Your business and personal information can be kidnapped without it ever leaving your possession. Ransomware is the 21st century variant of the centuries-old extortion racket that is costing organizations billions of dollars around the world. (Photo: Wikipedia)
When I was a young man in the 1970s and ’80s, we saw an upsurge in the activities of Leftist terrorist groups like the Red Brigades, Action Directe and Columbia’s FARC. A common threat from those groups was the use of kidnapping and ransom to supplement the funding they got from the Soviet Union and its satellite nations.
In the United States, we were fortunate in that this threat never gained the traction it did in other parts of the world, and when Moscow blinked and folded its tents, most of those clowns either went under or turned to other crimes to entertain themselves.
At the same time that was happening, the internet was exploding into an everyday household technology, like the telephone in the previous century. The interconnectivity that resulted led to a whole new portfolio of “cyber” crimes, and now, 40 years later, the 21st century crime of information kidnapping – ransomware – has become a leading threat to businesses and organizations of all sizes.
The way ransomware typically works is disturbingly simple. A cybercrook can buy a ready-made malware exploit on the internet black market known as the DarkWeb, configure it with the ransom amount and type of currency he wants to require from his victims and the e-mail address he wants to work from, then just launch it at whatever e-mail target list he has lined up.
This e-mail – something that looks an awful lot like a legitimate note from PayPal, Amazon or some other well-known business – gets into any business on the target list that doesn’t use e-mail security software, and at least a few recipients at that business will fall for it. When they open the malicious attachment or click on the falsified weblink, their computer gets infected and the ransomware spreads, often locking up the entire network and shutting down the business until the crisis is resolved.
When the ransomware launches at that first computer, it usually encrypts all the files on that system and displays a message announcing the attack, and showing how to pay the ransom to unlock the data. In the meantime, another part of it cruises the network infecting any other computer it can.
By the time a business owner or IT person realizes the extent of the attack, it’s often too late to stop it. Why not pay the ransom? The truth is sometimes that does work, but often it just leads to demands for more of whatever they’re demanding. Just like with real-world kidnapping and ransom, you just can’t trust the bad guys.
An old friend and colleague of mine, Kevin McPeak, is a Principal Cyber Architect with Symantec Corporation, an industry leader in the area of malware protection. Kevin and I worked together at a federal agency in Washington, and he’s currently in high demand as a speaker on these topics.
I admit, I was a bit surprised at what he told me about recent trends in ransomware. “The number of new ransomware families emerging shot up during 2016. With 30 new families appearing each year for 2014 and 2015, the number more than tripled to 101 in 2016. The trend suggests that more and more attackers are now jumping on the ransomware bandwagon and creating new ransomware families or modifying existing ones.”
Well now, isn’t that just delightful. It’s also strong evidence that ransomware works as an attack vector and funding mechanism.
“The majority of ransomware infections during 2016 occurred on consumer computers (69 percent). This is marginally up from 2015, when the proportion of ransomware infections occurring on consumer computers was 67 percent,” Kevin adds. “Most ransomware threats are indiscriminate and the infection experience is similar for businesses and consumers. However, a small number of groups have begun to specifically target businesses with ransomware attacks designed to infect multiple computers on a single network and encrypt valuable data.”
It’s probably safe to infer from this that consumers’ personal computers are simply not protected to the same level that a business’s network is; unless you’re in the information technology or security fields as part of your job, you’re likely not as aware of all the threats that may hit your home devices.
Regardless, those statistics leave an awful lot of businesses that were hit with ransomware attacks. The costs associated with such an attack – even if you don’t pay the ransom – can be staggering.
Consider, for example, your average daily revenues. Unless you have an old NCR mechanical cash register instead of a networked point-of-sale terminal, you won’t be able to process any transactions. Likewise with your website traffic. Everything stops because your data, all your files, all your accounting and inventory information, is locked.
And you don’t have the key.
So let’s assume that the worst has happened and you get hit with a ransomware attack. One of your employees fell for a phishing e-mail and now your computer network is locked up. If your walk-in business relies on this network for sales, NICS background checks, etc., you might as well close up now for the rest of the day. Maybe tomorrow as well.
First off, I’m not going to tell you whether to pay the ransom or not; there is a lot of back-and-forth on that right now, and frankly it’s a decision that you, your attorney and your insurance company need to make together.
Remember Grandpa’s old saying that “an ounce of prevention is worth a pound of cure”? That absolutely applies here. Make sure that all of your employees with email understand the threats that can come through to their inboxes. There are network applications designed to scan e-mail as it arrives for malware and viruses; look into these options and see if there’s one that fits your budget.
Back up your data regularly to a cloud service or a tape drive, and do it every night if you can. This will be important later if worst comes to worst.
My company’s service provider for e-mail protection runs a blog with a lot of great information on this and other threats, and it’s open whether you’re a customer or not (https://blog.barracuda.com). Full disclosure: these guys work for me and do a great job!
Earlier this year when things on the ransomware front started to explode and get a lot of press, they posted some guidance on what to do if you’re hit. Hint: read and maybe print this now, before the worst happens.
Quarantine the system and protect what you can. The second a ransomware message appears on a PC, laptop or terminal, PULL THE PLUG! Unplug the network cable, any and all external drives, thumb drives, hell, unplug EVERYTHING for now! The key is to try and stop the spread of the malware as fast as you can.
Assess the damage. Find out how many computers that message was seen on, and confirm that they’re all disconnected. Maybe turn off your modem or router where your network comes into the business, just to be safe, and tell your employees to not open any e-mail until you say otherwise.
Identify and remove the malware. At this point, whether you have an in-house IT person or not, you’ll need a cyber-security consultant to help you with the recovery. Your insurance company or attorney will likely have someone in their Rolodex they can refer you to; they’ll be able to bring in tools to find out what the specific malware is, and how best to remove it.
Decrypt your data. The IT person may also be able to decrypt the information that was encrypted. This step may not be necessary if you run those nightly backups I suggested earlier; worst case is you only lose a day’s worth of information after an attack, and you won’t have to pay extra for decryption services.
Restore your network. The computers that were initially infected should be considered gone, until they can be rebuilt and put back in service on your network. Hard drives are pretty inexpensive these days, and with malware getting more and more sophisticated, I’d start with new drives and a brand-new operating system. Reload your operating system from a fresh disc, update it to the current patches and reinstall whatever software you need, including the security tools. Lastly, restore the data from last night’s backup tapes and you’re back in business.
There are a lot of good resources out on the internet for information on ransomware and other emergent cyberthreats; the two that I’d go to first for this topic are NoMoreRansom! at https://www.nomoreransom.org/en/index.html, and ID Ransomware at https://id-ransomware.malwarehunterteam.com/index.php. The first site has a ton of good stuff and can walk you through the best ways to respond to and recover from a ransom attack. ID Ransomware is a more technical website where your IT person can upload sample data from the attack and identify the family it came from; this will help clean it up.
I won’t kid you, this is serious stuff that can cost you a LOT of money, before you even consider paying any ransom, and it’s not a situation that your teenage neighbor kid can help you with.
Ransomware is about the most dangerous threat we are seeing right now, and it takes a serious effort to both prevent it and recover from it.
Don’t underestimate it.