Ransomware is messy, ugly, and not going away! Five steps you can take to protect yourself and your organization.
Imagine you work at a busy hospital. You arrive at work to find what might be described as a waking nightmare. You sit down to start your day and realize that you suddenly are unable to access the network. Your digital files have been taken captive by an unknown entity. Critical patients have to be re-routed to neighboring hospitals. In many of your daily efforts, you have to revert from computers back to pen and paper. This all happened to a California hospital in February of this year. This hospital was faced with a surreal choice. In order to retrieve its files, it was forced to pay a ransom to an unidentified group. Original news accounts stated that the hospital paid a ransom in the millions to the hackers who had seized control of its network. While those numbers were wildly inaccurate, the hospital did eventually decide to pay $17,000 worth of bitcoin to have its data returned. The entire drama took over a week to unfold. Turkish hackers eventually claimed responsibility for the attack.
Yes, this all might sound like the script to a Hollywood blockbuster, but sadly it’s not. It did, however, happen to a hospital only steps from the studios that might produce such a vehicle. The Hollywood Presbyterian Medical Center found itself part of a very real and growing list of those who have been victimized by a maturing and terrifying weapon in the arsenal of cybercriminals: ransomware.
The same month attackers had locked up the data at Hollywood Presbyterian, the news was filled with the emergence of a virulent strain of ransomware called Locky. FORBES reported that Locky was infecting at least 90,000 machines a day, asking victims to shell out roughly $420 to have their files unlocked.
The police department in Tewksbury, Massachusetts (population 28,961) suffered through a not dissimilar drama late last year. After some notable system difficulty, the department received a digital message explaining that its personal files had been encrypted and the decryption costs were $500. After unsuccessful attempts to unscramble the files by federal and state law enforcement agencies as well as two Internet security agencies, the department finally relented and paid the ransom.
Similarly, the four-member police force in Collinsville, Alabama (population 1,974) was hit with a comparable attack in June of last year. Chief Gary Bowen refused to pay the ransom (effectively letting his files disappear into the ether). “There was no way we were going to succumb to what felt like terrorist threats,” Bowen told the Boston Globe (which sounds strikingly like something I believe John Wayne would say if he ever had to deal with cybercrime).
Ransomware is, in essence, a strain of malware. It usually infects a computer through the use of a popup advertisement or phishing scheme. Most recently, users have been infected by clicking the advertisements located within legitimate websites such as the New York Times. Ransomware locks down a computer that can, in theory, only be unlocked through paying a ransom to those who infected the system. Infected users are often not aware of the problem until they can no longer access their data or begin seeing computer messages advising them that they will need to pay a ransom in exchange for a decryption key. These messages usually include instructions on how to pay the ransom.
Ransomware has gotten crazy sophisticated. Graphic artists and translators are employed to make sure demands are presented clearly and in a local dialect. Call centers have been employed to walk victims through paying ransom. Really…call centers.
Authorities advise against paying ransoms. This is because paying emboldens cybercriminals, the funds could potentially be used in separate malicious activity, and payment doesn’t necessarily fully destroy malware on an infected computer or ensure that data will be returned (although not unlocking data after a ransom is paid would be bad practice for cybercriminals who definitely want to entice victims to pay ransom). It is easy, however, to see why Hollywood Presbyterian would be anxious to reclaim its data, even if it meant shelling out a pretty penny to do so. Its data often means the difference between life and death. For many, hijacked data may hold a similar place.
Ransomware isn’t just an issue for businesses. Consider pornography popping up on a laptop provided to you through your work that can only be removed if a ransom is paid. How about receiving a message that tells you that, unless you pay a ransom, illicit emails exchanged between you and a mistress will be sent to your wife? What if you were sent a video of yourself watching pornography taken via your laptop’s camera along with a threat to broadcast the video online? Would you pay the ransom? What if all of the photos that remained of a recently deceased loved one, such as a spouse or a child, were suddenly held hostage? What about a nearly completed draft of your first novel? What would you pay to have this data returned to you?
This is why we will not see the end of ransomware anytime soon. In fact, we are only beginning to see the power of the problem. As all of us are more willing to store our personal and sensitive information digitally, as well as data critical to our emotional and physical well-being, this data and information will only become more enticing to actors who can exploit this information for financial gain. The marketplace for ransomware is growing. So too is the number of businesses and individuals who are falling victim to attacks. When you consider that legitimate news organizations falsely reported that a hospital would pay a number in the millions to have its data returned, you begin to see the breadth of the problem. The worth of our data is incalculable. That’s why it’s so alluring.
Imagine if ransomware were automated. It’s not far-fetched. What if someone only needed to release the ransomware and sit back and watch it collect? While regular people fight to reclaim data rightfully belonging to them, malicious actors in some far-off place dive into swimming pools full of bitcoin and unlawfully seized data like Scrooge McDuck. Possibilities!
So you’d rather not turn your laptop into a paperweight, I understand. What do you do to protect yourself? Honestly, a lot of it is common sense. My colleague Scott Brady recently wrote a column on Technology Story, and a lot of it applies here. You really do need to think about being online like walking through a dangerous section of town. You need to be constantly on alert and monitoring your surroundings. You may even want to place a sticky note next to your monitor that reads: THINK BEFORE YOU CLICK! Anytime you are going to click on a link in an email, download a file from the Internet, visit a website, or enter information, take a moment to consider your actions. Could the link be malicious? Could the website be illegitimate? Could the download potentially corrupt my drive?
Here, meanwhile, are five specific things you can do to protect yourself and your organization from ransomware:
Backups. Not Just for Injured Quarterbacks Anymore: Whether you are a business or an individual, you need to be constantly backing up your systems and your data. These backups will be invaluable if you ever find yourself the victim of a ransomware attack. In this case you can focus not on retrieving the data that is being held hostage but instead on disinfecting and restoring your systems while learning how to ensure that the problem doesn’t happen again.
Patches. Not Just for Snooty Englishmen Anymore: There is a reason why software vendors send out updates to their systems. In many cases it’s to patch dangerous vulnerabilities that they’ve discovered. It’s easy to ignore these updates. They can be annoying, especially when you’re just trying to accomplish your day-to-day tasks. But ignoring these updates could allow an attacker access to your network.
Consider subscribing to the US-CERT National Cyber Awareness System. US-CERT is the United States Computer Emergency Awareness Team, a branch of the Department of Homeland Security. By signing up for a free subscription, you will be sent constant news on updates and vulnerabilities from various software and hardware vendors. It can add an extra prompt. For instance, if you use WordPress and WordPress just released an update, it may remind you to check and make sure you have installed the recent WordPress update. Ditto for Adobe, Apple, Microsoft Windows, etc. It can also help keep you informed about any malware that has been discovered slithering its way around the world wide web.
Testing. Not Just for Apathetic High School Students Anymore: Organizations have found a lot of success by sending employees random simulated phishing attacks to discover which of them get a little click-happy. This awareness training can help lower the rates of people who will fall victim to an attack. It may even be worth making these results public, at least internally. Sure, it may seem a little cruel to publicly shame an employee for falling victim to one of these simulated attacks, but they will be far less likely to make the mistake again. Let’s be honest, we are not far from the day when allowing a breach, even accidentally, will be a cause for termination.
Segmentation. Not Great for Society but Great for Data: It’s important to closely manage the use of privileged accounts. No users should be granted access unless absolutely necessary. Meanwhile, configure access controls and permissions appropriately. People should only be allowed access to what they need to accomplish their jobs. By applying the principle of “least privilege” you can help limit the capability of malware running through your system.
Don’t Be a Fool. Stay in School: The best tool for protecting yourself and your organization is education. You should be constantly learning the latest in cybersecurity best practices. This goes for leaders as well as their team members. Being proactive is the best way to avoid a cyber attack. So often we see organizations only consider cybersecurity a priority after they’ve been victimized. By then, it’s too late. Consider taking classes, whether online or in person, that will help you develop the skills needed to spot, avoid, and remedy a cyber attack. At Future Point of View, we are constantly training leaders and their team members in cybersecurity best practices.
Ransomware is scary, and it’s wildly lucrative. Therefore, it’s a problem that’s not going to disappear. Through diligence and education, however, you can help protect yourself and your organization from falling victim and having your critical data held hostage.
About the Author
With a background in both content creation and business technology, Corey White brings a unique perspective to FPOV. As a multimedia journalist, Corey developed media for a wide variety of platforms, finding innovative ways to incorporate technology into his creation process and distribution methods. Also a former eCommerce manager, Corey understands the opportunities and challenges leaders face as they work to onboard new technologies and processes into their organizations. He is focused on helping leaders rise to those challenges and maximize those opportunities.