Column: 2016 is shaping up as the year of ransomware -- and the FBI isn’t helping
The year in ransomware began on Feb. 5, when computers at Hollywood Presbyterian Medical Center became infected with malware that shut down their communications capabilities. Ten days later, after the 434-bed hospital had been reduced to keeping records with pen and paper, the facility paid a ransom of 40 bitcoins -- about $17,000 -- and regained access to its system.
More than a week later, computers at the Los Angeles County Department of Health Services became infected with a program that blocked access to their data. The agency was able to isolate the infected devices and has refused to pay the attackers.
In cybersecurity, people are considered the weakest link. They are also both the most abundant resource and the most susceptible target.
— James Scott, cybersecurity expert
Get ready, because this trend is just beginning. Institutional targets such as hospitals, government agencies, school districts and police departments have been hit, but they may account for a minority of ransomware cases; lockdowns of individuals’ computers and mobile devices, accompanied by demands for a few hundred dollars, may be the norm. As more household devices become networked to the “Internet of Things” and left unsecured, more opportunities will tempt criminals into cyber hostage-taking.
Within the last few days, security experts discovered a ransomware program aimed at Apple device users -- a relatively rare target -- embedded in Transmission, a client app for the peer-to-peer system BitTorrent. Apple promptly upgraded its devices’ security software to block the program, but an estimated 6,500 computers were infected within the first day and a half. The malware encrypts files on the victims’ computers and flashes a message instructing them to send one bitcoin, valued at about $410, via a digital address. Similar attacks have been aimed at Windows PC and Android smartphone users.
What’s insidious about these attacks is that the sums demanded hit the cybercriminal’s sweet spot: They’re small enough to seem like a nuisance charge victims will simply pay to regain access to personal files that may include heirloom photos and important papers, yet can spell big profits to hackers who target enough victims. Each individual loss is so small that even in the aggregate they remain a minor concern of law enforcement, especially because sensitive files aren’t being stolen and sold. They remain on the victims’ computers, but out of reach.
The rise of ransomware points to a gaping flaw in individuals’ “cyber hygiene,” in the words of James Scott, a fellow at the Institute for Critical Infrastructure Technology, a consortium of security firms and experts. Individuals are increasingly likely to entrust crucial personal data and heirloom materials such as family photographs to computers, but not very likely to keep secure backups or protect them from digital invaders; as few as 25% of home computer users are estimated to regularly back up their data.
“In cybersecurity, people are considered the weakest link,” Scott said. “They are also both the most abundant resource and the most susceptible target.”
That shows another facet of the ongoing battle between Apple and the FBI, which is seeking essentially a company-devised “back door” to gain access to data on an iPhone used by one of the San Bernardino attackers. “Back doors are basically vulnerabilities,” Scott told me by email. “Adversaries seek out vulnerabilities to exploit. I think anyone in the cybersec community will have a problem with backdoors for anyone, including law enforcement because bad actors will always find them.”
Nor does the FBI offer much in the way of solace for ransomware victims. Last year, its cybercrime chief in Boston, Joseph Bonavolonta, was quoted telling a gathering of cybersecurity experts, “To be honest, we often advise people just to pay the ransom.”
At a more official level, the FBI asks targets of ransomware to notify the bureau. But it acknowledges that there’s little it can or is willing to do in individual cases. “The FBI doesn’t make recommendations to companies,” a spokesperson explained to the IT security firm Sophos. “Instead, the Bureau explains what the options are for businesses that are affected and how it’s up to individual companies to decide for themselves the best way to proceed. That is, either revert to backup systems, contact a security professional or pay.” The Horry County, S.C., school system last month paid a ransom of $8,500 to decrypt its servers after the FBI was unable to suggest an alternative.
The spread of ransomware attacks may be a new wrinkle in cybercrime, but the approach itself has a long history. According to Scott’s paper, the first known such attack dates back to 1989. That’s when a prominent biologist named Joseph L. Popp distributed a virus on 20,000 infected floppy disks to attendees at an international AIDS conference. After the infected machines had been booted up 90 times, the malware locked up the computer and flashed a message instructing its owner to send $189 to a post office box in Panama.
A workaround was quickly developed and Popp was arrested, but he was determined to be mentally unfit to stand trial. He later gained an alternative measure of fame as the founder of a butterfly conservatory in upstate New York.
Since Popp’s exploit, ransomware has become harder to break and the approach more sophisticated. Ransomware programs are traded and sold on the gray market, so the attackers don’t necessarily need expertise in anything but sending it out. The infection can be spread by phony emails or compromised downloadable applications, and falls into two main categories: “locker” and “crypto.” Locker programs leave users’ data untouched but keep owners from accessing it on their devices. Crypto programs leave users with access to their computers but encrypt the files; once the ransom is paid, a key is sent to allow their decryption.
As Scott observed, individuals are the best targets because they seldom have the expertise at hand to deal with a computer-based attack. Some attackers even impose a time limit, after which the targeted data may be permanently deleted. “People do not think rationally under time limits,” he said. “The victim is subject to the anxiety of the ticking clock ... and the fear of regret if the data is lost forever.” Many people will count a fee of a few hundred dollars as cheap under the circumstances.
There isn’t much that individuals can do to protect themselves against ransomware other than remaining especially vigilant about clicking on email attachments, even from friends (whose computers may themselves be infected), or downloading applications from any but the best-authenticated sources. Regular backups are essential, so that people’s most sensitive files can be recoverable. Institutions often are no better at protecting their systems than are individuals; indeed, many malware infections start with unwary individuals at big institutions.
Scott argued that a “never pay the ransom” policy is unrealistic, because sometimes a system’s downtime can be enormously costly or even threaten lives, even if the owner is confident that it can be restored after days or weeks. But the awful truth may be that ransomware is here to stay: “The number of ransomware attack variations is limited only by the imagination and motivation of the attackers,” he said As in so many other aspects of cybercrime, the best defense is hygiene; keeping a system firewalled and its users educated may not guarantee safety, but it’s the only option. And the FBI needs to acknowledge that “back doors” often become front doors, no one needs another front door.
Keep up to date with Michael Hiltzik. Follow @hiltzikm on Twitter, see our Facebook page, or email firstname.lastname@example.org