Ransomware
Legal Requirements & Best Practices Ransomware negotiation example
2016 Test Study (real example)
1. Was able to negotiate a 29% discount on 3 of 4 infections
2. The best interface didn't result in the best customer service
3. Deadlines can be extended
Some tactics used: "busy weekend, not that valuable, too much, etc."
https://business.f-secure.com/3-surprising-things-you-didnt-know-about-ransomware
Reasons Ransom not Paid?
42% had a backup
16% policy not to pay
15% didn't trust hacker
14% data wasn't important
10% law enforcement said no
Which companies does the GDPR affect?
Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU. Specific criteria for companies required to comply are:
What types of privacy data does the GDPR protect?
Basic identity information such as name, address and ID numbers
Web data such as location, IP address, cookie data and RFID tags
Health and genetic data
Biometric data
Racial or ethnic data
Political opinions
Sexual orientation
GDPR Regulation
Companies will need the same level of protection for things like an individual's IP address or cookie data as they do for name, address and Social Security number.
Why should you isolate infected computer systems
Infected systems should be removed from the network as soon as possible to prevent ransomware from attacking network or share drives
Nomoreransom.org
Site backed by security firms and cybersecurity organizations
Launched in July 2016
Estimated to have saved 6,000 victims and more than 2M in first 6 months
Legal Requirements & Best Practices What do insurance policies say?
1) Every reasonable effort to determine that the extortion demand has actually occurred and is not a hoax
2) Every reasonable effort to notify the FBI or law enforcement, and comply with recommendations
3) Actually paid after consent is given
History of Ransomware Describe some variants
Some variants encrypt just the files on the infected device.
Other variants also encrypt the contents of shared or networked drives, externally attached storage media devices, and cloud storage services that are mapped to infected computers.
Topics covered under Legal Requirements & Best Practices
1. Does ransomware trigger a legal obligation to notify?
2. Should you pay the ransom? If so, how do you do it? What if there is a dramatic change in the value of Bitcoin? Are ransoms negotiable?
3. When should you notify your carrier? Can you pay a ransom w/o consent?
4. Should you notify law enforcement?
5. Does GDPR have any impact on response to ransomware events?
Legal Requirements & Best Practices How do you pay the ransom? Customer Services?
1. Messaging platforms to talk directly with an agent
2. FAQ, Support, Decrypt 1 file for free
Legal Requirements & Best Practices Stats on paying the Ransom - USA is an Easy Mark for Ransomware Scammers
64 percent of Americans cave in to digital extortion
Ransomware escalated across the globe as a profit center for criminals. Symantec identified 100 new malware families released into the wild, more than triple the amount seen previously, and a 36 percent increase in ransomware attacks worldwide. The United States was the biggest - and softest - target. Symantec found 64 percent of Americans are willing to pay a ransom, compared to 34 percent globally. And the average ransom spiked 266 percent, with criminals demanding an average of $1,077 per victim.
Source: 2017 Internet Security Threat Report
CTB-Locker
CTB-Locker emerged in June 2014 and is one of the first ransomware variants to use Tor for its C2 infrastructure. CTB-Locker uses Tor exclusively for its C2 servers and only connects to the C2 after encrypting victims' files. Additionally, unlike other ransomware variants that utilize the Tor network for some communication, the Tor components are embedded in the CTB-Locker malware, making it more efficient and harder to detect. CTB-Locker is spread through drive-by downloads and spam emails.
What does GDPR stand for?
General Data Protection Regulation. The General Data Protection Regulation (GDPR), agreed upon by the European Parliament and Council in April 2016, will replace the Data Protection Directive 95/46/EC in Spring 2018 as the primary law regulating how companies protect EU citizens' personal data.
History of Ransomware What are the basic attack types? What are some common ones?
Basic attack types: Locker, Crypto, Denial of Service (DDoS)
Common ones: CryptoWall, CTB-Locker, TeslaCrypt, MSIL/SAMAS, Locky
MSIL or Samas (SAMSAM)
MSIL or Samas (SAMSAM) was used to compromise the networks of multiple U.S. victims, including 2016 attacks on healthcare facilities that were running outdated versions of the JBoss content management application. SAMSAM exploits vulnerable Java-based Web servers. SAMSAM uses open-source tools to identify and compile a list of hosts reporting to the victim's Active Directory. The actors then use psexec.exe to distribute the malware to each host on the network and encrypt most of the files on the system. The actors charge varying amounts in Bitcoin to provide the decryption keys to the victim.
Legal Requirements & Best Practices How do you pay the ransom? Outside help?
Read an article recently that some firms are preparing digital wallets, holding cryptocurrency and buying dips to prepare to pay in the event of a ransom. If you're inclined to pay, this is a good step to be prepared. However, paying is not really the recommended option, although that's a decision that each company needs to make. Follow the advice of the breach coach and forensics firm (maybe more info here needed).
Information on Slides 12-14 (Legal Requirements & Best Practices)
Slide 12
1. Carrier Notification
2. Investigation - is it a data breach? - when are forensics needed? - outside counsel?
3. Restore from backup - preserve data for analysis before restoring
4. Paying the ransom - should you do it? - use of a third party vendor?
Slide 13 - Reasons Ransom not Paid?
42% had a backup
16% policy not to pay
15% didn't trust hacker
14% data wasn't important
10% law enforcement said no
Slide 14 - Reasons not reported to law enforcement?
51% didn't want to publicize
17% didn't think extortion was large enough
10% afraid of retaliation
21% other
Isolate or power-off affected devices that have not yet been completely corrupted
This may afford more time to clean and recover data, contain damage, and prevent worsening conditions.
Contact law enforcement immediately
We strongly encourage you to contact a local field office of the Federal Bureau of Investigation (FBI) or U.S. Secret Service immediately upon discovery to report a ransomware event and request assistance.
Legal Requirements & Best Practices When should you notify the carrier? Can you pay without consent?
You should notify as soon as possible, and prior to making payment. I can't say definitively that you can pay and then seek reimbursement, as you need to think about the policy language. However, oftentimes claims handlers will take circumstances into consideration and evaluate on a case-by-case basis.
History of Ransomware How is Ransomware Delivered?
Ransomware is delivered through e-mail phishing campaigns, which typically require the user to take an action such as clicking on a link or downloading a malicious attachment. Other campaigns use drive-by downloads, where a user visits a malicious website or a site that has been compromised, and the act of loading the site causes the ransomware to automatically download onto the user's computer. In addition, ransomware is delivered through "malvertising" campaigns, where malicious code is hidden in an online ad that infects the user's computer. These attacks can occur even on trusted websites through third-party ad networks that redirect the user to an infected server. Attackers also have exploited server-side vulnerabilities to deliver ransomware payloads by searching for networks that had failed to patch known vulnerabilities.
History of Ransomware Walk through the timeline
- AIDS Trojan: Modern-day ransomware has evolved considerably since its origins 26 years ago with the appearance of the AIDS Trojan.
- Trojan.Gpcoder: Even at this early stage, the first wave of modern crypto ransomware threats appeared. The Trojan.Gpcoder family emerged in May 2005, initially using custom encryption techniques which were weak and easily overcome. They also used symmetric encryption algorithms, which meant the same key was used for both encryption and decryption.
- Trojan.Cryzip: By early 2006, the concept of crypto ransomware started to gain traction as attackers started to experiment with the idea. This renaissance in crypto ransomware led to the appearance of threats like Trojan.Cryzip in March 2006. Cryzip copied data files into individual password-protected archive files and then deleted the originals. However, the password was actually embedded inside the code of the Trojan itself, making it easy to recover the password.
- Fake anti-virus: The next pivot point happened between 2008 and 2009, when cybercriminals switched to using fake antivirus programs, a more aggressive subcategory of misleading applications. The tools mimicked the appearance and functionality of legitimate security software and performed mock scans, claiming to find large numbers of threats and security issues on the computer. The user was then asked to pay a fee of between US$40 and US$100 to fix the fake problems. They may also have been asked to pay for bogus multi-year support services. However, some fake AV victims chose to ignore the alerts or removed the software, resulting in a lower return on investment for the cybercriminals.
- Locker: From 2011 to 2012, attackers transitioned from fake antivirus tools to a more disruptive form of extortion. This time, the cybercriminals disabled access and control of the computer, effectively locking up the computer from use.
- Crypto Ransomware: Deficiencies in all the other extortion schemes ultimately led the cybercriminals back to the original type of ransomware. From 2013 to the present day, there has been a pivot back to crypto ransomware. Crypto ransomware tends not to use social engineering; instead it is upfront about its intentions and demands. The threats typically display an extortion message, offering to return data upon payment of hefty ransoms. Crypto ransomware has raised the bar on ransom amounts to a new level. A typical crypto ransomware threat requests payment of around US$300 for a single computer. Today's crypto ransomware threats are much more capable than their predecessors, with stronger operational and encryption procedures.
What do you report to IC3?
1. Date of Infection
2. Ransomware Variant (identified on the ransom page or by the encrypted file extension)
3. Victim Company Information (industry type, business size, etc.)
4. How the Infection Occurred (link in email, browsing the Internet, etc.)
5. Requested Ransom Amount
6. Actor's Bitcoin Wallet Address (may be listed on the ransom page)
7. Ransom Amount Paid (if any)
8. Overall Losses Associated with a Ransomware Infection (including the ransom amount)
9. Victim Impact Statement
What are secondary things you can do to prevent ransomware?
1. Focus on awareness and training. Because end users are often targeted, employees should be made aware of the threat of ransomware, how it is delivered, and trained on information security principles and techniques.
2. Patch all endpoint device operating systems, software, and firmware as vulnerabilities are discovered. This precaution can be made easier through a centralized patch management system.
3. Manage the use of privileged accounts by implementing the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary; they should operate with standard user accounts at all other times.
4. Configure access controls with least privilege in mind. If a user only needs to read specific files, he or she should not have write access to those files, directories, or shares.
5. Use virtualized environments to execute operating system environments or specific programs.
6. Categorize data based on organizational value, and implement physical/logical separation of networks and data for different organizational units. For example, sensitive research or business data should not reside on the same server and/or network segment as an organization's e-mail environment.
7. Require user interaction for end user applications communicating with Web sites uncategorized by the network proxy or firewall. Examples include requiring users to type in information or enter a password when the system communicates with an uncategorized Web site.
8. Implement application whitelisting. Only allow systems to execute programs known and permitted by security policy.
What do you do if infected by ransomware?
1. Isolate the infected computer immediately
2. Isolate or power off affected devices that have not yet been completely corrupted
3. Immediately secure backup data or systems by taking them offline, and ensure they are free of malware
4. Contact law enforcement immediately
5. If available, collect and secure partial portions of the ransomed data that might exist
6. Change all online account passwords and network passwords after removing system data
7. Delete registry values and files to stop the program from loading
8. Implement security incident response plan
How can law enforcement help?
1. Law enforcement may be able to use legal authorities and tools that are unavailable to most organizations
2. Law enforcement can enlist the assistance of international law enforcement partners to locate the stolen or encrypted data or identify the perpetrator
3. Law enforcement agencies and the Department of Homeland Security's National Cybersecurity and Communications Integration Center can assist organizations in implementing countermeasures and provide information and best practices for avoiding similar incidents in the future
Legal Requirements & Best Practices Should you pay the ransom?
1. Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after paying a ransom.
2. Some victims who paid the demand were targeted again
3. After paying the original ransom, more was demanded
4. Paying encourages the criminal business model
5. Shareholders, customers, employees
6. Technical feasibility, timeliness and cost of restarting systems
Topics covered under History of ransomware and basic attack types
1. Provide history on how ransomware has evolved over time (walk through timeline)
2. Basic types of attacks
- Locker
- Crypto
- Denial of Service
What primary measures can you take to prevent ransomware
1. Regularly back up data and verify the integrity of those backups. Backups are critical in ransomware incidents; if you are infected, backups may be the best way to recover your critical data.
2. Secure your backups. Ensure backups are not connected to the computers and networks they are backing up. Examples might include securing backups in the cloud or physically storing them offline. It should be noted, some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real-time, also known as persistent synchronization.
3. Scrutinize links contained in e-mails and do not open attachments included in unsolicited e-mails.
4. Only download software - especially free software - from sites you know and trust. When possible, verify the integrity of the software through a digital signature prior to execution.
5. Ensure application patches for the operating system, software, and firmware are up to date, including Adobe Flash, Java, Web browsers, etc. Ensure anti-virus and anti-malware solutions are set to automatically update and regular scans are conducted.
6. Disable macro scripts from files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office Suite applications.
7. Implement software restrictions or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular Internet browsers, or compression/decompression programs, including those located in the AppData/LocalAppData folder.
Reasons not reported to law enforcement?
51% didn't want to publicize
17% didn't think extortion was large enough
10% afraid of retaliation
21% other
Legal Requirements & Best Practices Ransomware & HIPAA?
A breach under the HIPAA Rules is defined as, "... the acquisition, access, use, or disclosure of [protected health information] PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI." See 45 C.F.R. 164.402. When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a "disclosure" not permitted under the HIPAA Privacy Rule. Unless the covered entity or business associate can demonstrate that there is a "... low probability that the PHI has been compromised," based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414.
History of Ransomware What is Denial of Service (DDoS)
Attackers traditionally blackmail businesses by unleashing an unexpected distributed denial-of-service (DDoS) attack against an organization's servers and then following up with an extortion demand. As a result of this, many organizations who are susceptible to DDoS attacks have enlisted the help of DDoS mitigation services to reduce the impact of these attacks. This in turn has encouraged cybercriminals to look for alternative ways to hold organizations to ransom by targeting one of their most critical infrastructural assets: the servers and the data held in them.
Legal Requirements & Best Practices Ransomware & the FTC?
Comments from the FTC in 2016: Have brought 60 enforcement actions against companies that have failed to reasonably secure data on networks. One component of reasonable security is that companies have procedures in place to address vulnerabilities as they arise, including malicious software. A company's unreasonable failure to patch vulnerabilities known to be exploited by ransomware might violate the FTC Act. For example, in a recent case against device manufacturer ASUS, we alleged that the company's pervasive security bugs left the company's routers vulnerable to malware, and that attackers exploited these vulnerabilities to reconfigure consumers' security settings and take control of consumers' Web activity. We also alleged that the company did not address these security vulnerabilities in a timely manner and did not notify consumers about the risks posed by their vulnerable routers. In another case against Wyndham Worldwide, we alleged that hackers infiltrated the network of a Wyndham franchisee, navigated to the company's network and the networks of other franchisees, and placed memory-scraping malware on the franchisees' servers. We alleged that these hackers exploited Wyndham's lax security to steal sensitive consumer data from dozens of Wyndham franchisees. As these cases illustrate, businesses play a critical role in ensuring that they adequately protect consumers' information, particularly as security threats like ransomware escalate.
CryptoWall
CryptoWall and its variants have been actively used to target U.S. victims since April 2014. CryptoWall was the first ransomware variant that only accepted ransom payments in Bitcoin. The ransom amounts associated with CryptoWall are typically between $200 and $10,000. Following the takedown of the CryptoLocker botnet, CryptoWall has become the most successful ransomware variant with victims all over the world. Between April 2014 and June 2015, IC3 received 992 CryptoWall-related complaints, with victims reporting losses totaling over $18 million. CryptoWall is primarily spread via spam email but also infects victims through drive-by downloads and malvertising.
DDoS Mitigation
Detection - abnormal traffic flows identified
Diversion - traffic is redirected
Filtering - bad traffic is weeded out while clean traffic is passed on
Analysis - security logs are used to improve resilience
Network capacity - the main way of measuring mitigation services, measured in Gbps (gigabits per second) or Tbps (terabits per second)
Recovery can take minutes to hours
Information on Slides 3-4 (History of Ransomware)
Evolution of Ransomware timeline
- AIDS Trojan
- Trojan.Gpcoder
- Trojan.Cryzip
- Fake anti-virus
- Locker
- Crypto Ransomware
Types of Attacks
- Locker
- Crypto
- Denial of Service (DDoS)
Legal Requirements & Best Practices Example Negotiating
However, on or about February 5, a hospital in California fell victim to ransomware which effectively shut down the hospital's IT systems. The Hollywood Presbyterian Medical Center was reported to have had their systems compromised by the malware attack, and some media sources have set the purported ransom demands to be as high as US $3.6 million. After repeated attempts to restore their systems and data, it was reported on February 18 that the hospital paid a ransom to the perpetrator(s) of 40 bitcoins, the untraceable cryptocurrency, that was worth approximately US $17,000 at the time. While that is of course much less than $3 million, it is still a very significant cost which, when coupled with the public knowledge of the attack, places the hospital's reputation in question.
Legal Requirements & Best Practices Does GDPR impact how you should respond to ransomware? Any new requirements or the same?
You will find that a ransomware infection (or any malware infection) in a considerable number of your workstations and servers that are central to processing personal data would likely constitute a breach under the GDPR, and could trigger the notification obligation in Articles 33 and 34. Articles 33 and 34 provide the GDPR's guidance on contacting authorities and affected individuals. However, the catch here is that this is only necessary when, to paraphrase, the personal data breach is a risk to the "rights and freedoms of natural persons". "Practically speaking, incident response plans need to be updated and include checks to determine whether the GDPR notification obligation is triggered by different incidents," says Hannes.
Locky
In early 2016, a destructive ransomware variant, Locky, was observed infecting computers belonging to businesses globally, including those in the United States, New Zealand, Australia, Germany and the United Kingdom. Locky propagates through spam emails that include malicious Microsoft Office documents or compressed attachments (e.g., .rar, .zip) that were previously associated with banking Trojans such as Dridex and Pony. The malicious attachments contain macros or JavaScript files to download the Locky files. Recently, this ransomware has also been distributed using the Nuclear Exploit Kit.
History of Ransomware What is Locker Ransomware
Locker ransomware is designed to deny access to computing resources. This typically takes the form of locking the computer's or device's user interface and then asking the user to pay a fee in order to restore access to it. Locked computers will often be left with limited capabilities, such as only allowing the user to interact with the ransomware and pay the ransom. This means access to the mouse might be disabled and the keyboard functionality might be limited to numeric keys, allowing the victim to only type numbers to indicate the payment code. Locker ransomware is typically only designed to prevent access to the computer interface, largely leaving the underlying system and files untouched. This means that the malware could potentially be removed to restore a computer to something close to its original state. This makes locker ransomware less effective at extracting ransom payments compared with its more destructive relative, crypto ransomware. Tech-savvy victims are often able to restore access using various tools and techniques offered by security vendors such as Symantec. Because locker ransomware can usually be removed cleanly, it tends to be the type of ransomware that goes to great lengths to incorporate social-engineering techniques to pressure victims into paying. This type of ransomware often masquerades as law enforcement authorities and claims to issue fines to users for alleged online indiscretions or criminal activities. Locker ransomware can be particularly effective on devices that have limited options for users to interact with. This is a potential problem area considering the recent boom in wearable devices and the Internet of Things (IoT), where millions of connected devices could potentially be at risk from this type of ransomware.
Reveton ransomware started appearing at the end of 2012, locking users' computers by preventing them from logging in and displaying an official-looking message purporting to come from the FBI or a national police force (depending on the location of the infected computer). The message said that the user had been involved in illegal activity such as child pornography or software piracy, and that they could avoid further action and regain access to their computers by paying a "fine." Later versions also included password-stealing software that remained active even if the user paid the ransom.
Legal Requirements & Best Practices Are they are there any unintended consequences of GDPR?
Malicious actors will try to use GDPR to their advantage come May 25 by attacking an organization, figuring out what its GDPR penalty would amount to and demanding a ransom slightly lower than the penalty in the hopes that the C-suite will opt to brush the incident under the rug, according to a Trend Micro announcement. Ransomware families cost the world an estimated $5 billion in 2017, and three of the top families in 2016 carried over into the next year: Locky, Cerber and Cryptesla. But as the number of ransomware families increased 32% year-over-year from 247 to 327, the number of players decreased, according to Trend Micro's 2017 cyberthreats report. Business email compromise scams more than doubled between the first and second half of 2017, with almost 40% of attacks spoofing the CEO. CFOs were the most targeted individuals overall.
AlphaBay
Site of prolific drug suppliers
250,000 listings for illegal drugs
Seized in July 2017
Traced from Bitcoin
200,000 members
40,000 vendors
100,00 listings for stolen documents
Ran out of Thailand
History of Ransomware What is Crypto Ransomware
Taking files hostage by encryption and demanding money for their decryption. This type of ransomware is designed to find and encrypt valuable data stored on the computer, making the data useless unless the user obtains the decryption key. As people's lives become increasingly digital, they are storing more important data on their personal computers and devices. Many users are not aware of the need to create backups to guard against hard disk failures or the loss or theft of the computer, let alone a possible crypto ransomware attack. This could be because users don't have the know-how or don't realize the value of the data until it is lost. Setting up an effective backup process requires some work and discipline, so it's not an attractive proposition for the average user. Crypto ransomware targets these weaknesses in the typical user's security posture for extortion purposes. The creators of crypto ransomware know that data stored on personal computers is likely to be important to users. For example, the data could include things like memories of loved ones, a college project due for submission, or perhaps a financial report for work. The ransomware victims may be desperate to get their data back, preferring to pay the ransom to restore access rather than simply lose it forever and suffer the consequences. After installation, a typical crypto ransomware threat quietly searches for and encrypts files. Its goal is to stay below the radar until it can find and encrypt all of the files that could be of value to the user. By the time the victim is presented with the malware's message that informs them that their data is encrypted, the damage is already done. With most crypto ransomware infections, the affected computer continues to work normally, as the malware does not target critical system files or deny access to the computer's functionality. This means that users can still use the computer to perform a range of activities apart from accessing the data that has been encrypted.
TeslaCrypt
TeslaCrypt emerged in February 2015, initially targeting the video game community by encrypting gaming files. These files were targeted in addition to the files typically targeted by ransomware (documents, images, and database files). Once the data was encrypted, TeslaCrypt attempted to delete all Shadow Volume Copies and system restore points to prevent file recovery. TeslaCrypt was distributed through the Angler, Sweet Orange, and Nuclear exploit kits.
How should you report ransomware to law enforcement?
The FBI is requesting that victims reach out to their local FBI office and/or file a complaint with the Internet Crime Complaint Center with the following ransomware infection details (as applicable). IC3.gov Internet Crime Complaint Center
Legal Requirements & Best Practices Does ransomware trigger a legal obligation to notify individuals? what about regulatory agencies?
The answer is not straightforward. Has data been accessed or acquired by an unauthorized party, as those terms are defined by the relevant breach notification statutes? Are there risks that the attacker will use the data to harm the individuals whose data is affected? HHS issued informal guidance in 2016: it did not require exfiltration as a prerequisite for a breach that should be disclosed; the key phrase is "taken possession or control of data". Data at low risk of being compromised wouldn't need to be disclosed; however, as it relates to ransomware this is not clearly defined, and the concern is the risk of unavailability of the data, or the integrity of the data. State attorneys general haven't issued guidance on ransomware attacks & disclosure.
Why wouldn't you report?
Victims may not report to law enforcement for a number of reasons, including concerns over not knowing where and to whom to report; not feeling their loss warrants law enforcement attention; concerns over privacy, business reputation, or regulatory data breach reporting requirements; or embarrassment. Further, those who resolve the issue internally either by paying the ransom or by restoring their files from back-ups may not feel a need to contact law enforcement. But victim reporting provides law enforcement with a greater understanding of the threat, provides justification for ransomware investigations, and contributes relevant information to ongoing ransomware cases. Knowing more about victims and their experiences with ransomware will help the FBI to determine who is behind the attacks and how they are identifying or targeting victims. In summary, should you report the attack to the FBI, even though they can't necessarily help solve the problem? Definitely. Reporting incidents of ransomware will help bring such nefarious activities out in the public domain where security researchers can study their incidence further. Further, it can also help authorities crack down on the hackers.
Legal Requirements & Best Practices What impact does bitcoin volatility have on ransoms? Can you negotiate?
Volatility disrupts the ransomware business model. Ransoms become too expensive, and they take longer to pay.
75% drop-off in bitcoin-denominated ransomware demands in Q4 2017.
Look for ransoms to be set in dollar amounts of Bitcoin rather than a fixed amount of bitcoin.
Ditching Bitcoin in favor of alt coins like Monero. As with any business, the preference is for a more stable currency.
Bitcoin popularity has also increased transfer fees ($54); that's almost 1/6th of the $300 demand from WannaCry.
Bitcoin may also be more traceable than originally thought (several high-profile takedowns - AlphaBay).
WannaCry stats: about 340 payments made, 140K - would be worth more than 1M today.
Scarab has developed a name-your-own-price model.
The Cloud is a Dangerous Place
Vulnerabilities in cloud infrastructure provide the next frontier for cyber crime. A growing reliance on cloud services creates vulnerabilities for organizations. Tens of thousands of MongoDB (cloud) databases were hijacked and held for ransom in 2016 after users left outdated versions exposed, without authentication turned on. CIOs have lost track of how many cloud apps are in use in their organizations: their guess was 40, when in reality the number nears 1,000. Ungoverned access and shadow IT present significant risk. Symantec predicts that unless CIOs get a firmer grip on cloud app usage and access, attackers will exploit these cracks in the cloud.