Ransomware: The New Business of Hostage-Taking

In February 2020, the University of Maastricht organized a symposium about the fateful episode in December 2019 when the entire IT system of the university fell victim to a type of ransomware called Clop. The source was traced to a laptop, or at least that is what the computer security company Fox-IT concluded at the end of its investigation. It was on this laptop that someone had clicked on a link in a phishing e-mail, allowing cybercriminals to gain access to the university's system. Phishing e-mails appear as if they originate from respectable organizations but are in fact sent by cybercriminals to obtain sensitive information from a computer system or to gain access to the system. But the University of Maastricht story is a bit more complicated than a mere phishing attack. Arguably, the fault lay elsewhere in the system: some of the university's servers had not been updated for some time, which made them particularly vulnerable to cyberattacks. And the real culprits were, of course, the cybercriminals who used phishing e-mails and ransomware to penetrate the system and hold it hostage.

Ransomware has recently become one of the biggest dangers to IT systems. It encrypts valuable data and blocks access to the systems. Needless to say, the criminals usually demand a hefty sum for the access key that restores access to the data. The University of Maastricht was not the only victim in academia: several months before its systems were infected, the University of Antwerp was attacked by Clop as well. And in October 2020, the German conglomerate Software AG was attacked by criminals who used the same ransomware.
The Software AG hack shows how profitable such an attack can be. After successfully extracting employee information and company documents and encrypting the data, the hackers asked for $23 million to release the systems. With little likelihood of being caught and potential multimillion-dollar payouts, hackers are getting increasingly bold and opportunistic. Companies tend not to be very transparent about ransomware attacks, and at the time of writing this case it is still unclear how Software AG dealt with the attack.

The University of Maastricht hack shows how sophisticated cybercriminals have become. The first "penetration" of the system—through the phishing e-mail—took place in October 2019, two months before the system was taken hostage. During October and November, the cybercriminals slowly but surely increased their hold on the system, aided by the fact that some servers had not been updated. By December 23, they had disabled the antivirus software and encrypted 267 university servers, paralyzing the entire system.

At the February symposium, a security expert made an interesting observation about why the University of Maastricht had been chosen as a target. He compared the attack to shooting a gun loaded with hail. The hail goes in all directions, and it is only later that the shooter can determine who or what has been hit. Many universities and other institutions and companies were shot at, so to speak, but it was the University of Maastricht that was hit. The cybercriminals probably concluded that the university was a lucrative target; as many researchers and students rely on its network, the criminals expected that the university would be willing to pay large sums for a return to normalcy.
In addition, the university network contains a wealth of confidential data which, should it be made public, would harm individuals or companies linked to the university. For instance, the university has a medical faculty where research is conducted and sensitive patient data is collected. The university made a rational calculation: not paying would result in higher financial damages than paying. At the end of the day, the cybercriminals were paid 30 Bitcoins, which at the time was around €197,000.

The decision to pay was severely criticized in and outside the Netherlands. One argument against paying was that Dutch universities are funded by the state through the state budget, and many balked at the fact that money generated by Dutch taxpayers was being transferred to criminals. Moreover, while giving in to the ransom demand solved the issue in the short term, it was deemed entirely counterproductive in the long run. If every company or institution refuses to give in when their systems are held hostage, the whole business model of these cybergangs collapses. However, most companies and institutions choose to act in their immediate interests, paying to set the system free, which only encourages cybercriminals to shoot more hail.

One of the problems of ransomware is that it is sometimes difficult to recognize. After several such hacking incidents, a security analyst linked to McAfee analyzed the Clop software and concluded that the verification certificate (which establishes that the website is legitimate) used by the software looks so genuine that it is hardly distinguishable from the real thing. It often takes just one "hostage situation" before software is updated to account for the new threat; the problem, of course, is that cybercriminals are too often a step ahead of those trying to protect their systems. Experts point to a cybergang called TA505 as the culprit behind Clop attacks such as that on the University of Maastricht.
TA505 has been active since 2014 and is quite the professional outfit. Clop was first spotted in 2019, but it was not as efficient in the beginning. Some cyber-experts have concluded that TA505 developed Clop precisely because of its massive money-making potential. Once it takes a system hostage, TA505 comes up with financial demands to be paid in Bitcoins or other digital currencies. The key that unlocks the data is kept in a safe server to which only TA505 has access. If the company seems unwilling to pay, TA505 posts a trove of sensitive data on the dark net. This was the fate of a company called ExecuPharm, which offers research services to major players in the pharmaceutical sector. In the Software AG incident, details of people employed by the company were posted online.

According to experts, TA505 has also been responsible for Dridex, a form of malware that has been attacking individuals and banking institutions since 2015. After being downloaded through a Word or Excel e-mail attachment, Dridex infects the computer system and allows TA505 to steal passwords and other sensitive financial data. As TA505 becomes increasingly sophisticated and professional, so does its malware.

So how can companies protect themselves? Outdated systems are particularly vulnerable to malware attacks. The University of Maastricht case is evidence that employee awareness about phishing attacks—including cautiousness in opening e-mail attachments and handling unsolicited e-mails—is crucial. Another piece of advice that experts offer is to keep a copy of the system offline. For many organizations, however, this is easier said than done.
Systems change constantly, and keeping massive amounts of data offline may be very expensive. Nevertheless, it may be less expensive in the long run than falling victim to malware like Clop. But this still is only a partial solution; if cybercriminals penetrate the system, they will still have access to sensitive data that they can publish on the dark net. A final piece of advice given by experts is to never pay the ransom money. More often than not, cybercriminals don't give the key even after having been paid (though the University of Maastricht was a notable exception).

The threat from ransomware is getting more dangerous by the day. In 2020, a hospital in Düsseldorf, Germany fell victim to a ransomware attack. The attack may have been a mistake; a university rather than the hospital seems to have been the target, and as soon as the cybergang responsible for the attack became aware of the mistake, they provided the police with a key to set the systems free. Nonetheless, the hospital was forced to go into lockdown for a certain period, during which a woman had to be taken to another hospital to receive care. The woman sadly died, quite possibly because of the delay in receiving medical aid.

Clop is hardly the only ransomware around. Another dangerous variety is Sodinokibi. Travelex, the British foreign exchange company, fell victim to a Sodinokibi attack in December 2019. Many of its services were affected, and it became impossible to order Travelex Money Cards online. According to the Wall Street Journal, Travelex paid $2.3 million to set the system free. Like Software AG, Travelex was not very transparent about what had happened, but this is not surprising. In the case of Travelex, as in so many others, the vulnerability in the system may have resulted from a failure to update systems adequately.
Several security agencies, including the FBI, have warned that ransomware attacks are definitely on the rise, but for banks and other companies handling sensitive data, a ransomware attack is a huge blow to their reputation as well, so they are not very forthcoming in disclosing all information. It is thus difficult to gauge exactly how many companies fall victim to ransomware attacks each year.

Case contributed by Bernard Bouwman