Personalized Ransomware: Price Set by Your Ability to Pay

Smart entrepreneurs have long employed differential pricing strategies to get more money from customers they think will pay a higher price. Cyber criminals have been doing the same thing on a small scale with ransomware: demanding a larger ransom from individuals or companies flush with cash, or organizations especially sensitive to downtime and service disruptions. But now it appears cyber criminals have figured out how to improve their ROI by attaching basic price discrimination to large-scale, phishing-driven ransomware campaigns. So choosing to pay a ransom could come with an even heftier price tag in the near future.

Personalization made easy: no code required
Typically, a ransom payment amount is provided by a command and control server or is hardcoded into the executable. But Malware Hunter Team recently discovered a new ransomware variant called Fantom that uses the filename to set the size of the ransom demand. A post on the BleepingComputer blog explains that this allows the developer to create various distribution campaigns using the same exact sample, but request different ransom amounts depending on how the distributed file is named—no code changes required. When executed, the ransomware will examine the filename and check if it contains certain substrings. Depending on the matched substrings, it will set the ransom to a particular amount.

Businesses beware
The news is salt in the wound for businesses, which have already been targeted by ransomware at a growing pace with higher price demands. A 2016 Symantec survey found that while consumers account for a slight majority of ransomware attacks today, the long-term trend shows a steady increase in attacks on organizations.

Those most vulnerable? Healthcare and financial organizations, according to a 2016 global ransomware survey by Malwarebytes. Both industries were targeted well above the average 39 percent ransomware penetration rate. Over a one-year period, healthcare organizations were targeted the most at 53 percent penetration, with financial organizations a close second at 51 percent.

And while one-third of ransomware victims face demands of $500 or less, large organizations are being extorted for larger sums. Nearly 60 percent of all enterprise ransomware attacks demanded more than $1,000, and more than 20 percent asked for more than $10,000, according to the Malwarebytes survey.

A highly publicized five-figure ransom was demanded of the Los Angeles-based Hollywood Presbyterian Medical Center in February. A ransomware attack disabled access to the hospital’s network, email and patient data. After 10 days of major disruption, hospital officials paid the $17,000 (40-bitcoin) ransom to get their systems back up. Four months later, the University of Calgary paid $20,000 CDN in bitcoins to get its crippled systems restored.

Now with a new price-discrimination Fantom on the loose, organizations can expect to be held hostage for even higher ransoms in the future.

Susan Richardson

[Cloud Security Alliance Blog]

Risks, Benefits of Geolocation Technology

Geolocation technology has become a mainstay in society, utilized for everything from navigation tools to social media platforms and even online gaming.

The recent Pokémon Go craze has shown just how pervasive location-based apps can be. But despite using the technology on a daily basis, many consumers—and even practitioners—do not have a solid understanding of how geolocation technology works. Just how does Yelp offer you a nearby dinner recommendation or RunKeeper track your daily miles?

ISACA set out to demystify geolocation technology with our new infographic, What Is Geolocation and How Does It Work? The infographic describes the types of data that are collected and how they are used to create accurate results. It also discusses the 3 main uses of geolocation technology, which include:

  • Geo-referencing:  finding the physical location of an object relative to a map
  • Geo-coding:  searching available types of objects or services by location
  • Geo-tagging:  embedding geographic data into an object’s metadata for future reference

For many businesses, use of geolocation and mobile technologies is critical to success. The benefits of using geolocation technology can be realized in many industries, such as manufacturing, retail and financial services. Asset management, content customization and fraud detection are just a few areas where businesses are successfully using location-based technologies.

As with any technology, geolocation does come with its own set of risk. Concerns around privacy, safety and security of data abound. Mitigating the risk associated with geolocation requires a two-pronged approach of technology safeguards on the business end as well as increased awareness from users.
For individuals wanting a deeper dive into geolocation technology, including governance and assurance considerations and strategies for addressing risk, see the ISACA Journal Online-Exclusive article Geolocation: Risk and Benefits.

Betsie Estes, Research Resource Manager, ISACA

[ISACA Now Blog]

Cyber Security Tip for CISOs: Beware of Security Fatigue

What’s the most effective thing you can do for cyber security awareness? Stop talking about it, according to a new study that uncovered serious security fatigue among consumers. The National Institute of Standards and Technology study, published recently, found many users have reached their saturation point and become desensitized to cyber security. They’ve been so bombarded with security messages, advice and demands for compliance that they can’t take any more—at which point they become less likely to comply.

Security fatigue wasn’t even on the radar
Study participants weren’t even asked about security fatigue. It wasn’t until researchers analyzed their notes that they found eight pages (single-spaced!) of comments about being annoyed, frustrated, turned off and tired of being told to “watch out for this and watch out for that” or being “locked out of my own account because I forgot or I accidentally typed in my password incorrectly.” In fact, security fatigue was one of the most consistent topics that surfaced in the research, cited by 63 percent of the participants.

The biases tied to security fatigue
When people are fatigued, they’re prone to fall back on cognitive biases when making decisions. The study uncovered three cognitive biases underlying security fatigue:

  • Users are personally not at risk because they have nothing of value—i.e., who would “want to steal that message about how I made blueberry muffins over the weekend.”
  • Someone else, such as an employer, a bank or a store is responsible for security, and if targeted, they will be protected—i.e., it’s not my responsibility
  • No security measures will really make a difference—i.e., if Target and the government and all these large organizations can’t protect their data from cyber attacks, how can I?

The repercussions of security fatigue
The result of security fatigue is the kind of online behavior that keeps a CISO up at night. Fatigued users:

  • Avoid unnecessary decisions
  • Choose the easiest available option
  • Make decisions driven by immediate motivations
  • Behave impulsively
  • Feel a loss of control

What can you do to overcome employee security fatigue?
To help users maintain secure online habits, the study suggests organizations limit the number of security decisions users need to make because, as one participant said, “My [XXX] site, first it gives me a login, then it gives me a site key I have to recognize, and then it gives me a password. If you give me too many more blocks, I am going to be turned off.”

The study also recommends making it simple for users to choose the right security action. For example, if users can log in two ways—either via traditional username and password or via a more secure and more convenient personal identity verification card—the card should show up as the default option.

Susan Richardson, Manager/Content Strategy, Code42

[Cloud Security Alliance Blog]

English
Exit mobile version