Ransomware Is No Joke

Cybersecurity Ventures, a research firm tracking the economic and security data surrounding all things cyber, estimates that the cost of ransomware attacks — and the subsequent reaction to these events — surged to more than $8 billion last year and is on track for somewhere north of $11.5 billion in 2019.

Ransomware, a particularly malicious type of software that infects a user’s phone, computer or server to block access to a computer system until the blackmail is paid out, happens about every 14 seconds to someone around the world. While these attacks can happen to literally anyone, most of these scams target small businesses that generally lack a sufficient IT security infrastructure to repel them.

There have been plenty of high-profile ransomware attacks on giant companies, too. Sony Pictures Entertainment several years ago was viciously targeted by hackers who essentially held the company’s most private information — candid emails between agents about A-list Hollywood actors, salary data, etc. — hostage as retribution and leverage against the studio following the release of the minimally controversial comedy film “The Interview.” It was a terribly embarrassing, expensive and informative lesson for Sony. A few years later the infamous WannaCry ransomware outbreak hit on a global scale, affecting the British National Health Service (NHS) particularly hard. WannaCry infected more than 200,000 users in 150 countries, costing the NHS alone more than $120 million.
Last September, the Justice Department charged a North Korean man with masterminding the Sony assault and the WannaCry attack. Park Jin Hyok was part of the hacking team known as “Lazarus” that the Justice Department says is sponsored by the North Korean government.

“The scale and scope of the cybercrimes alleged by the complaint is staggering and offensive to all who respect the rule of law and the cyber norms accepted by responsible nations,” John Demers, an Assistant Attorney General for National Security, said at the time.

Ransomware attacks, whether nation-sponsored or operated by nefarious individuals or groups, can be deadly serious. The city of Atlanta, for example, spent more than $2.6 million last year on emergency IT services after a ransomware attack crippled a variety of city services and databases for several days. Often, the culprits demand payment — to either “unlock” the data that’s being held hostage or as payment for not releasing sensitive IP or customer data — in Bitcoin or other cryptocurrency.

And the attacks aren’t stopping. As of this writing German manufacturer Pilz, one of the world’s largest producers of automation tools, had been hit with a ransomware attack. “Pilz GmbH & Co. KG has been the victim of a targeted cyberattack,” read the company’s website. “Since Sunday, October 13, 2019, all server and PC workstations including the communication network of the automation company have been affected worldwide. The website is currently only partially functional. As a precaution, the company has removed all computer systems from the network and blocked access to the corporate network.” The attack was tied to the BitPaymer ransomware, known for targeting high-value businesses in the hopes of extorting large ransom payments.

But it’s not always that sophisticated

One of the most common scams going these days involves an unsolicited email or text message when clicking on a corrupted link or website that says, essentially, “We’ve recorded a video of you watching pornography, and it’s graphic, and unless you pay us $X via Bitcoin or Western Union, we will send this video of your private activities to everyone in your contact list.” There are variations, but this is the predominant shame-fear tactic of choice.

This is where it gets interesting. Depending on the level of sophistication of the person targeted, these cons can have legs. The fear of having something so personal potentially shared with everyone they know can be a strong motivator. Fortunately, most people these days recognize it’s an empty threat, even if it is a hassle to debug and guard against. But there are definitely some people who pay the blackmail.

For companies, particularly those of the small and midsized variety, having your vital corporate information held hostage — as well as the applications that are mission-critical to day-to-day operations — can be daunting enough to just pay the ransom rather than hoping law enforcement can come to your aid. This was the case for a couple of Florida cities earlier this year. Riviera Beach’s City Council agreed to have its insurance carrier pay 65 Bitcoin (about $592,000 at the time), while Lake City paid a $10,000 deductible. Compare that to Atlanta’s $2.6 million, or Baltimore, which also was hit and whose costs are expected to reach more than $18 million, and it’s not hard to understand why it’s tempting to just pay. But is it the right decision?

No less an authority than Symantec, the parent company of the Norton antivirus security software suite, warns companies of all sizes to not pay the ransom. The reasoning is sound: Paying them off only encourages them to do it again. Additionally, the FBI’s official statement on cybercrime notes that “by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”

Along with an onslaught of progressively more targeted and “legitimate-looking” phishing attacks perpetrated via email and text messages (who hasn’t received a wonky “account issue” text allegedly from their bank or credit card company?), ransomware maestros are upping their game to strike at the heart of companies’ IT infrastructure.

Experts advise companies to restore any impacted files from a reputable data backup provider as the first step to regain access to organizational data. Obviously, regardless of the size of your operation, it is essential to secure and correctly install the appropriate antivirus software and firewalls as well as content filtering software that scans and bounces would-be ransomware entries before any employees have a chance to click on a malicious link. Security software should run posture assessments — evaluations of system security based on the settings of your specific system — checking to make sure you have the latest antivirus updates and code and ensuring all necessary updates are in place, plugging potential security holes. Your VPN or security software vendors will frequently include posture assessments with their offerings.

In addition, make sure your IT team or your service provider is on top of all the latest, continuous security software patches and updates. That’s where most of these hijinks are first identified and stubbed out before they become a serious threat. It’s important, say experts, to have strong policies in place for both the IT staff and end users. Backup, while important, is an after-the-fact solution. Once the system has been compromised, someone else is in control of the data, so a strong security strategy to prevent the exploit in the first place is ideal.

Because end users are such a weak point, education is key, and it’s more than just an awareness issue. Studies have shown that even users who are aware of the potential consequences of their actions may click on links from unknown senders, so it’s essential to reinforce the severe consequences of such actions, as well as what to do if they receive one of those questionable emails. Be sure all users know to avoid providing any type of personal information when responding to these unsolicited emails and texts. And don’t assume that ANY message or email from someone you “know” is actually from that person.

Finally, it’s really all about awareness, anticipation and an acceptance that human beings are going to make mistakes. Foster a culture that makes employees — even the most senior and esteemed — willing to immediately bring these types of threats to the attention of IT experts early and often to avoid the cascading consequences of burying them due to shame or embarrassment.