Around Christmas 2012, there were reports of Ransomware attacks in Queensland. But it was Old News... "Police knew of 30 attacks" two months earlier. Nigel Phair, author of a book on Cybercrime, was quoted in multiple sources.
Medical records are potentially being especially targeted. This is hacking-for-cash, not the healthcare-related hacktivism seen in the UK. AFR had a story in early December and mentioned AusCERT's posts on ransomware.
Regardless how a system is compromised, the only reason "ransomware" can succeed is simple:
People cannot restore from backups.

As the AusCERT post says, just because you once scheduled backups to run, doesn't mean they are running.
Case 2: Medical centre (quoted from AusCERT's post)

The attacker took control of the doctors' database containing patient records. The attacker provided proof that recovery was possible by safely returning two sample files belonging to the medical centre. The ransom demand was $4,000.

In this case, the attacker had actually infiltrated the medical centre some weeks prior to the ransom demand. During this time the attacker had made numerous strategic changes within the system, such as disabling the patient database in the tape backup scheduler. After several weeks of backup tape rotations, recent backups were not available even in the medical centre's offsite storage location. Additionally, the medical centre's USB hard disk backup device was plugged in to the system, and had therefore already been seized by the attacker.

The cure was to erase and rebuild the server, and recover older data from backup tapes. In this case, the medical centre had good practices such as keeping two different types of backup, applying security patches and maintaining an up-to-date business continuity plan. However, repelling these targeted ransomware attacks requires stronger defences.

AusCERT advises those affected to not engage with the attackers. There's a simple reason:

They want to make the maximum amount of money from you; they aren't bound by any code of ethics or morality, as demonstrated by the metaphorical gun to the head of the hostage; they can't be tracked easily; and dealing with international cyber-criminals is notoriously difficult.

The initial payment you make will only be the first payment of many, not full and final as they'd like you to believe. Like any good parasite, they'll quickly figure out how much blood they can draw: how much this thing is worth to you and your capacity to pay.
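The two failure modes in the medical centre case, a scheduled job that quietly stops running and a job that still runs but has had the patient database dropped from it, are both detectable from the backup side. The script below is an added example, not code from this post or from AusCERT: it assumes a constructed manifest format (one record per job run with timestamp, dataset list, archive path and SHA-256), assumes the dataset names `patient_db` and `documents`, builds small sample archives, and checks that the latest run is recent, covers every required dataset, has an intact archive, and can actually be read back.

```python
"""Backup health check: did the scheduled job run, did it cover everything it
should, and does the archive it produced restore?  Added example with a
constructed manifest format; dataset names are assumptions."""
import hashlib
import io
import json
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

REQUIRED_DATASETS = {"patient_db", "documents"}  # assumption: what this site must back up
MAX_AGE = timedelta(hours=26)                      # a daily job, with a little slack


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(dest_dir, datasets, when):
    """Simulate one backup job run: tar the given datasets and return the
    manifest record the job would write.  Sample data is constructed."""
    archive = Path(dest_dir) / f"backup-{when:%Y%m%dT%H%M%S}.tar"
    with tarfile.open(archive, "w") as tar:
        for name, content in datasets.items():
            data = content.encode()
            info = tarfile.TarInfo(name=f"{name}/data.txt")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return {
        "run_at": when.isoformat(),
        "datasets": sorted(datasets),
        "archive": str(archive),
        "sha256": sha256_of(archive),
    }


def check_backups(manifest, now, required=REQUIRED_DATASETS, max_age=MAX_AGE):
    """Return a list of findings; an empty list means the backups look healthy."""
    findings = []
    if not manifest:
        return ["no backup runs recorded at all"]
    latest = max(manifest, key=lambda r: r["run_at"])
    run_at = datetime.fromisoformat(latest["run_at"])
    # 1. "Scheduled" is not the same as "running": is the newest run recent?
    if now - run_at > max_age:
        findings.append(f"latest backup is stale: ran {run_at.isoformat()}")
    # 2. Did the job still include everything it is supposed to?  This is the
    #    check that catches a dataset silently removed from the scheduler.
    missing = required - set(latest["datasets"])
    if missing:
        findings.append(f"latest backup omits required datasets: {sorted(missing)}")
    # 3. Is the archive present and unmodified since the job wrote it?
    archive = Path(latest["archive"])
    if not archive.is_file():
        findings.append(f"archive missing: {archive}")
        return findings
    if sha256_of(archive) != latest["sha256"]:
        findings.append(f"archive checksum mismatch: {archive}")
        return findings
    # 4. Restore test: read every member back out rather than trusting the listing.
    try:
        with tarfile.open(archive) as tar:
            for member in tar.getmembers():
                tar.extractfile(member).read()
    except (tarfile.TarError, OSError) as exc:
        findings.append(f"restore test failed: {exc}")
    return findings


def demo():
    """Healthy run, a run with the database dropped from the job, and a job
    that has not run for weeks.  All inputs are constructed."""
    now = datetime(2013, 1, 10, 3, 0, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as d:
        good = [make_backup(d, {"patient_db": "rows", "documents": "files"}, now - timedelta(hours=3))]
        tampered = [make_backup(d, {"documents": "files"}, now - timedelta(hours=2))]
        stale = [make_backup(d, {"patient_db": "rows", "documents": "files"}, now - timedelta(days=20))]
        return {
            "healthy": check_backups(good, now),
            "db_excluded": check_backups(tampered, now),
            "not_running": check_backups(stale, now),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run a check like this from a machine the production server cannot write to, and alert on any non-empty finding list. The USB disk in the case above was lost precisely because it stayed attached to the compromised host, so the verifier, like the backup copy itself, has to live somewhere the attacker's foothold does not reach.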
What the "authorities" aren't saying is how far and how fast this particular monetisation of exploits will travel.
We know it's not going to double its reach every few seconds like the Slammer worm, because of the manual work involved in identifying targets and setting up the backups.

Business Case for High-Speed Symmetrical Links
Even if it doubles just every month, that's a 1000-fold increase in a year. Because the Internet is "born global", what we see in Australia will happen everywhere.
Every small business that doesn't want to be shut down by hackers needs guaranteed, verified off-site backups. Just like fire and theft insurance, you need good backups - and via the NBN is what you want. For this to be useful in an age of gigabyte and terabyte data storage, you need at least 100Mbps (gives you 3.6Gb/hour). But it needs to be symmetrical, the same upstream as downstream, to be useful for both backups and restores.
Remember: no user has ever asked for a backup, they only ever ask for restores.
Ideally, Retail Service Providers and ISPs will offer local access off the same PoI (Point of Interconnect, the NBN version of a Telephone Exchange for 100,000 subscribers). This means your data packets won't have to travel down and back the transit/backhaul link from the PoI to the ISP/RSP, uselessly consuming expensive bandwidth and clogging the ISP's network.

This may need the co-operation of NBN Co for ISPs/RSPs to install the appropriate network appliance at the PoI.
In a reasonable world, you'll be able to partner with someone you know in your area and each serve as the off-site backup site for the other. If the hardware fails or fills up, they are close by and you can buy a new disk and dash over there...
But that only works if:
- links are fast (daily backups under an hour, weekly under 10 hours), and
- access is cheap (not $1,000s/month for 10Mbps, but ~$100/month for 100Mbps symmetrical).