Ransomware has become a growing scourge for US companies. It started out as an innocent-looking email that a hapless employee would click. Then, the boom lowered: to open your desktop pay $300 first. In Bitcoins please.
The techniques have evolved numerous times — all with the goal of social engineering a way around a person’s normal defenses.
Today’s version is a new strain called Locky and while it has some amateurish touches — the name for starters — it also has some new innovations that could possibly disarm even a suspicious person.
A Word Document, A Corporate Domain, A Helpful Message
For starters it is embedded in a Word document, which according to the Clearwater, Fla.-based security company KnowBe4's CEO Stu Sjouwerman, is a first.
It also uses a fairly sophisticated degree of spoofing, Sjouwerman told CMSWire. "It looks like it is coming from a corporate domain."
It is arrives as an invoice, a document that an employee is more likely to click on without thinking. For example, the email subject line would be something along the lines of: ATTN: Invoice J-98223146. A message in the email reads: "Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice."
It is standard, everyday language and for many companies, receiving an invoice this way is a routine matter.
When the Word document is opened, the content is scrambled and a message is displayed that guides the user to enable the macros.
And finally, it also is able to infiltrate Windows' unmapped drives — that is, the drives connected to that computer that are not named. This means that "network attached drives are also being encrypted with Locky," Sjouwerman said.
"You have whole departments sitting on their hands because they cannot get into their emails."
Make It Go Away
But here the hackers were not quite as sophisticated — or perhaps better put, entrepreneurial. The ransom demanded — a fraction of a Bitcoin — is the same to decrypt one computer or an entire network. "It doesn’t matter if it is five or 5,000 files," Sjouwerman said. "They are asking the same price."
Or perhaps the hackers are more sophisticated than I am giving them credit. A company could and does easily tally up the cost-benefit analysis of trying to break the ransomware versus the opportunity cost of having a file or many files unusable for an extended period of time. For a couple of hundred dollars, why not just pay the guy and make it all go away, is how many companies think.
It is a common tactic, in fact.
But then, even this price model is changing.
Right now in Los Angeles, Calif., Hollywood Presbyterian Medical Center is still struggling to resolve a cyber-attack in which its systems are still being held hostage. The hackers are demanding a ransom of 9,000 Bitcoins or about $3.6 million.
The hospital is effectively on lock down with staff unable to turn on their computers and radiation and oncology departments unable to use their equipment.
The staff is reportedly reverting to using fax machines and writing down patient data on paper.