India Insights with Geetha Nandikotkur


Cyber Extortionists Demand Bitcoins
How Should CISOs Defend Against Ransomware Surge?

Worldwide, organizations are coping with a new wave of threats from attackers who compromise critical systems and attempt to extort payment from the victims. And India is no exception to these attacks.

Indian enterprises now apparently face a series of attempted cyber extortions by hacktivists demanding bitcoin payments. What irks security leaders is enterprises yielding to these extortion attempts, when the currency exchange of bitcoins is not legal in India and is liable to prosecution.

The latest media report says three banks in India and a pharmaceutical company were hacked, the attackers demanding ransom in bitcoins for the decryption keys to release the systems.

In these reported cases, the attackers seized control of the computers and accessed the system by compromising IT administrators' computers. They seem to have used the Lechiffre ransomware to gain entry.

J Prasanna, director and founder of Cybersecurity and Privacy Foundation Pte. Ltd., says Lechiffre is not particularly sophisticated - it has bugs, which could lead to decryption without paying ransom.

Still, these reports raise several questions: Is bitcoin payment now becoming the norm in such extortion schemes? What challenges must CISOs be aware of? What is the attackers' modus operandi? How can organizations secure their environments against the growing threat of this malware?

Bitcoin Conundrum

The breached banks have not been identified, but are said to be southern-based, and the pharmaceutical company is said to be a large group based in Hyderabad. Having encrypted all files, the attackers demanded one bitcoin each per computer for a total running into millions of dollars. This may be the first instance of hackers seeking ransom from Indian victims in bitcoins, a digital currency gaining acceptance worldwide, but illegal in India.

The extorters are believed to reside in Mumbai and Delhi regions.

But why did the hackers demand bitcoins when the RBI has taken a strict regulatory stance against the currency? Anyone performing a bitcoin transaction can be legally prosecuted.

"Bitcoin is not recognized as a currency by RBI - buying or selling bitcoins by Indian Banks is not approved by it," says L S Subramanian, cybersecurity expert and founder, NISE.

Lucknow-based Dr. Triveni Singh, additional superintendent of Police-Cybercrime Cell, says, "Bitcoin, not a legal currency in India, is usually used as a token in hawala transactions - transferring money without any actual movement and promissory notes." Security critics advise enterprises not to deal with bitcoin transactions, immediately reporting extortion attempts to the police to handle the case confidentially.

To this effect, in June 2013 the RBI issued a notice acknowledging that virtual currencies posed legal, regulatory and operational challenges, and in December 2014 the RBI issued an advisory to the Indian public to be cautious in buying and selling virtual currencies, including bitcoin.

Attack Modus Operandi

While the number of computers targeted by extortionists is not known, the latest report says the infection began when an email disguised as a communication from senior management was opened. The malware penetrated through other computers as the IT administrator's computer was seized, and the ransomware was hard to detect.

Experts say Lechiffre encrypts data on computers and servers in the background, using 256-bit public-key cryptography where the private key for decryption is only known to the attacker. The hackers left a ransom notification and contact details on each computer in a text file.

Security experts say that CryptoWall/CryptoLocker is a more sophisticated form of this malware category, known as ransomware. Most often, ransomware uses public/private key encryption, and decryption of the machine is possible only if the ransom is paid.

Lechiffre is the new kid on the block. It must be manually run on a compromised system, requiring access to vulnerable devices like desktops to run. Once infected, Lechiffre encrypts the files and appends its signature to the file names as an extension "lechiffre", says Subramanian.
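As an added defender-side example (not from the article or from any vendor), the Python scan below looks for the two host artifacts the article attributes to Lechiffre: files renamed with the "lechiffre" extension and a dropped ransom-note text file. The ransom-note keywords, the per-host threshold and the sample file tree are assumptions constructed for illustration.

```python
"""Scan a directory tree for indicators of a Lechiffre-style infection: files
renamed with a '.lechiffre' extension and a dropped ransom-note text file."""
import os
import tempfile
from collections import Counter

RANSOM_EXT = ".lechiffre"               # extension the article says Lechiffre appends
NOTE_MARKERS = ("encrypted", "bitcoin")  # assumed ransom-note keywords (not from the article)


def scan_tree(root):
    """Return (encrypted_files, note_files, per_directory_counts) under root."""
    encrypted, notes, per_dir = [], [], Counter()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(RANSOM_EXT):
                encrypted.append(path)
                per_dir[dirpath] += 1
            elif name.lower().endswith(".txt"):
                try:
                    with open(path, "r", errors="ignore") as fh:
                        text = fh.read(4096).lower()  # only the head of the file is needed
                except OSError:
                    continue
                if all(marker in text for marker in NOTE_MARKERS):
                    notes.append(path)
    return encrypted, notes, per_dir


def assess(root, threshold=3):
    """'infected' if a ransom note exists or at least `threshold` renamed files were found."""
    encrypted, notes, _ = scan_tree(root)
    return "infected" if notes or len(encrypted) >= threshold else "clean"


def build_sample_tree():
    """Constructed sample data: a small tree mimicking a post-infection host."""
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    for original in ("q1.xlsx", "policy.docx", "ledger.pdf"):
        open(os.path.join(docs, original + RANSOM_EXT), "wb").close()
    with open(os.path.join(docs, "_HOW_TO_DECRYPT.txt"), "w") as fh:
        fh.write("Your files are encrypted. Send one bitcoin per computer.")  # constructed note
    open(os.path.join(root, "readme.txt"), "w").close()  # benign text file, must not match
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    enc, notes, per_dir = scan_tree(sample)
    print(f"{assess(sample)}: {len(enc)} renamed files, {len(notes)} ransom note(s)")
```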

"As this is a form of APT attack, attackers are mostly in the network for as long as eight to nine months. And these attackers don't negotiate; they simply tarnish the reputation of the company," argues Prasanna.

Often after such an attack, the victim organizations don't approach law enforcement, fearing adverse impact on the brand image. But the trend is changing. I hear of several APT cases in which law enforcement groups resolved big cases and restored the organisation's credibility.

Securing against Malware

There are over 100 banks and top enterprises in India - potential prospects for extortionists. Security experts lament that, indirectly, in a zeal to create a cybersecure environment, India is harnessing many black hat hackers.

To defend against ransomware, CISOs must:

  • Ensure competent professionals do the APT or zero-day assessment;
  • Realize that not reporting to the police for fear of reputational risk may lead to criminal prosecution against the company;
  • Invest in secure practices, security education, security tools and solutions, and plenty of oversight;
  • Understand that an APT assessment can find backdoors already planted by hackers in the network;
  • Remediate all zero-day vulnerabilities (which could be exploited) on network devices, servers and computers;
  • Use competent internet security technology for desktops (with heuristics and behaviour-blocking technologies).

Most ransomware can be blocked if organizations will use up-to-date operating systems, keeping them fully patched, running good security software, and not opening any suspicious email attachments. But as we all know, that's a lot to ask of many organizations, which operate on a volatile mixture of outdated and unpatched systems and devices.

Caution: What's in the Cards?

Globally, cyber extortion is expected to trend strongly in 2016, largely driven by Windows-based crypto-ransomware. According to Trend Micro, data breaches will be employed to mine data, and these operations may not necessarily be driven by financial gain, but rather to expose questionable corporate practices or get to other classified information.

In India, experts expect to see these same global trends take root. Look for additional news reports of organizations under siege by attackers demanding bitcoin ransom.

My advice to CISOs: Be familiar with various sections of the IT Act before yielding to such ransom demand. And always involve law enforcement in your response.

Singh recommends strict compliance with security standards such as ISO 27001 and PCI DSS, which may reduce exposure to such malware infections.

Based on your own experience and observations of these latest crime trends, what are your thoughts on how to deal with the new scourge called ransomware?



About the Author

Geetha Nandikotkur

Managing Editor, Asia & the Middle East, ISMG

Nandikotkur is an award-winning journalist with over 20 years' experience in newspapers, audio-visual media, magazines and research. She has an understanding of technology and business journalism, and has moderated several roundtables and conferences, in addition to leading mentoring programs for the IT community. Prior to joining ISMG, Nandikotkur worked for 9.9 Media as a Group Editor for CIO & Leader, IT Next and CSO Forum.
