Although the TV industry dialog about cybercrimes relates mostly to video piracy, other methods of attack must also be considered.
One of the most damaging, and one that is on the rise, is ransomware, which locks and encrypts a victim’s computer data; the criminals then send a ransom demand to restore access. Ransomware attacks showed an increase of 195 percent in business detections from Q4 2018 to Q1 2019.
These are the main types of ransomware:
- Crypto malware: Encrypts the user’s files and demands a ransom, often removing backups as well. Sophisticated crypto malware uses strong encryption, so files cannot be decrypted without the unique key held by the attacker.
- Lockers: Infect the operating system, especially on mobile devices, and completely lock the user out, denying access to any files or applications until the ransom is paid.
- Doxware (leakware): Derived from ‘docx’; hijacks the computer and threatens to publish the user’s stolen information online if the ransom is not paid.
- Scareware: Fake software that poses as an antivirus or cleaning tool but locks the computer or floods it with irritating alerts and pop-ups. It claims to have found problems on the user’s computer and pushes deceptive pop-ups to buy the scareware and “repair” the alleged errors, or simply demands money to resolve the issues.
- RaaS (Ransomware as a Service): The new kid on the block is malware hosted anonymously by a hacker. These criminals for hire distribute the ransomware, collect the payments and manage the decryptors (the software that restores data access) in exchange for a share of the ransom. Whereas those demanding ransom used to be skilled hackers, now even non-expert coders can enter this field.
Let’s take a look at some of the most prominent attacks.
One of the most famous is WannaCry, which within hours encrypted hundreds of thousands of computers in more than 150 countries. The attackers took advantage of highly classified hacking tools developed by the National Security Agency, which had recently been stolen and published online. In addition to attacking private businesses, this coordinated cyberattack hit government systems and railway networks. Losses are estimated at between $4 billion and $8 billion.
A month later, NotPetya, which Wired magazine labelled “the Most Devastating Cyberattack in History”, was first detected at Maersk’s offices in Denmark. It resulted in more than $10 billion in total damages, affecting additional companies such as TNT Express (FedEx), Cadbury, Merck, Saint-Gobain and Reckitt Benckiser. Russian military hackers have been identified as the source of this attack, which was originally aimed at Ukrainian targets.
Targeted attacks - MegaCortex
MegaCortex ransomware was first spotted as early as January 2019, but the attacks rose sharply in May. In this campaign, cyber-criminal groups use targeted attacks rather than spam or other mass deployment techniques. According to a Sophos report, the global attack combined a high degree of automation with some manual components, and used a convoluted infection methodology that only triggered the malware on specified machines.
These attacks appear to be initiated remotely from a compromised domain controller, using stolen administrator credentials. The malware also uses long batch files to terminate running programs and kill a large number of services, especially those related to security or protection. This is becoming a trend among current-generation ransomware families.
Ryuk targets “logistics companies, technology companies and small municipalities” with high data value, and issues demands of at least $5 million, according to the Federal Bureau of Investigation (FBI). Ryuk is believed to be behind the attacks on Tribune Publishing and some Florida municipalities. Although it spreads through the usual botnet and spam methods, it then deletes all files related to the intrusion and kills antivirus processes. The virus also drops a “RyukReadMe” file demanding that the ransom be paid in Bitcoin. Recent sightings of this nefarious virus have been reported in China.
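The batch-driven service and process killing described for MegaCortex, and the antivirus-killing behaviour noted for Ryuk, leave a recognisable trace in process-creation logs: a burst of `net stop`, `sc config`, `sc stop` and `taskkill` commands on one host within seconds, several of them aimed at security or backup components. The detector below is an added example written for this article, not code from any of the reports it cites; the log format, the host names and the security keyword list are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of process-creation events: "timestamp host parent command line".
# The format is a hypothetical one for this example, not a real product's export.
SAMPLE_LOG = """\
2019-05-03T02:14:01 DC01 cmd.exe net stop "Endpoint Protection Service" /y
2019-05-03T02:14:02 DC01 cmd.exe sc config WinDefend start= disabled
2019-05-03T02:14:02 DC01 cmd.exe taskkill /f /im avagent.exe
2019-05-03T02:14:03 DC01 cmd.exe net stop "Backup Agent" /y
2019-05-03T02:14:03 DC01 cmd.exe sc stop "Security Monitor Service"
2019-05-03T02:14:04 DC01 cmd.exe taskkill /f /im sqlservr.exe
2019-05-03T09:30:12 WS07 explorer.exe net stop Spooler
2019-05-03T11:02:45 WS07 services.exe sc config Spooler start= demand
"""

# Windows built-ins that a batch-file kill sequence relies on.
KILL_CMD = re.compile(r"^(net\s+stop|sc\s+(stop|config)|taskkill)\b", re.IGNORECASE)
# Assumed keyword list hinting that the target is a security or protection component.
SECURITY_HINT = re.compile(r"defend|protect|security|antivirus|endpoint|backup", re.IGNORECASE)


def parse_line(line):
    ts, host, parent, cmd = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, parent, cmd


def find_kill_bursts(log_text, window=timedelta(seconds=60), min_kills=4):
    """Return {host: (kill_count, security_hits)} for every host that ran at least
    `min_kills` termination commands inside `window`, at least one of which targets
    a security-related name. A lone 'net stop Spooler' by an admin never qualifies."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        ts, host, _parent, cmd = parse_line(line)
        if KILL_CMD.match(cmd):
            per_host[host].append((ts, cmd))
    alerts = {}
    for host, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over each start
            burst = [c for t, c in events[i:] if t - start <= window]
            sec_hits = [c for c in burst if SECURITY_HINT.search(c)]
            if len(burst) >= min_kills and sec_hits:
                alerts[host] = (len(burst), len(sec_hits))
                break
    return alerts


if __name__ == "__main__":
    print(find_kill_bursts(SAMPLE_LOG))  # {'DC01': (6, 4)}
```

Tune `min_kills` and `window` against your own baseline; the point is the burst and the security-related targets together, not any single command.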
Businesses that are locked out of their systems can lose devastating amounts. The costs are not limited to replacing and updating computer hardware and software: additional expenses after such an incident include staff overtime pay and lower revenues from the loss of business during the outage.
It’s not surprising that both individuals and businesses panic and pay the ransom, given the threat of personal and/or embarrassing information being published online, which can totally ruin a reputation. Even scarier, the published information can be completely fake, but once it has been sent ‘by you’ to people you know, or posted ‘by you’, the damage is already done. Denials and certified corrections can help, but it can take years to regain credibility.
Yet according to many experts, the worst thing to do is to pay, since there is no guarantee that the cybercriminals will decrypt your data and return access. If you have been compromised, first search for a decryptor; in some cases you may be able to decrypt your data without paying the criminals. Almost all ransoms are demanded in Bitcoin, making the payment untraceable.
As pointed out by Quentin Chieze, VO’s Interim CSO, “With ransomware (the most famous example being the WannaCry ransomware) it became obvious and indisputable that Cybersecurity doesn’t earn you any money, but it can prevent you from losing a lot of it.”
The Weather Channel – ransomware in the TV industry
TV services are not immune to ransomware; last April the Weather Channel was down for more than an hour until the backup mechanisms enabled restoration of the service. The FBI has been involved in the investigation.
K!NG - a success story
Although the sums paid as ransom increased substantially, up 89% in Q1 2019 to $12,762, compared with $6,733 in Q4 2018, here is one of the few successful prosecutions. This is the story of K!NG, the online moniker of Zain Qaiser, who in conjunction with a Russian-speaking organized crime group ran an elaborate blackmail operation. He is currently serving a sentence of more than six years in a UK prison, after installing malware on millions of computers worldwide via ads placed on porn sites.
The ads redirected to another website that hosted highly sophisticated malware strains, including the infamous Angler Exploit Kit (AEK). A pop-up ad would lock the computer display, masquerading as the FBI or other law enforcement agencies, and demand payments of up to $1,000 in virtual currency. When porn-site operators attempted to remove his ads, he retaliated by threatening their servers and operations, sometimes using distributed denial of service (DDoS) attacks. Building the case against Qaiser required cooperation from the international law enforcement community in the UK, US, Canada and Europe.
If under attack
Here are two recommendations from a cybersecurity expert:
- Alert law enforcement; they may not be able to help, but they should be made aware of the crime.
- Turn off your infected computer and disconnect it from the network, to avoid having the infected computer taking down other computers on that network.
How to prevent being held hostage
- Backup, backup, backup! If your information is backed up, ransomware is ineffective and you cannot be held hostage. Ensure that the backups are stored offline, and that you can easily and safely restore from them. In addition, consider keeping an additional backup in the cloud.
- Adopt two-factor authentication (2FA) or multi-factor authentication wherever technically possible.
- Institute Dynamic Control Access which segregates your network into distinct zones, each requiring different credentials. This ensures that your entire network cannot be compromised in a single attack.
- Conduct regular employee security awareness training.
- Install anti-malware and anti-ransomware software and run frequently scheduled security scans.
- Purchase cyber insurance.
While all these measures may not completely prevent a ransomware attack, they can significantly reduce risk and mitigate the damage should an attack occur.