Government Ransomware Is Everyone’s Problem

The word “ransomware” has become synonymous with the healthcare industry, but government ransomware attacks are a growing threat.

Over the past year, the healthcare industry has been battered by an epidemic of ransomware attacks. The problem has become so ubiquitous that it is making its way into works of fiction: A ransomware attack on a hospital in a major city is the focus of an upcoming episode of the NBC drama Chicago Med. However, a new study by security ratings firm BitSight reveals that the number-one target for ransomware is the education industry, followed by the government sector. In fact, BitSight reports, government ransomware attacks have tripled over the past 12 months.

Among the recent high-profile government ransomware attacks that have grabbed headlines:

Why the Public Sector is Being Targeted

Government agencies are attractive ransomware targets for many of the same reasons medical facilities and schools are. Their networks store and process reams of highly sensitive data; public sector employees suffer from the same lack of security training and awareness that plagues the private sector; and an inability to access a government network could put people’s lives at stake, as in the case of the 911 center in Ohio.

Government bureaucracy exacerbates the problems. While it may not be easy for IT personnel at a private-sector corporation to convince the C-suite they must invest in cyber security improvements – just ask anyone who worked at Yahoo! – nailing down an appropriate security budget can be even more difficult at a government agency. Not only must public-sector IT employees argue their case to their bosses, but the general public, the taxpayers whose money will be used to fund these improvements, must also be convinced. As the Pew Research Center recently found, very few Americans have even a fundamental grasp of cyber security risks and best practices, creating a situation where elected figures are asking their constituents to fund services they do not fully understand and may not see a need for. The government machine also tends to move very slowly; public sector agencies have always been notorious for being years behind the private sector in adopting new technologies.

Not surprisingly, BitSight ranks the government sector second-to-last in its security ratings.

Cyber Security is Not a Partisan Issue

There are some bright spots in the fight against government ransomware and other cyber attacks against the private sector. Virginia Governor Terry McAuliffe (D) has made cyber security the focal point of his chairmanship of the National Governors Association. The association’s winter meeting in February put a heavy emphasis on the need for state and federal governments to work together to improve their cyber security postures.

Government ransomware attacks are not a partisan issue, and there is no such thing as an agency that is “too small” to be victimized. A series of small cyber attacks could be employed by terrorists to create confusion and distraction as part of a much larger real-world terrorist attack. Attacks against the public sector, whether a federal government agency or a local police department, are a matter of public safety. They are everyone’s problem. Waiting until an attack happens and attempting to clean up the mess doesn’t work in the private sector, and it certainly doesn’t work when critical infrastructure such as a 911 system is hampered or disabled. Government agencies of all sizes must take the ransomware threat seriously and employ proactive cyber security measures to prevent their systems from being victimized.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.

Doxware Takes Ransomware to the Next Level

Doxware Leaks Your Private Data if You Don’t Pay the Ransom

Ransomware began grabbing headlines about a year ago, after Hollywood Presbyterian Medical Center paid hackers thousands of dollars in ransom after it got locked out of its systems. This large payday apparently encouraged hackers to keep going; a recent survey showed that about half of all businesses reported being victimized by ransomware at least once in the previous 12 months, and a stunning 85% had been hit three or more times. Because ransomware is now ubiquitous, organizations have learned to fight back by restoring their systems from backup drives, thus avoiding having to pay a ransom. Unfortunately, hackers are fighting back, too, using a combination of ransomware and extortionware called doxware.

A doxware attack unfolds similarly to ransomware: Victims attempt to log on to their computers and are greeted by a screen notifying them that their system has been locked down and demanding that a ransom be paid, usually in Bitcoin, for the code to get back in. However, doxware goes a step further, not only locking the system down but also threatening to expose the user’s private or sensitive data. This renders restoring the system from a backup ineffective because it will solve only half the problem.

One known doxware strain notifies users that it has compromised all of their login credentials, contacts, and Skype history, uploading them to a server, and threatens to forward them to all of the user’s contacts unless the ransom is paid. Other variants are programmed to search the user’s system for files containing keywords that might indicate embarrassing content, such as “nude” or “sex.” In a unique twist aimed at self-propagation, a variant called Popcorn Time gives victims an alternative to paying the ransom: infecting two of their friends with the malware.

As both Sony Pictures and the Democratic National Committee learned the hard way after their corporate emails were hacked and published on WikiLeaks, having embarrassing information go public can ruin reputations and derail careers. Additionally, the release of scandalous material isn’t the only thing organizations need to worry about; doxware could be set up to target trade secrets, intellectual property, and other confidential information that could be ruinous to a business if it were released. For hackers, this represents the “value proposition” of doxware over ransomware: The fear of financial ruin makes it far more likely that doxware victims will cave in to hackers’ ransom demands or even agree to infect their friends in order to get off the hook. Of course, there is no guarantee that the criminals demanding the ransom will keep their word and not release the information, anyway.

How serious is the doxware threat?

Right now, doxware is a new threat, and attacks have been confined to Windows computers and laptops, but this particular attack vector is so potentially lucrative that there’s no reason to think that cyber criminals will stop there. Doxware would lend itself very well to mobile devices, where it could be set up to send photos, videos, and text messages to all of the user’s contacts.

The bright side is that since doxware isn’t yet at epidemic levels, organizations have a chance to get ahead of the game and take proactive cyber security measures before it becomes as common as ransomware. Methods to prevent a doxware attack are essentially the same as those used to fend off ransomware: training employees on how to spot phishing emails and other cyber security best practices, deploying antivirus packages that protect against ransomware strains, and maintaining regular system backups. Organizations should also air-gap intellectual property, employee tax data, and other highly sensitive information to make it more difficult for hackers to access, and encrypt the data so that it is useless even if they do manage to get at it.

Yahoo Hack Was the Result of Years of Poor Cyber Security Practices

For Years, Yahoo Put Usability Ahead of Cyber Security

The massive Yahoo data breach, which compromised 500 million user accounts and has put its planned acquisition by Verizon at risk, happened because the company repeatedly put product user experience ahead of security, the New York Times reports:

Six years ago, Yahoo’s computer systems and customer email accounts were penetrated by Chinese military hackers. Google and a number of other technology companies were also hit.

The Google co-founder Sergey Brin regarded the attack on his company’s systems as a personal affront and responded by making security a top corporate priority. Google hired hundreds of security engineers with six-figure signing bonuses, invested hundreds of millions of dollars in security infrastructure and adopted a new internal motto, “Never again,” to signal that it would never again allow anyone — be they spies or criminals — to hack into Google customers’ accounts.

Yahoo, on the other hand, was slower to invest in the kinds of defenses necessary to thwart sophisticated hackers that are now considered standard in Silicon Valley, according to half a dozen current and former company employees who participated in security discussions but agreed to describe them only on the condition of anonymity.

The Times goes on to describe how CEO Marissa Mayer, after having taken over the troubled search engine in 2012, decided to focus Yahoo’s efforts on developing new products and creating better user experiences for existing products such as Yahoo Mail. Even though Mayer was aware of multiple information security issues, those took a back seat. Yahoo’s internal security staff, including former CISO Alex Stamos, warned Mayer about security vulnerabilities but found their efforts stymied due to “concerns that the inconvenience of added protection would make people stop using the company’s products.” Mayer cut the team’s budget and refused to approve the proactive cyber security initiatives Stamos pushed for, including end-to-end encryption, intrusion-detection mechanisms, and automatic resets of passwords on accounts that had been compromised. Even now, Mayer is still declining automatic password resets for the accounts compromised during this most recent breach – again, all in the name of not inconveniencing users.

Cyber Security vs. the User Experience

It’s common for tech companies to worry about how information security measures will affect the user experience. Often, developers must sacrifice speed and ease of use for a more secure product, and, while the majority of Americans claim to be highly concerned about data breaches, fickle customers may resist or become frustrated over security measures. A recent study found that one-third of Americans engage in risky behaviors to remember online passwords, and an ethnographic study of healthcare workers found widespread, flagrant disregard of cyber security practices in hospital settings.

While these are valid concerns, the answer is not to simply release unsecured products and hope for the best, as Yahoo apparently did. The burden of protecting customer data does not lie solely on software developers and data storage companies, and it cannot. The overwhelming majority of data breaches occur not as the result of external hacking but because hackers obtain legitimate login credentials, usually through social engineering schemes such as phishing. Manufacturers must build proactive security measures, such as multi-factor authentication, into their products, and get their customers accustomed to using them, even if the features are inconvenient or frustrating. The cost of a data breach is much higher than the cost of customer frustration, to both the breached company and the compromised customers.
