Russian Gang Making Millions Hacking Cities and Counties across America

Once upon a time, North Korea only cared about cyber espionage. Most of the time, they wanted to spy on South Korea or disrupt South Korean operations. Then, a terrible thing happened. The world began to impose sanctions on them. Life became difficult. Not only could the Dear Leader not get the luxury goods he needed to maintain his lavish lifestyle, but the country could not get money to support its military development. They needed to find a way to get money one way or another. The ‘another’ way was through hacking.

North Korean hackers have been very successful in making money. According to a U.N. report, North Korea has made $670 million in its hacking pursuits. The following diagram from Forbes shows some of the most successful attacks.

[Figure: Forbes diagram of North Korea’s most successful hacks]

The group behind these hacks is referred to in cybersecurity circles as the Lazarus Group. The ringleader of the group is the unassuming-looking Park Jin Hyok, now under indictment.

[Photo: Park Jin Hyok]

Hyok has been charged with creating the sophisticated WannaCry ransomware, which has been estimated to have caused $4 billion in damages. North Korea claims Hyok doesn’t exist.

But what, you might rightly ask, has any of this to do with Russia hacking American cities? Well, that’s connected to North Korean malware development, and, more specifically, to North Korea’s dedication to developing better strains of ransomware. Among these was one that targeted the banking sector. It was called Hermes, and it was successful in several attacks on banks.

Cybersecurity researchers have determined that the Hermes code forms the basis for a new strain of ransomware called Ryuk, which has been found behind a flurry of attacks on American cities and counties. It is no wonder, then, that these attacks were initially attributed to North Korea. Now, however, the same researchers claim that the original Hermes code may have been manipulated elsewhere – and that elsewhere is Russia. The Hermes code has been offered for sale since 2017, and most of these points of sale have been traced to Russia and a crime group known as Grim Spider.

Several cybersecurity firms agree on this point; others, however, claim that the software may have been initially developed in Russia but bought by North Korea. The evidence for this is that, at about the same time the code went on sale, North Korea successfully attacked the Far Eastern International Bank of Taiwan. In this attack, Hermes ransomware was used to distract the bank from the attacker’s ultimate mission: stealing $60 million. So, either North Korea developed and then dumped the ransomware, or it picked up a copy from the Russians for $300.

[Image: Hermes ransomware sale price listing]

Attribution is always a nightmare, but attribution makes little difference to the victims. They just know that somehow they’ve managed to lose a lot of money or data. They just want to know how it happened so that it doesn’t happen again.

So, with this in mind, why are these attackers, wherever they may come from, attacking cities and counties across America? The answer comes from the leverage that ransomware uses to make money. Ransomware criminals will only attack businesses or institutions that hold vast quantities of important data; data so important, in fact, that the victims will be willing to pay a high price to get it back. And what is the only valuable commodity that cities and counties have? That’s right: data.

But all hacks have to start somewhere. To get into a city or county’s network, these criminals need to use conventional hacking techniques, and that generally means phishing. Phishing succeeds in proportion to the number of potentially vulnerable endpoints. Few institutions have more endpoints than government institutions. Add to this frequently outdated or non-upgraded operating systems, and you have a perfect victim profile.

According to NetMarketShare, Windows is the world’s preferred operating system and, within Windows, Windows 7 and older versions still hold onto almost 45% of the desktop/laptop market. Microsoft will stop supporting Windows 7 in 9 months, and my guess is that criminals are eagerly preparing for that day. I also suspect that many cities, towns, and counties use these older operating systems. The percentages may even be higher than those mentioned above. Why? Because changing over or upgrading to a new operating system within a large network is often too expensive and too time-consuming. Besides, workers have worked within the confines of the older systems for a long time and have become accustomed to their peculiarities. Long-time workers really don’t want to change. They see no real purpose in it and may, in fact, actually resist upgrades. Upgrading would push them into a retraining regimen which they will only grudgingly attend. It’s a management nightmare. So, many municipalities put upgrading on the back burner, which is why their infrastructure is set up for a ransomware attack. Enter Ryuk.

Ryuk does not gain its initial foothold on its own. The foundation for it is prepared by the spam-spreading Trojans TrickBot and Emotet. Once installed, they will work their way through a network, mapping it as they go. Most of the time, these Trojans are used to gather information and propagate spam. In the process, they will harvest administrative credentials. The criminals can then use these credentials to turn off security software and download Ryuk. (It should be noted that not all TrickBot/Emotet infections result in a Ryuk attack.) The criminals use information sent to them during the initial infection to determine whether a particular network is worth attacking or not. In short, does this network have a lot of data? These criminals are opportunists and will attack any target that looks like it will pay a large amount of money to get its data back. The very fact that Ryuk is attacking the networks of cities and counties simply shows that the malware has identified their vulnerabilities. It doesn’t necessarily mean the criminals are targeting them specifically.

Once on a network, Ryuk, being ransomware, will encrypt important data files. It also kills off any backups and adds a key to the registry so that it runs again at each boot. The victim will then get a message telling them of the encrypted data and explaining how to pay the ransom in Bitcoin.
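The three on-host behaviours described above (backup destruction, a registry Run-key entry for persistence, and a burst of file encryption) are exactly what a defender can watch for on an endpoint. The following is an added example, not code from the original post or from any vendor named in it: a small Python triage script that runs over constructed process, registry and file events in a made-up `ts|host|kind|detail` line format and flags hosts showing those behaviours. The specific command-line patterns for backup deletion, the "suspicious" autorun image directories and the mass-modification threshold are assumptions chosen for illustration, not figures from the post.

```python
"""Host-level detection of the Ryuk-style behaviours the post describes:
backup destruction, Run-key persistence, and mass file encryption.
The log format, patterns and sample telemetry are constructed for this example."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str      # "process", "registry" or "file"
    detail: str    # command line, "key=image" pair, or written file path


def parse_events(text):
    """Parse the constructed 'ts|host|kind|detail' line format (assumed, not a real log format)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, kind, detail = line.split("|", 3)
        events.append(Event(datetime.fromisoformat(ts), host, kind, detail))
    return events


# Command lines commonly associated with backup destruction (assumed typical;
# the post only says Ryuk "kills off any backups").
BACKUP_TAMPER = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete\s+catalog",
    re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Directories an autorun entry normally should not point into (assumption).
SUSPICIOUS_DIRS = re.compile(r"\\Users\\Public\\|\\Temp\\", re.IGNORECASE)


def detect_backup_tampering(events):
    """Process events whose command line matches a backup-deletion pattern."""
    return [e for e in events if e.kind == "process" and BACKUP_TAMPER.search(e.detail)]


def detect_run_key_persistence(events):
    """Run-key writes whose image path lives in a user-writable scratch directory."""
    hits = []
    for e in events:
        if e.kind != "registry" or not RUN_KEY.search(e.detail):
            continue
        _, _, image = e.detail.partition("=")
        if SUSPICIOUS_DIRS.search(image):
            hits.append(e)
    return hits


def detect_mass_file_modification(events, threshold=50, window=timedelta(seconds=60)):
    """Hosts where at least `threshold` file writes fall inside one sliding time window."""
    by_host = defaultdict(list)
    for e in events:
        if e.kind == "file":
            by_host[e.host].append(e.ts)
    flagged = []
    for host, stamps in by_host.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(host)
                break
    return flagged


def triage(events):
    """Map each host to the sorted list of behaviours observed on it."""
    findings = defaultdict(set)
    for e in detect_backup_tampering(events):
        findings[e.host].add("backup_tampering")
    for e in detect_run_key_persistence(events):
        findings[e.host].add("run_key_persistence")
    for host in detect_mass_file_modification(events):
        findings[host].add("mass_file_modification")
    return {h: sorted(v) for h, v in findings.items()}


# Constructed sample telemetry: ws-17 shows the full pattern, ws-03 is benign.
SAMPLE_LOG = "\n".join(
    ["2019-04-10T09:01:02|ws-17|process|cmd.exe /c vssadmin delete shadows /all /quiet",
     "2019-04-10T09:01:05|ws-17|registry|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater=C:\\Users\\Public\\updater.exe",
     "2019-04-10T09:01:07|ws-17|process|wbadmin delete catalog -quiet"]
    + [f"2019-04-10T09:02:{i:02d}|ws-17|file|C:\\Shares\\Finance\\doc{i}.xlsx" for i in range(60)]
    + ["2019-04-10T10:15:00|ws-03|process|notepad.exe C:\\Users\\alice\\notes.txt",
       "2019-04-10T10:16:00|ws-03|registry|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive=C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
       "2019-04-10T10:17:00|ws-03|file|C:\\Users\\alice\\notes.txt"])

if __name__ == "__main__":
    for host, behaviours in triage(parse_events(SAMPLE_LOG)).items():
        print(host, behaviours)
```

Each detector on its own produces false positives (an administrator legitimately clearing shadow copies, a user installing a tool into their profile), which is why `triage` reports the combination per host: a machine showing backup tampering, new autorun persistence and a burst of file writes within minutes is the pattern worth paging on.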

The following table shows the cities and towns that have been attacked across North America in the first four months of this year.

[Table: cities and towns attacked across North America in the first four months of this year]

Notice the upsurge of attacks in the last month alone. This correlates with findings from Malwarebytes, which found a 189% increase in ransomware attacks on businesses compared with the fourth quarter of last year. But look at what has happened with ransomware since the same time last year, and it’s no accident that its increase parallels the increase in Trojans like TrickBot and Emotet.

[Chart: increase in ransomware alongside the increase in TrickBot and Emotet]

It is just a matter of time before the next city or county is hacked with ransomware. The hack will begin with a phishing email which tricks an unsuspecting employee. If the statistics above are any indication, we can expect this to happen any time now. Unfortunately, preemptive measures, such as educating staff on how to be careful, have never proved to be very successful.

The InZero Solution

A better solution is to implement endpoint architecture which doesn’t depend on the online behavior of employees. InZero Systems, for example, separates any endpoint at the hardware level, effectively making one device into two devices, one of which connects only to a protected network while the other is used for normal online activity. The architecture prevents ransomware from crossing over to the side of the device on which important data can be accessed by an employee. It’s a far better solution than hoping a curious employee doesn’t click on a bad link or download what seems like a legitimate file. Clicking on a bad link may, in fact, allow malware onto the normal side of the device, but, even if this happens, the hardware separation makes it impossible for the malware to cross over to the network-facing side of the device. In short, the network remains safe from irresponsible employee behavior. With ransomware attacks rising at an alarming rate, all networks with numerous endpoints need to take note. You may be next.
