They are Real. They are Frightening: Ransomware Attacks 2016
In April 2016, the FBI released a startling warning. In just the first three months of the year, cyber-criminals had already used ransomware to collect $209 million. This put ransomware on pace to become a $1 billion-a-year crime. But despite these eye-popping figures, countless organizations remained unprotected, resulting in some of the worst ransomware attacks of 2016—and indeed some of the worst in history.
In this overview, we’ll look back at some of the most notable attacks to analyze what happened and what businesses should be doing to prevent such attacks in the future.
Ransomware is expected to remain the king of cyberattacks in 2017 and beyond. To better understand how big a threat this poses for businesses, let’s look at some of the statistics:
Ransomware Statistics 2016 – 2017
- Ransomware attacks in 2016 cost small- to mid-size businesses $75+ billion a year in expenses and lost productivity. (It’s not just the ransom money you need to worry about.)
- A survey of 1,100 IT professionals found that almost 92 percent of their clients had been hit by ransomware attacks in the past year.
- Downtime from ransomware attacks can cost small businesses as much as $8,500 per hour.
- The average ransom demands from small businesses range from $500 to $2,000, while 10 percent of survey respondents reported being extorted for more than $5,000.
- Ransomware increasingly targets organizations, rather than individuals, because cyber-criminals want the biggest payouts possible. The FBI names state and local governments, school districts, law enforcement agencies and businesses as the top targets.
- Ransomware attacks on hospitals in particular are projected to increase, because the industry is known for lax cybersecurity.
- Email is by far the most common delivery method of ransomware. Websites infected with malicious code are a more sophisticated delivery method that is also on the rise.
- Attacks are expected to double in 2017, according to some estimates.
Worst Ransomware Attacks 2016
The exact number of ransomware attacks in 2016 is unknown, because many go unreported. However, based on sample data that showed 56,000 infections in one month alone, totals for the year could have ranged anywhere from 400,000 to 650,000 infections.
Here are some of the more noteworthy attacks that made headlines in 2016.
1) Hollywood Presbyterian Medical Center
– Impact: Computer systems down for more than a week
– Ransom paid: $17,000
In February 2016, attackers used a well-known form of ransomware called Locky to infect computers at Hollywood Presbyterian Medical Center in Los Angeles, California. The attack affected computers used for lab work, pharmaceutical orders and the emergency room.
While hospital CEO Allen Stefanek reported that patient care was not affected, he said the attack caused “significant IT issues,” which resulted in the hospital declaring an “internal emergency.” He also told the local NBC television news outlet that “911 patients were transported by ambulance and are being sporadically diverted to other hospitals, and all registrations and medical records are being written on paper.”
Attackers demanded $3.4 million in bitcoin in exchange for the key codes to restore the system.
The hospital ultimately paid only $17,000 in bitcoin to restore access. But by then, the computers had already been infected for about a week.
It’s worth noting that the hospital paid the ransom before contacting law enforcement—a big no-no, according to the FBI—although the FBI was later alerted and conducted its own investigation.
2) Romantik Seehotel Jägerwirt Hotel (Austria)
– Impact: Computer systems down for 24 hours, hotel guests locked out of their bedrooms
– Ransom paid: €1500 / $1,600 USD in bitcoin (Third offense)
This story actually surfaced in early 2017, but as the news unfolded, it became clear this was the latest in a series of attacks at Romantik Seehotel Jägerwirt, a luxury hotel in Austria. The hotel had been targeted two previous times in 2016, but the owner only recently reported it to the press, in hopes of raising awareness of the problem among other businesses.
The attack is noteworthy because of the implications it poses for an increasingly IoT world: hotel guests were locked out of their bedrooms until the ransom was paid.
The attack infected the hotel’s computer system, initially locking the staff out of the reservation system. But the more significant problem quickly became clear as new guests arriving at the hotel were unable to access the rooms they’d booked, because the electronic locks were connected to the infected system. This lasted a full 24 hours.
The hotel’s owner contacted local authorities. But when they weren’t able to resolve the problem, he decided to pay out the €1500 in bitcoin. Within the previous 12 months, he’d paid out thousands in similar attacks.
The hotel has since replaced all the computers that were affected by the attack, and it is working with a cybersecurity firm to prevent it from happening again. But even with those measures, the hotel plans to revert to traditional locks and keys in the near future.
3) San Francisco Municipal Transportation Agency
– Impact: Massive computer system outage; transit system gives free rides to passengers for the weekend
– Ransom paid: Zero
In 2016, we got a glimpse of how a ransomware attack on public infrastructure would play out.
The San Francisco Municipal Transportation Agency was hit, affecting 900 computers, the agency’s payroll system, email system and ticketing terminals. At some MTA systems, commuters were greeted by a message that said, “You Hacked.”
“As a result,” NBC News reported, “commuters were treated to … free rides for part of the weekend after transit officials decided to turn off ticketing booths and open up the turnstiles as a precaution.”
Hackers demanded $73,000 in bitcoin and claimed to have 30 gigabytes of stolen SFMTA data. However, the MTA’s tech experts and agents from the Department of Homeland Security determined the claim was false, and they restored systems without paying any ransom.
While transit service was not affected, computers remained down until Sunday night, meaning passengers traveled for free for a good chunk of the weekend. The cost of those losses was not reported.
4) New York Times, BBC, NFL and Others
– Impact: Major websites displayed malicious ads that hijacked visitors’ computers
– Ransom paid: Unknown
Another well-known attack in 2016 infiltrated some of the biggest sites on the web, including The New York Times, BBC, AOL, MSN, NFL, Newsweek and others. But it wasn’t the companies’ computers that were infected. It was the end-users’—the devices of those who visited these sites.
Here’s how it happened.
It’s no secret that major online publishers, like the Times, rely on third-party ad networks to serve ads to their visitors. The ads themselves are, in turn, created and submitted by a myriad of additional third-party advertisers.
In this case, some of the ads were infected with malicious software that hijacked visitors’ computers, encrypted their personal files and demanded ransom to restore them. Because of the labyrinthine way in which these malicious ads (known as malvertising) are delivered, the sites aren’t fully to blame.
Still, it took about 24 hours for all the ads to be removed, which means they likely infected thousands of users’ computers. The exact number of infected systems, and the total amount of ransoms paid out, are unknown.
5) Horry County Schools
– Impact: Locked files and infected systems across the district
– Ransom paid: $10,000 in bitcoin
In February 2016, a school district in South Carolina suddenly found itself locked out of files on its computer systems with hackers demanding a ransom to unlock them.
The attack affected all systems across Horry County Schools, a large district that includes 51 schools, a staff of over 5,500 and more than 42,000 students. The district’s lunch payment system and online PowerSchool application were just a few of the systems impacted during the event.
School officials shut down servers to prevent the attack from spreading. But in the end, the district decided that the cost of paying the ransom (while somewhat of a gamble) paled in comparison to the projected costs of building a team to restore the data manually.
The district paid the ransom, which totaled nearly $10,000 in bitcoin.
Ransomware Prevention & Disaster Recovery
It’s critical for businesses of all sizes to have a comprehensive business continuity plan (BCP) that helps to anticipate all disaster scenarios, risks and their impact on the business. And with the rise of ransomware, this type of attack needs to be specifically addressed within the BCP.
Here are some smart tips for ransomware prevention and response, compiled from IT experts and law enforcement agencies:
- Train employees on how to avoid ransomware (what to look for in emails, what types of sites to avoid, etc.) and the important roles they play in protecting the company’s data.
- Use trusted malware and anti-virus software, updated regularly, to look for the first signs of a possible infection.
- Implement data backup & recovery systems that allow you to restore backups if your data is being held hostage. Advanced solutions come with ransomware detection built-in, so that administrators are notified of the very first signs of an attack.
- Use access controls and account privileges to limit write access to files and directories.
- In an attack, do not pay the ransom without guidance from an expert or law enforcement authorities. Paying a ransom does not guarantee that attackers will restore your system.
Get More Information
For more information on how your organization can protect its data from ransomware and other disaster scenarios, contact our business continuity experts at Invenio IT. Visit www.invenioIT.com or call (646) 395-1170.