Chimera changes the ransomware game


Ransomware is nothing new. The first known ransomware surfaced in 1989. However, it took the Internet revolution along with automated online payment systems before organized cyber gangs saw that ransomware could become a giant cash cow.

We’re talking big money and extortion on a global scale! The ROI ain’t bad either.

The third iteration of the CryptoWall variant alone is responsible for a staggering $325 million in damages since its discovery in January 2015.

The risks involved in this new era of digital hostage taking have even gotten the attention of the Federal Financial Institutions Examination Council. It just issued a statement warning financial institutions about the frequency and severity of the ransomware threat.

Until recently, most IT folks were more concerned with the time and effort they’d spend dealing with a ransomware infection. Getting stung by ransomware is costly if you’re unprepared. However, organizations can restore the encrypted files when they have a back-up strategy in place. So the risk was, for some, acceptable.

Until now.

Chimera Is on the Prowl

This month, a new ransomware variant known as “Chimera” has emerged. In addition to encrypting files and demanding a ransom to release the decryption key, this new model adds a threat to publish those files on the Internet if the ransom goes unpaid.

This evil twist turns what was already a large nuisance into a real threat to the organization, affecting both top and bottom lines.

To understand the power of Chimera, let’s first look at dollar amounts associated with two high-profile breaches:

  • The Target breach involved 40 million PCI records (credit and debit cards), plus 70 million customer PII records (addresses and phone numbers). A Target financial statement revealed the data breach cost Target $252 million.
  • In the Home Depot breach attackers stole 56 million PCI records (credit and debit cards), plus 53 million email addresses. Home Depot reported that the net expenses of the data breach cost the company roughly $33 million.

Both of these big-box retailers were on the hook for credit monitoring services, replacing millions of the credit cards, class action suits, as well as upgrading their own security infrastructure.

And Then Came Sony

While the Sony breach didn’t involve the exposure of millions of credit card numbers, it resulted in the public exposure of:

  • 47,000 social security numbers
  • Internal Financial records and payroll information
  • Personal data and addresses, visa and passport numbers, tax records
  • Over 30,000 confidential business documents
  • Embarrassing and incriminating C-level email correspondence
  • Private keys to Sony’s servers

I should add that the exposed IP (business contracts and practices, script ideas, salaries) will likely damage Sony for years to come.

In a future Chimera incident, a cyber gang could collect a king’s ransom and still dump an internal file system in Sony-like fashion onto the Web. No one says an extortionist has to honor his word.

So you can think of Chimera and its spawn as having the potential to deliver some of the financial wallop of a Target breach along with the brand destroying power of a Sony exposure.

Be very afraid!

Breach Detection Lags

How long did it take for Target, Home Depot, and Sony to realize there was a breach?

Unfortunately, the window in which the hackers were doing their work could be measured in weeks and months.

These companies are not alone. A 2015 Trustwave analysis of 574 incidents found that the average time between breach and discovery was 188 days. That’s a long time, too long, before the company even realizes it has been infiltrated.

Detecting and stopping ransomware requires an inside-out security approach. IT security must block phishing emails (or at least educate employees about them), restrict access to social media, monitor network connections to known command-and-control (C2) URLs and IP addresses, and watch for malicious processes.

But the real key to fighting ransomware is to take a closer look at what the attackers are after: these are the files and emails that employees create and view every day. This unstructured data is the largest data set in most organizations, often the most valuable, and, unfortunately, the least controlled.

While you may not be able to stop the attacker from getting inside, it’s possible through good governance and monitoring practices to limit what’s available and notify IT when the attackers are viewing and copying sensitive data.

Implementing user behavior analytics can dramatically reduce the time between breach and discovery.
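As an added example (not code from this post or from Varonis), here is a small Python detector that applies the idea above to file-server audit events: it learns each user’s own baseline of write activity per minute and alerts when a user’s writes jump far above it, reporting whether the burst consisted of renames to one new file extension, which is what a mass-encryption run looks like in the audit trail. The event format, the file paths, the thresholds and the sample log are all constructed assumptions for illustration.

```python
"""Behaviour-based ransomware detection over file-access audit events.

Added example, not from the original post or from Varonis. The audit line
format (tab-separated timestamp, user, action, path[, new_path]), the share
paths and the thresholds below are assumptions made for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# A user is flagged only if one 60-second window exceeds BOTH this absolute
# floor and BURST_FACTOR times that user's own median window (assumed values).
MIN_BURST = 25
BURST_FACTOR = 5
# Share of events in the window that must rename files to one new extension
# for the alert to name that extension (assumed value).
DOMINANT_EXT_SHARE = 0.8


def build_sample_log():
    """Constructed audit lines (not real data)."""
    lines = []
    t0 = datetime(2015, 11, 9, 9, 0, 0)
    # Normal activity: alice and bob each modify three files a minute.
    for minute in range(30):
        for i, user in enumerate(("alice", "bob")):
            for k in range(3):
                ts = t0 + timedelta(minutes=minute, seconds=10 * k + i)
                lines.append(f"{ts.isoformat()}\t{user}\tMODIFY\t\\\\fs1\\shared\\doc{minute}_{k}.docx")
    # Burst: alice's session renames 40 finance files to .crypt inside one minute.
    t1 = t0 + timedelta(minutes=30)
    for k in range(40):
        ts = t1 + timedelta(seconds=k)
        old = f"\\\\fs1\\finance\\report{k}.xlsx"
        lines.append(f"{ts.isoformat()}\talice\tRENAME\t{old}\t{old}.crypt")
    return lines


def parse_event(line):
    """Parse one tab-separated audit line into a dict."""
    parts = line.rstrip("\n").split("\t")
    return {
        "ts": datetime.fromisoformat(parts[0]),
        "user": parts[1],
        "action": parts[2],
        "path": parts[3],
        "new_path": parts[4] if len(parts) > 4 else None,
    }


def _ext(path):
    """Lower-cased file extension of a Windows-style path ('' if none)."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_bursts(lines):
    """Return alerts for users whose per-minute write activity spikes.

    Only write-type actions count; reads are ignored so that a user who
    merely browses many files is not flagged as a ransomware session.
    """
    windows = defaultdict(lambda: defaultdict(list))  # user -> minute -> events
    for line in lines:
        ev = parse_event(line)
        if ev["action"] not in ("MODIFY", "RENAME", "DELETE"):
            continue
        window = ev["ts"].replace(second=0, microsecond=0)
        windows[ev["user"]][window].append(ev)

    alerts = []
    for user, per_window in windows.items():
        # Baseline is the user's own median events-per-minute, so a heavy
        # but steady user is not flagged and a light user is not ignored.
        baseline = median(len(evs) for evs in per_window.values())
        threshold = max(MIN_BURST, BURST_FACTOR * baseline)
        for window, evs in sorted(per_window.items()):
            if len(evs) <= threshold:
                continue
            # Count renames that changed the extension; one dominant new
            # extension across the burst is the classic encryption signature.
            new_exts = Counter(
                _ext(e["new_path"]) for e in evs
                if e["new_path"] and _ext(e["new_path"]) != _ext(e["path"])
            )
            dominant = None
            if new_exts:
                ext, n = new_exts.most_common(1)[0]
                if n / len(evs) >= DOMINANT_EXT_SHARE:
                    dominant = ext
            alerts.append({
                "user": user,
                "window": window,
                "count": len(evs),
                "baseline": baseline,
                "new_extension": dominant,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_log()):
        print(alert)
```

On the constructed log, bob’s steady three writes a minute produce no alert, while alice’s burst of 40 renames to `.crypt` in one minute is flagged with its baseline of 3 and the dominant new extension named, which is the cue to disable the session and pull the user’s recent file activity before the encryption run spreads to more shares.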


About Author

Kieran Laffan is a senior systems engineer at Varonis.