Why Las Vegas is a magnet for malware attacks

By Mick Akers

Tuesday, March 7, 2017 | 2 a.m.

With advancements in technology affecting just about every aspect of life nowadays, the way criminals hold victims hostage for ransom has evolved along with it.

The Las Vegas Valley came in at No. 1 on Malwarebytes’ list of the most targeted ransomware cities in the country released in December.

Malwarebytes, a cybersecurity company that protects businesses against online threats such as malware, ransomware and exploits, said that metropolitan Las Vegas area saw more than 300 times more instances than the No. 10 city on the list, Fort Wayne, Ind. The study also revealed that Las Vegas saw 500 times higher ransomware rates than the levels of the other 40 cities on the list.

Various reasons make Las Vegas a prime location for infecting users with malware, according to Adam Kujawa, Malwarebytes’ director of malware intelligence.

Las Vegas’ many conventions are a prime attraction. “Folks are bringing their personal or work computers, they are answering emails and trying to do their jobs,” Kujawa said. “However, since Vegas is also known for other things such as heavy drinking and partying, users may let their usual defenses down because of the lax environment and open malicious attachments or click on malicious links.”

In addition, the availability of Wi-Fi in resorts and convention centers also attributes to ransomware attackers targeting Las Vegas.

“Another possible reason lies in how many wireless networks users can connect to, in every hotel or casino, that are likely not utilizing the top level of security for the folks connecting to them,” Kujawa said. “This could lead to things like man in the middle (MITM) attacks from attackers sitting on the same wireless network, or redirections of users’ browser to things like fake login pages or portals that require personal info (like email address and name) to be submitted.”

That information could then be used to target the user with malicious phishing attacks or other types of scams, resulting in malware infection, according to Kujawa.

Kujawa said that open Wi-Fi networks with minimal defense is the reason why ransomware is everywhere, as it is prominently distributed through malware.

Malware is software that aims to damage or disable computers and computer systems, obtaining sensitive data in the process. Common forms of malware include Trojan horses, viruses and worms.

Metro Police spokesman Michael Rodriguez said he’s not certain about the number of calls the department sees a year. He said Metro forwards calls about suspected internet crimes to the Federal Bureau of Investigation.

“A lot of times we don't take those types (ransomware) of reports — we send them over to the FBI because they don't originate here (in Las Vegas),” Rodriguez said. “When we get calls on these extortion-types of scams on the internet, they’re generally investigated by the FBI, even if they file a police report here, we still send it over to them.”

The FBI could not be reached for comment.

One local business targeted by an attempted ransomware threat, the dental office of Dr. Jason Downey, was prepared to deal with such an instance.

“Luckily we have a very good internet technology (IT) guy, so all of our data was backed up as of 6 p.m. the night before,” Downey said. “So he went back and deleted that 12 hours and reloaded our system.”

Downey said that since the computer was already backed up, he didn’t have to pay to get a release on his system.

“It didn’t cost me anything other than the hassle, frustration and headache of someone trying to do this to us,” Downey said.

Since he knew his data was backed up, Downey said he didn’t inquire about how much ransom was demanded.

It’s tough to track ransomware attacks because they can come from all around the world.

“The ransom was written on the computer program Notepad. Clearly English was not their first language, as the grammar was horrible,” Downey said.

Downey’s IT technician traced the attack to the dark web. The darkweb is the encrypted network that exists between Tor servers and clients, which cannot be indexed by conventional search engines.

Downey recommends all business owners back up their data. He also recommended backing up the information off-site to curb further contamination of other systems.

“Since then we make sure to back up every night, so in case it does happen again, we just lose what we backed up overnight,” he said.

A common way for ransomware attackers to infect businesses is through emails that appear to be legitimate, according to Kujawa.

“Keeping internet-facing applications up to date and from spear phishing attacks, where attackers will specifically craft a convincing email and attachment so that users will open it, thinking the contents to be important and legitimate,” he said. “Oftentimes those attachments result in malware being downloaded and executed on the corporate system.”

Kujawa said being prepared, as Downey was, is the best way to combat this type of attack, as keeping incremental backups of important information with historical backup functionality is key.

“The solution to these attacks is to keep things updated, utilize security technology that focuses not only on the threat currently on the system, but also the distribution method (exploit kits, phishing attacks, etc), using things like anti-exploit technology,” Kujawa said. ”Ransomware is a constantly changing threat … So having a product that relies more on behavioral detection as well as signature-based detection gives you the best of both worlds and the greatest chance of catching the ransomware before it causes too much, if any, damage.”