Last month, employees at the Colorado Department of Transportation were greeted by a message on their computer screens similar to this:
“All your files are encrypted with RSA-2048 encryption. … It’s not possible to recover your files without private key. … You must send us 0.7 BitCoin for each affected PC or 3 BitCoins to receive ALL Private Keys for ALL affected PC’s.”
Versions of CryptoLocker ransomware notify computer users that their files have been encrypted and locked. Users are instructed to pay in Bitcoin to get the files back. But Webroot and other security companies warn that not all ransomware actually returns the files intact, so victims should check with security companies, which track the reputation of the hackers involved. (Images provided by Webroot)
CDOT isn’t paying, but others have. In fact, so-called ransomware has become one of the most lucrative criminal enterprises in the U.S. and internationally, with the FBI estimating total payments are nearing $1 billion. Hackers use ransomware to encrypt computer files, making them unreadable without a secret key, and then demand digital currency like Bitcoin if victims want the files back — and many victims are falling for that promise.
To better understand how ransomware works and how it has spread so effectively, The Denver Post talked with Broomfield anti-malware company Webroot, which got its start in the late 1990s cleansing computer viruses from personal computers.
“The end goal is just to put ransomware on the computer because right now the most successful way for cybercriminals to make money is with ransoming your files,” said Tyler Moffitt, a senior threat research analyst at Webroot.
Ransomware infects more than 100,000 computers around the world every day and payments are approaching $1 billion, said U.S. Deputy Attorney General Rod J. Rosenstein during the October 2017 Cambridge Cyber Summit, citing FBI statistics. A study by researchers at Google, Chainalysis, University of California San Diego and NYU Tandon School of Engineering estimated that from 2016 to mid 2017, victims paid $25 million in ransom to get files back.
And one out of five businesses that do pay the ransom don't get their data back, according to a 2016 report by Kaspersky Lab.
It’s a growing business for cybercriminals. And whether to pay or not is something each user or company must decide.
Last spring, the Erie County Medical Center in New York was attacked by SamSam due to a misconfigured web server, according to The Buffalo News. Because it had backed up its files, the hospital decided not to pay the estimated $44,000 ransom. It took six weeks to get back to normal at a recovery cost of nearly $10 million.
More recently in January, the new SamSam variant sneaked into Indiana hospital Hancock Health, which decided to pay 4 Bitcoin, or about $55,000, in ransom. Attackers gained entry by using a vendor’s username and password on a Thursday night. The hospital was back online by Monday morning.
A variant of the SamSam ransomware has attacked computer systems of hospitals, healthcare systems and government agencies, like the Colorado Department of Transportation. Cisco Systems' security unit Talos has been tracking SamSam and shared this screen image of the ransomware's demands. In January, Talos researchers said that the SamSam variant had collected 30.4 Bitcoin, or about $325,217.07, in four weeks. (Image provided by Cisco)
Colorado security officials are still investigating the CDOT ransomware attack that took 2,000 employee computers offline for more than a week. They don’t plan to pay the ransom but offered few details about the attack other than confirming it was a variant of the SamSam ransomware. Security researchers with Cisco’s Talos, which shared the SamSam message with The Denver Post, reported in January that the new SamSam variant had so far collected 30.4 Bitcoin, or about $325,217.
Ransomware typically gets on a computer when someone inadvertently downloads the nasty code. It’s not always as blatant as opening an email attachment, though those still exist. One such malware, called NemucodAES, disguised itself as an email from UPS about an undelivered package and instructed recipients to “Please check the attachment for details.” Security software, such as anti-malware from Emsisoft, stopped the ransomware spread because it detected suspicious behavior. Emsisoft also created a decryptor to help users recover files without paying the ransom.
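The "suspicious behavior" that stops a ransomware run is, at its simplest, a burst of files being rewritten as opaque, random-looking blobs. The following is an added illustration of that idea, written for this page; it is not Emsisoft's, Webroot's or any product's detection logic. It scores each file's Shannon entropy (encrypted or compressed data sits close to 8 bits per byte, ordinary documents far below) and raises an alarm when more than a handful of high-entropy files turn up in one scan. The thresholds and the sample corpus are assumptions constructed for the demo.

```python
"""Behavioural check for ransomware-style bulk encryption (illustrative only).

Added example: it is not any vendor's detection logic. It flags a directory
when many files look like high-entropy blobs, which is what bulk file
encryption looks like on disk. Thresholds below are assumptions for the demo.
"""
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits per byte; random/encrypted data is ~7.9-8.0
MIN_FLAGGED = 5           # high-entropy files in one scan before alarming
SAMPLE_BYTES = 65536      # only the head of each file is scored


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-symbol data."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_directory(path: str,
                   threshold: float = ENTROPY_THRESHOLD,
                   min_flagged: int = MIN_FLAGGED) -> dict:
    """Walk `path`, collect files whose head is high-entropy, decide on alarm."""
    suspicious = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                head = fh.read(SAMPLE_BYTES)
            if shannon_entropy(head) >= threshold:
                suspicious.append(full)
    return {
        "suspicious": sorted(suspicious),
        "alarm": len(suspicious) >= min_flagged,
    }


def build_demo_corpus(path: str, n_encrypted: int = 6, n_plain: int = 4) -> str:
    """Constructed sample: plain-text reports beside random-byte 'locked' files.

    os.urandom stands in for ciphertext; no real encryption is performed.
    """
    for i in range(n_plain):
        with open(os.path.join(path, f"report{i}.txt"), "w", encoding="utf-8") as fh:
            fh.write("quarterly report, all figures unaudited\n" * 200)
    for i in range(n_encrypted):
        with open(os.path.join(path, f"report{i}.txt.locked"), "wb") as fh:
            fh.write(os.urandom(4096))
    return path


def demo() -> dict:
    """Build the constructed corpus in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as workdir:
        build_demo_corpus(workdir)
        return scan_directory(workdir)


if __name__ == "__main__":
    result = demo()
    print("alarm:", result["alarm"])
    for item in result["suspicious"]:
        print("  high entropy:", os.path.basename(item))
```

Entropy alone is a noisy signal: zip archives, JPEGs and already-encrypted backups also score near 8 bits per byte, so a real product pairs a check like this with the rate at which files change, the process doing the writing, and the renaming pattern (the sample uses a `.locked` suffix only to label the constructed files; the check never looks at names). That combination is what lets a product halt an outbreak after a few files rather than after a few thousand.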
Other times, malware isn't so obvious. Some propagates when a user visits an infected website. A trojan named Poweliks injected bad code into vulnerable programs, like an unpatched Internet Explorer. Poweliks crept into the Windows registry to force the computer to do all sorts of nasty things, from demanding a ransom to joining a click-fraud bot network that clicks ads without the user even realizing it.
There also are booby-trapped ads, known as malvertising. They get…