Ransomware Roundup: November 2017

We bring you the latest in ransomware statistics and attacks from the wild.

Recent Ransomware Statistics and News:

• NPR reported on November 27 that a single Bitcoin is approaching a value of $10,000. According to the report, the cryptocurrency has risen 1,000% since November 2016.
• Europol has highlighted ransomware in its recently released its (IOCTA), which stated that, “Ransomware attacks have eclipsed most other global cybercrime threats, with the first half of 2017 witnessing ransomware attacks on a scale previously unseen.” WannaCry and NotPetya were specifically called out for their representation of “self-propagating ‘ransomworms,’” as were the indiscriminate nature of ransomware attacks and the fact that “connectivity and poor digital hygiene and security practices can allow such a threat to quickly spread and expand the attack vector.”
• Released in late summer 2017, Malwarebytes’ Second Annual State of Ransomware Report said that business downtime, rather than ransoms, have the largest impact on SMBs hit by ransomware. Noteworthy statistics from the report include the following:
  • Of the 1,054 global SMBs surveyed, 35% were victims of ransomware.
  • 90% of ransomware infections resulted in more than 1 hour of downtime, and 1 in 6 infections caused more than 25 hours of downtime.
  • 22% of organizations that experienced a ransomware infection said they had to cease operations immediately, and 15% reported lost revenue.
• Marcus Hutchins, the individual responsible for stopping the infamous WannaCry ransomware attack in May 2017 was arrested this past summer for cybercrimes he allegedly committed between July 2014 and July 2015. His reputation as an ethical hacker had the public advocating for what an injustice the situation was, but an article from reputable blogger and cybersecurity researcher Brian Krebs in September revealed there’s more to the story than appeared to be the case at the time of Hutchins’ arrest. A recent article from ArtsTechnica says the case remains in limbo, with Hutchins currently awaiting trial.
• The 2017 SolarWinds® MSP Cybersecurity Readiness Survey revealed that overconfidence in an organization’s cybersecurity measures can lead to a breach, with 28% of respondents reporting they have been the victim of a ransomware attack.

Visit our Ransomware Resource Center for free, end-user-focused security awareness materials

Recent Ransomware Attacks:

• The Sacramento Regional Transit (SacRT) system was recently the target of a ransomware attack demanding one Bitcoin in payment. The hackers displayed a warning message on the organization’s website, which tricked employees into going into their system to see if any data had been lost, resulting in the deletion of 30 million operational files. No actual data was stolen, however, and the SacRT IT staff prevented the attack from spreading by shutting down and rebooting the system. The SacRT indicated it refused to pay the ransom, which was valued at approximately $8,000 at the time of the attack.
• The city of Spring Hill, Tennessee was hit by a ransomware scam demanding $250,000. The attack, which affected “several other local government agencies” according to coverage by Government Technology, locked the city’s servers, temporarily halting debit and credit payments. The city has since fully recovered and has launched an investigation into what led to the incident.
• At the end of October, TechRepublic published a recap of the 10 worst ransomware attacks of 2017 (so far). Variants covered include NotPetya, WannaCry, and Locky. For the full list, which is based on Webroot data, visit the TechRebublic website.
• KQED, one of the largest public media companies in the US, recently profiled the ongoing saga of what they have come to call the “Great KQED Ransomware Attack.” The attack led to wide-ranging computer crashes, loss of phone and internet access, and a myriad of other issues that had staff adopting a “whatever works” motto in order to keep news operations running. KQED’s own coverage of the incident indicated that the company briefly considered paying the $27,000 ransom but ended up following the FBI’s advice to refuse payment. Jon Brooks, the reporter covering the attack, said, “I asked John Reilly, who’s done a lot of consulting in his career, if he’d ever seen an organization experience the level of disruption KQED had. ‘No, not through an attack,’ he said.”
• A strain of ransomware known as DoubleLocker has been targeting the Android OS by changing a phone’s PIN and encrypting all of the device’s stored data. The malware exploits fake Adobe Flash Player apps, and it tricks the user into granting administrative permissions, thus enabling the ransomware to set itself as the default home application. The clever attack demands a ransom of approximately $54 to recover the victim’s stored data.
• The BadRabbit ransomware attacks, which reportedly spread via a fake Adobe Flash update on compromised websites, initially targeted Russia and Ukraine, and eventually spread to include Germany, the US, and Japan. Once infected, affected networks were scanned for shared folders, with the malware attempting to steal and exploit user credentials to access other devices. Kaspersky Labs has found evidence of an “elaborate network of hacked websites” linking the attacks to NotPetya. Authorities are still trying to determine who was behind the global attack.
• Up to 400,000TB of SSD storage was reportedly lost due to downtime after a ransomware attack hit Toshiba’s systems, forcing them to shut down the Japanese division of their NAND flash memory production for up to six weeks. There is speculation that the shutdown affected the “already tight global supply” for this type of memory and “could end up driving prices even higher than they already are.”
• Roughly 26,000 MongoDB databases were wiped over Labor Day weekend by three different hacking entities who demanded Bitcoin ransoms of varying amounts. Not much else is known about the attacks, which were reported by SC Magazine.