[BreachExchange] Ransomware: Attacks Against Government Agencies Widespread

Audrey McNeil audrey at riskbasedsecurity.com
Fri Apr 1 16:05:36 EDT 2016


http://www.databreachtoday.com/ransomware-attacks-against-government-agencies-widespread-a-9005

Although organizations in a number of business sectors, including
healthcare, have been targeted by ransomware attacks in recent months, a
new report reveals that government agencies also were targeted hundreds of
times during the second half of last year, but no ransoms were paid.

Meanwhile, the FBI has issued new guidance and an alert warning of the
growing risks posed by ransomware (see Ransomware Epidemic Prompts FBI
Guidance).

Some 29 federal agencies reported they were targeted with ransomware 321
times between June and early December, according to a Department of
Homeland Security response to an inquiry by Sen. Tom Carper. The Delaware
Democrat, who serves as the ranking member of the Senate Homeland Security
and Governmental Affairs Committee, had requested information about the
government's ransomware defenses as part of the panel's oversight of
government IT security.

Not all of the incidents resulted in ransomware infections. Of those that
did, most affected end-user workstations. In all those cases, DHS reports,
"the system was removed from the network and replaced with a new, clean
system with minimal impact to the user and agency."

DHS told Carper that it "is not aware of any instances in which federal
agencies paid a malicious actor to remove ransomware from a government
computer."

Understanding the Problem

Carper said the response from DHS, as well as one from the Justice
Department, "are a first step toward understanding the problem so we can
make informed policy decisions about these unique threats."

In addition to federal agencies, state and local governments are also being
targeted. The Multistate Information and Analysis Center told DHS that
MS-ISAC's associated Computer Emergency Response Team identified and
addressed 40 incidents related to ransomware-associated activity on state,
local, tribal and territorial governments' systems. DHS did not
characterize the success or failure of those ransomware attack attempts,
but said MS-ISAC did not request special assistance from NCCIC to address
these incidents in 2015.

But the Boston Globe reported that the town government of Medfield, Mass. -
population 12,000 - in December paid a ransom demand of about $300 to a
cybercrime gang after one of its servers was infected with ransomware,
which encrypted its contents (see Town Faces Ransomware Infection, Blinks).

Ransomware: A Global Threat

The attacks on government agencies come at a time of an increase in
reported ransomware attacks across many U.S. business sectors and around
the world.

Healthcare has been particularly hard hit. Just this week, the Washington,
D.C.-area, 10-hospital system MedStar Health shuttered many of its systems
to avoid the spread of apparent ransomware (see MedStar Shuts Systems After
Cyberattack). Other recent ransomware attacks have targeted hospitals in
California, Kentucky and Ontario, Canada.

Assistant Attorney General Peter Kadzik, in the DOJ's response to Carper's
inquiry, said the FBI's Internet Crime Complaint Center received 7,694
ransomware complaints in 2015, with losses from these attacks costing
victims an estimated $57.6 million.

Carper, in his inquiry, noted testimony before the Senate that suggested
the government's anti-malware defenses need to evolve to keep pace with
increasingly sophisticated botnets used to disseminate viruses, including
ransomware. The senator asked DHS what techniques it uses to combat botnets.

"To protect federal agencies against ransomware-type botnets, NCCIC
leverages the Einstein 3 Accelerated system," DHS responded, referencing
the latest rendition of the intrusion detection and protection system
operated by NCCIC. DHS said some of the ransomware incidents at government
agencies last year were detected by Einstein, although it did not provide a
specific number. The agency, in its response to Carper, said Einstein 3A
could prevent malicious behaviors but did not furnish any examples of the
system preventing infections.

Einstein and Its Limitations

Einstein has limits on detecting malware. According to a Government
Accountability Office report issued earlier this year, Einstein comes up
short because it relies on known signatures - patterns of malicious data -
to identify intrusions rather than a more complex anomaly-based approach,
which compares network activity to predefined "normal behavior" to identify
deviations and identify previously unknown threats. If the ransomware
signature is unknown, Einstein won't detect it (see GAO: Feds' Einstein
Program Comes Up Short).

"It doesn't do a very good job in identifying deviations from normal
network traffic," said Gregory Wilshusen, the GAO director of information
security issues who co-authored the audit of the Department of Homeland
Security's National Computer Protection System, which includes Einstein.

DHS, in its response to Carper, confirms Wilshusen's analysis that Einstein
relies on known signatures. "The techniques that adversaries use to deliver
the malware, the techniques they use to communicate with and control
infected systems, the Internet infrastructure used in that command and
control activity, and the low-level behavior of the malware on a victim
system are all similar across most families of malware," DHS said.
"Therefore, Einstein capabilities are equally effective at detecting and
blocking ransomware attack as with any other type of known malware."
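To make the signature-versus-anomaly distinction concrete, here is an added illustration (not code from the article, from DHS or from Einstein): a signature check flags only destinations already on a known-bad list, while a simple baseline check flags deviations from predefined "normal" traffic. Every flow record, signature and baseline value below is constructed for the example.

```python
# Added example, not from the article: signature-based detection (the approach
# the GAO report says Einstein relies on) beside a simple anomaly-based check
# that compares traffic against a predefined "normal" baseline.
# All signatures, baseline values and flow records are constructed.

# Constructed "known signature" list: (destination domain, destination port).
KNOWN_SIGNATURES = {("known-bad-c2.example", 443), ("old-dropper.example", 80)}

# Constructed baseline learned during a "normal" period: destination ports
# seen for outbound traffic and the most connections any one host made.
BASELINE_PORTS = {53, 80, 443, 445}
BASELINE_MAX_CONN_PER_HOST = 20

# Constructed outbound flow records: (src_host, dst_domain, dst_port, conns).
FLOWS = [
    ("ws-01", "intranet.example", 443, 5),            # ordinary traffic
    ("ws-02", "known-bad-c2.example", 443, 3),        # on the signature list
    ("ws-03", "newfamily-c2.example", 4444, 2),       # no signature exists yet
    ("ws-04", "fileshare.example", 445, 900),         # burst of writes to a share
]


def signature_hits(flows):
    """Signature-based: flag a flow only if its destination is already known-bad."""
    return [src for src, dst, port, _ in flows if (dst, port) in KNOWN_SIGNATURES]


def anomaly_hits(flows):
    """Anomaly-based: flag flows that deviate from the predefined baseline."""
    hits = []
    for src, _dst, port, conns in flows:
        reasons = []
        if port not in BASELINE_PORTS:
            reasons.append(f"unusual destination port {port}")
        if conns > BASELINE_MAX_CONN_PER_HOST:
            reasons.append(f"{conns} connections exceeds baseline of "
                           f"{BASELINE_MAX_CONN_PER_HOST}")
        if reasons:
            hits.append((src, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    print("signature hits:", signature_hits(FLOWS))   # only ws-02
    for host, why in anomaly_hits(FLOWS):              # ws-03 and ws-04
        print(f"anomaly on {host}: {why}")
```

Neither check alone covers all three suspicious hosts: the signature list misses the unknown family and the encryption burst, and the baseline check stays quiet on the low-volume, known-bad destination, which is the complementary coverage the GAO report is pointing at.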

Capturing the Culprits

In his inquiry, Carper asked the Justice Department to describe the
challenges it faces in attempting to capture Evgeniy Mikhaylovich Bogachev,
architect of the CryptoLocker ransomware Trojan who's reportedly at large
in Russia (see FBI Hacker Hunt Goes 'Wild West'). "Many of the most
sophisticated cybercriminal actors are located in jurisdictions that do not
cooperate directly with the United States," Kadzik wrote Carper, with the
remainder of his answer about hunting down Bogachev redacted from the
report that Carper released.

Kadzik characterizes the actors behind ransomware as "very business
oriented [who] want to make it known that, if victims pay the ransom, they
will follow through and provide the private key needed to decrypt the
files." Most ransomware variants include the option for victims to decrypt
one file for free "to show that the actors do in fact have the ability to
restore victims' files." In most cases, he says, victims pay, and the
criminals provide the key to decrypt the locked files upon payment.