6 October 2016

Datajacking computer files is big business

It is estimated that there are 30 000 Bitcoins in India

“If you really value your data then we suggest you do not waste valuable time searching for other solutions because they do not exist,” the hackers told Baden Moir as he desperately but unsuccessfully tried to access his encrypted computer files.

The ransom was one bitcoin (about R8 450). The deadline was 72 hours. When the clock ran out, the price would be double that. If the ransom was not paid when the next deadline lapsed, those files would be destroyed.

The affliction Moir and his personal computer suffered is aptly named ransomware. And it is the most lucrative malware in history.

Once in, the malware works through your system, taking your data hostage by encrypting your files so that you cannot open them. Unless you have a backup made before the infection, in most cases your only hope of retrieving the information is to pay for the key.

The first case of ransomware dates back to 1989, when 20 000 infected floppy disks were distributed to attendees of the World Health Organisation’s international AIDS conference, spreading malware that would encrypt files. But the emergence of CryptoLocker in 2013 was a game-changer – the malware could be distributed through downloads, weblinks and email attachments.

The malware has even affected United States police departments, which have sometimes paid the ransom to retrieve important files.

The FBI has also offered a $3-million reward for information leading to the arrest of the suspected mastermind behind CryptoLocker, Evgeniy Bogachev, who is known to enjoy sailing on the Black Sea coastline of his home country, Russia. It’s the highest reward ever offered for an alleged cybercriminal.

He is also suspected to be behind other cyberattacks that have taken $100-million out of US bank accounts.

Copycat versions of CryptoLocker have proliferated.

Moir is not sure how the ransomware gained access to his computer, but he was confronted with it whenever he restarted his system or tried to open any of the encrypted files. He was presented with a set of frequently asked questions to guide him through the process of recovering his files.

“What happened to my files?” was the first question posed.

Moir was told all his files were protected by a strong encryption using CryptoWall 3.0. (A handy link to a Wikipedia page for further reading was included.) Next, he was told that a decryption of his files was possible with the help of a private key and decryption program, which was kept only on the hijackers’ secret server.
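To make the FAQ’s claim concrete, here is an added example (not code from the page, and not CryptoWall’s own code) of the key model it describes, written in Go using only the standard library. The construction used here, a random AES-256 key per file wrapped with RSA-OAEP under a public key embedded in the malware, is an assumption about the scheme; what it shows is why a victim holding only the ciphertext and the public key cannot recover anything, and why the private key on the attacker’s server is the one thing that can.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is what remains on the victim's disk for each file: the
// ciphertext, the nonce, and the per-file key wrapped to the attacker's
// public key. Nothing in it lets the victim recover the file key.
type EncryptedFile struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// GenerateAttackerKey stands in for the key pair the gang creates once.
// The public half is embedded in the malware; the private half never
// leaves their server.
func GenerateAttackerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptFile models the hybrid scheme (an assumption: CryptoWall's exact
// construction is not on the page). A fresh AES-256 key per file seals the
// content with AES-GCM, and that key is wrapped with RSA-OAEP under the
// attacker's public key.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// DecryptFile is the "decryption program" the ransom note promises. It only
// works for whoever holds the matching private key, because unwrapping the
// per-file key is the step that needs it.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: wrong private key")
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func main() {
	attacker, err := GenerateAttackerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample "file" content for the demonstration.
	original := []byte("2014 invoices, client list, family photos index")
	ef, err := EncryptFile(&attacker.PublicKey, original)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on disk: %d-byte wrapped key, %d-byte ciphertext\n", len(ef.WrappedKey), len(ef.Ciphertext))

	// The victim trying any key other than the attacker's gets nothing back.
	someoneElse, _ := GenerateAttackerKey()
	if _, err := DecryptFile(someoneElse, ef); err != nil {
		fmt.Println("victim-side attempt:", err)
	}

	// Only the attacker's private key recovers the file.
	recovered, err := DecryptFile(attacker, ef)
	if err != nil {
		panic(err)
	}
	fmt.Println("with attacker key:", string(recovered))
}
```

Run it with `go run` to see the failed attempt with an unrelated key followed by the successful one with the attacker’s key. The practical point for defenders follows directly: because the key that matters never touches the victim’s machine, recovery without paying comes down to a backup made before the infection or a flaw in the criminals’ implementation, not to cracking the encryption.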

Personalised links and codes were provided to begin the payment process. He was advised to install a Tor Browser, which is necessary to access the dark web.

Ransomware typically requires payment to be made in bitcoins because the currency is pseudonymous: transactions are public, but linking a wallet to a person can be difficult.

“I never paid the ransom because bitcoins aren’t cheap,” Moir said.

Research by the technology giant Cisco estimates that 9 515 users in the US are paying ransoms every month, amounting to an annual revenue of $34-million for some cybercrime gangs.

Terry Greer-King, the head of security for Cisco, said there has been a huge surge in ransomware attacks of businesses. “This, however, is not unique to South Africa. Organisations worldwide are experiencing an uptick in attacks over the past several months.”

For years, viruses, trojans and other malware have been sent over the internet to contaminate an end user’s computer, with demands for a ransom in exchange for the data, he said. “Currently, at Cisco, we have found that JavaScript and Facebook scams are the most common attack methods. In addition, the number of WordPress domains used by criminals globally has risen by 221% between February and October 2015 alone.”

A printing company in Johannesburg, which did not want to be named, is one of many South African businesses that have fallen victim to ransomware.

An assistant manager of the company said the attack came in an email attachment and, once opened, it spread through the company’s entire information technology system. It also affected the emailing system and sent out infected attachments to all recipients. More than 200 000 files were affected, he said.

A ransom equivalent to $5 000 was demanded to retrieve them. “It just wasn’t worth it for us.”

Instead the business has invested in hard drives to back up all data twice a week. “We learnt our lesson the hard way,” he said. Such backups only help if the drives are kept disconnected from the network between runs: malware that spreads through a company’s systems, as this one did, will encrypt any backup drive it can reach as well.

Although bitcoinzar.co.za suggests that paying the ransom is the quickest and easiest way to retrieve your files (See What to do if your data is held hostage), there is no guarantee that the files will be decrypted once the ransom is paid.

The original CryptoLocker is known to unlock the files once payment is received, said Moir, “but from what I have heard most of the emulated versions don’t at all. They just corrupt your files and hope you pay them.”

The assistant manager was also doubtful about getting the data back. “We decided to lose everything,” he said.

The prevalence of these attacks in South Africa is hard to measure, as it is thought that many victims do not report them. Neither Moir nor the printing company did.

Victims are being urged not only to report it to the police but also to the National Cybersecurity Hub.

An Internet Service Providers Association advisory on reporting cybercrimes said: “Over the past few years, there have been an increasing number of convictions in South African courts for cybercrimes and there are some extremely competent SAPS [South African Police Service] personnel involved in detecting and prosecuting cybercrimes. There is also a process under way to increase the penalties which may be imposed.”

Two years have passed since the attack on Moir’s computer but the ransomware still lingers there. “I can stop it from corrupting new files but I can’t get my old ones back or get rid of it.

“It looked like one guy was working on a code to reverse it, or had been making a few for the emulated viruses but then he stopped posting on the message board I was following and I never got an update,” he said.

“I still keep some of the files I want restored on my computer … now and then I go look to see if there has been any progress, but it seems forgotten in the wave of new viruses.”

Cybercrooks are upping their game – and their threats

Hackers will not only try to extort money for your data but say they may make it public

Charl Ueckermann, managing director of AVeS Cyber Security, says ransomware attackers have upped the ante when it comes to extortion.

“Instead of just planting malicious code on victims’ computers that locks them out of their systems, these cybercriminals threaten to release sensitive company or customer data publicly if their demands are not met,” he warns.

Cisco’s midyear cybersecurity report has predicted a new generation of more sophisticated ransomware that can spread by itself and hold entire networks hostage.

“The truth is, [information technology] can’t control all connectivity and use of technology any longer. Regardless of the strength of their technology defences, businesses must assume they will still be attacked,” Terry Greer-King, head of security at Cisco, said. Recent research has found that 92% of devices run software with known vulnerabilities.

Some industries are particularly vulnerable, with financial services and retail businesses running software that is at least six years old. Elsewhere, the government, electronic, healthcare and professional sectors are at the highest risk of malware attack.

As cited by Ueckermann, research company Gartner predicts that by 2020 there will be 25‑billion connected devices, up from 6.8‑billion in 2016. “This represents a vast number of entry points for hackers to gain access to personal information and corporate systems,” he said.

Ueckermann said the first “headless worms” – malicious code that targets connected devices like smartphones and wearable technologies – are expected to emerge by the end of 2016 and will be capable of spreading through billions of computers.

Industry experts implore businesses to pinpoint vulnerabilities, strengthen their defences and have a plan in place to respond to any possible cyberattack.