in March . Ransomware is no longer just a nuisance . Now it 's quite literally a matter of life and death . A massive ransomware attackAttack.Ransombeing labeled as `` WannaCryAttack.Ransom`` has been reported around the world and is responsible for shutting down hospitals in the United Kingdom and encrypting files at Spanish telecom firm Telefonica . The WannaCry attackAttack.Ransomis not a zero-day flaw , but rather is based on an exploit that Microsoft patchedVulnerability-related.PatchVulnerabilitywith its MS17-010 advisory on March 14 in the SMB Server . However , Microsoft did not highlightVulnerability-related.DiscoverVulnerabilitythe SMB flaw until April 14 , when a hacker group known as the Shadow Brokers releasedVulnerability-related.DiscoverVulnerabilitya set of exploits , allegedly stolenAttack.Databreachfrom the U.S.National Security Agency . SMB , or Server Message Block , is a critical protocol used by Windows to enable file and folder sharing . It 's also the protocol that today 's WannaCry attackAttack.Ransomis exploiting to rapidly spread from one host to the next around the world , literally at the speed of light . The attack is what is known as a worm , `` slithering '' from one host to the next on connected networks . Among the first large organizations to be impacted by WannaCry is The National Health Service in the UK , which has publicly confirmed that it was attackedAttack.Ransomby the Wan na Decryptor. `` This attackAttack.Ransomwas not specifically targeted at the NHS and is affecting organisations from across a range of sectors , '' the NHS stated . `` At this stage we do not have any evidence that patient data has been accessedAttack.Databreach. '' Security firm Kaspersky Lab reported that by 2:30 p.m . ET May 12 it had already seen more than 45,000 WannaCry attacksAttack.Ransomin 74 countries . While the ransomware attackAttack.Ransomis making use of the SMB vulnerability to spread , the encryption of files is done by the Wanna Decryptor attackAttack.Ransomthat seeks out all files on a victim 's network . Once the ransomware has completed encrypting files , victims are presented with a screen demanding a ransomAttack.Ransom. Initially , the ransom requestedAttack.Ransomwas reported to be $ 300 worth of Bitcoin , according to Kaspersky Lab . `` Many of your documents , photos , videos , databases and other files are no longer accessible because they have been encrypted , '' the ransom note states . `` Maybe you are busy looking for a way to recover your files , but do not waste your time . Nobody can recover your files without our decryption service . '' It 's not clear who the original source of the global WannaCry attacksAttack.Ransomis at this point , or even if it 's a single threat actor or multiple actors . What is clear is that despite the fact that a software patch has been availableVulnerability-related.PatchVulnerabilitysince March for the SMB flaws , WannaCry is using tens of thousands of organizations that did n't patchVulnerability-related.PatchVulnerability.
Cyber criminals took a second swing at Mecklenburg County government on Thursday after officials rejected a demand for moneyAttack.Ransomfollowing a ransomware attackAttack.Ransom. The follow-up attempts to hold the county hostage over illegally encrypted data came just hours after County Manager Dena Diorio announced she ’ d decided against payingAttack.Ransoma hacker ransomAttack.Ransom. Instead of agreeing to payAttack.Ransomcriminals , she said Wednesday , the county will rebuild its system applications and restore files and data from backups . But by Thursday afternoon , hackers tried to strike again . Diorio sent staff members an email saying , “ I have a new warning for employees. ” As the county ’ s IT staff worked to recover from the first cyberattack , Diorio said , they discovered more attempts to compromiseAttack.Databreachcomputers and data on Thursday . “ To limit the possibility of a new infection , ITS is disabling employees ’ ability to open attachments generated by DropBox and Google Documents , ” she wrote in an email . “ The best advice for now is to limit your use of emails containing attachments , and try to conduct as much business as possible by phone or in person. ” She described the aftermath of the ransomware attackAttack.Ransomas a “ crisis ” and reassured employees they should not feel personally responsible for the incident . The county first learned of the problem earlier this week after an employee openedAttack.Phishinga malicious “ phishing ” email and accessed an attached file that unleashed a widespread problem inside the county ’ s network of computers and information technology . The intent of that ransomware attackAttack.Ransomwas to essentially access as many county government files and data servers as possible . Then , the information was encrypted or locked , keeping employees at the county from accessing operating systems and files . The person or people responsible for the infiltration then demandedAttack.Ransomthe county payAttack.Ransomtwo bitcoins , or about $ 23,000 , in exchange for a release of the locked data . The county refused to payAttack.Ransom. County officials say they anticipate the recovery time for Mecklenburg County government operations will take days . “ We are open for business , and we are slow , but there ’ s no indication of any data lossAttack.Databreachor that personal information was compromisedAttack.Databreach, ” Diorio said . Diorio said third-party security experts believe the attackAttack.Ransomearlier this week by a new strain of ransomware called LockCrypt originated from Iran or Ukraine . Forty-eight of about 500 county computer servers were affected .
Federal officials , Microsoft and Cisco are working with the city of Atlanta to resolve the attackAttack.Ransom, but Atlanta 's mayor wo n't say if the city paidAttack.Ransomthe $ 51,000 ransomAttack.Ransom. As of Saturday , Atlanta officials and federal partners were still “ working around the clock ” to resolve the ransomware attackAttack.Ransomon city computers that occurred around 5 a.m. on Thursday , March 22 , and encrypted some financial and person data . As @ Cityofatlanta officials & federal partners continue working around the clock to resolve issues related to the ransomware cyber attackAttack.Ransomlaunched against the City , solid waste & other DPW operations are not impacted . — ATLPublicWorks ( @ ATLPublicWorks ) March 24 , 2018 On Thursday , the official investigation included “ the FBI , U.S. Department of Homeland Security , Cisco cybersecurity officials and Microsoft to determine what information has been accessedAttack.Databreachand how to resolve the situation. ” A city employee sent WXIA a screenshot of the ransom demandAttack.Ransom, which included a pay-per-computer optionAttack.Ransomof $ 6,800 or an option to payAttack.Ransom$ 51,000 to unlock the entire system . CBS 46 reported that the ransom demandAttack.Ransomand instruction said : Send .8 bitcoins for each computer or 6 bitcoins for all of the computers . ( That 's the equivalent of around $ 51,000 . ) After the .8 bitcoin is sent , leave a comment on their website with the provided host name . They ’ ll then reply to the comment with a decryption software . When you run that , all of the encrypted files will be recovered . On Friday , March 23 , city employees were handed a printed notice as they walked through the front doors . They were told not to turn on their computers until the issue was resolved . Officials were still unsure who was behind the attack . Mayor Keisha Lance Bottoms advised city employees and customers to monitor their personal information , although there was no evidence to show customer or employee data was compromisedAttack.Databreach. Mayor Bottoms clarified what services had not been impacted and were still available to residents and which ones had been impacted . Mayor Bottoms will not say if Atlanta intends to pay the ransom demandAttack.Ransom, saying , “ We will be looking for guidance from , specifically , our federal partners on how to best navigate the best course of action. ” During a press conference , Bottoms said , “ What we want to make sure of is that we aren ’ t putting a Band-Aid on a gaping wound. ” She then turned the press conference over to Richard Cox , the City of Atlanta 's chief operations officer ; the poor dude is brand new to serving as Atlanta ’ s COO . He confirmed the existence of the ransom demandAttack.Ransombut would not reveal the contents .
Atlanta mayor Keisha Bottoms said on Thursday , March 22 , that hackers attackedAttack.Ransomthe city ’ s network system and encrypted data . The details are somewhat slim for now , but hackers reportedly used the SamSam ransomware and demandAttack.Ransomaround $ 51,000 in Bitcoin to unlock the city ’ s seized computers . Atlanta is currently working with the Department of Homeland Security , the FBI , Microsoft , and Cisco cybersecurity officials to determine the scope of the damage and regain control of the data held hostage . “ Our Atlanta Information Management team is working diligently with support from Microsoft to resolve the issue , ” the city ’ s official Twitter account states . “ We are confident that our team of technology professionals will be able to restore applications soon . Our city website , Atlantaga.gov , remains accessible and we will provide updates as we receive them. ” As of Thursday afternoon , the city said it faced outages on various “ internal and customer facing applications , ” such as means for accessing court-related information and paying bills . But the city itself isn ’ t exactly under siege : Airport , public safety , and water operations remain unaffected by the attack , and the city payroll wasn ’ t touched . The only bone Atlanta is throwing the public is that the attack affects “ various city systems. ” According to Atlanta ’ s newly appointed chief operating officer , Richard Cox , Atlanta Information Management officials were made aware of problems with internal and customer-facing applications at 5:40 a.m. Thursday . At the time , he acknowledged that the city fell prey to ransomware , but given the investigation is still ongoing , he couldn ’ t provide the extent of the damage . “ The ongoing investigation will determine whether personal information , financial , or employee data has been compromisedAttack.Databreach, ” he said during a press briefing . “ As a precaution , we are asking that all employees take the appropriate measures to ensure their data is not compromisedAttack.Databreach. The city advises employees to monitor and protect personal information and in the coming days we will offer employees additional resources if needed. ” What the city didn ’ t officially disclose was the ransomware note discovered in the investigation . A screenshot reveals the hackers ’ demandsAttack.Ransom: 0.8 Bitcoins for each seized computer , or six bitcoins to unlock all computers held hostage , equaling to around $ 51,000 in real cash . Once Atlanta sends the Bitcoins to a digital wallet , the city is to leave a message containing the host name on a specific website . The hackers will then provide decryption software to release the computers from captivity . The SamSam malware doesn ’ t take the typical route of installing itself on computers when unsuspecting owners click a link within an email . Instead , hackers findVulnerability-related.DiscoverVulnerabilityunpatched vulnerabilities in network servers and manually unleash SamSam to seize key data systems and cause maximum damage to the company ’ s infrastructure . SamSam is one of many in a family of ransomware targeting government and healthcare organizations . It was first observed in 2015 and encrypts various file types using the Advanced Encryption Standard ( aka Rijndael ) . It then encrypts that key with RSA 2048-bit encryption to make the files utterly unrecoverable . As of Friday morning , Atlanta ’ s main website and its affiliated portals remained unaffected by the ransomware attackAttack.Ransom.
Officials at a medical practice in Blue Springs say they are taking steps to strengthen privacy protections after a ransomware attackAttack.Ransomaffected nearly 45,000 patients . Blue Springs Family Care discovered in May that hackers had installed malware and ransomware encryption programs on its computer system , giving them full accessAttack.Databreachto patient records . Ransomware is a kind of malware that locks up a computer . The attackers typically demand a ransomAttack.Ransom, often in Bitcoin or other cryptocurrencies , as a condition of unlocking the computer and allowing access to the system . Melanie Peterson , Blue Springs Family Care ’ s privacy officer , says the medical practice did not pay a ransomAttack.Ransom. Rather , it was able to use backups to regain computer access . In a letter to patients , Blue Springs Family Care said it had no evidence patients ’ information had been used by unauthorized individuals . But it said it had taken steps to strengthen its defenses against similar attacks in the future . Peterson says the family medical practice has essentially rebuilt its computer system from scratch “ to make sure that no traces of any kind of virus were left in the system. ” The number of affected patients was as large as it was because the medical practice is required to keep medical records going back 10 years . Peterson says both the FBI and Blue Springs Police Department were notified of the attack . So far , the hackers have not been identified , she says . Blue Springs Family Care ’ s computer vendor discovered the ransomware attackAttack.Ransomon May 12 . In its letter to patients , Blue Springs Family Care said it hired a forensic IT company to help quarantine the affected systems and to install software to monitor whether any unauthorized person was accessing the system . The attack on Blue Springs Family Care was not an anomaly . Health care businesses in particular have been targeted by ransomware attacksAttack.Ransom. According to Beazly , a cybersecurity insurance company , 45 percent of ransomware attacksAttack.Ransomin 2017 targeted the health care industry . Financial services , which accounted for 12 percent of ransomware attacksAttack.Ransom, were a distant second . Last month , Cass Regional Medical Center in Harrisonville , Missouri , reported a ransomware attackAttack.Ransomhad briefly cut off access to its electronic health record system on July 9 . Hospital officials said there was no indication patient data was accessedAttack.Databreach. Cass Regional was just the latest of many Missouri health care institutions targeted in the last few months by cyber-attackers . Others include Children ’ s Mercy Hospital in Kansas City , Barnes Jewish Hospital in St. Louis , Barnes-Jewish St. Peters Hospital in St. Peters and John J. Pershing VA Medical Center in Poplar Bluff . In Kansas , the Cerebral Palsy Research Foundation of Kansas , the Kansas Department for Aging and Disability Services , Atchison Hospital Association and a private medical practice in McPherson have all been hit with cyberattacks since March . “ If you think about what ’ s in a health or medical record , there ’ s a lot of information that could be used to create or falsify documents on an individual , ” says Madeline Allen , an assistant vice president in the cybertech practice at Lockton Companies , a Kansas City-based insurance broker . “ So think about your medical record that contains not only your health information but also your name and address , your social security number , your date of birth , oftentimes a driver ’ s license number . “ All of those things can be used to impersonate you , whether it be to open a line of credit , apply for a loan , file a tax return – all of those things . Pretty much everything you need would be found in your health record , '' Allen says . `` If you can get a full health record on someone , it ’ s pretty valuable information to the bad guys as they ’ re looking to monetize that information. ” For health care institutions , Allen says , it ’ s not so much a question of whether they will be attacked as when . As such , she says , apart from instituting technical measures , the most important thing they can do to ward off cyberattacks is to educate their employees . “ Let them know that people are constantly trying to attack from all angles and the attacks are pretty sophisticated , ” she says . “ It ’ s very easy to click on a link thinking it ’ s legitimate or respond to an email that looks legitimate when in fact it ’ s not . So I think the education of employees and staff is perhaps the biggest step that health care facilities can take . ”
Cloquet school district has been hit by a ransomware attackAttack.Ransomsecond time in the past three years . The ransomware is a virulent computer malware , which attacks by spreading from one computer to another and locking up the access to the network servers . The ransomware also encrypts the documents and then demands ransomAttack.Ransomfor providing a key to unlock encrypted files . In March 2016 , the previous occasion when the ransomware attacked , the district cancelled the school for one day so as to let the technology staff have time for recovering from the malware . During that attack , the district servers as well as over 600 computers got infected badly . The current attack took place during the summer vacation , and was not as harmful as of last time . As per staff report from T.J. Smith , Cloquet School District Technology Director , the virus has encrypted files available on all the servers except one , this included the network shared drives . However , the attackAttack.Databreachdoes not indicate stealingAttack.Databreachof any information . The virus only encrypted the files , so that the users were not able to open them . Board members of Cloquet School were explained by Smith on 13 Aug , 2018 , that the district only was left with two options other than succumbing to the demands of ransomAttack.Ransomby the hacker - one , trying to recover data with a probability that the data may not be retrieved and then it would be a complete waste of money and time . The second option was to plan out the way of recreating the data and rebuilding the affected servers . Smith , however , advocated for second option as the data lost was not so important and the insurance will help in paying out for recovering the infected servers . Unanimously , the board members also voted for second option , which is recreating the data and rebuilding the affected servers . Besides , the board members suggested hiring a `` forensic '' company to investigate on the ransomware attackAttack.Ransomand determine the source from where the virus has entered . On a brighter side , Smith revealed that the technology staffs have been able to recover some of the lost data , and they are also capable of recreating the data that is unrecoverable . He also commented that the process of recovery will not at any cost affect the commencement of the school session in the month of September .
Files that were scrambled in a ransomware attackAttack.Ransomon Hāwera High School in Taranaki included school assessments that students had only partly completed as well as backups , principal Rachel Williams has confirmed . More help is on the way for schools battling ransomware and other malware , but it has come a little late for the school which is being held to ransomAttack.Ransomfor US $ 5000 by hackers . N4L , the Crown-owned company that manages the provision of broadband to schools , said it would improve online security as part of a wider upgrade of its managed network that is due to be completed by October next year . The 2450 schools and 800,000 students on the network will get a new security solution supplied by Californian company Fortinet which would provide `` more robust protection against online threats , such as phishingAttack.Phishingand ransomware '' , it said in a statement issued on Monday . Ironically , that was the same day that staff at Hāwera High School switched on their computers to discover the message demandingAttack.RansomUS $ 5000 ( NZ $ 7352 ) in bitcoin for the return of encrypted data on a server containing students ' work and teaching resources . Hāwera High School is connected to ultrafast broadband via N4L , but N4L chief executive Larrie Moore said the school had opted out of N4L 's existing security solution and was instead using an alternative commercial offering . `` We 've been in touch with the school and their IT company to offer our support , '' he said . `` Until we know how the school 's network was compromised , we are unable to say whether the new Fortinet solution would have prevented it , '' he said . But Moore said there was no `` silver bullet '' for malware . Instead , technological protections needed to be used in combination with `` continuous education around good digital citizenship '' , he said . Williams said many of its students and teachers had backed up their files in the cloud and were not affected by the ransomware attackAttack.Ransom, but backups stored on servers at the school were also encrypted by the hackers . `` We have been working today on getting a clearer audit of student and staff work and where we are at . Some students are really not affected at all because they have saved their work on their cloud-based system . `` If students were part-way through an assessment , some of those are the ones that are encrypted and we ca n't access those at the moment . '' The school was working with NZQA to make sure those students were not disadvantaged , she said . Others had backups of their work at home , she said . Williams was not sure how the malware had arrived at the school , saying that was still being investigated . The Government is not believed to have any rules on whether state-funded organisations such as schools can pay ransomsAttack.Ransom, but in 2017 it issued advice against it and Williams said the school would follow police advice not to payAttack.Ransom. While the incident had been annoying , `` you see people 's character come through and we 've seen real resilience from our staff and students '' , Williams said . `` It is not stopping us doing what we need to do . '' N4L said its technology upgrade would be the first major refresh of its network since it began connecting schools with ultrafast broadband at the end of 2013 . Its existing security system had blocked more than 118,000 viruses and malware threats so far during this school year , it said .
The US Attorney 's Office for the District of Northern Georgia announced Wednesday that a federal grand jury had returned indictments against two Iranian nationals charged with executing the March 2018 ransomware attackAttack.Ransomthat paralyzed Atlanta city government services for over a week . Faramarz Shahi Savandi and Mohammed Mehdi Shah Mansouri are accused of using the Samsam ransomware to encrypt files on 3,789 City of Atlanta computers , including servers and workstations , in an attempt to extortAttack.RansomBitcoin from Atlanta officials . Details leaked by City of Atlanta employees during the ransomware attackAttack.Ransom, including screenshots of the demand message posted on city computers , indicated that Samsam-based malware was used . A Samsam variant was used in a number of ransomware attacksAttack.Ransomon hospitals in 2016 , with attackers using vulnerable Java Web services to gain entry in several cases . In more recent attacks , including one on the health industry companies Hancock Health and Allscripts , other methods were used to gain access , including Remote Desktop Protocol hacks that gave the attackers direct access to Windows systems on the victims ' networks . The Atlanta attack was not a targeted state-sponsored attack . The attackers likely chose Atlanta based on a vulnerability scan . According to the indictment , the attackers offeredAttack.Ransomthe city the option of payingAttack.Ransomsix Bitcoin ( currently the equivalent of $ 22,500 ) to get keys to unlock all the affected systems or 0.8 Bitcoin ( about $ 3,000 ) for individual systems . `` The ransom note directed the City of Atlanta to a particular Bitcoin address to pay the ransomAttack.Ransomand supplied a web domain that was only accessible using a Tor browser , '' a Department of Justice spokesperson said in a statement . `` The note suggested that the City of Atlanta could download the decryption key from that website . '' But within days of the attack , the Tor page became unreachable , and the City of Atlanta did not pay the ransomAttack.Ransom. Savandi , 27 , of Shiraz , Iran , and Mansouri , 34 , of Qom , Iran , have been charged under the Computer Fraud and Abuse Act ( CFAA ) for `` intentional damage to protected computers ... that caused losses exceeding $ 5,000 , affected more than 10 protected computers , and that threatened the public health and safety , '' the Justice Department spokesperson said . They are also charged in a separate indictment in the US District Court for the District of New Jersey in connection with another ransomware attackAttack.Ransom, in which a ransom was apparently paidAttack.Ransom.
Two Iranian men already indicted in New Jersey in connection with a broad cybercrime and extortion scheme targeting government agencies , cities and businesses now face new federal charges in Georgia related to a ransomware attackAttack.Ransomthat caused havoc for the city of Atlanta earlier this year . A federal grand jury in Atlanta returned an indictment Tuesday accusing Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri of violating the Computer Fraud and Abuse Act , federal prosecutors said in a news release Wednesday . The New Jersey indictment against the pair was filed last month on broad conspiracy charges that included the Atlanta cyberattack . Byung “ BJay ” Pak , the U.S. attorney in Atlanta , said in a news release that the Atlanta indictment was sought in coordination with the earlier indictment and seeks to ensure that “ those responsible for the attacks face justice here as well. ” The Atlanta indictment accuses the two men of launching a ransomware attackAttack.Ransomagainst Atlanta that encrypted vital city computer systems . The attack significantly disrupted city operations and caused millions of dollars in losses , prosecutors said . The Department of Justice has said the two men remain fugitives and are believed to be in Iran , though they are not believed to be connected to the Iranian government . No attorney was listed for either man in online court records . In the Atlanta attackAttack.Ransom, a ransomware known as SamSam was used to infect about 3,789 computers belonging to the city , prosecutors said . The ransomware encrypted the files on the computers and showed a ransom note demanding paymentAttack.Ransomfor a decryption key . The note demandedAttack.Ransom0.8 bitcoin per affected computer or six bitcoin to decrypt all affected computers . Atlanta Mayor Keisha Lance Bottoms said in the days after the ransomware attackAttack.Ransomthat the ransom demandAttack.Ransomwas equivalent to $ 51,000 . The ransom note provided a bitcoin address to pay the ransomAttack.Ransomand a website accessible only on the dark web , where it said the city could retrieve the decryption key , prosecutors said . The decryption key became inaccessible shortly after the attack , and the city didn ’ t pay the ransomAttack.Ransom, prosecutors said . The New Jersey indictment filed Nov 27 accuses the two men of creating the SamSam ransomware and says it was used to encrypt the computers of more than 200 victims , including government agencies , cities and businesses . Among the other victims are the city of Newark , New Jersey , the Colorado Department of Transportation , the Port of San Diego and six health care companies across the U.S. , according to the Justice Department . The New Jersey charges include conspiracy to commit wire fraud and conspiracy to commit fraud and related activity in connection with computers . The overall scheme allowed the hackers to make about $ 6 million and caused the victims to lose more than $ 30 million , prosecutors said .
The National Security Agency warnedVulnerability-related.DiscoverVulnerabilityMicrosoft about a vulnerability in Windows after a hacker group began to leak hacking tools used by the agency online , the Washington Post reported late Tuesday . The vulnerability has been the center of attention in recent days , following the outbreak of the global “Wanna Cry” ransomware attackAttack.Ransomthat crippled Britain ’ s hospital system and has spread to at least 150 countries . The ransomware is widely believed to be based on an alleged NSA hacking tool leaked by the group Shadow Brokers earlier this year . The government has not publicly acknowledged that the NSA developed the tool . “ NSA identified a risk and communicated it to Microsoft , who put outVulnerability-related.PatchVulnerabilityan immediate patch , ” Mike McNerney , a former Defense Department cybersecurity official , told the Post . McNerney said , however , that no top government official emphasized the seriousness of the vulnerability . Microsoft issuedVulnerability-related.PatchVulnerabilitya patch for its supported systems in March , weeks before Shadow Brokers released the exploit , but many computer systems around the world remained unpatched , leaving them vulnerable to the latest ransomware attackAttack.Ransom. The ransomware campaign has been less devastating to the United States than other countries , but has affected some American companies including FedEx . The events have renewed debate over the secretive process by which the federal government decides whether to discloseVulnerability-related.DiscoverVulnerabilitya zero-day vulnerability to the product ’ s manufacturer , as well as spurring scrutiny of the NSA . Microsoft president and chief legal officer Brad Smith said Sunday that the ransomware attackAttack.Ransomshould serve as a “ wake-up call ” to governments not to hoard vulnerabilities . On Wednesday , a bipartisan group of lawmakers introduced legislation that would codify what is known as the vulnerabilities equities process into law , bringing more transparency and oversight to it . View the discussion thread .
In recent years , ransomware has become a growing concern for companies in every industry . Between April 2015 and March 2016 , the number of individuals affected by ransomware surpassed 2 million — a 17.7 % increase from the previous year . Ransomware attacks function by breaching systems , usually through infected email , and locking important files or networks until the user pays a specified amount of money . According to FBI statistics cited in a Malwarebytes report , hackers gained more than $ 209 million from ransomware paymentsAttack.Ransomin the first three months of 2016 , putting ransomware on track to rake in nearly $ 1 billion this year . But as a result of increased ransom-avoidance , cybercriminals have created an even more insidious threat . Imagine malware that combines ransomware with a personal data leakAttack.Databreach: this is what the latest threat , doxware , looks like . With doxware , hackers hold computers hostageAttack.Ransomuntil the victim pays the ransomAttack.Ransom, similar to ransomware . But doxware takes the attack further by compromisingAttack.Databreachthe privacy of conversations , photos , and sensitive files , and threatening to release them publicly unless the ransom is paidAttack.Ransom. Because of the threatened release , it 's harder to avoid paying the ransomAttack.Ransom, making the attackAttack.Ransommore profitable for hackers . In 2014 , Sony Pictures suffered an email phishing malware attackAttack.Phishingthat releasedAttack.Databreachprivate conversations between top producers and executives discussing employees , actors , industry competitors , and future film plans , among other sensitive topics . And ransomware attacksAttack.Ransomhave claimed a number of recent victims , especially healthcare systems , including MedStar Health , which suffered a major attackAttack.Ransomaffecting 10 hospitals and more than 250 outpatient centers in March 2016 . Combine the data leakAttack.Databreachof Sony and the ransomware attackAttack.Ransomon MedStar and you can see the potential fallout from a doxware attack . Doxware requires strategic , end-to-end planning , which means hackers will target their victims more deliberately . Looking at the data leakedAttack.Databreachfrom Sony , it 's easy to imagine the catastrophic effect doxware would have on an executive of any major corporation . Company leaders hold countless conversations over email each day on sensitive topics ranging from product development to competition to internal politics , and if there 's a doxware attack , the fallout could be extensive . Expect Things to Get WorseThe technology behind doxware is still new , but expect the problem to become worse . Recent attacks have been contained to Windows desktop computers and laptops , but this will certainly change . Once the malware can infiltrate mobile devices , the threat will become even more pervasive , with text messages , photos , and data from apps at risk for being leakedAttack.Databreach. It 's also highly likely that doxware will target more types of files . Workplace emails are currently a big target for hackers . However , a company 's internal communications/instant messaging network is also appealing to hackers using doxware , as the messaging network often serves as a platform where both sensitive business discussion and casual conversations take place , potentially exposing both company secrets and personally embarrassing exchanges . One of these variants hold files ransomAttack.Ransomwith the threat of release and then stealsAttack.Databreacha victim 's passwords . Another mutation , Popcorn Time , takes doxware even further giving victims the option to infect two of their friends with the malware instead of paying the ransomAttack.Ransom.