National Association of Attorneys General
Ransomware: The Cutting-Edge Cybercrime Taking Over the Country and What You Can Do to Stop It
Cybercrime and cyberterrorism are the new crimes of the century, and are currently the fastest growing threats to individuals in the United States.1 Cybercrime has now surpassed illegal drug trafficking as the top criminal funding scheme.2 Ransomware is a version of malware that prevents or limits users from accessing their systems.3 This type of extortion forces its victims to pay the ransom through a digital currency such as bitcoins, currency that is not tied to any bank or government and allows users to spend money anonymously.4 Once ransomware has entered an operating system, it can lock the computer screen or encrypt a predetermined number of files with a password.5 Most ransomware attacks originate in Eastern European countries that do not have active extradition treaties with the United States, making it difficult to prosecute the perpetrators.6
There are a variety of different versions of ransomware, but there are two primary forms that consistently attack computer networks. The first version is locker ransomware, which denies access to the computer or device by locking the screen.7 It typically leaves the underlying computer system and files untouched.8 Locker ransomware was the malware of choice for hackers in the early 2000s and, according to the technology company Symantec, accounts for 36 percent of the ransomware attacks deployed by hackers in 2014-2015.9 The other version is crypto ransomware, which is currently the method of choice for the majority of hackers.10 It prevents an individual from accessing files or data on a computer network.11 The malware is designed to find and encrypt valuable data stored on the computer, making the data useless unless the user obtains the decryption key in exchange for payment of the ransom.12 After installation, a typical crypto ransomware threat quietly searches for and encrypts files. The malware’s goal is to avoid detection and stay until it can find and encrypt all files that could be of any value to the user.13 In 2014-2015, crypto ransomware accounted for 64 percent of all ransomware attacks.14
Ransomware is rampant because it works.15 An attack can not only lock out employees who need access to information, but also use shared files as a mechanism to infect other computers, rapidly spreading the malware.16 In the first three months of 2016, the FBI reported that over $209 million had been extorted from U.S. citizens by cybercriminals.17 This is a drastic increase from the $25 million that was reportedly ransomed from citizens in all of 2015.18 These figures represent only those losses reported to the FBI; the number of victims and the societal cost are certainly much higher.
Ransomware first appeared in 1989 through the use of floppy disks.19 Before the latest bout of ransomware, the malware was spread through spam emails until email technology improved to filter out the spam.20 This resulted in cyber criminals using more sophisticated technology to target specific individuals and businesses. Ransomware is often discovered as a zero-day threat, which means that no patches or anti-virus software have yet been developed to protect the computer from the attack.21
Ransomware can be spread through three different infection methods. The first is phishing, which typically entails an email that lures the victim to click on a seemingly legitimate link, which then downloads malware onto the computer system.22 Phishing campaigns conducted by hackers are typically tailored to specific victims in order to enhance the likelihood that the victim will click on the link.23 The second method is malvertising.24 This entails placing an apparently legitimate advertisement on a bona fide website; the advertisement installs malware once it is clicked on.25 The final method is the use of downloaders.26 Malware is delivered onto systems through stages of downloaders to minimize the likelihood of signature-based detection.27
The cyber community has seen extensive growth over the last few years in hackers relying on ransomware to commit cybercrimes. Malware has become easier for criminals to procure: providers sell toolkits that hacker rings use to start their own business of disseminating ransomware and laundering money.28 Criminals can now procure, at a low start-up cost, kits capable of attacking multiple computers without any human intervention. The cybersecurity firm Trustwave reports that a ransomware campaign has only $5,900 in monthly start-up costs compared to the $90,000 profit that criminals make in a month.29 Another reason the threat of ransomware continues to thrive is that cyber threats are “scalable and asymmetric.”30 Disseminating large quantities of malware through various schemes has a low cost and high reward for the criminals.31 Finally, the economics favor the criminals. Since the personal and business data of most Americans are stored online, the need to access that data is paramount.32 For many citizens, paying a small ransom of $300 to $400 is worthwhile to avoid losing precious photos and important personal documents. Ransomware hackers have discovered the right price for the threat landscape and the target economy.33 The cyber criminals utilize first-degree price discrimination to locate the highest amount that victims will pay without resorting to alternative solutions. The statistics show that criminals prefer to make a small profit from a large number of victims.34
Threats to State and Local Government
According to the cybersecurity threat management firm Sentinel IPS, state and local government networks are increasingly susceptible to ransomware attacks, as they are nearly twice as likely to be infected with malware compared to private businesses.35 In 2014, the Multi-State Information Sharing and Analysis Center reported that 35 state and local governments reported problems with ransomware.36 The fact that ransomware attacks are becoming more sophisticated, coupled with the difficulty in identifying and prosecuting ransomware hackers, has resulted in unprecedented attacks perpetrated against U.S.-based companies and citizens.37
While state and local government agencies are increasingly susceptible to ransomware attacks, there is a government agency created under the Homeland Security Act of 2002 that is tasked with enhancing state, local, tribal, and territorial governments’ cyber security.38 The Multi-State Information Sharing & Analysis Center (MS-ISAC) is “the focal point for cyber threat prevention, protection, response, and recovery, for the nation’s state and local governments through real-time monitoring, early warning threats, and vulnerability identification.”39 MS-ISAC also employs ALBERT, a cybersecurity program already in 40 states that inspects network traffic for any indicators of malicious activity that could compromise computers and the networks they run on.40 While MS-ISAC is a key resource, the U.S. Department of Homeland Security (DHS) warns that cyberattacks against the Emergency Services Sector (ES) will continue to increase as more departments become more dependent on information technology for daily operations.41
Ransomware has the ability to hijack a computer network and create a nightmare scenario for vulnerable businesses. In February 2016, the Hollywood Presbyterian Medical Center in California was a victim of a massively successful ransomware attack. The medical center’s network was shut down when hackers breached the system and locked the doctors and nurses out of their patients’ computer-based charts.42 The medical center then had to resort to pen and paper records until the hospital paid the ransom of 40 bitcoins (roughly $17,000) in order to regain access to its system.43 This episode represented an increase in the prominence of the victims who were attacked.44 While cyber criminals are still ransoming everyday individuals, this attack represented the next level of victims the criminals are targeting.
Ransomware has had a large impact on local police and government agencies. Since 2013, cyber criminals have ransomed police departments in at least seven different states resulting in many of the departments paying the ransom price, around $300.45 Police department systems are especially vulnerable since many of the smaller departments are using outdated computer systems which enable cyber criminals to hack into the computers with relative ease.46 Federal agencies are also not immune to reported ransomware attacks. On April 1, 2016, the DHS reported that there had been two dozen unsuccessful ransomware attacks attempted on federal agencies’ systems since July 2015.47
One of the many aspects that make ransomware unique is the moral quandary presented to its victims. Thus far, the malware’s encryption has proven largely bulletproof. This means that, once infected, the victim has only two options: pay the ransom, thereby funding a criminal enterprise that will recycle those funds to infect another victim’s computer, or risk losing the files held on that computer network forever.48
With ransomware attacks on the rise, federal and state legislators have proposed a myriad of legislative efforts. By a 38-0 vote, a California Senate Committee recently recommended the passage of ransomware legislation both outlawing the act and enacting punishment schemes similar to the crime of extortion.49 The legislation was proposed in response to the Hollywood Presbyterian Medical Center ransomware attack and the attack on two other Southern California hospitals in March 2016.50
In Congress, an amendment offered to close a loophole in the Computer Fraud and Abuse Act (CFAA) by Rhode Island’s Sen. Sheldon Whitehouse was withdrawn last fall. The CFAA predates the Internet; it makes it a crime to hack into other computers to create a botnet51 and criminalizes those who use botnets to commit other crimes.52 The law makes it a federal crime to access a “protected computer”; felony charges can only be brought if the “value of use” is $5,000 or if the person accessing the protected computer causes more than $5,000 in damage.53 The CFAA language is vague as to how it pertains to selling or renting these “computer zombies,” an issue pertinent to prosecuting ransomware hackers.54
In May, Sen. Whitehouse joined with South Carolina’s Sen. Lindsey Graham to propose the Botnet Prevention Act.55 The bill would expand the U.S. Department of Justice’s (DOJ) ability to issue injunctions against botnets engaged in a broad range of illegal activity and equip judges with discretion to impose harsher penalties on those who intentionally damage critical infrastructure systems.56 The bill would also prohibit the sale of access rights to a compromised computer if the seller has reason to believe the buyer intends to use the computer for criminal purposes.57
Steps for AG Offices to Take
There are various steps an attorney general’s office can take to lessen the chances of becoming a victim of a ransomware attack. First, it is important to ensure the use of current and constantly updated anti-virus software and a firewall.58 Out-of-date applications and operating systems are the target of most attacks; thus, keeping these applications current greatly reduces the number of exploitable entry points available to an attacker. DHS recommends updating software and operating systems with the latest patch, an update composed of code that is inserted or “patched” into an executable program. Installed into an existing software program, patches are usually temporary fixes before the release of a new software package.59
Second, popup blockers should be enabled to avoid accidental clicks on or within popups.60 Third, each computer must be properly backed up. Backing up and maintaining offline copies of personal and application data means that ransomware scams will have limited impact because, instead of paying a ransom to get data back, a system can be wiped clean and then backup files reloaded.61 The most important step, however, is to ensure that all employees are thoroughly trained to understand the dangers of ransomware attacks, how to avoid them, and the importance of recognizing and reporting threats to the organization.62 Although humans may be the weakest link in organizational cybersecurity, they can also be the strongest weapon in ensuring the security of an organization’s computer network.63 Offices can also help inform citizens by posting information on the dangers of ransomware and how to protect against a successful attack.
Various attorney general offices have been proactive in addressing constituents’ concerns regarding ransomware. Connecticut Attorney General and current NAAG President George Jepsen established a privacy task force in 2011 to combat threats to data security and privacy.64 “[Ransomware attacks] seem to be working pretty effectively around the country so we expect them to increase,” he said in an interview for an August 2014 Connecticut Magazine article. He noted that “we’ve only had a limited number of complaints in Connecticut; however, we suspect that people are under reporting its frequency because—and this has come through in the complaints that we have had—they’re a little embarrassed.”65 In that same article, Connecticut Assistant Attorney General Matthew Fitzsimmons, head of the state Privacy Task Force, commented that ransomware viruses are not very complex from a hacking standpoint. “At its core, the functionality of the virus itself is pretty simple. . . . Once you click on a link, whether in an email or whether you open an attachment, you are allowing a program to run on your computer and included in the script that’s running can be some malicious code.”66 Fitzsimmons likened the malicious code gaining access to your computer to “giving somebody the keys” to your house.67 Attorney General Jepsen and AAG Fitzsimmons say the key to avoiding this type of virus is proper preventative measures and, if these fail, to immediately disconnect from any network. This will prevent the criminal from being able to continue to infect other computers with the virus. They also urge reporting a ransomware infection or any virus infection to the Internet Crime Complaint Center (IC3).
Developing strategies to prevent a successful attack of ransomware malware should be a priority of each attorney general’s office. As hackers become even more sophisticated in avoiding detection, ransomware attacks will proliferate. As former CIA Director Leon Panetta testified in his confirmation hearing, “the next Pearl Harbor that we confront could very well be a cyber-attack” crippling security systems, government computers, and power system grids and paralyzing infrastructure and normal governmental operations.68
1 Michael F. Nozzolio, Taking Action on Cyber-Security (July 28, 2015), https://www.nysenate.gov/newsroom/press-releases/michael-f-nozzolio/what-can-be-done-prevent-cyber-attacks-future .
2 Norton, What is Cybercrime?, http://us.norton.com/cybercrime-definition (last visited July 12, 2016).
3 Trend-Micro, Ransomware, http://www.trendmicro.com/vinfo/us/security/definition/Ransomware (last visited July 13, 2016).
4 AP, What is Bitcoin? A Few Things to Know About How the Digital Currency Works, Denv. Post, (May 2, 2016), http://www.denverpost.com/2016/05/02/what-is-bitcoin-a-few-things-to-know-about-how-the-digital-currency-works/ .
5 Ransomware, supra note 3.
6 Ransomware Malware: Everything You Need to Know About It, http://beebom.com/ransomware/ .
7 Kevin Savage, Peter Coogan, and Hon Lau, The Evolution of Ransomware (Aug. 6, 2015), http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf .
9 James Scott and Drew Spaniel, The ICIT Ransomware: 2016 will be the Year Ransomware Holds America Hostage, http://icitech.org/wp-content/uploads/2016/03/ICIT-Brief-The-Ransomware-Report2.pdf .
10 Evolution of Ransomware, supra note 7.
14 ICIT Ransomware, supra note 9.
15 Kim Zetter, Why Hospitals are the Perfect Targets for Ransomware, Wired, (March 30, 2016), https://www.wired.com/2016/03/ransomware-why-hospitals-are-the-perfect-targets/ .
17 Bradley Barth, California ransomware Bill Supported by Hollywood Hospital Passes Committee, SC Mag., (April 13, 2016), http://www.scmagazine.com/california-ransomware-bill-supported-by-hollywood-hospital-passes-committee/article/489632/ .
19 Evolution of Ransomware, supra note 7.
20 FBI, Incidents of Ransomware on the Rise, Protect Yourself and Your Organization, https://www.fbi.gov/news/stories/2016/april/incidents-of-ransomware-on-the-rise/incidents-of-ransomware-on-the-rise .
21 Thomas Gresham, Mitigating Ransomware: Ransomware is a Complex Threat, but Its Impact can be Lessened, SC Mag, Feb. 2016, http://www.scmagazine.com/mitigating-ransomware/article/465380/
22 Steve Weisman, Ransomware? Bad News, It’s Getting Worse, USA Today, May 7, 2016, http://www.usatoday.com/story/money/columnist/2016/05/07/ransomware-bad-news-s-getting-worse/83876342/ .
26 ICIT Ransomware, supra note 9.
28 Chloe Green, The Evolution of Ransomware: What Lies Ahead?, Info Age, (June 1, 2016), http://www.information-age.com/technology/security/123461537/evolution-ransomware-what-lies-ahead .
29 LA Hospital Ransomware Attack Worries Cybersecurity Experts, Associated Press, (Feb. 19, 2016), http://www.voanews.com/content/la-hospital-ransomware-attack-worries-cybersecurity-experts/3198112.html .
30 Ransomware: Understanding the Threat and Exploring Solutions Before Comm. On the Judiciary, 114th Cong. (2016) (statement of Richard Downing, Acting Deputy Assistant Attorney General, Department of Justice).
33 The ICIT Ransomware, supra note 9.
35 Multi-State Information Sharing and Analysis Center, https://www.cfda.gov/x?s=program&mode=form&tab=core&id=ce9283315900d0bb7accce0341116d8e (last visited July 13, 2016).
39 Ms-ISAC: Multi-State Information & Sharing Center, https://msisac.cisecurity.org/ (last visited July 13, 2016).
40 Jeremy Snow, Einstein’s Little Bro: Used by Most States, Albert Guards Against Malware, State Scoop, (April 4, 2016), http://statescoop.com/einsteins-little-bro-used-by-most-states-albert-guards-against-malware/
41 J.J. Green, Hackers Increasingly Targeting Emergency Systems, (Feb. 26, 2016), http://wtop.com/j-j-green-national/2016/02/dhs-hackers-increasingly-targeting-emergency-systems/
44 Nafeesa Syeed, Hackers Target Think Tanks to Get a Peek at U.S. Government Strategy, Bloomberg Tech., (May 12, 2016), http://www.bloomberg.com/news/articles/2016-05-12/it-s-hackers-versus-wonks-as-cybercriminals-seek-leg-up-on-u-s
45 Chris Francescani, Ransomware Hackers Blackmail U.S. Police Departments, NBC News, (April 26, 2016), http://www.nbcnews.com/news/us-news/ransomware-hackers-blackmail-u-s-police-departments-n561746/
47 Many US Agencies Hit by Ransomware Cyberattacks, DHS Says, (April 1, 2016), http://www.smartbrief.com/s/2016/04/many-us-agencies-hit-ransomware-cyberattacks-dhs-says/.
48 Brian Heater, How Ransomware Conquered the World, PC Mag., May 2016.
49 Elizabeth Snell, Calif. Senate Committee Passes Ransomware Legislation, (May 25, 2016), http://healthitsecurity.com/news/calif.-senate-committee-passess-ransomware-legislation.
50 Bill Outlawing Ransomware Passes Senate Committee, http://sd18.senate.ca.gov/news/4122016-bill-outlawing-ransomware-passes-senate-committee ; Dan Whitcomb, California Lawmakers Take Step toward Outlawing Ransomware, (April 12, 2016), http://www.reuters.com/article/us-california-ransomware-idUSKCN0X92PA ; California Ransomware Bill Passed by State Senate Committee, (April 15, 2016), http://www.hipaajournal.com/california-ransomware-bill-passed-state-senate-committee-3395/.
51 A botnet is a network of computers infected with malware without the user’s knowledge, controlled by cyber criminals, and used to send spam emails, transmit viruses, and engage in other acts of cybercrime.
52 Graham says US Should ID ‘Bad’ Nations on Ransomware, Wash. Internet Daily, (May 19, 2016); Grant Burningham, The Most hated Law on the Internet and its Many Problems, Newsweek, April 16, 2016, http://www.newsweek.com/most-hated-law-internet-and-its-many-problems-cfaa-448567.
54 Sean Lyngaas, With Ransomware on the Rise, Senate Botnet Bill Gets Another Shot, FCW, (May 19, 2016), https://fcw.com/articles/2016/05/19/botnet-whitehouse-bill.aspx .
55 S. 2931, available at https://www.congress.gov/bill/114th-congress/senate-bill/2931/text . See also ABA Encourages Congressional Action on Botnet Legislation, A.B.A. Banking J., (May 18, 2016), http://bankingjournal.aba.com/2016/05/aba-encourages-congressional-action-on-botnet-legislation/ .
57 FBI, Criminals Continue to Defraud and Extort Funds from Victims Using Cryptowall Ransomware Schemes, (June 23, 2015), http://www.ic3.gov/media/2015/150623.aspx .
58 Id. DHS recommends various computer protection methods for office IT staff to use to protect and prevent office-wide computer networks from experiencing any successful malware attacks. See Andy Ozment, DHS, Protecting Your Data Against Ransomware (April 6, 2016), https://www.dhs.gov/blog/2016/04/06/protect-your-data-against-ransomware .
59 DHS also recommends restricting users’ ability (permissions) to install and run software applications and applying the principle of “least privilege” to all systems and services. DHS strongly recommends that the FBI be the first point of contact when a computer network has been affected by ransomware, as the federal agency has jurisdiction over these cybercrimes.
62 James Scott and Drew Spaniel, The ICIT Ransomware: 2016 will be the Year Ransomware Holds America Hostage, http://icitech.org/wp-content/uploads/2016/03/ICIT-Brief-The-Ransomware-Report2.pdf
64 Press Release, Office of the Connecticut Attorney General, AG Jepsen Warns Consumers, Businesses About the Threat of Ransomware (Aug. 11, 2014) , http://www.ct.gov/ag/cwp/view.asp?A=2341&Q=551060.
65 Erik Ofgang, Ransomware Hackers Will Kidnap Your Computer Files, Hold for Ransom, Connecticut AG Warns, Connecticut Mag, Aug. 2014, http://www.connecticutmag.com/Blog/Connecticut-Today/August-2014/Hackers-Will-Kidnap-Your-Computer-Files-Hold-Them-for-Ransom-Connecticut-AG-Warns/index.php?tagID=363.
68 CIA Chief Leon Panetta, the next Pearl Harbor could be a cyberattack, (June 9, 2011), http://www.csmonitor.com/USA/Military/2011/0609/CIA-chief-Leon-Panetta-The-next-Pearl-Harbor-could-be-a-cyberattack.