Ransomware Bill Seeks to Curb the Extortion Malware Epidemic

ransomware-billLast week, a ransomware bill introduced and put forth by California State Senator Bob Hertzberg moved forward after being passed at a hearing by the state senate’s Public Safety Committee. The proposed legislation known as Senate Bill 1137 calls for specific penalties for anyone connected to the spread of ransomware—from prison time of as long as four years and a fine amounting to $10,000. However, this does not limit prosecutors from pressing additional charges under previous edicts.

The legislation defines ransomware as a “computer or data contaminant or lock placed in or introduced into a computer system, computer or data in a computer system, or computer that restricts access to the system, computer, or data in some way, and under circumstances in which the person responsible for the ransomware demands payment of money or other consideration to remove the contaminant, unlock the computer system or computer, or repair the injury done to the computer system, computer, or data by the contaminant or lock.”

The bill aims to impose a more pronounced punishment to a cybercriminal who “directly places or introduces the contaminant or lock, directs another to do so, or induces another person do so, with the intent of demanding payment or other consideration to remove the contaminant.”

 [Read: All you need to know about Ransomware]

The Hollywood Presbyterian Medical Center (HPMC), one of the most recent reported ransomware victims that reached public consciousness, showed staunch support to the bill by testifying before the committee. Interestingly, Hertzberg was at the final stages of the bill when the ransomware infection that brought HPMC networks down made the news.

Last February, network and computer-related functions, including CT scans, lab work, pharmaceutical, and documentation needs of HPMC, remained offline for over a week, driving the hospital staff to revert to paper. The incident was declared an internal emergency, significantly affecting emergency room systems that then resulted to the transfer of affected patients to other hospitals.

In his testimony, Steve Giles, HPMC CIO, stated, “Every system within the medical center became inaccessible. This created panic to some degree within the nursing and physicians staff.” While initial reports indicated a ransom that totals at least $3.6 million in a 5-day-deadline, the hospital administrators later on released an official memo that admits to paying the ransom of $17,000 in bitcoin to obtain a decrypt key to regain access to the hostaged files.

Paying the ransom didn’t make things simple for the victim though. According to Giles, “We received the decryption codes—900 decryption codes. One decryption code, unique, per device. There was no magic wand of a single decryption code to alleviate the problem. We had to deal with 900 codes to go server by server by server, device by device.

Detailing how a ransomware attack crippled the networks of the hospital and significantly impacted its operations provided the needed push to pass the bill in its first reading. While there were extortion laws that encompass ransomware infections, Hertzberg saw the need to update the laws in a time of burgeoning digital extortion plots and attack tactics. In his testimony, Senator Hertzberg emphasizes, “It's responsible as we begin to continue to modernize the law to make sure we have an up-to-date law that works practically in the system of justice to deal with this new ransomware threat.”

The FBI statistics, according to Hertzberg, should be a cause for concern. In the United States alone, data kidnappers caused $209 million in damages within the first three months of 2016.  This is beyond the recorded $25 million extorted from ransomware victims in all of 2015.

Ransomware continues to be a notable security nightmare for end users and enterprises not only because of the surge of infections but with the surfacing of newer, more evolved variants. This signifies an ongoing pattern of development, mostly because the attack method has been proven to work. Ransomware infections have been so rampant that it is quickly becoming a common occurrence—far from when it was first sighted.

A continuous evolution

HPMC was not the last in the long line of ransomware victims that have hogged headlines of late. At the tail-end of March, a Kentucky-based hospital declared an “internal state of emergency” after being hit by a new crypto-ransomware family that was found to be using a rather uncommon distribution method.

Security analysts classified the malware that attacked the hospital as "Locky"—a new crypto-ransomware strain that banked on malicious macros found in Word documents to infiltrate a system. This method wasn't one commonly used to distribute ransomware, but it was a technique used by another notorious malware, the banking Trojan DRIDEX. Once it gets into a system, Locky encrypts files such as valuable documents and even images before deleting the original files.

[Read: New crypto-ransomware strain, Locky, discovered]

In the same month, online extortionists were also seen capitalizing on tax filing season with a ransomware variant called PowerWare, which added files generated by tax software to the list of file types it encrypts. Its use of Windows PowerShell and malicious macros in its infection routine was unconventional. Kimcilware emerged not long after this discovery. This ransomware variant was found using least two different scripts to target websites using the popular e-commerce platform Magento.

The healthcare industry continued to be pummeled by ransomware attacks, including one that went after files on servers within its target system's network, thus making it unique to other types of ransomware. Baltimore-based Union Memorial Hospital was found to be in the middle of a huge ransomware attack spread across the networks of healthcare giant, MedStar Health. Unlike traditional ransomware, SAMSAM did not rely on the usual malvertising and other social engineering techniques to spread. Instead, it snuck into target systems through unpatched servers. Interestingly, a bulk deal was then offered to the victims to obtain a decryption key that would recover files on all affected systems.

Researchers are quick to identify that SAMSAM and its evolved capabilities paint a vivid picture of a not-so-distant future of ransomware. In a statement, researcher Joe Marshall notes, “SAMSAM is the proof of ransomware’s evolution to its logical next step.” As such, the surfacing of the new crypto-ransomware strain is believed to be the gateway to an era of self-propagating ransomware, or "cryptoworms."

[Read: Healthcare industry hit by SAMSAM]

In much more recent news, another ransomware family, dubbed Maktublocker, was sighted at the onset of this month. It tricks users into downloading a malicious attachment via a phishing campaign that includes the target’s home address. This feigned legitimacy then coerces the user to click the link to view an “overdue invoice”. Once it penetrates the system, the ransomware demands an initial payment of 1.4 bitcoins, amounting to $580. But as time passes, the stakes for the kidnapped files get higher. For every three days the victim fails to pay the ransom, 0.5 bitcoin is added to the ransom amount.

Eliciting fear among users has become an age-old plot used by cybercriminals to make sure the target clicks a poisoned link. This has been the case in the first years of ransomware when police Trojans tapped into users' fears by mimicking law enforcement agencies and notifying would-be victims of illegal or malicious activity.

Last week, a newly-discovered ransomware aptly named Jigsaw, made the rounds online after it was released, based on the antagonist from the Saw movie franchise. Billy the puppet (a character used in the movie), flashes on the screen of its victim's system to announce that it has been infected. Much like the events that transpired in the movie, the message involves a timer counting down to a deadline of 24 hours to pay a ransom of $150 in bitcoins. Each hour of failure to settle the demanded ransom and a chunk of the victim’s files gets deleted. After 72 hours, the note warns of a complete deletion of the user’s files.

While several researchers have already uncovered and shared decryption tools for this particular ransomware run, Jigsaw illustrates a direction cybercriminals are headed—targeting its victim’s psyche. One particular sample flashes a ransom note that says, “YOU ARE A PORN ADDICT”. While Trend Micro researchers share that this may vary per target, in itself, this is a blatant attack on one’s character and a clear attempt to embarrass or threaten a victim by exposing or accusing them of bad habits.

In the 2016 Trend Micro Security Predictions, fear is considered to be a vital component in the success of any online extortion scheme. The more personal an attack is, the more successful it becomes as it makes the victims more likely to comply with the cybercriminal’s demands.

Waging a war against data kidnappers

The continuing surge of ransomware cases affecting individuals and now, even companies and institutions in various sectors, prompted authorities to issue an official ransomware alert. The U.S. Department of Homeland Security (DHS), in collaboration with the Canadian Cyber Incident Response Centre (CCIRC), directed a warning to the public to reinforce awareness and vigilance to prevent from becoming part of the growing statistic of victims.

The alert notes, “Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist.” As such, the alert highly discouraged victims from resorting to paying the ransom in hopes of a quick-fix. “Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.”

Backed by Los Angeles prosecutors, Sen. Hertzberg is currently waiting on the next steps before Senate Bill 1137 becomes a law. Right now, the measure requires the approval of both houses of the California legislature before it gets signed by Governor Jerry Brown into law. Hertzberg stresses that the bill will significantly bolster a firmer stance on security, tailoring it to effectively prosecute ransomware attacks. This shows the steps taken by the authorities to keep up with the growing capabilities and more massive impact of ransomware infections in today’s threat landscape.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.