By Allan Lengel
ticklethewire.com
DETROIT — Someone hacked into the computer system at the city-run Lansing Board of Water & Light last April 25, froze certain files and demanded that the utility pay a ransom to regain access.
Things are back to normal, but the city paid nearly $2 million to address the issue and upgrade its security system, according to the Lansing State Journal. A utility official indicated the hack came from Eastern Europe.
Stephen Serkaian, a spokesman for the utility, declined to comment to Deadline Detroit on Friday about rumors that the utility paid “thousands of dollars” in ransom to regain control of its corporate internal communication, emails and functions for billings. No utility services or customer-employee information was compromised, he said.
The utility was a target of the growing problem called ransomware, in which hackers encrypt files, freeze access to the computers of private and public companies and individuals, and then demand a ransom that can range from hundreds to thousands of dollars. Once paid, the hackers release the files, but not always. Sometimes they collect the money but release only some of the files. Sometimes they take the money and don’t release any.
It’s a growing problem in Michigan and elsewhere around the country. So far this year, there have been more than 1,300 incidents reported in Michigan alone, according to the FBI, which pegs the costs of ransom payouts, fixes and computer security upgrades in the state at about $2.6 million to date. Many of the culprits come from Eastern Europe.
In the case of the Lansing utility, the Detroit FBI, which covers Michigan, declined to comment on the case, except to say that no one to date has been charged. The utility says that the FBI and Michigan State Police are investigating the matter.
The FBI advises against paying ransoms, and urges companies and individuals to back up systems and implement proper security. (Guidance is here).
Ticklethewire.com recently sat down with FBI Supervisory Special Agent Jason F. Bilnoski, head of the bureau’s Detroit Cyber Squad. This interview was also published in Deadline Detroit.
The following interview was trimmed for brevity. The questions have been edited for clarity.
DD: When did ransomware first come on the scene?
Bilnoski: Ransomware has been around for years now, since the early 90s, but ransomware has become prevalent in the last few years. As with any criminal scheme, when actors realize that it works, they pick up with their activities.
DD: Basically, how does someone hack into a system?
Bilnoski: Ransomware traditionally used to be a spear phishing campaign or phishing campaign. It used to be wide open. You’d send a company a spam email or spoofed email of sorts to everyone in the company. But over the past few years they’ve become very targeted and very precise. It’s extremely hard for those on the victim end of the side to understand: Is this a legitimate email with a legitimate file from, say, my CEO, my supervisor? Or is it a spoofed or a malicious file or malicious link?
DD: Is that primarily how hackers get in the system?
Bilnoski: Absolutely. No matter how we educate our employees within the private sector, the studies have shown that somebody within the organization is unfortunately going to click on that link.
DD: How does that work after that?
Bilnoski: That malware takes over the system usually without the user knowing initially, and at some point to where they no longer have access to their file or network. In some cases they have a message that pops up on their computer screen, saying basically “your system has been hacked, you need to pay a certain amount of money by a certain time or you will no longer get access to your system.”
DD: The money payment. How does that work?
Bilnoski: Over the years it has gotten more sophisticated and harder for law enforcement because of use of anonymizers. Specifically, Bitcoin is one of these electronic currencies that is very hard for law enforcement to follow and track due to the use of it being anonymized through the system. Bitcoin is the primary means of paying ransoms. And Bitcoin can fluctuate in value.
Bilnoski: It changes daily. I believe at last check it was somewhere around $200 to $250 a Bitcoin.
DD: What have you seen in Michigan so far this year?
Bilnoski: I think we’ve had over 1,300 cases reported in Michigan to date this year. 1308 to be exact. So far, the adjusted loss is a little over 2 ½ million dollars for corporations and organizations.
DD: When you say adjusted loss, is that ransom payments?
Bilnoski: Adjusted loss is initial demands and also the financial losses of a company, certain mitigation efforts, whether or not the company is taken off line.
DD: What do you see in terms of actual payments?
Bilnoski: I don’t want to get into specific payments for simple reasons: I don’t want to put fictitious numbers in an actor’s mind, but it could be a very small number. What we do advocate is that companies and organizations do not pay the ransom, just like we would advocate on any other type of extortion or ransom scheme. The problem with paying is that it encourages additional actors, it encourages additional victims and there’s no way of guaranteeing that a victim organization will have their files released if they pay that ransom.
DD: Have you seen it where someone pays the ransom and they don’t get files released?
Bilnoski: We’ve seen multiple occasions in the country and within Michigan where companies have paid a ransom and the actors have come back and said, “here’s one of your files,” or “we meant to say 50 Bitcoins (not five),” and they have kept that scheme going a little longer and a little longer. And for some companies, their payment demand is now astronomical compared to what the initial ransom was. So there’s no guarantee that if you pay a ransom that you’ll recover your data. That’s why prevention and proper business continuity planning are the two biggest things that we can push out to the private and public sector partners to make sure that they’re prepared to recover from it without relying on the payment of the ransom.
DD: So there are people who get strung along?
Bilnoski: Absolutely.
DD: Now, some organizations, they obviously can’t have their computer system down for very long. What then?
Bilnoski: That is problematic, for instance, for hospitals. I’m not saying there was a specific target of a hospital. But we have seen hospitals throughout the nation targeted.
Bilnoski: No, we have not. But specifically we have seen them targeted throughout the United States. These are organizations that have to have instant access to patient records. And if ransom actors were to target specific organizations like hospitals, utility companies, any of your critical infrastructure corporations, it’s very problematic.
The plus side to that is that these larger organizations, and these critical infrastructure organizations, do a really good job of planning and mitigation for events like this. So, it might take them off line for a few hours or even a day or two, but with the proper prevention and planning in business continuity planning, they can restore their systems rather quickly and get up and running. But even a few hours can be detrimental to a company that’s somewhat in critical infrastructure, whether it be a hospital, power or light or gas utility or school.
DD: Is it an underreported crime?
Bilnoski: In 2016, we’ve seen more cases being reported. The companies traditionally didn’t report this to law enforcement. So, we believe that number could be as low as 25 percent of companies that are reporting, so what we’re seeing might only be one out of every four cases.
DD: So the ones who aren’t reporting it, are they just paying?
Bilnoski: They could be paying the ransom or they could have sufficient mitigation steps already in place even though their files have been encrypted, they have sufficient backups, and the integrity of those backups is such that they don’t need to rely on the ransom payments, which is part of our prevention and our education to our workforce and to our organizations. But the number of those reporting is getting better. We ask the public to report this to the local FBI office and to IC3, the Internet Crime Complaint Center.
DD: Who are the culprits?
Bilnoski: It’s not an individual actor or a set organization. In other words, we can’t pinpoint that it’s a particular group, an xyz country. What we haven’t seen is nation state actors. We do know these are financially motivated crimes, for the most part. And these groups do emanate out of eastern Europe, pick the country. It could be one or two actors, it could be a group.
DD: What countries?
Bilnoski: We’ve had multiple countries in eastern Europe, I don’t want to go on record pigeonholing a specific country, but it truly is all over the place. It’s not to say there haven’t been ransomware attacks that have been launched from within the United States or other countries, but predominately these schemes are run out of Eastern Europe.
DD: Are they organized groups?
Bilnoski: There are some groups, they could be ones and twos. But for the most part it’s a handful of organizations or small groups. We don’t have any major crime syndicates.
DD: Are these folks who are just great at hacking?
Bilnoski: There’s always the misconception in the public it’s someone in their mom’s basement. These people are very sophisticated and very technical. And so their schemes have evolved over the years, the type of malware used has evolved over the years, which can be challenging to law enforcement. Just like with any criminal scheme, law enforcement is always trying to stay in step or one step ahead of the actors.
The bureau is blessed with talented cyber special agents, intelligence analysts, computer scientists, all that come together. They’re cyber experts.
DD: Any actors local or are they always overseas?
Bilnoski: I don’t want to say never or ever. I don’t want to say within Michigan. In some cases, they’re anonymizing their identity, so we could have somebody in the city next to you or across the ocean, so that wouldn’t be a good representation overseas?
DD: Are you able to make any cases?
Bilnoski: We have.
DD: How hard is that?
Bilnoski: Our agents are good at what they do but the cyber cases could be a little more difficult at times due to people having the ability to reach out from afar and anonymizing themselves. I’m not going to comment on specific cases or arrests in the area specific to ransomware.
DD: What’s your best advice to companies and individuals?
Bilnoski: I want to push the point that prevention and business continuity planning by these organizations is key. Without proper planning these events could have catastrophic consequences. With sufficient planning and backup and patching of systems they can make themselves pretty robust against these attacks.
DD: Is that costly for business?
Bilnoski: It can be. Depending on the size of the organization. Backup can get costly, maintaining proper security posture and patches can be costly.
DD: Is one of the keys to have a backup system?
Bilnoski: The backup systems not only have to be backed up, but the integrity of those backups has to be secure in the sense they cannot be connected to the networks you’re backing up. We’ve seen it where some malware specifically attacks the backups first. The cyber protection of a lot of organizations has gotten better over the years. It’s a balance of cost to risk that these companies have to weigh. Companies have now looked at it as, it’s a cost of doing business.
DD: Are there companies that are helping address the problem?
Bilnoski: There are several companies, major companies, that are out there nowadays that do anything from prevention to network protection to mitigation after an incident and remediation. The FBI specifically is in the business of investigating and seeking attribution and prosecution in some cases of these actors. But we work together with all our government partners; so there’s the Department of Homeland Security that often assists with mitigation efforts throughout the private and public sector.
Infragard Member Alliance is a nationwide effort by the FBI. It’s an intelligence and information sharing network with a multitude of private sector partners from different sectors. There’s over 80 chapters, but in Michigan we have over a thousand members. They come from all walks of the private sector. The Infragard Partnership is a great way for the government to work together with our local public and private sector partners to share intelligence.