Written by: Sarah Johnson | November 20, 2019

Recently we have seen an uptick in legislation relating to ransomware at all levels of government. What has led to this? What can governments do to fight against these attacks? Let’s take a closer look this week at how this trend started, what is being done and the impact it could have on our society.

What is Ransomware?

Ransomware is a term that originated from malware (software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system). According to the Cybersecurity and Infrastructure Security Agency (CISA), ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Essentially, it allows hackers to seize control of and access to computers and the data stored within them. 

Ransomware has been around even longer than the world wide web. The first major attack dates back to PC Cyborg (or the AIDS Trojan) in 1989, when a biologist sent floppy disks in the mail to other researchers, spreading the first ever ransomware. The disk would hide the directories and encrypt or lock the names of the files on the C drive thus rendering the system unusable. It would then prompt the user to “renew their license” by paying $189 to the PC Cyborg Corporation. The sneakiest part of this attack is it would only happen after the system was started for the 90th time, so victims could not directly link the issue to the floppy they had inserted into their computer some time back. 

As time went on, ransomware attacks became more advanced, ranging from encrypting files and demanding payment for the key to completely locking users out of their system until they paid for an access code. In 2012, a virus called Reveton, known as the “police virus”, would lock users out of their systems, stating that victims had broken the law and needed to pay a fine to “local law enforcement” to regain access. Later, in the 2010s, ransomware hackers began demanding payment in cryptocurrency. This digital asset is an ideal payment method for hackers as it is specifically designed to be untraceable and anonymous. People are even specializing in RaaS (Ransomware as a Service), which enables people who are not technical enough to create ransomware to buy the technology so they too can take a piece of that sweet ransomware pie.

Ransomware typically spreads through phishing emails or by humans unknowingly visiting infected websites. On the question of identifying possible victims of ransomware attacks, anyone, anywhere with data stored on a network or computer is a potential victim (credit card companies, government agencies, healthcare systems, law enforcement agencies, individuals and so on).

Once an entity or individual has discovered they have been the victim of an attack, it can be quite tricky to regain control of their system and recover or protect any compromised data – not to mention informing everyone impacted by the breach. Entities employ specialists to aid with the recovery, but mostly people pay the requested ransom to recover compromised access and data, which only encourages more ransomware attacks. But entities that choose not to pay a ransom run the risk of creating further problems, such as hackers increasing their desired ransom or permanently deleting the data and locking the system down.

When it comes to preventative measures to help curb these attacks, basic cybersecurity measures can work wonders. The CISA recommends that while connected to a network, all users abide by safe use practices. What are these practices you ask? These practices range from simple items like ensuring your software is always up to date (usually updates are improved versions that contain patches to protect from attacks), not clicking on links and attachments in unsolicited emails and backing up and storing your data offline on a regular basis.

What Attacks have Prompted a Legislative Movement?

There have been enough notable ransomware attacks concerning localities, cities, states, and the nation to put a spotlight on the problem and encourage attempts to address it. CNN recently wrote that over the last 10 months, 140 local governments, police stations, and hospitals have been “held hostage” by ransomware attacks.

In August, 22 distinct entities in Texas were hit by a coordinated ransomware attack which left officials scrambling. The impacted entities were mostly local governments, and authorities believe the attack was launched by a “single threat actor”. Other city governments which have also been hit include New Bedford, Massachusetts, Lake City and Riviera Beach, Florida, and several systems in Atlanta, Georgia.

Cities are not the only entities vulnerable to attack. One of the most notable attacks was on Maryland’s MedStar Health System. It experienced a debilitating attack in 2016 when cybercriminals exploited a server flaw and encrypted patient files. The hackers then demanded different ransoms from different hospitals on the system to unlock the files. In 2018, two Iranian computer hackers were charged with creating “SamSam”, the ransomware used on MedStar. SamSam ended up being a multi-state, multi-million dollar ransomware attack impacting patient treatment and confidentiality. In 2017, WannaCry crippled the UK’s NHS, ultimately costing £92m. In 2019, Louisiana public schools were hit with a ransomware attack, causing their governor to declare a statewide state of emergency.

Recorded Future released a report detailing the ransomware attacks state and local governments have been dealing with since at least 2013. The report states that “smaller towns are often more vulnerable because they lack the technology or resources to protect against ransomware attacks.” Their analysis uncovered 46 ransomware attacks against government entities in 2016, 38 attacks in 2017, and 53 in 2018. 

The major issue with these attacks is that they can have potentially deadly consequences: they could conceivably knock 911 systems and emergency services offline, delete critical data for medical patients or cause mass hysteria and confusion relating to transportation.

The Bills.

All states have some sort of security measure to protect data and systems. However, at least 29 states have enacted statutes that require state government agencies to have measures in place to secure the data they hold. Here is a map of all legislation proposed since 2011 relating to ransomware; at the time of writing this blog, there are only 38 bills total.


In 2016, California Gov. Jerry Brown signed CA SB1137, making the use of ransomware a crime in California and defining it as a form of extortion. The bill extended the definition of extortion (obtaining the property of another, with his or her consent, induced by a wrongful use of force or fear) to include wrongfully obtaining and withholding electronic files and data. Under the bill, a person engaged in the activity (deploying or placing ransomware) could be convicted of a felony and imprisoned up to four years. The bill was co-sponsored by Los Angeles County District Attorney Jackie Lacey and TechNet, a bipartisan trade organization that advocates on issues affecting technology companies.

The bill’s sponsor, Senator Bob Hertzberg, said of the bill, “This legislation provides prosecutors the clarity they need to charge and convict perpetrators of ransomware. Unfortunately, we’ve seen a dramatic increase in the use of ransomware. This bill treats this crime, which is essentially an electronic stickup, with the seriousness it deserves.”

DA Jackie Lacey further spoke about the bill and crimes associated with it: “Extortion by ransomware is immensely costly and terrifying to victims whose data is held hostage. And when criminal hackers target hospitals, fire and rescue it threatens the public’s safety. SB 1137 has clarified California law to make sure that a criminal who infects computers or networks with ransomware can be prosecuted for extortion.”

Maryland SB151, proposed in 2019, would have defined ransomware attacks that result in a loss greater than $1,000 as a felony, subject to a fine of up to $100,000 and a maximum sentence of 10 years in prison. SB151 further allowed courts to award damages and pay attorney costs for victims of ransomware attacks. The bill also attempted to introduce a new criminal offense prohibiting simple possession of ransomware with the intent to use it, containing an exception for research. The bill received a hearing, but died in March. Currently, Maryland laws stipulate that a ransomware attack that extorts a loss less than $10,000 is a misdemeanor. A breach that results in a loss greater than $10,000 is a felony.

The “DHS Cyber Hunt and Incident Response Teams Act,” or US HR1158, authorizes the Department of Homeland Security (DHS) to invest in and develop “incident response teams” to help organizations battle ransomware attacks. Part of that means that the DHS would create teams to protect state and local entities from cyber threats and restore infrastructure that has been affected by ransomware attacks. The legislation aims to help government agencies and private-sector companies combat ransomware attacks. The bill crossed over in June this year.

The Cyber Deterrence and Response Act of 2019, or US S602, establishes a framework to deter and respond to state-sponsored malicious cyber activity against the United States. It provides that “the President, acting through the Secretary of State, and in coordination with the heads of other relevant Federal agencies, shall designate as a critical cyber threat actor”; that is, it would designate countries that represent the nation’s top cyber threats and then sanction those that carry out attacks. A “critical cyber threat actor” is defined as each foreign person and each agency or instrumentality of a foreign state that the President determines to be knowingly responsible for or complicit in, or to have engaged in, directly or indirectly, state-sponsored cyber activities that are reasonably likely to result in, or have contributed to, a significant threat to the national security, foreign policy, economic health, or financial stability of the United States and that have the purpose or effect of:

  1. Causing a significant disruption to the availability of a computer or network of computers
  2. Harming, or otherwise significantly compromising the provision of service by, a computer or network of computers that support one or more entities in a critical infrastructure sector
  3. Significantly compromising the provision of services by one or more entities in a critical infrastructure sector
  4. Causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain
  5. Destabilizing the financial sector of the United States by tampering with, altering, or causing a misappropriation of data
  6. Interfering with or undermining election processes or institutions by tampering with, altering, or causing a misappropriation of data

The bipartisan bill, sponsored by Cory Gardner (R) and Chris Coons (D), also requires the administration to impose sanctions against all entities and persons responsible or complicit in malicious cyber activities aimed against the United States. S602 was read twice and referred to the Committee on Foreign Relations in February 2019. 

Conclusion.

As our society becomes more and more connected, the need to prevent and address this type of attack grows. The thought of ransomware attacks taking down a city’s emergency services and causing disarray is a common plot on television and in movies; why do most people still think of it as futuristic and not applicable to the world we live in right now? We are all connected in some way. We rely on our water, utilities, and banks remaining safe, protected, and functioning. Every single one of these entities could be a victim to a cyber attack, and by association, all of us. 

The House found other huge cyber attack incidents, like the Equifax hack, which compromised data for nearly half of all Americans, to have been “completely preventable”. It was caused by rapid growth coupled with the company not taking the time to address how that growth left its IT systems exposed. We need regulation. We need oversight. We need to ensure the companies that have so much control over our lives and information are held accountable to implement the security precautions necessary to fight attacks like ransomware and cyber terrorism and live up to the responsibility they have for the data they collect on us (whether we like them having it or not).

As seen in the interference with the 2016 election, especially the hacking of state voter files, we did not think seriously enough about cybersecurity vulnerabilities until it was too late. This is just the beginning; the possibilities of attack and harm to us are endless. Technology threats are real, they are here, and they will get the best of us if we do not act.
