For the past year, I’ve been criticizing entities that describe their data leaks as “hacks” (cf, this article of mine on The Daily Dot or this post as examples). More recently, Zack Whittaker has also forcefully raised that issue on ZDNet. Whether other journalists will adapt their language and correctly report incidents as “leaks” instead of “hacks” – regardless of what the entity may claim – remains to be seen over time. But there’s a second language issue that this blogger would also like to see addressed: overuse or misuse of the word “ransomware.”
Anyone who reads reports on trends in data breaches is already aware that we have seen a significant increase in the number of ransomware attacks being disclosed over the past year. We have seen ransomware attacks evolving to include threats of releasing private information (“doxware“), and there’s even a strain of ransomware (Koolova) that doesn’t require any financial payment, but will only provide victims with a decryption key after they have read two articles on cybersecurity. You don’t even have to know how to code ransomware to use it, as Satan ransomware is available as a service for a percentage of the ransom you collect. And if you don’t like Satan, maybe Goldeneye will be more to your taste.
As I understood it, ransomware is a type of malware that either locks the screen or otherwise limits access to the user’s system or files until a ransom is paid; crypto-ransomware encrypts the victim’s files on the server and holds them hostage until payment is made, usually through cryptocurrency. But as the term “ransomware” was used, it always referred to a malware infection. Until now, it seems, when some people seem to call everything “ransomware” if there’s any ransom demand – regardless if there’s no malware involved. The following are some recent examples of what has been reported as “ransomware” when no real ransomware was involved.
“Ransom Scams”
Since the beginning of this month, we have seen an explosion of attacks on misconfigured databases. First it was MongoDB installations (more than 34,000 attacked as of yesterday), then ElasticSearch (more than 4,600), with attacks on CouchDB appearing in short order, too.
Despite attackers leaving messages claiming that the victims’ databases have been stolen and will be returned upon payment of ransom, there has been no evidence that the databases have either been encrypted on the server, or exfiltrated and saved. Volunteer researchers (of the GDI Foundation) including Victor Gevers, Niall Merrigan, Matt Bromiley, and Dylan Katz are finding that the databases are just being wiped out and ransom notes left in their place.
In light of the absence of “proof of life,” people who pay the demanded “ransom” are likely just giving the attackers a gift — free money for wiping out their database. Such payments only encourage more attacks of this kind, as it’s easy money for the attackers: wipe out an exposed database, claim to be holding it hostage, get paid, and go spend it on new toys.
If these attacks really boil down to hackers simply deleting databases and then lying about the victim’s ability to recover the data, wouldn’t it be more helpful for all of us to refer to these as “ransom scams” as opposed to “ransomware” attacks?
Real Ransom or Extortion Demands, but no “Ransomware”
It’s not just the recent wave of NoSql database attacks that are being mischaracterized as “ransomware,” though. This week, DataBreaches.net found itself questioning whether news outlets – and the victim itself – were accurately describing a hack on a charity as a “ransomware” attack.
When Muncie-based Cancer Services of East Central Indiana-Little Red Door (LRD), a small non-profit offering services and support to cancer patients, claimed to be the victim of a “ransomware” attack by TheDarkOverlord (TDO), this site was surprised, but reported it as such. It appeared, based on LRD’s executive director’s email to staff, as if TDO had changed their usual methods.
But according to TDO, they had not really changed their methods (although wiping the server is not something they have often done). In encrypted chats with DataBreaches.net, TDO denied that any ransomware was involved in the Little Red Door attack. TDO readily acknowledged the hack, the exfiltration of data, the wiping of a server and one backup, and an extortion demand, but at no time, TDO asserts, were any files encrypted or locked up and LRD was never offered a decryption key in exchange for payment. The extortion demand appeared to be the main threat: TDO would leak their clients’ personal and sensitive information if LRD didn’t pay up.
It was – and is – an ugly situation, to be sure, but from what TDO tells this site, this wasn’t a ransomware attack, and they are baffled as to why LRD would report it as such or claim that their data had been encrypted.
A Distinction Without a Difference?
People might argue that the difference between a hack with an extortion demand and an actual ransomware attack doesn’t make much difference. But what we call something or how we understand it does matter, and not just in our statistical analyses of external threats.
Ransomware attacks (not including RaaS) can be somewhat indiscriminate in terms of who gets attacked. TDO’s attacks are not random; they are targeted hacks. Think about that: a small non-profit organization that helps cancer patients was targeted by determined hackers. If LRD and other non-profit charities understand that instead of viewing LRD as an unfortunate but random victim of a ransomware attack, then perhaps LRD’s risk assessment and defenses going forward can more accurately reflect and address the risk they face. And perhaps other non-profit charities can think about whether they, too, are likely to be targeted by hackers who will try to extort them over the sensitive information they collect and store.
Yes, I know “ransomware” is the sexy headline these days, but this wasn’t ransomware, and the media’s misplaced focus on “ransomware” and calling blackhat hackers motivated for money “international cyberterrorists” distracted from the real story: even small non-profit organizations are in the sights of hackers who are out to get the personally identifiable information that you store about your clients or patients. Does your risk assessment include consideration of what would happen if hackers acquired your clients’ or patients’ data and threatened to leak it all unless you pay the thousands of dollars they may demand? If not, maybe it’s time to redo your risk assessment and to review your security program and any cyberinsurance policy to see what you might need to address.
* * *
Update: TDO has leaked client data from Little Red Door. Consistent with this site’s policy, I will not link to it. The leaked data include 6,047 deceased and living clients’ personal details such as name, address, telephone number, date of birth, and some caregiver details. The data also include the type of cancer, the type of treatment the patient was receiving, financial information on clients (but not account numbers), and health insurance information, including, in a number of cases, group numbers and policy numbers. It appears that no Social Security numbers or bank account information are involved.
Hopefully, surviving clients and caregivers will take steps to protect themselves from targeted phishing scams or medical identity theft. Because Little Red Door never replied to any communications from this site, I have no idea if they know what to do to get the data removed from public access. Hopefully, someone has told them.
Are you the mouth peace for these hacker’s? For what reason would you be cosey and have Access to these hacker’s and what’s so special about you that you can have access. You the set up man? You sound as if your richousnesss for your call for destinction between what these loosers do to hurt and steal with their knowledge, willing to hurt because what, their kids, they know that if they get caught the penalty for the harm they cause is nothing. Maybe your destinction should be to associate bloggers as reporters. Both of you lie and misslead your readers, but for hackers the difference is clear, good or bad. I hear there is a hunter surfacing from the Tor network offering money for leads to hackers. Have you heard about him? He says from a notice I read, “$4info:lead me to any hacker and payment will be yours from the rewards offered for their capture. But my intents are restitution before they are unwillingly found, but they’ll beg for the cell than the Manner playroom. An eye for an eye. *I’m coming for ub and using the keyboard will be something you’ll NEVER have to worry about, ever again! TheBloodhound”
Really? I thought when a friend showed me this and so I wonder if it’s true? Your uncontactable with these people, is it true? I realize that
I don’t know if this stuff but do you these hacker’s who call themselves such evil hooks, what do you think if true evil found them? It seems somewhat of an irony that there’s a masterofbloodhoundmanner on Google and I wonder if people are leaving that guy all kinds of leads. Ha. Anyway, you keep speaking up for hacker’s it’s a free country and your right.
I have no idea what you’re talking about with “The Bloodhound.” This is the first I’ve heard of any notice/bounty like that. Can you tell me where that notice is? What forum or chat room was it in?
And no, I’m not the “mouthpiece” for hackers. Some talk to me because FreeAnons have told them that I’ll give them a fair interview – like my series on some Australian hackers or my interview with Derp and others. Others talk to me because I’ve been able to contact them and they’ve seen some reporting I did on them or others. A number of hackers have told me I’m easy to talk to, which may have something to do with why I get so much from some of them.
I was more persistent in pursuing interviews with TheDarkOverlord because of my special concern with hacks involving health data. But you’d have to ask him/them why they’re willing to talk to me. Would you rather not have anyone reporting on them??
And do you accuse other journos of being “cozy” with hackers or their “mouthpieces” when they report on other hackers that some of us don’t have access to or can’t get interviews with?
BTW, you may have missed part of the point of my post – it was not to excuse what TDO has done. Not at all. It was simply to frame their attacks properly so people can consider their own risk of becoming victims of targeted hacks and so that people frame this as two crimes: the criminal hacking (under CFAA) and then extortion. To me, extortion – threatening to reveal sensitive medical info or personal info – is actually more abhorrent than holding data hostage for ransom to get it back.