Stop calling all hacks with ransom demands “ransomware”

For the past year, I’ve been criticizing entities that describe their data leaks as “hacks” (cf, this article of mine on The Daily Dot or this post as examples). More recently, Zack Whittaker has also forcefully raised that issue on ZDNet. Whether other journalists will adapt their language and correctly report incidents as “leaks” instead of “hacks” – regardless of what the entity may claim – remains to be seen over time. But there’s a second language issue that this blogger would also like to see addressed: overuse or misuse of the word “ransomware.”

Anyone who reads reports on trends in data breaches is already aware that we have seen a significant increase in the number of ransomware attacks being disclosed over the past year. We have seen ransomware attacks evolving to include threats of releasing private information (“doxware“), and there’s even a strain of ransomware (Koolova) that doesn’t require any financial payment, but will only provide victims with a decryption key after they have read two articles on cybersecurity. You don’t even have to know how to code ransomware to use it, as Satan ransomware is available as a service for a percentage of the ransom you collect. And if you don’t like Satan, maybe Goldeneye will be more to your taste.

As I understood it, ransomware is a type of malware that either locks the screen or otherwise limits access to the user’s system or files until a ransom is paid; crypto-ransomware encrypts the victim’s files on the server and holds them hostage until payment is made, usually through cryptocurrency. But as the term “ransomware” was used, it always referred to a malware infection. Until now, it seems, when some people seem to call everything “ransomware” if there’s any ransom demand – regardless if there’s no malware involved. The following are some recent examples of what has been reported as “ransomware” when no real ransomware was involved.

“Ransom Scams”

Since the beginning of this month, we have seen an explosion of attacks on misconfigured databases. First it was MongoDB installations (more than 34,000 attacked as of yesterday), then ElasticSearch (more than 4,600), with attacks on CouchDB appearing in short order, too.

Despite attackers leaving messages claiming that the victims’ databases have been stolen and will be returned upon payment of ransom, there has been no evidence that the databases have either been encrypted on the server, or exfiltrated and saved. Volunteer researchers (of the GDI Foundation) including Victor Gevers, Niall Merrigan, Matt Bromiley, and Dylan Katz are finding that the databases are just being wiped out and ransom notes left in their place.

In light of the absence of “proof of life,” people who pay the demanded “ransom” are likely just giving the attackers a gift — free money for wiping out their database. Such payments only encourage more attacks of this kind, as it’s easy money for the attackers: wipe out an exposed database, claim to be holding it hostage, get paid, and go spend it on new toys.

If these attacks really boil down to hackers simply deleting databases and then lying about the victim’s ability to recover the data, wouldn’t it be more helpful for all of us to refer to these as “ransom scams” as opposed to “ransomware” attacks?

Real Ransom or Extortion Demands, but no “Ransomware”

It’s not just the recent wave of NoSql database attacks that are being mischaracterized as “ransomware,” though. This week, DataBreaches.net found itself questioning whether news outlets – and the victim itself – were accurately describing a hack on a charity as a “ransomware” attack.

When Muncie-based Cancer Services of East Central Indiana-Little Red Door (LRD), a small non-profit offering services and support to cancer patients, claimed to be the victim of a “ransomware” attack by TheDarkOverlord (TDO), this site was surprised, but reported it as such. It appeared, based on LRD’s executive director’s email to staff, as if TDO had changed their usual methods.

But according to TDO, they had not really changed their methods (although wiping the server is not something they have often done). In encrypted chats with DataBreaches.net, TDO denied that any ransomware was involved in the Little Red Door attack. TDO readily acknowledged the hack, the exfiltration of data, the wiping of a server and one backup, and an extortion demand, but at no time, TDO asserts, were any files encrypted or locked up and LRD was never offered a decryption key in exchange for payment. The extortion demand appeared to be the main threat: TDO would leak their clients’ personal and sensitive information if LRD didn’t pay up.

It was – and is – an ugly situation, to be sure, but from what TDO tells this site, this wasn’t a ransomware attack, and they are baffled as to why LRD would report it as such or claim that their data had been encrypted.

A Distinction Without a Difference?

People might argue that the difference between a hack with an extortion demand and an actual ransomware attack doesn’t make much difference. But what we call something or how we understand it does matter, and not just in our statistical analyses of external threats.

Ransomware attacks (not including RaaS) can be somewhat indiscriminate in terms of who gets attacked. TDO’s attacks are not random; they are targeted hacks. Think about that: a small non-profit organization that helps cancer patients was targeted by determined hackers. If LRD and other non-profit charities understand that instead of viewing LRD as an unfortunate but random victim of a ransomware attack, then perhaps LRD’s risk assessment and defenses going forward can more accurately reflect and address the risk they face. And perhaps other non-profit charities can think about whether they, too, are likely to be targeted by hackers who will try to extort them over the sensitive information they collect and store.

Yes, I know “ransomware” is the sexy headline these days, but this wasn’t ransomware, and the media’s misplaced focus on “ransomware” and calling blackhat hackers motivated for money “international cyberterrorists” distracted from the real story: even small non-profit organizations are in the sights of hackers who are out to get the personally identifiable information that you store about your clients or patients. Does your risk assessment include consideration of what would happen if hackers acquired your clients’ or patients’ data and threatened to leak it all unless you pay the thousands of dollars they may demand? If not, maybe it’s time to redo your risk assessment and to review your security program and any cyberinsurance policy to see what you might need to address.

* * *

Update: TDO has leaked client data from Little Red Door. Consistent with this site’s policy, I will not link to it. The leaked data include 6,047 deceased and living clients’ personal details such as name, address, telephone number, date of birth, and some caregiver details. The data also include the type of cancer, the type of treatment the patient was receiving, financial information on clients (but not account numbers), and health insurance information, including, in a number of cases, group numbers and policy numbers. It appears that no Social Security numbers or bank account information are involved.

Hopefully, surviving clients and caregivers will take steps to protect themselves from targeted phishing scams or medical identity theft. Because Little Red Door never replied to any communications from this site, I have no idea if they know what to do to get the data removed from public access. Hopefully, someone has told them.