Ransomware Roundup: March 2018

We bring you the latest in ransomware statistics and attacks from the wild.

Recent Ransomware Statistics and News:

• Our Security Advisor, Alan Levine, profiled the last few months of ransomware activity for ITProPortal, calling Q1 “the calm before the storm,” as cybercrime in 2018 has been “suspiciously quiet.” He warned of the Meltdown and Spectre security flaws, and looked to careless millennials as a big vulnerability, since they’re more likely to be trusting of technology than older generations.
• Security vendor Malwarebytes has examined honeypot data from 2016 and 2017 to compile its latest report on cybercrime, and revealed that worms and ransomware were among its top ten list of threats. The report stated that ransomware attacks increased more than 90% year over year, and ransomware targeting consumers rose 12% over the prior. More details and a link to the report can be found on Forbes.
• A recent report from the Online Trust Alliance (OTA) identifies ransomware as the primary reason for the rise in cyberattacks in 2017, with business-related activity nearly doubling from 2016. Tech Republic’s coverage of the report states that “93% of all breaches in 2017 could have been avoided with simple cyber hygiene practices,” like security awareness training. Read more about our analysis of this report on our blog.
• IT/hacking-related healthcare breaches reported to the US Office for Civil Rights (OCR) in 2017 were analyzed by cybersecurity company Cryptonite, who revealed an 89% rise in events attributed to ransomware in comparison to 2016. Coverage from Med City News notes, “The analysis also highlights 2017’s top 10 healthcare breaches based on the number of records compromised. Six of the events involved ransomware.” The article includes an interview with Cryptonite CEO Mike Simon, who shares his advice on what must change in order to curb this growing threat.
• Data from Datto’s State of the Channel Ransomware Report Europe paints a stark picture of ransomware’s wake. Findings from a survey of 150 European managed service providers (MSPs) that serve more than 1M SMBs across Europe indicate these business paid out nearly $100M in ransom from 2016 and 2017. Even more alarming is the fact that this figure is likely skewed due to the underreported nature of these attacks.
• IBM’s VP of Threat Intelligence, Caleb Barlow, believes Internet of Things (IoT) devices will be more highly targeted by ransomware in 2018 than in years past. Given that there are more IoT-connected devices than ever before, it seems logical. More of Barlow’s predictions can be found on Tech Republic.

Recent Ransomware Attacks:

• Two Ontario-based children’s aid agencies found themselves the victims of ransomware, which locked them out of files containing clients’ personally identifiable information (PII). Neither agency paid the ransoms, and the centralized database the two agencies share, CPIN, was not compromised. The attacks reportedly inspired a boost in security to prevent future attempts.
• The Colorado Department of Transportation (CDOT) experienced a ransomware attack that caused administrators to shut down approximately 2,000 employee computers in order to stop the virus from spreading. As of today, the situation has been monitored closely by state IT staff, who have no intention of paying the ransom.
• Voter records of more than 19M Californians and PII from 53,000 current and former subscribers to the Sacramento Bee were compromised after a third-party database was infected with ransomware. The breach occurred when a firewall failed to come back online after routine maintenance, which left the data exposed for about two weeks. Instead of paying the ransom, the paper deleted the infected databases and notified subscribers that their data had been exposed.
• A ransomware attack demanding $35,000 hit the public library system of Spartanburg County in Colorado. The virus was delivered via email and opened by an employee, halting all checkout activity. Their data has since been restored, but it took a few days of being offline to recover from the attack.
• EHR vendor Allscripts has found itself in the midst of a lawsuit, accused of taking a neglectful stance towards cybersecurity. SamSam ransomware hit two of its datacenters, which prevented many clients from accessing patient records and electronically prescribing medications. The plaintiff, Surfside Non-Surgical Orthopedics, alleges that Allscripts knew of “deficiencies in its products and services [that] could result in privacy and security vulnerability or compromises and failed to take adequate measures to protect against any such event.” More details on the case can be found on Healthcare IT News.
• A new ransomware attack dubbed “SpriteCoin” has surfaced, capitalizing on users’ impulses to make a quick buck. The socially engineered scam lures victims by promising profit in the form of cryptocurrency. Once victims execute the wallet download, ransomware is delivered to their systems, and they are asked for Monero, a newer form of cryptocurrency, in exchange for a decryption key. Coverage of the attack on ZDNet states, “To add insult to injury, if the infected user pays the 0.3 Monero (around $100 at the time of writing) ransom, they’re delivered additional malware with capabilities that [include] certificate harvesting, image parsing, and the ability to activate the victim’s webcam.” This strategy is thought to be a test for effectiveness, so expect to see more attacks like this in the future.
• Servers in Indiana’s Adams Health Network were targeted by a ransomware attack that reportedly impacted between 60 and 80 patients of a clinic and physicians in the network. Adams Health released a statement stating that there was no interruption to patient care and that there was no indication of data compromise. A day-long closure of Adams Health Medical Offices around the time of the incident was attributed bad weather, not ransomware.