Ransomware Put Mainframe Security in the Spotlight, but There’s More to Learn

Ray Overby

August 6, 2020

Over the past six years, ransomware has put cybersecurity on the map in a way few other security threats have. The attacks were so pervasive and sophisticated, with dramatic James Bond-esque narratives, that they brought cyber-attacks into the mainstream media, where they had seldom been highlighted before.

Ransomware made cyber-attacks very public and very personal, instilling fear that the attacks could target everyone – from the biggest corporations to the smallest municipal agencies, down to individual users – and at a high price. In 2018, the City of Atlanta discovered that ransomware had seized several citizen-facing city systems, including bill payment applications. While the mayor refused to pay the $51,000 ransom, the city predicted that recovery could cost as much as $17 million.

Another example: Hollywood Presbyterian Medical Center was forced to shut down several departments and divert patients to other institutions while its IT system was held for ransom. The hospital eventually paid around $17,000 worth of bitcoin to regain control of its system.

Although there has been recent talk of ransomware tactics declining, attackers continue to strike servers holding mission-critical data. By 2021, a new organization will fall victim to ransomware every 11 seconds.

Is the mainframe vulnerable to ransomware?

Ironically, headline-grabbing ransomware attacks significantly increased cybersecurity awareness, inspiring IT professionals to acknowledge the hidden vulnerabilities in their systems. Although the mainframe is known for security, reliability, and scalability, it is still a top target for attackers. And, as it turns out, it is also vulnerable to ransomware.

In 2012, Nordea Bank became the first known victim of a mainframe hack documented by the press. A later attack at an unnamed bank was the first known case of mainframe ransomware. This four-part social engineering attack combined phishing and keylogging to steal one mainframe programmer's credentials. The attackers then submitted job control language (JCL) statements to scan for sensitive data sets and encrypt them with custom ransomware.

Like any other system, the mainframe carries risk at both the application layer and the operating system (OS) layer. When it comes to cybersecurity, mainframe pros typically reach for popular application scanning tools. While these products do help mitigate vulnerabilities, they miss code-based, OS-level vulnerabilities, which can ultimately be more damaging than attacks on applications alone.

OS-level vulnerabilities can cause greater damage, opening the door to the most sensitive information and to control of an entire system – like the attack Hollywood Presbyterian Medical Center suffered. Attackers operating at the OS level can reach everything on the mainframe, from sensitive user credentials to application data.

Regardless of how tightly organizations lock down the configuration side of the mainframe, just one code-based vulnerability leaves everything open to attack. Attackers are even capable of completely covering their tracks by disabling common system logging or security controls.

Even though ransomware attacks cause extreme damage – both in recovery time and in money – their star power helped raise the public's awareness of cybersecurity. So let's learn that lesson and take awareness a step further, acknowledging the OS-level vulnerabilities that threaten the most important IT systems. Without better education around every risk to the mainframe, all other cybersecurity efforts can easily be undone.