to a Liberty Reserve account.

E-Gold was a digital currency operated by a Florida-based company; after federal prosecution it stopped processing transactions in 2009. Liberty Reserve was a Costa Rica-based digital currency that was harder for the U.S. government to reach, although it too was shut down, in 2013.

Bitcoin was introduced in 2008, followed by the release of its open-source software in January 2009. A payment channel with no company to prosecute and no account to freeze gave attackers what E-Gold and Liberty Reserve could no longer provide, and ransomware attacks have grown sharply ever since.

2012: Ransomware Mimics Law Enforcement Organizations

In 2012, a public stir was created by the appearance of Reveton ransomware, which impersonated police departments and the FBI. This type of software was used to scare victims into paying to unlock their computer data.

Typically, a message would appear on the victim’s screen claiming that the user was caught conducting illegal online activity. The message would also threaten the victim with imminent arrest unless a “fine” was paid promptly.

The on-screen logos of authentic law enforcement organizations made the scam appear real. The idea was to cause victims to panic and pay up quickly, not giving them time to realize that law enforcement organizations do not demand payment from the public, especially via prepaid vouchers or cryptocurrency.

2013: The First Major Ransomware Appears

The year 2013 saw the birth of CryptoLocker, a crypto-ransomware spread via email attachments. CryptoLocker demanded that the victim pay about $400 in Bitcoin within 72 hours, threatening to destroy the decryption key after the deadline.

This ransomware infected half a million computers, and 1.3% of the victims paid the ransom. The attackers netted an estimated $27 million from their victims.

An international collaborative effort called Operation Tovar was formed in 2014 to take down CryptoLocker and the Gameover Zeus botnet, the banking Trojan network that distributed it. As a result, Russian hacker Evgeniy Mikhailovich Bogachev was indicted as the administrator of both; he remains at large.

The criminals’ command and control infrastructure was also seized during Operation Tovar. The database of private keys recovered from it allowed some 500,000 victims to unlock their data without paying the ransom.

However, California-based network security firm FireEye warns that CryptoLocker has evolved and has started again to compromise users’ devices.

2014: Copycat Ransomware Like CryptoDefense Appears

Over time, copycat ransomware such as CryptoDefense also evolved. This ransomware doubled the ransom if it was not paid within four days.

But CryptoDefense was poorly implemented: it generated its keys with the Windows CryptoAPI, which left a copy of the private decryption key on the victim’s own machine, so the data could be recovered without paying. CryptoDefense proves that even hackers make mistakes.

Over time, many crypto-ransomware programs evolved further and acquired business and market differentiations. Some, like Cerber, added a voice feature that reads the ransom note aloud, while others, like Petya, overwrote the master boot record and prevented the machine from booting at all.

Some ransomware targeted healthcare facilities; others targeted gamers. One variant known as Silent Shade demanded a ransom of only $30, easily affordable for most victims.

2016: Ransomware Offers Opportunity to Avoid Ransom by Purposely Infecting Others

In December 2016, ransomware took on a new angle: deliberately infecting friends or colleagues. A program called Popcorn Time offered free decryption if the victim infected two other people, normally friends, via email. The new victims would open their trusted friend’s email and click on a link. Then, their systems would be attacked.

The attackers offered victims two ways to retrieve their data. The victims could choose the “nice way” and make a payment, or the “nasty way” by infecting the computers of two other people.

Ransomware Is An Equal Opportunity Attack on All Computer Systems

Ransomware isn’t limited to just one type of computer or mobile device. macOS can be attacked by a ransomware called KeRanger, which typically activates three days after infection and demands a ransom of about $400.

Similarly, Linux systems have been attacked by a variant of KillDisk. This ransomware demands 222 Bitcoins, roughly $218,000 at the time. Researchers, however, found a flaw in its encryption that lets victims recover their files without paying.

Ransomware is starting to exploit smartphones and even cloud servers. Cyber defenders will need to work diligently to overcome these ransomware infections.

The Best Protection against Ransomware: Back Up Your Data

Backing up your data is one form of protection against ransomware. If you have backups of your recent files and your computer is infected, it may be easier to wipe your machine and start over. You could also opt to buy a new machine if your computer or mobile device is old.

Overall, the data you store is much more valuable than your computer. Be sure to protect your data by backing it up to a hard drive kept offline.


Ransomware Targets Continue to Pay Hackers

Published with Permission by:
Lint, James R. & Kim, Dr. Yoohwan, “Ransomware Targets Continue to Pay Hackers”, In Cyber Defense, 15 Mar. 2017, Web, http://incyberdefense.com/news/ransomware-targets-continue-pay-hackers/

By James Lint
Faculty Member, School of Business, American Military University
Senior Editor for
 In Cyber Defense and Contributor, In Homeland Security

Co-Authored by Yoohwan Kim, Ph.D., CISSP, CISA, CEH, CPT
Associate Professor, Computer Science Department, University of Nevada Las Vegas

Ransomware attacks spiked 6,000% in 2016, with more than 4,000 attacks occurring each day. This is an increase from 1,000 attacks a day in 2015.

As famed bank robber Willie Sutton once said, “I rob banks because that is where the money is.” Contemporary bank robbers are seldom as successful and certainly nowhere close to these ransomware statistics. Ransomware is the new criminal money-making industry.

Co-author Dr. Yoohwan Kim, a speaker at the Las Vegas USSS Electronic Crimes Task Force quarterly meeting on March 3, 2017, provided research for this article. Some of that research came from an IBM Security Report, which also noted the 6,000% spike in 2016.

Ransomware Is a Costly Problem for Many Organizations

Ransomware is a type of malware that prevents users from accessing their computer systems. This malware targets critical data and systems for the purpose of extortion, either by locking the system’s screen or by locking the victims’ files until a ransom is paid.

Check Point’s ThreatCloud World Cyber Threat Map currently contains 250 million addresses and 11 million malware signatures. There is a steady increase in ransomware successes by hostile actors. More than 2,000 new ransomware programs are developed every month.

Perhaps a better term would be crypto-ransomware: Your files are encrypted and you are locked out from important data. The criminals then demand payment for the key to unlock the encryption.
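Crypto-ransomware leaves a measurable signature in the files it rewrites: encrypted data is close to uniformly random, so its Shannon entropy approaches 8 bits per byte, while documents, spreadsheets and logs sit far lower. The following Python script is an added example, not code from the article or its authors; it scores files by entropy, exempts formats that are dense by nature, checks for the appended extension crypto-ransomware typically leaves, and calls a tree suspect only when a large fraction of its files are affected. The threshold, the extension lists and the three sample files are this example’s assumptions.

```python
"""Spot files that look freshly encrypted (added example, not the authors' code).

Thresholds and extension lists below are heuristics chosen for this example.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

ENTROPY_THRESHOLD = 7.5  # bits per byte; random/encrypted data scores ~7.9+ on a 4 KB sample
NATURALLY_DENSE = {".zip", ".gz", ".7z", ".rar", ".jpg", ".jpeg", ".png", ".mp3", ".mp4", ".pdf"}
DOCUMENT_TYPES = {".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".csv", ".sql",
                  ".jpg", ".png", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def double_extension(name: str) -> bool:
    """True for names like 'notes.txt.locked': a document extension followed by a foreign one."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    if len(suffixes) < 2:
        return False
    return suffixes[-2] in DOCUMENT_TYPES and suffixes[-1] not in (DOCUMENT_TYPES | NATURALLY_DENSE)


def reasons_for(path: Path, sample_size: int = 4096) -> List[str]:
    reasons = []
    with path.open("rb") as fh:
        head = fh.read(sample_size)  # sampling the head keeps large trees cheap
    if shannon_entropy(head) >= ENTROPY_THRESHOLD and path.suffix.lower() not in NATURALLY_DENSE:
        reasons.append("high_entropy")
    if double_extension(path.name):
        reasons.append("double_extension")
    return reasons


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Map each file's relative path to the reasons it looks encrypted (empty list = clean)."""
    base = Path(root)
    return {p.relative_to(base).as_posix(): reasons_for(p)
            for p in sorted(base.rglob("*")) if p.is_file()}


def mass_encryption_suspected(report: Dict[str, List[str]], min_fraction: float = 0.5) -> bool:
    """Ransomware hits many files at once; a handful of dense files is normal."""
    if not report:
        return False
    flagged = sum(1 for r in report.values() if r)
    return flagged / len(report) >= min_fraction


def demo() -> Dict[str, List[str]]:
    """Constructed tree: one intact document, one 'encrypted' document, one photo-like file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_text("Meeting notes: review the backup rotation schedule.\n" * 40)
        (root / "budget.xlsx.locked").write_bytes(os.urandom(4096))  # stands in for ciphertext
        (root / "photo.jpg").write_bytes(os.urandom(4096))           # dense by nature (constructed)
        return scan_tree(str(root))


if __name__ == "__main__":
    report = demo()
    for name, why in report.items():
        print(f"{name:22} {'SUSPECT ' + ','.join(why) if why else 'ok'}")
    print("mass encryption suspected:", mass_encryption_suspected(report))
```

Run periodically against a file share, or from a backup job before each snapshot, the report is a cheap trigger for taking the share offline and pulling the last clean backup. A few dense files are normal; a whole tree of them is not.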

Who Is Vulnerable to Ransomware?

Hollywood Presbyterian Medical Center in California lost control of its data for more than a week due to a ransomware attack. The hospital paid the ransom with 40 bitcoins worth $17,000 and the hospital regained control of its data.

Allen Stefanek, president and CEO of HPMC, said: “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”

The San Francisco Municipal Transportation Agency was hit in late November 2016 (it confirmed the attack on November 28). The hostile actors demanded 100 bitcoins, about $73,000. The attack took all ticket machines offline and affected more than 2,000 systems and computers. Rather than shut down the rail system, the agency let riders travel free; it did not pay the ransom and restored its systems from backups.

Police Departments Can Be Targets

The police department in Tewksbury, Massachusetts, made a $500 payment after enlisting the help of the FBI. Similarly, a police computer in Swansea, Massachusetts, was hit with a ransomware attack. The police department decided to pay the ransom of two bitcoins (about $750) rather than try to figure out how to break the lock.

There are many similar targets, and most victims pay the scammers rather than risk losing critical data. The targets can be anyone. And when threat actors live outside the United States, U.S. money can be an enticing target due to the high cost of living in many of the home countries of ransomware operations.

Ransomware Business Is Booming and Growing More Professional

Revenue from the CryptoWall 3.0 program, the most popular ransomware program among hostile actors at the time, reached $325 million through October 2015, according to the Cyber Threat Alliance.

Victims reported $24 million in ransomware losses to the FBI in 2015. The FBI said victims paid $209 million in the first quarter of 2016 alone. Experts project that criminals will use ransomware to earn over $1 billion in 2017.

An interesting phenomenon is that ransomware is becoming more business-like in its operations, including live customer support to negotiate fees and deadlines. Good customer service gives ransom victims the confidence to pay and regain control of their files. Bitcoin payments give the criminals a transaction that cannot be charged back.

If an extortionist attacks your computer with ransomware, report the attack to local authorities and the FBI’s Internet Crime Complaint Center (IC3) as soon as possible. This practice will allow law enforcement to track the growth of the ransomware industry. It will also help all of us to understand new ransomware trends and potential methods to protect ourselves.

About the Authors

James R. Lint recently retired as the (GG-15) civilian director for intelligence and security, G2, U.S. Army Communications Electronics Command. He is an adjunct professor at AMU. James has been involved in cyberespionage events from just after the turn of the century in Korea supporting 1st Signal Brigade to the DHS Office of Intelligence and Analysis as the first government cyber intelligence analyst. He has 38 years of experience in military intelligence with the U.S. Marine Corps, U.S. Army, government contracting and civil service.

Additionally, James started the Lint Center for National Security Studies, a nonprofit charity that recently awarded its 43rd scholarship for national security students and professionals. James was also elected as the 2015 national vice president for the Military Intelligence Corps Association. He has also served in the Department of Energy’s S&S Security Office after his active military career in the Marine Corps for seven years and 14 years in the Army. His military assignments include South Korea, Germany and Cuba, in addition to numerous CONUS locations. James has authored a book published in 2013, “Leadership and Management Lessons Learned,” in 2016 “8 Eyes on Korea, A Travel Perspective of Seoul, Korea,” and a new book in 2017, “Secrets to Getting a Federal Government Job.”

Dr. Yoohwan Kim is an Associate Professor in the Department of Computer Science at the University of Nevada, Las Vegas (UNLV). He received his Ph.D. degree from Case Western Reserve University in 2003 in the area of network security (DDoS attack mitigation). His research expertise includes secure network protocols, unmanned aircraft systems (UAS) communications and cyber-physical system (CPS) security. He has published over 90 papers in peer-reviewed journals and conferences, and has 6 patents granted or pending. His research has been sponsored by Microsoft Research, the U.S. Air Force, Naval Air Warfare Center, Oak Ridge National Laboratory, National Security Technologies and the National Science Foundation. Before joining UNLV, he gained broad experience in the IT industry as a management information systems consultant at Andersen Consulting (now Accenture), a database programmer at Cleveland Clinic Foundation, a software engineer at Lucent Technologies and at his own start-up company.

Will We See a Decline in Cyber Threats in 2017?

Published with Permission by:
Lint, James R., “Will We See a Decline in Cyber Threats in 2017?”, In Cyber Defense, 15 Feb. 2017, Web, http://incyberdefense.com/news/will-see-decline-cyber-threats-2017/

Commentary by James Lint
Faculty Member, School of Business, American Military University
Senior Editor for In Cyber Defense and Contributor, In Homeland Security

It’s still early enough in the New Year to make predictions about cyber threats and malware attacks in 2017.

Ransomware Exploitation

First, I think ransomware attacks will likely decline by the end of the year. Ransomware is malicious software that extortionist hackers use to lock a target’s computer with encryption and then demand payment to unlock the computer.

Criminally obtained funds from a single type of ransomware have yielded as much as $325 million, according to McAfee Labs Threats Predictions. This gives cyber extortionists the funds for research and development to overcome anti-ransomware technologies.

McAfee Labs forecasts that the effectiveness of ransomware attacks will be reduced partly due to initiatives like “No More Ransom!” and the development of anti-ransomware technologies.

Ransomware attacks might also decrease because of their widespread use in recent years and the increasing cost of mounting them in the face of law enforcement action. There is also hope that continued law enforcement actions, including arrests and the accompanying loss of hackers’ funds, will make ransomware operations too expensive to continue.

The issue will come down to which side will overcome the other.

‘Drone Jacking’ Places Threats in the Sky

Drones have become the new tool for shippers, law enforcement, news photographers and farmers. And new uses for drones are being developed all the time. Dronejacking, too, is new, and the threats to drones are increasing.

The McAfee Labs report states, “Recently, we saw an example of a drone outfitted with a full hacking suite that would allow it to land on the roof of a home, business, or critical infrastructure facility and attempt to hack into the local wireless network.”

The DEFCON 2015 hacking convention showed the proof of concept that an individual could take control of a toy drone. While a small toy drone is interesting, the software in it is similar to the software in more expensive and larger drones. “Dronejacking” has now entered our vocabulary and threat matrix and should be of concern to all cyber defenders.

With drone shipping, high-value items and medicines could be diverted from their intended address to another landing area. A dronejacker could sit in a pickup truck, direct a targeted drone to land in the pickup bed and steal the drone’s cargo.

Such illegal activities would precipitate a technology race for shippers to put encrypted trackers on drones to thwart hacker attacks. Drone hackers, of course, will try to develop new tools to destroy drone communications and control. In the end, it will be up to industry to build better safeguards into the drone systems and ground stations.

How quickly each industry develops useful drones will determine when we will see the first spectacular drone hack. The first one will be for underground notoriety, but after that, drone jackings will be for criminal profits. Look for drone jacking in the news near the end of 2017 or in the first half of 2018.

Another prediction is that if captured drones are destroyed or lost, shippers will soon find drones too expensive to use and end the practice. An end to drone shipping would also eliminate use of the word drone jacking.

Machine Learning Accelerates Social Engineering Attacks

The McAfee Labs report warns “that cybercriminals are leveraging machine learning to target victims. We expect that the accessibility of machine learning will accelerate and sharpen social engineering attacks in 2017.”

Hackers routinely access corporate networks and collect a great deal of information on their executives and key financial personnel. Machine learning tools to conduct complex analyses are publicly available, creating the opportunity for cyberattacks far more sophisticated than simple target selection. Such attacks could include probes into decision makers’ business plans, proprietary information and ancillary activities such as executives’ vacations, travel or ill relatives.

The FBI calls these well-researched cyber attacks Business Email Compromise (BEC) scams. The hackers target personnel with financial responsibility or authority to write checks. For example, by analyzing hacked corporate data, the hackers learn that the CEO is taking a trip out of the country.

The trip includes many hours of air travel, poor communications and time zone changes. That is when the threat actors send an email in the executive’s name to a company financial officer to cut a large check and send it to an account number that belongs to the threat actors.

The McAfee report further states: “Cybercriminals know that sending a well-crafted email to a financially responsible team member, purporting to be from a leader of an organization and indicating urgency, results in a meaningful success rate in completing fraudulent transactions.”

This information is all mined and analyzed with machine learning tools. These tools are much quicker and give threat actors a growing advantage because machine learning keeps improving.

Machine learning use in criminal activity and BEC will increase in 2017. The money made by organizations using machine learning and the ability to crunch large data sets will give actionable intelligence for criminal activity. This will cause an increase of the use of machine learning for crime. In the end, machine learning is cost-effective, with a business case shown by FBI statistics that “more than $3 billion has been stolen, with victims in all 50 states and 100 countries.”

Cyber Espionage Will Continue to Target Intellectual Property and State Secrets

“Cyber operations from China are still targeting and exploiting U.S. government, defense industry, academic and private computer networks,” U.S. Cyber Command commander Admiral Michael S. Rogers said last April during testimony before a Senate committee.

The McAfee Labs report agrees with Adm. Rogers. “Cyber espionage will always be present, either as part of a nation-state’s intelligence operations or run by organized groups that will hunt for proprietary intelligence and offer it for sale.”

The greatest threat will be to U.S. government organizations and defense contractors. Cyber espionage against defense organizations and contractors will continue to be a weak link exploited by adversary nation states. In the past, a spy passing off a duffel bag of classified material to his foreign handler was considered a successful spy operation. Today, with small hard drives or thumb drives, the theft of terabytes of data is not unusual.

In the last three years, there has been an increased focus by the federal government to protect classified information from traitors and cyber theft. With this emphasis, there may be more successful apprehensions like that of former NSA contractor Harold T. Martin, who has been charged with stealing 50 terabytes of classified information over a 20-year period.

Technology created some of the vulnerabilities, and technology is fixing some of the vulnerabilities. The expectation is that the duel between cyber criminals and cyber defenders will be a draw at the end of 2017.

Police and Hackers Will Have More Successes in 2017

No one will predict an overwhelming success for either side of the battle. The police have learned and carried out successful takedowns in 2016 of botnets, DDoS operations and ransomware attacks. But until the threat actors evaluate the risk as too high, they will not stop their attacks.
