A History of Ransomware

Ransomware is a type of malware in which the perpetrator threatens to commit a malicious act unless the victim pays a ransom. The simplest type of ransomware appears to lock the target system, although a person with reasonable knowledge of computers can usually resolve the problem without paying the ransom.


To Pay or Not to Pay: That is the Question That Ransomware Victims Must Answer

Colonial Pipeline Company recently paid $4.4 million to get its data back after a ransomware attack, rekindling the debate of whether companies should give in to cybercriminals' demands. Find out why some companies decide to pay the ransom while others do not.

Most people had never heard of the Colonial Pipeline Company before May 2021, even though it transports 45% of all fuel consumed on the US East Coast. This company works behind the scenes, moving 100 million gallons of refined gasoline and jet fuel through 5,500 miles of pipeline each day. However, that all changed in early May when the fuel stopped flowing for several days. Numerous reports about gas pumps running dry and people panic buying gas made Colonial Pipeline a household name.

A ransomware attack was to blame for the fuel stoppage. The DarkSide ransomware gang had infiltrated the IT systems in Colonial Pipeline's corporate network. Besides having its IT systems offline, the company shut down certain systems in its operational network as a precautionary measure. The operational network uses automated systems to monitor and control the fuel that flows through the pipeline. Taking those systems offline prevented the infection from spreading to the operational network. However, it also resulted in the shutdown of all pipeline operations.

The company paid $4.4 million to the DarkSide ransomware gang to get the key needed to decrypt its data. While paying the ransom enabled Colonial Pipeline to get its pipeline operations online sooner, security experts are concerned that it will encourage other cybercriminals to try similar attacks. And their concerns may be well founded. Just weeks after Colonial Pipeline paid the hefty ransom, one of the largest meat producers in the world, JBS, announced that it was the victim of a ransomware attack.

These events are rekindling the debate about whether companies should pay the ransom if their data is being held hostage. Answering this question, though, is not as simple as it seems, especially given the new tactics that cybergangs are using. Even the Ransomware Task Force — a group that recently developed a strategic framework for combating the growing ransomware threat — could not agree on an answer. "The Ransomware Task Force discussed this extensively," said one of its members. "There were a lot of important things that the group came to a consensus on and payment was one where there was no consensus."

So, it is up to businesses to decide for themselves whether it is a good idea to pay ransomware gangs. Here are some of the reasons why companies do and do not pay up when they fall victim to a ransomware attack.


Why Companies Pay the Ransom

Paying the ransom to get data back is a fairly common occurrence among companies. "The State of Ransomware 2021" study by Sophos found that 32% of the companies whose data was encrypted by ransomware in 2020 paid the ransom.

Colonial Pipeline also decided to pay the ransom after it discovered some of its files were encrypted. "I know that's a highly controversial decision," said the company's CEO Joseph Blount. "I didn't make it lightly. I will admit that I wasn't comfortable seeing money go out the door to people like this. But it was the right thing to do for the country."

Blount said he authorized the payment because, at that time, no one knew how badly the company's systems were breached. Therefore, he did not know how long it would take to repair those systems and get the pipeline back online.

As the Colonial Pipeline example illustrates, some companies pay the ransom to minimize the disruption to their operations, especially when the disruption significantly affects the lives of other people. In other cases, businesses pay the cybergangs because doing so is easier or quicker than reconstructing their data from backups. Or organizations might find that their only option is to pay. Perhaps they did not create any backups or the ransomware encrypted both the original data and the backup files.

Additional pressure tactics used by ransomware gangs can also prompt a company to give in to their demands. Those tactics include:

  • Data exfiltration. Nowadays, most ransomware gangs steal data before encrypting it, threatening to publicly post the stolen data if a business refuses to pay up. In the first quarter of 2021, 77% of the ransomware attacks included a threat to release stolen data, according to Coveware's "Q1 2021 Ransomware Report".
  • Intimidation. Some ransomware gangs try to bully businesses into paying the ransom. For example, members of the DoppelPaymer gang often call their victims to intimidate them into paying. In one instance, they even threatened to send a gang member to the home of a certain employee and provided the employee's home address as proof they knew where that person lived. The gang also called several of the employee's relatives.


Why Companies Do Not Pay Up

About two-thirds of the companies whose data was encrypted by ransomware in 2020 did not pay the ransom, according to "The State of Ransomware 2021" study. They were able to recover their data from backups or through some other means (e.g., using a decryption tool provided by a third party), thereby eliminating the need to pay up.

Most security experts recommend that ransomware victims follow in these companies' footsteps. The experts believe that giving in to ransomware gangs' demands encourages them to carry out even more attacks. It also lures other cybercriminals into carrying out this type of attack. The newcomers do not even need to know how to create a ransomware program. Some gangs let other cybercriminals use their ransomware programs for a share of the profit, a practice referred to as the Ransomware-as-a-Service business model. In 2020, two-thirds of the ransomware attacks were carried out by cybercriminals using this model, according to Group-IB's "Ransomware Uncovered 2020/2021" report.

Besides encouraging more ransomware attacks, there are other reasons why security experts do not recommend paying the ransom. Here are a few of them:

  • Giving in to the cybercriminals' demands does not guarantee that companies will get all their data back. More often than not, companies get only some of it back. For example, only 8% of the ransomware victims participating in "The State of Ransomware 2021" study got all their files back after paying the ransom. On average, the victims recovered just 65% of the encrypted files, which means about a third of their data was still inaccessible despite paying the ransom.
  • Cybercriminals might demand more money once the initial ransom is paid. That's what happened to the Kansas Heart Hospital in Wichita. The hospital paid the ransom, but the cybercriminals did not provide the decryption key. Instead, they demanded more money, which the hospital refused to pay.
  • Paying the ransom might violate Office of Foreign Assets Control (OFAC) regulations. OFAC is a financial intelligence and enforcement agency in the US Treasury Department. It imposes economic sanctions on individuals and groups it designates as "malicious cyber actors", including perpetrators of ransomware attacks and those who assist, sponsor, or support these attacks. US citizens and organizations are generally prohibited from engaging in transactions, directly or indirectly, with designated malicious cyber actors. This type of engagement is banned because it enables the cyber actors to profit from and advance their illicit activities — and those activities might threaten US national security, according to the US Treasury Department.


Only the Start of the Long Road to Recovery

Deciding whether or not to pay the ransom is a difficult decision that companies need to make if they fall victim to a ransomware attack. No matter their decision, they will face many challenges while recovering from the infection. Besides having to restore their data and systems, they will need to find and fix the security hole that allowed the cybercriminals to access their networks so they do not get attacked again. And they will need to determine how to absorb the losses (e.g., lost revenue from downtime) and additional costs (e.g., cost of bringing in forensic experts) resulting from the attack.

For Colonial Pipeline, the recovery will take months and cost the company millions of dollars, according to Blount. However, there is one loss the company won't be able to recoup — the company's anonymity. "We were perfectly happy having no one know who Colonial Pipeline was," said Blount. "Unfortunately, that's not the case anymore. Everybody in the world knows [us now]."


Money flickr photo by 401(K) 2013 shared under a Creative Commons (BY-SA) license


Malvertising Is Likely Coming to a Browser Near You

Cybercriminals are increasingly posting malicious ads on legitimate websites to obtain data and spread malware. Discover how malvertising works and what you can do to protect your business from it.

Cybercriminals do not take holidays off — in fact, they often use them to their advantage. That's how a group of hackers celebrated President's Day in the United States. They launched a massive malicious advertising (malvertising) campaign that involved more than 800 million ad impressions on legitimate websites between February 16-19, 2019, according to Confiant security researchers. The ads were designed to trick users into entering personal and financial information in order forms for fake products.

A Serious Problem

Malvertising is a serious problem. Avast notes that it is one of the top five endpoint threats affecting small businesses. That's because cybercriminals are increasingly posting malvertising on legitimate websites in order to:

  • Obtain sensitive data. Like in the President's Day campaign, hackers use malvertising to obtain sensitive data, such as payment card or bank account information.
  • Deliver exploit kits. These kits are designed to find known vulnerabilities in systems. If a vulnerability is found, it is used to install malware or carry out other types of malicious activities.
  • Deliver malicious payloads directly. Pop-up ads, for example, can deliver malware as soon as they appear or after people click the "X" button to close them.

The Devious Ways in Which Malvertising Works

To understand how malvertising works, you need to know how web browsers render web pages. When you visit a web page, your browser automatically receives the page's content so it can display the page. So, for example, when you visit your favorite business news website, all the articles, pictures, ads (malicious or not), and other elements on the page are automatically sent to your browser.

What the malvertising does next depends on whether it includes malicious code. For instance, suppose hackers want to deliver an exploit kit. One way they can do this is to create ads that try to lure you into clicking a link. The ad itself does not contain any malicious code. However, if you click the link, you will be sent to a server that delivers an exploit kit. If the kit finds a vulnerability, it is used to install malware on your device.

Even worse, some malicious ads deliver exploit kits without you doing anything other than going to your favorite website. In this case, the malvertising contains code that automatically redirects your browser to a server, which delivers the exploit kit. The redirection occurs behind the scenes, without you clicking a single link.

How Hackers Get Malicious Ads on Legitimate Websites

Hacking into legitimate websites and inserting malicious ads is a lot of work. That's why cybercriminals typically pose as businesspeople to get their malvertising online. This ruse is successful because there are many different ways to get ads on websites (e.g., through advertising agencies, using advertising networks) and there is no standard vetting process. The groups involved in getting ads often do not request much information from the people submitting them. Plus, while some groups check ads before accepting them, others do not.

Even if the ads are checked, hackers find ways around the screenings. For example, sometimes they submit their ads with the malicious code disabled and then enable it after the ad is accepted and put online. In addition, hackers often remove the malicious code from their ads shortly after they are posted to make it more difficult to detect and track their attacks.
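As an added example (not code from the original article), here is a Python check that a publisher's ad-operations or security team could run over the creatives it actually serves. It covers the two behaviours described above: an ad that navigates the browser without any click, and an ad whose code was switched on only after it passed review. The sample creatives, the redirect patterns and the audit logic are constructed for illustration and are an assumption, not an industry standard.

```python
import hashlib
import re

# Constructed sample creatives (illustrative only, not real ads).
# The reviewed version has its script inert; the served version has a
# top-level navigation enabled after approval, as the article describes.
APPROVED_CREATIVE = (
    '<div class="ad"><a href="https://shop.example/deal">Big sale!</a>\n'
    '<script>/* redirect disabled for review */</script></div>'
)
SERVED_CREATIVE = (
    '<div class="ad"><a href="https://shop.example/deal">Big sale!</a>\n'
    '<script>window.top.location = "https://landing.example/gate";</script></div>'
)

# Primitives that move the browser somewhere else without a user click.
# Heuristic: a hit means "review this creative", not proof of malice.
AUTO_REDIRECT_PATTERNS = [
    r"<meta[^>]+http-equiv=[\"']?refresh",                     # HTML meta refresh
    r"(?:window\.)?(?:top|parent)\.location(?:\.href)?\s*=",   # navigates the hosting page
    r"location\.(?:replace|assign)\s*\(",                      # scripted navigation
]


def creative_hash(html: str) -> str:
    """Fingerprint of the creative as reviewed; store this at approval time."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def find_auto_redirects(html: str) -> list:
    """Return the literal matches of any auto-redirect primitive in the creative."""
    hits = []
    for pattern in AUTO_REDIRECT_PATTERNS:
        for match in re.finditer(pattern, html, re.IGNORECASE):
            hits.append(match.group(0))
    return hits


def audit_creative(approved_html: str, served_html: str) -> list:
    """Compare what is being served with what was approved.

    Two findings matter: the creative drifted since review (the
    "enable it after acceptance" trick), and it now contains a primitive
    that navigates the page without a click.
    """
    findings = []
    if creative_hash(served_html) != creative_hash(approved_html):
        findings.append("creative changed since review")
    redirects = find_auto_redirects(served_html)
    if redirects:
        findings.append("auto-redirect primitive: " + ", ".join(redirects))
    return findings


if __name__ == "__main__":
    for finding in audit_creative(APPROVED_CREATIVE, SERVED_CREATIVE):
        print("FLAG:", finding)
```

Run the audit on a schedule against the live creative, not only at submission time, since the article's point is that the code changes after acceptance.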

How to Protect Your Business

While the digital ad industry knows about malvertising and is taking steps to mitigate the problem, it will be a while before these ads are no longer a threat. Thus, you need to proactively protect your business. Here are some of the measures you can take:

  • Educate employees about malvertising. Be sure to discuss the dangers of clicking links in ads, as the ads might be malicious.
  • Tell employees about the dangers of allowing pop-ups and redirects. Most modern web browsers block pop-ups and redirects by default, but this functionality can be manually disabled. Let employees know this is dangerous since malvertising sometimes uses both pop-ups and redirects. Similarly, let them know they should not enable web content that has been disabled by their web browsers or security software, as it might contain malicious ads.
  • Uninstall browser plug-ins and extensions not being used. This will reduce the computers' attack surface. For the plug-ins and extensions being used, consider configuring web browsers so that plug-ins and extensions are automatically disabled but can be manually enabled on a case-by-case basis.
  • Update software regularly, including browser plugins and extensions. Exploit kits look for known vulnerabilities in software. Patching these vulnerabilities helps eliminate entry points into devices.
  • Install ad blockers. Ad blockers remove or modify all ad content on web pages. However, they might unintentionally block non-ad content, causing a web page to display improperly or not at all.

We can help you develop a customized strategy to protect your business's devices from malvertising and other types of cyberattacks.


How the Models in the Samsung Galaxy S10 Series Stack Up

Samsung is launching four models of its flagship smartphone, the Galaxy S10. Discover when these smartphones will be released and how they differ from each other.

The Galaxy S10 (standard model), Galaxy S10+ (deluxe model), and Galaxy S10e (entry-level model) are expected to arrive in stores on March 8. Samsung will also be releasing its first 5G-ready phone, the Galaxy S10 5G, but it won't be available until the second quarter of 2019.

So, if you are in the market for a new Galaxy S phone, you have several choices. Here are some considerations to keep in mind when deciding which model would work best for you.

What the Galaxy S10 Models Have in Common

All four of the Galaxy S10 models ship with the Google Android Pie (version 9.0) operating system. The hardware powering this software is either the Qualcomm Snapdragon 855 processor (United States and China) or Exynos 9820 (Europe and India). Other features that the S10, S10+, S10e, and S10 5G share include:

Edge-to-edge display. One of the first things people notice about the Galaxy S10 phones is their edge-to-edge displays. To maximize the size of the phones' screens, Samsung trimmed the bezels and eliminated the selfie camera notch at the top. All the phones have Dynamic AMOLED Infinity-O displays. Samsung touts that this type of screen reduces harmful blue light without changing the onscreen colors when the phones are being used in the dark.

Dedicated neural processing unit (NPU). For the first time, the Galaxy S phones have a dedicated NPU for artificial intelligence (AI) tasks. As a result, AI tasks are expected to run seven times faster in the Galaxy S10 models compared to their predecessors. The NPU uses machine learning, which enables the devices to recognize patterns, learn from experience, and make predictions.

Bixby. While the Bixby virtual assistant is not new to the Galaxy S10 models, it does have a few more tricks up its sleeve. For starters, the virtual assistant now includes Bixby Routines, which learn your habits in order to predict your needs and provide personalized recommendations. In addition, Bixby can connect to Galaxy Buds, Samsung's new wireless earbuds. Because of this connection, you can make calls and send texts from your earbuds using voice commands. Bixby also connects with Samsung's new Galaxy Watch Active smartwatch.

Wireless PowerShare. The new Wireless PowerShare feature lets you use a Galaxy S10 phone to charge other devices, such as Galaxy Buds, Galaxy Watch Active, and smartphones that support WPC Qi wireless charging. All you need to do is plug in the S10 phone, lay the phone down backside up, and place the other device on top of the phone.

Headphone jack. Unlike Apple's iPhone XS series, all four models of the Galaxy S10 have a headphone jack in case you do not want to use Galaxy Buds or some other type of wireless headphone. This seemingly insignificant feature is a big deal to many smartphone users.

How the Galaxy S10 Models Differ

There are many ways in which the four Galaxy S10 models differ from each other. Perhaps the most obvious difference is that the S10 5G is 5G ready, while the S10, S10+, and S10e do not support this new wireless networking technology. Other notable differences include:

Display size and type. Not surprisingly, the higher-end Galaxy S10 phone models have larger screens and better resolutions than the lower-end models. For example, the S10e has a 5.8-inch Full HD+ display, whereas the S10+ has a 6.4-inch QHD+ display, as Table 1 shows. QHD+ displays are longer than typical phone screens, which gives the appearance of a widescreen.

Table 1: Comparison of Features in the Galaxy S10 Models

| Feature | S10e | S10 | S10+ | S10 5G |
|---|---|---|---|---|
| Display size | 5.8-inch flat display | 6.1-inch curved edge display | 6.4-inch curved edge display | 6.7-inch curved edge display |
| Display resolution | Full HD+ | Quad HD+ | Quad HD+ | Quad HD+ |
| Display pixels per inch (PPI) | 438 | 550 | 522 | 505 |
| Fingerprint scanner | Capacitive scanner on the power button | Ultrasonic scanner built into the display | Ultrasonic scanner built into the display | Ultrasonic scanner built into the display |
| RAM options | 6 GB or 8 GB | 8 GB | 8 GB or 12 GB | 8 GB |
| Storage options | 128 GB or 256 GB | 128 GB or 512 GB | 128 GB, 512 GB, or 1 TB | 256 GB |
| MicroSD card slot | Yes | Yes | Yes | No |
| Front cameras | Selfie | Selfie | Selfie and RGB depth-sensing | Selfie and 3D depth-sensing |
| Rear cameras | Wide angle and ultra-wide | Wide angle, ultra-wide, and telephoto | Wide angle, ultra-wide, and telephoto | Wide angle, ultra-wide, telephoto, and 3D depth-sensing |
| Dual SIM option | Yes | Yes | Yes | No |
| Battery size | 3,100 mAh | 3,400 mAh | 4,100 mAh | 4,500 mAh |
| Base price | Starts at $750 | Starts at $900 | Starts at $1,000 | Not yet announced |


Fingerprint scanner. Samsung has replaced Galaxy S9's iris scanner with a fingerprint scanner in Galaxy S10. While the S10e has a conventional capacitive fingerprint sensor on its power button, the other three S10 models feature an ultrasonic fingerprint scanner that is built into the display. The ultrasonic scanner captures 3D images of fingerprints, making it much harder for thieves to deceive this authentication system using a 2D picture.

Memory and storage. The memory and storage options for each of the S10 models vary, as Table 1 shows. The S10, S10+, and S10e have a MicroSD card slot, so they can support up to an additional 512 GB of storage.

Cameras. Samsung is known for its smartphone cameras, and the Galaxy S10 models do not disappoint. The number of cameras found in each model ranges from three in the S10e to six in the S10 5G. Table 1 lists each model's cameras.

The Bottom Line

The Galaxy S series has been around for nearly a decade, so the phones have many features and capabilities to offer. However, the phones are not cheap. The pricing starts at $750 for the S10e, $900 for the S10, and $1,000 for the S10+. (Samsung had not yet released the price for the S10 5G at the time of this writing.)

If you are interested in a 5G-ready phone, you will probably want to wait until the Galaxy S10 5G is released. The S10 5G will work with 4G LTE networks as well, according to experts. If the 5G feature does not interest you, you still have the Galaxy S10, Galaxy S10+, and Galaxy S10e from which to choose. If you have questions about any of these models, contact us.