You are here

CYBERSAFETY

Singapore sees spike in number of cyberattack-for-ransom cases

BT_20161010_SWRANSOM_2537536.jpg
Security companies say ransomware attacks, where data is stolen or locked by hackers and released only when money is given, are fast becoming the most popular form of digital crime.

Singapore

IT STARTED innocently enough, with a click on a third-party ad on an India news website by a staff member, back in 2014.

Soon, the data stored on that computer in a multinational logistics company in Singapore became inaccessible. The hard drive had been encrypted by a malware, triggered by the click on the ad.

A pop-up window offered to decrypt the data within the computer for the price of a bitcoin, a form of cryptocurrency then valued at about US$500 per bitcoin.

Last year, the company saw 10 such attacks when rogue software infected the company's computers, and encrypted each hard drive. The offer from the hackers was simple - pay the ransom to unlock the data, or lose it forever.

The total number of ransomware attacks so far this year has already matched the total number from last year, says the company's head of security, who declined to disclose his name or the name of the company. The ransom amount varies, from a single bitcoin to two.

"The sophistication of the attacks has also increased. We have had malware that infects the computer, and tries to spread to our servers, and hold data stored on our servers to ransom as well."

As the company had established a policy of not paying up, it has had to lose the data, wipe all the infected machines, and train its staff on how to recognise these new forms of malware and attacks.

While the first instance was due to a rogue online ad, subsequent attacks were caused by a variety of methods, including attachments sent to staff members, some marked simply as "Invoice".

This use of social engineering, where hackers try to trick their prey, makes it a little harder to ensure that such files are never opened, explained the head of security.

While the company has not paid up any amount to the hackers, it estimates that it has wasted close to $100,000 in the last two years in dealing with the issue, with time spent on wiping all the infected computers, and on training staff in recognising the changing methods of hackers.

According to security companies, such ransomware attacks, where data is stolen or locked by hackers and released only when money is given, are fast becoming the most popular and lucrative form of digital crime.

In 2015, the US Federal Bureau of Investigation's Internet Crime Complaint Center saw 2,453 complaints about ransomware incidents, which cost users more than US$1.6 million.

Locally, the number of such attacks has increased as well, says the newly minted Cyber Security Agency of Singapore (CSA), which is responsible for Singapore's cybersecurity efforts.

"There has been a spike in the number of ransomware cases reported this year," said Dan Yock Hau, director, operations, CSA. "In the whole of 2015, there were only two reported cases. In comparison, in the first eight months of this year, 17 cases of ransomware have been reported to SingCERT."

The Singapore Computer Emergency Response Team, or SingCERT, which falls under the purview of the CSA, was set up to facilitate the detection, resolution and prevention of cybersecurity-related incidents here. And that figure could actually be higher, as companies big and small are often unwilling to talk about being hit, as it means admitting that their systems have been compromised.

Those who disclose the nature of such attacks might actually send a signal to hackers that they are vulnerable.

"We believe that the number of victims is much higher as most cases tend to go unreported," said Mr Dan.

The CSA says it has also received recent reports indicating that ransomware has started to spread to mobile devices as well.

"Hence, judging by global trends, the numbers are likely to escalate rapidly, given that ransomware has proven to be a lucrative monetisation tool," said Mr Dan.

Some companies might choose to pay the ransom, as the amount can be quite small, but security experts say that the first instance of a ransomware attack is normally a drive-by attack, and not a full-blown one.

This is where hackers release the malware into the wild, and only demand a small fee in exchange for the decryption key.

Once hackers determine that an individual or company is willing to pay up, the attacks can escalate, with the ransom amount increasing each time.

According to Symantec, the financial sector, comprising finance, insurance and real estate, accounts for 47.5 per cent of ransomware attacks here, making it the most vulnerable industry in Singapore.

The company's Internet Security Threat Report Vol 21 ranks Singapore as being eighth in the region, and 42nd globally, for ransomware by destination, with 16 total attacks per day in 2015.

But no industry should count itself safe from being targeted, warned Evan Dumas, head of emerging technologies, APAC, Middle East and Africa, at Check Point Software Technologies.

Because ransomware is usually targeted at a geography using a common service, all industries and companies of all sizes, as well as individuals, are targeted.

"A common tactic is to find a service like POPStation, and then use a phishing email claiming you have a package delivered and to click on the link to see the status. Another common tactic is to impersonate a government entity and trick the user into clicking on an attachment that is disguised as an official document," he said.

These methods allow an attacker to target a geography broadly without the need for specific customisation, as would be required with, say, a banking Trojan software.

Still, some industries can be more vulnerable. In the United States, there are reports that the utilities and healthcare industries are being targeted because they provide a critical service to the community.

"It just so happens that healthcare facilities commonly have outdated security. They are also an emotional target because of the critical nature of the services provided," noted Mr Dumas.

"What makes a good target is outdated security or a poor security posture, resulting in that company or industry being a good target."

In April, the Board of Water and Light in Lansing, Michigan, was hit by ransomware.

In February, the Hollywood Presbyterian Medical Center paid 40 bitcoins 10 days after hackers locked access to the hospital's medical records and computer systems.

But there is no guarantee that paying the ransom solves the problem.

The Kansas Heart Hospital in Witchita paid the ransom amount in May, but did not regain full access to its files. The hackers quickly demanded another sum, which the hospital subsequently decided against paying.

"From a cybercriminal's perspective, healthcare is a popular target because of the non-perishable information available. While a quick call to the bank can easily terminate a credit card, medical records have no expiry date attached to them," noted Nick Savvides, security evangelist at Symantec.

"Furthermore, patients' lives are at stake in hospitals and often enough, a time delay could result in a life or death situation. Cybercriminals are aware of the urgency associated with healthcare and may use this to their advantage."

Still, it is better not to pay the ransom, for the obvious reasons, said David Siah, country manager at Trend Micro Singapore.

"Firstly, paying does not always warrant the release of kidnapped files or data. In several cases, companies do not get their files back after making payment. Secondly, paying only serves to perpetuate the crime. It is an expedient and short-term solution, and often ends up fuelling the cybercriminal's confidence in carrying out more attacks at other organisations."

When dealing with cyberattacks, having proper back-ups has always been the advice and while it is good to have back-ups safely stored away, in case companies need to replace the ones encrypted by hackers, cyberattacks have also moved beyond merely locking up data.

These days, the threat can be to release stolen information, whether it's private and personal photos, or publishing a company's sensitive sales or research information to competitors.

"We now see that attacks have moved to mobile devices, encrypting files, and anything else that an owner is willing to pay to recover," said Mr Savvides.

"Some ransomware now also threatens to publish the victim's files online unless they pay, which is an interesting and sinister twist, since the traditional advice of keeping effective back-ups does not help in this scenario."

Another form of ransomware attack used by hackers is to prevent proper business functions.

A dedicated DDoS, or Distributed Denial-of-Service, attack on a company's e-commerce website can overload the site and prevent customers from making online transactions. At least until the business owner pays the hackers to stop the DDoS attack.

This has prompted local Internet service provider ViewQwest to launch a DDoS Protection Service for its subscribers. Powered by enterprise security specialist NSFOCUS, the $699 per month service was launched in April and offers premium Internet security services to businesses, to beef up their IT infrastructure.

The service works by monitoring traffic for unusual activity and diverting suspicious traffic to its scrubbing centre, to filter real users from bots.

After identifying, in real-time, the bots used in a DDoS attack, a trigger is sent to drop the malicious traffic so business operations can continue smoothly.

The company said that in 2014 and 2015, DDoS attacks mainly targeted gaming companies but in 2016, the scope widened to threaten public institutions and financial companies as well. Some are politically motivated and often evolve into orchestrated ransom attacks.

"Corporations are increasingly going beyond plain-vanilla Internet lines to premium 'clean-pipes' which monitor and prevent malicious DDoS traffic in real time. Attacks of over 10 gigabits per second of traffic account for over 20 per cent of total DDoS attacks, signalling a growing trend in the amount of DDoS attack traffic," pointed out Vignesa Moorthy, chief executive of ViewQwest.

"If your Internet security solution is to deal with DDoS attacks only after you have detected the attacks, you are already too late. Prevention is not only better than cure, it is now the only cure for huge DDoS attacks."