Would you pay?
Hollywood Presbyterian Medical Center just gave in. Last week, it decided that paying 40 bitcoins — about $17,000 USD — was worth it to get relief from the ransomware attack that had locked down its network since February.
Health care institutions and any business that stores sensitive client data are especially vulnerable to these sorts of attacks, according to F-Secure Security Advisor Sean Sullivan.
It’s a model that criminals know works and the attacks keep coming.
Locky was first detected this week, and in just a few days it has already infected more than half a million PCs around the world.
“So far, Locky’s most common infection vector has been via e-mail,” F-Secure Labs’ Andy Patel wrote. “A Word document attachment is sent out claiming to be an invoice. When opened, the document appears scrambled and prompts the recipient to enable macros in order to view, and if they do so, an executable (ladybi.exe) gets dropped and starts encrypting data files using 128-bit AES encryption.”
The nightmare of having all your Microsoft Office files encrypted is so overwhelming that many businesses go the same route as Hollywood Presbyterian Medical Center.
“The deployment of Locky was a masterpiece of criminality — the infrastructure is highly developed, it was tested in the wild on a small scale on Monday (ransomware beta testing, basically), and the ransomware is translated into many languages,” Kevin Beaumont wrote. “In short, this was well planned.”
The trend of malware-as-a-service, with criminal developers behaving with the business acumen of professional software companies, is not new.
F-Secure Chief Research Officer Mikko Hyppönen explains:
“For quite a while, online criminals have been moving to service models. We’ve seen it with DDoS attacks as a service, banking trojans as a service, and ransom trojans as a service among others.”
Macro attacks, however, have been one of the biggest cyber security surprises of the last year. They had mostly disappeared since the 1990s, and their reemergence is leaving many businesses vulnerable.
Even networks with fully patched software and updated security systems have found themselves victimized because their users are allowed to run macros and their application whitelisting isn’t properly configured.
F-Secure users, however, have benefited from our extra layer of protection.
Andy Patel explains:
“If you’re running our software, DeepGuard, our behavioral detection engine, has been preventing both the attack vectors used by Locky and the behavior of the malware itself. These detections have been around for quite some time already. Following our tried-and-tested prevention strategy, DeepGuard notices malicious behavior, such as Office documents downloading content, dropping files, or running code. DeepGuard stops the mechanisms that allow these sorts of threats to infect your machine right at the source.”
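The behavior described above (an Office document dropping a file or running code) can also be checked for in ordinary process-creation telemetry. The following is an added example, not F-Secure’s DeepGuard code: it scans constructed `timestamp|parent_image|child_image` records (an assumed, simplified log format) and flags Office applications that launch an executable from a user-writable directory or start a script host, which is the shape of the Locky chain described in the post.

```python
"""Flag process-creation events in which an Office application spawns an
executable from a user-writable location or launches a script host.

Log format is an assumed, simplified 'timestamp|parent_image|child_image'
record; the sample lines at the bottom are constructed, not real telemetry."""
import re
from typing import Dict, List, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Locations an unprivileged user can write to; dropped payloads usually land here.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a suspicious Office child process, else None."""
    parts = line.strip().split("|")
    if len(parts) != 3:
        return None  # malformed record
    ts, parent, child = parts
    if basename(parent) not in OFFICE_APPS:
        return None
    child_name = basename(child)
    if child_name in SCRIPT_HOSTS:
        reason = "office app spawned script host"
    elif child_name.endswith(".exe") and USER_WRITABLE.search(child):
        reason = "office app launched executable from user-writable path"
    else:
        return None
    return {"ts": ts, "parent": parent, "child": child, "reason": reason}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over every record and keep the findings."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample events. The third mirrors the Locky chain: Word drops
# and runs ladybi.exe from the user's Temp directory.
SAMPLE_LOG = [
    "2016-02-18T09:01:02Z|C:\\Windows\\explorer.exe|C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE",
    "2016-02-18T09:01:10Z|C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE|C:\\Windows\\splwow64.exe",
    "2016-02-18T09:01:31Z|C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE|C:\\Users\\alice\\AppData\\Local\\Temp\\ladybi.exe",
    "2016-02-18T09:02:05Z|C:\\Program Files\\Microsoft Office\\Office15\\EXCEL.EXE|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "2016-02-18T09:02:40Z|C:\\Program Files\\Google\\Chrome\\chrome.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['reason']}: {hit['parent']} -> {hit['child']}")
```

The benign Word-to-spooler and browser-to-installer lines produce no finding, so the rule keys on the parent/child combination rather than on any single process name.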