The recent news of a successfully perpetrated extortion attack against Hollywood Presbyterian Medical Center, which forced its management to pay a $17,000 ransom to restore access to the institution’s computer systems, has been widely discussed by security researchers and the cybercriminal community alike. Soon after the news of the payment, two German hospitals were hit by ransomware, leaving them without patient data, critical systems, and email.
While ransomware campaigns are not new, most attacks have been large-scale and opportunistic—in the game of numbers where only a small fraction of victims pay the ransom, quantity trumped quality. Not surprisingly, the preferred attack vector has been drive-by downloads, designed to infect unsuspecting visitors indiscriminately as they access compromised websites. In these campaigns, the victim is asked to pay a ransom of anywhere between $250 and $500 to decrypt the files.
The ransom amount is typically hardcoded at the beginning of the extortion campaign, with little to no option to change the “asking price” post infection. Furthermore, while the crooks may see the processes running on the victim’s computer, they have no visibility into the nature of the encrypted files. The ransom demanded from Hollywood Presbyterian Medical Center in return for the decryption key strongly suggests a purposeful and targeted attack.
This is particularly concerning, as medical facilities are actively targeted for compromise by cybercriminals. “Fresh” and detailed patient data is sold on underground marketplaces in alarming quantities, suggesting intrusions and persistent presence in many medical facilities and insurers. As news of successful high-value targeted ransomware attacks propagates through the underground cybercriminal communities, those who profit from compromising medical facilities by selling patient data may reconsider their business model. While a single patient record containing personally identifiable information (PII) may bring the criminal $10, it is becoming apparent that institutions may be willing to pay whatever it takes to regain control over the functionality of critical systems and data.
To elevate the chances of a successful targeted ransomware attack, the attackers must use APT-like tactics to learn about their targets’ networks and endpoints, evaluate the criticality of the stored data, and manually insert the malware. Indeed, recent reporting suggests that Chinese APT actors are employing ransomware for supplemental income.
While the average cybercriminal may not have the tools, expertise, or patience to conduct reconnaissance and lateral movement to the same extent as APT actors, a few trusted tricks up their sleeves may be just as effective.
What the criminals lack in technical expertise, they make up for in social engineering skills. The playbook used in Business Email Compromise (BEC) scams, where fraudsters email finance officers with instructions to send bank wire transfers overseas, nets criminals over a billion USD. Such scams are entirely non-technical, relying instead on thorough research of the targets in open sources such as the corporate website and social networking sites. A targeted email is then sent to several addresses matching the possible corporate email formats (e.g., JDoe, John.Doe, J.Doe, DoeJ).
In the first few months of 2016, Flashpoint has observed an increase in interest expressed by cybercriminals on the Deep & Dark Web forums in engaging in such activities. The following post on a cybercriminal forum was written by the proprietor of a ransomware-as-a-service affiliate program:
Dear affiliates! We can now collaborate on an individual basis (primarily in regards to targeted ransomware attacks on companies and corporate networks). Here we can help you find all the tools necessary for this type of work (JS loader, DOCX with macros, etc.).
In another post on a different underground forum, an actor was spotted by Flashpoint seeking assistance infecting pre-selected targets:
Offering $5,000 in Btc for ransomware team per job and ongoing partnership. I’m looking for a ransomware team that will help me infect my contacts. These are businessmen in the oil sector, real estate etc. We will be doing about 3 of these jobs a week. My contacts are very wealthy and they also have bad internet security so I am looking at a high success rate.
The cybercriminal ecosystem is traditionally driven by the value of data on the cyber black markets. The posts above illustrate a nascent understanding in the cybercriminal community that there is another way to assign value to data, namely by assessing the value it presents to its owner.