
Ransomware– Pay-Up or Else– Billion Dollar Nightmare: Everyone is Vulnerable to Cyber– Extortion, Ransom…

Ransomware is one of the fastest-growing trends in cyber-crime: A clicked URL here, an opened file there, and suddenly your computer is infected with malware that either prevents you from accessing your machine or, worse, encrypts your work documents so you can’t access them… By the time you recognize something is wrong, it’s too late. Cyber-criminals have kidnapped your data and want you to pay up to get it back… Estimates from the FBI put ransomware on pace to be a $1 billion source of income for cyber-criminals…

The average ransom demand is now about $679. That’s more than double the average demand of $294 observed during attacks in 2015… And more troubling is that less than 50% of victims fully recover data... Ransomware propagates itself as a Trojan; e.g., fake emails are the most often used distribution method, ahead of websites, social media, and attached infected Word documents… Ransomware is different from other malware and viruses because it’s nearly impossible to break it… In many cases, even the most accomplished coders can’t break the complicated algorithms to get access to the files without paying ransom…

In the article Ransomware a Top Threat, Lucian Constantin writes: Ransomware increasingly hits businesses, hospitals, public utilities, public transit systems, and even police departments… According to Ed Cabrera; over the past two years there has been a dramatic shift in the type of ransomware being used by attackers… In 2014, 80% of ransomware attacks used traditional techniques, e.g., locking the desktop screen and telling users that they needed to pay fines… However, in 2015, the statistics flipped and 80% of attacks involved malware programs that encrypt files…

Still another evolution is the transition from targeting individuals to organizations and enterprises… This change in target is not entirely unexpected; after all, business records are much more valuable than personal documents… and organizations can afford to pay higher ransoms than individuals… According to Liviu Arsene; ransomware is now focused on small and medium businesses, since they are more likely to pay a larger ransom than the average individual, e.g., a hospital paid $17,000 when hit by a single ransomware infection… which makes organizations and enterprises much more valuable targets for cyber-crime…

Ransomware attacks can be devastating; they can cripple day-to-day activities… Common entry points in many organizations are human resource and financial departments, because it’s easy to disguise malware as, e.g., a resume or an invoice… And when the targets are critical infrastructure providers, such as hospitals, transportation services, communications… the impact on these organizations can be catastrophic; unfortunately in these situations there are few realistic options aside from paying the ransom… In these devastating attacks, victims are usually redirected to ‘exploit kits’ via compromised websites or through malicious ads…

Unlike phishing emails, these are drive-by-download attacks and it’s difficult to avoid them, since they are launched from trusted websites and are usually completely silent… These are hard decisions; security experts and law enforcement typically recommend that victims do not pay ransoms because it rewards criminals, and there is no guarantee that the attackers will fully recover the data or provide a decryption key… According to Kaspersky Lab; one in every five organizations that pay ransom never gets its full data back… However, for most organizations the decision is simply financial; it’s cost-based, e.g., comparing ‘costs lost’ (i.e., lost revenue, reputation, customer support, intellectual property…) versus ‘pay ransom’ (i.e., accepting unintended consequences)…

Incidents of Ransomware on the Rise: Hospitals, schools, government, law enforcement, small business, large corporations, individuals… are all targets for ransomware… It’s an insidious type of malware that encrypts and/or locks valuable files and demands ransom to release them… According to James Trainor; paying ransom does not guarantee anything– it’s a no-win situation– even when victims pay they may not get full recovery… plus it emboldens criminals to target even more organizations… In addition, criminals/terrorists use the funds obtained from ransom to engage in other illegal, immoral activities.

Ransoms are profitable enterprises, and it’s very easy for cyber-criminals to organize and manage attacks when they represent themselves as legitimate enterprises… According to McAfee; cyber-criminals have figured out that they can hide/disguise themselves as legitimate enterprises… hence they make much more money, more easily, more safely with cyber ransomware than with, e.g., dealing drugs or other illegal activities… But the key question: Should victims pay ransom?

Ransom amounts vary (it’s a market-based system): It can be a few hundred dollars, or $5,000 or more... And unfortunately victims are in a no-win situation– it’s extremely unlikely that the victim can break the malware or encryption… Hence, the decision to pay or not often comes down to just a few limited options, e.g.:

  • No backup? Pay the ransom: If victims lack any form of file backup, they have no choice but to pay the ransom and hope they get files back. (According to a survey of 300 experts; 19% of victims that paid the ransom still didn’t get their files back.)
  • Try restoring from backup: If victims have backup, they should try restoring a clean version, though in many situations customers will be down during the hours and days it takes to restore files.

Third option: Business continuity– it’s the ability for an organization to continue operations even in a disaster situation… Many organizations have plans in place for, e.g., natural disasters, power outages, other disruptions… But few organizations have ‘e-crisis’ response plans for cyber threats… Organizations (and individuals) must take cyber-attacks seriously and develop an effective contingency ‘continuity plan’ to protect themselves…

CyberRevenge– Hacking the Hacker, Attacking the Attacker: CyberWarfare– Hire Mercenary to– Hack-Back, Retaliate… Or, Not!

Hacking the hacker: In effect means being a thief to catch a thief… There is a hot debate over companies’ rights to defend themselves in cyberspace by taking offensive action… The hacker-on-hacker retaliation is a tantalizing option for some victims, however, many experts warn that the strategy, commonly known as ‘hacking-back’, could go very wrong…

According to Jeffrey Carr; hacking-back is the worst option for companies because they don’t know who is on the other end of the keyboard nor what capabilities that person(s) has. What may start as simple [intellectual property] theft could, after a ‘hacking-back’ attempt, result in unforeseen consequences… People with any life experience usually understand and respect the adage– ‘never pick a fight with a stranger’; the same adage applies in cyberspace…


According to Rick Howard; just because you are able to jab back against a cyber adversary does not mean that you should… More likely than not, you would have succeeded in poking the beehive and you may have unleashed a world of hurt on your organization that it did not need… However, other experts say companies should be allowed to hack-back after they’re hit… If companies cannot get timely help and protection from law enforcement, then they should be allowed to take responsible action to mitigate the impact of theft of their data; companies should be allowed to hack back…

According to Matthew Green; hacking-back sounds like a great idea until you think about how easy it is to subvert. Today’s attackers go to great lengths to hide the source of their attacks. How can any company know they’re really hacking their attacker, and not some innocent bystander?

According to Mark Weatherford; it depends: there are so many possible unintended consequences in hacking back that unless you truly understand what you are doing, it isn’t worth the risk. Remember, when you hack-back, you are escalating an event with someone who may have far greater skills, resources and evil intent than you…

According to Melanie Teplinsky; hack-back, retaliation, vigilantism. These words not only make for great headlines; they spark heated debate over the appropriate roles of the private sector and government in cyber-security. However, defensive measures alone may delay, but are unlikely to prevent penetration of target networks by concerted adversaries. Focusing exclusively on defense will not solve cyber-security… We need to raise the costs and risks to concerted adversaries in order to deter their activities.

In the article Hack the Hackers? Companies Itching To Go On Cyber Offense, Matt Egan writes: Fatigued by a relentless onslaught from hackers, some companies are mulling a more aggressive and proactive approach to powerful cyber evil-doers. Offensive counter strikes are likely illegal in today’s murky legal structure, but some security professionals are calling for at least a more proactive stance that utilizes measures like disinformation campaigns, honey pots, intelligence gathering…

All of this is aimed at squashing cyber attacks that can generate millions of dollars in damages and lost revenue, loss of intellectual property, and even cause reputation harm… According to Dmitri Alperovitch; these adversaries are like a dog with a bone… they will not go away… it doesn’t matter how many times you stop them, the one time they get through they cause very, very serious damage…

Whether it’s from vindictive terrorists, anti-capitalistic hacktivists or stealthy hackers, it’s clear that companies are under attack from nefarious online forces… According to a report, 65% of organizations polled suffered an average of three denial of service attacks in the past 12 months, costing financial-services companies a hefty $32,560 a minute… This helps explain a rising frustration about the limited options companies have to fight back… Some security firms are advocating a more proactive defense, though companies need to be careful to navigate laws…

According to Dmitri Alperovitch; we are not advocating hacking-back, since in most cases it’s illegal… we are talking about doing legal things on the network… that are more aggressive as opposed to just sitting there and trying to swat away these intrusions… it’s active defense, which can be a very effective deterrent…

In the article Hacking the Hackers: Legal Risks of Taking Matters Into Private Hands, Becca Lipman writes: Private groups are beginning to fight back against foreign sources of malware and credit fraud, but methodologies put these digital crusaders and their employers at serious legal risk… Breaking into somebody’s computer, even if it belongs to a hacker in Russia, China… who just hacked you, is illegal… It’s the same as if you broke into a robber’s house to take back your stolen jewels. Intention does not justify the crime of breaking and entering…

As with any other battle, there’s also a risk of hurting innocent bystanders. The goal is to shut down hackers at the source, but that often involves going through botnets, networks of millions of infected PCs that report to a central server… Perhaps it’s only a matter of time before something truly shocking occurs from the actions of digital justice crusaders, but the fact is that institutions do illegal things all the time to stay on top of security protocols, and it proves effective in many cases… Many of the people involved in these activities are taking actions in legal grey areas in a form of vigilantism…


In the article Hacking the Hackers, Arthur Piper writes: Hackers use sophisticated techniques to block their server’s IP address, the unique digital code that identifies each device on the internet. But it is not impossible… That passive attitude to managing the risk of cyber-attack is changing; some organizations are setting traps for hackers within their own networks, or designing fake networks to catch the perpetrators. Data on the fake part of the site can often be traced to the criminals when they sell or attempt to use it… You are seeing a bit of a trend of not relying so much just on the government and businesses taking a more aggressive approach…

Other businesses are setting up databases in more sophisticated ways to both prevent serious loss and to help create evidence that can be used in court at a later date… But, not all cyber-criminals have yachts and most are effectively subcontractors working for other criminals. When they do have money, it may be difficult to obtain, and they may be impossible to sue if they live in a jurisdiction with no legal extradition rights…
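One way to make decoy data traceable in the sense described in the two paragraphs above, as an added example that is not from the article or any of the quoted sources: each decoy record carries a keyed HMAC tag, so a record that later turns up in a login attempt or a dump can be tied to the decoy store it was planted in, and a forged look-alike is rejected. The key, the placement names, the `decoy.example` domain and the sample log lines are all constructed assumptions.

```python
import hashlib
import hmac
import re

KEY = b"constructed-demo-key"  # assumption: secret held only by the defender
PLACEMENTS = ["hr-share", "finance-db", "fake-crm"]  # hypothetical decoy stores
DECOY_RE = re.compile(r"\bu(\d+)\.([0-9a-f]{12})@decoy\.example\b")

def _tag(placement, index, key=KEY):
    """Keyed tag binding a record number to the store it was planted in."""
    msg = f"{placement}:{index}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:12]

def make_decoy(placement, index, key=KEY):
    """Build one decoy record; the e-mail address carries the keyed tag."""
    return {"name": f"Decoy Customer {index}",
            "email": f"u{index}.{_tag(placement, index, key)}@decoy.example"}

def trace(text, placements=PLACEMENTS, key=KEY):
    """Return [(email, placement)] for every genuine decoy address in text."""
    hits = []
    for m in DECOY_RE.finditer(text):
        index, tag = int(m.group(1)), m.group(2)
        for placement in placements:
            # Recompute instead of looking up: no table of decoys to protect.
            if hmac.compare_digest(tag, _tag(placement, index, key)):
                hits.append((m.group(0), placement))
                break
    return hits

def scan(lines):
    """Map 1-based line number -> decoy hits for lines that use a decoy."""
    return {n: h for n, line in enumerate(lines, 1) if (h := trace(line))}

# Constructed sample events: one normal login, one use of a planted record,
# and one address that imitates the decoy format without a valid tag.
leaked = make_decoy("finance-db", 7)["email"]
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z login ok user=alice@corp.example src=10.0.0.5",
    f"2024-01-01T10:02:11Z login fail user={leaked} src=203.0.113.9",
    "2024-01-01T10:03:40Z login fail user=u7.000000000000@decoy.example src=203.0.113.9",
]

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG).items():
        print(lineno, hits)
```

Because no legitimate user ever holds a decoy record, any verified hit is a high-confidence signal, and the placement name shows which store was read.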

In the article New Brand of Cyber Security: Hacking the Hackers, Ken Dilanian writes: The traditional way of trying to defend your network is just not going to cut it; you have to do something different… one way is to engage the adversary… According to Irving Lachow; attackers often breach company networks using a tactic known as spear phishing, a practice that gets an employee to download a malware file by disguising it, for example, in an email purporting to be from someone the worker knows. Firewalls and anti-virus software are almost useless against such techniques…

To counter these tactics some experts suggest the use of decoys to lure hackers into a controlled environment, where investigators can observe and trace the attack… then hopefully identify the hackers by using clues in their malware, and by gathering information from a variety of other sources, they then might be able to develop a profile of the attacker… Profiles enable a more targeted defense by knowing when an attacker is likely to strike, how they communicate, what malware they use, how they steal data… These methods are not without critics, who worry about how far companies might go down the road of cyber vigilantism…

The Justice Department said hacking-back may be illegal under the Computer Fraud and Abuse Act, a 1996 law that prohibits accessing a computer without authorization. Many lawyers liken it to the principle that a person can’t legally break into his neighbor’s house, even if he sees his stolen television in the neighbor’s living room…

Organizations need to start thinking like the adversaries, and look at different approaches and techniques to confuse an attacker… According to Sara K. Gates; in the light of unprecedented attacks by cyber-criminals against businesses that span every industry, this question has come to the fore: Is it time to fight back? According to Jeff Bardin; hacker groups and disruption of business has reached an all-time high and no longer can be ignored. We want to get the ‘adversary’ to understand that if they launch an attack against a company, there will be costs to pay…

But many experts are not in favor of going on the offense, because it just won’t work: it’s too difficult to pinpoint the location and source of many cyber-attacks… whereas, many security experts say there are some ‘offense-like’ tactics that can drive up the cost of hacking into a corporate network and, if deployed properly, could discourage hackers enough to have a major impact on the threat landscape…


There are interesting questions being raised about how far businesses can go and what types of attacks can actually be effective… According to Martin Zinaich; it doesn’t necessarily have to go from nothing to launching a full-out assault against cyber-crime infrastructure. It could be much more subtle things like feeding the bad guys misinformation or doing your own reconnaissance… there are offensive security measures the good guys can leverage. Misdirection tactics, for example, can be deployed by heavily targeted companies, such as those in the financial and defense sectors…

According to Tim McCreight; you need to start thinking like the adversaries, and look at your defenses as if you are trying to break into your systems. You need to adopt a much more aggressive mindset… Unfortunately, these security tactics may have their drawbacks as well; some companies are very apprehensive about specifically targeting hacktivist groups since it raises ethical questions and the legality of the practice. In addition, building phony systems and fake credentials may be too costly to deploy… it’s hard to agree whether ‘hacking-back’ is an acceptable enterprise defense practice, when no one can agree what the term means. Offensive security is huge but relatively undefined, and it’s compounded by the fact that the laws governing it are vague…