The threat: Ransomware causing companies big bucks

Submitted photo

Cybersecurity expert J.J. Thompson has been proofing computer systems against malicious attacks for decades. But he didn’t realize how far the ransomware threat had permeated Indiana until a couple of years ago, when he ate lunch in a tiny diner near Tipton.

“I was listening to farmers talk about ransomware,” he recalled. “You know something is a global problem when farmers in Tipton are sitting in a diner, eating tenderloins and talking about their fear of getting ransomware on their tractors.”

Ransomware is a specialized form of malware that often infects computers (including those on tractors) via email attachments. Click on the attachment, and software instantly encrypts the system’s data, making it impossible to access until the victim pays a ransom that can range from a few hundred dollars to north of a million.

If the victims pay, they typically receive a set of encryption keys allowing them to unlock their information.

“We’ll see continuing ransomware-like attacks, and they’re going to be made nastier and nastier,” said Thompson, founder of Indianapolis-based Rook Security and now senior director of managed threat response for Sophos, a United Kingdom-based security company that purchased Rook in 2017.

Incidents increasing

No one’s quite sure how often such incidents happen in Indiana, but all experts agree that the number of infiltrations and attempted infiltrations is rising.

In the winter of 2016, a Madison County attack locked up most of the county’s systems, forcing the police to revert to writing paper tickets until the city paid a ransom of $21,000. And this year, LaPorte County forked over $130,000 (about 10.5 bitcoin, the preferred medium for ransom payments) when its systems were infected.

According to Doug Rapp, president of the Cyber Leadership Alliance (a Hoosier not-for-profit that brings together state experts to, among a great many other things, promote cybersecurity), Indiana attacks are becoming not only more frequent, but more precisely targeted.

“We’re seeing a rise in two particular areas — government and health care,” Rapp said.

He said criminals know if they are able to lock up information protected under the Health Insurance Portability and Accountability Act of 1996 — known best as HIPAA — health providers are more likely to pay the ransom. That’s because they can face fines if the information is spilled onto the internet.

“And schools have a lot of personal information, particularly about minors, so that’s a lucrative target,” Rapp said.

Attackers who use ransomware range from lone wolves to well-organized international crime syndicates to rogue nations, he said.

“We used to joke about a certain country,” Rapp said. “When their government cybersecurity employees got off work, you could see an immediate rise in criminal enterprises. I won’t mention Russia’s name on that.”

In a bind

While major corporations and large government agencies have taken detailed, elaborate steps to guard against the problem, smaller municipalities, companies and organizations are in something of a bind. Protecting such small groups against ransomware (or at least improving their chances of recovering from an attack) can be time-consuming and costly.

That might explain why so many attacks are now targeted at just such second- and third-tier targets. They can’t pay as much, but they’re also far, far more likely to have exploitable vulnerabilities such as primitive, ad hoc computer systems, tiny IT staffs, and a tendency not to install software patches promptly.

“There are criminal enterprises out there that are just trolling for vulnerabilities, and they don’t care if you’re a bank or a liquor store,” Rapp said. “They’re just looking for an unsecured internet connection. There’s no set of businesses that are untouched.”

Many malware-infected institutions choose to pay ransoms, given that catching the people responsible, or even identifying them, is often next to impossible. Small businesses sometimes don’t even know to whom to report such incidents. And no one’s quite sure how many attacks happen in Indiana, because many victims are reluctant to acknowledge them.

“Nobody wants to highlight where these things have happened,” Rapp said.

“People in general, across the board, don’t like to talk about breaches. It’s always been a problem when you try to collect information. People don’t like to share their vulnerabilities.”

But not everybody who has experienced a ransomware attack keeps quiet. That certainly wasn’t the case for Hancock Regional Hospital, a 100-bed Greenfield facility that had all its files locked up by hackers in January 2018.

Instead of lying low, Steve Long, president and CEO of Hancock Health, started blogging about it almost immediately.

“We made the decision early on to be very transparent because we felt our community deserved to know what happened,” Long said.

Since then, the hospital system has shared details of the incident during an appearance on “60 Minutes” and at some 30 meetings around the country.

“Everybody is concerned about reputational risk,” Long said. “That’s why they don’t say anything. But I can tell you that, in our local community, we have had overwhelmingly positive feedback about our transparency.”

Prevention is difficult

The lesson Long shares with other CEOs is that, while preparation for an attack can blunt its consequences, it often can’t prevent it. After all, his hospital system wasn’t exactly wide open. It had run phishing tests on emails to make sure workers didn’t open dicey-looking files, hired a company to test the network for penetration threats, and used another firm to watch at all times for intrusions.

“We were pretty average- to above-average prepared,” Long said. “We had everything in place that you would expect.”

All to no avail. The hackers uploaded the ransomware using credentials issued to a vendor, which were purchased on the dark web. The hospital’s antivirus system caught that first attack, but the invaders persisted.

“They changed the signature of the virus and it went right past our protection,” Long said. “Unfortunately, the company we were paying to monitor our network all the time didn’t catch it.”

The hospital’s computer system was completely frozen, and its staff thrown back into the Stone Age. Or at least, the 1950s.

“We had zero computers running, aside from patient-facing equipment like IV pumps and things like that,” Long said. “Everything else was shut off.”

Since there was no way to rapidly restore their systems without the encryption keys they were offered if they agreed to the ransom, the hospital opted to pay about $55,000 in Bitcoin to obtain them.

There’s little hope the perpetrators will ever face justice, even though the FBI was able to identify them.

“They were a couple of guys from Iran,” Long said. “The FBI has extradition warrants against them, so if they ever leave Iran and go to a country with an extradition agreement with the U.S., they will be captured and brought here.”

The hospital system now has even more stringent precautions in place.

Fred Cate, senior fellow at Indiana University’s Center for Applied Cybersecurity Research, said such threats are as pervasive in cyberspace as airborne bacteria is in the real world.

“If you buy a new computer, take it out of the box and plug it in, from the moment you access the internet, it will get its first malware attack in about seven seconds,” Cate said.

However, he (along with other experts) said smaller organizations can take some fairly straightforward steps to ward off an attack or, at the very least, mitigate its effects. For instance, apply software patches immediately, train employees not to open suspicious email attachments and remember that not everything in your system has to be connected. If, for instance, payroll is kept on an isolated system, it won’t go down if the main system is successfully attacked.

“We’ve gotten this notion that my refrigerator has to be able to turn on my lights and talk to my car,” Cate said.

“That means a vulnerability in one of those is now shared with all of them.”

Backing up files

The best precaution is to regularly back up critical files and store them offline. That way, if your data is encrypted by ransomware, in theory all you have to do is reboot and download the stored information.

Ideally, everything should be backed up nightly, with the file physically stored in a vault. But that could be an onerous and expensive chore for small companies and government entities.

“For most school districts and utilities, that’s not the level at which they’re operating,” Cate said.”“They might have one IT employee, not an army of people.”

The answer, he said, is to still do backups, but less frequently. That’s far, far better than nothing.

“If you can’t afford Grade A backups, have Grade B backups,” Cate said. “At my house, I back up twice a month. So if you compromise my data, the most I risk losing is two weeks. Don”t let the perfect be the enemy of the good.”

[sc:pullout-title pullout-title=”Ransomware tips” ][sc:pullout-text-begin]

While cybersecurity experts say it’s

extremely difficult to avoid ransomware

incursions, some fairly basic steps can

mitigate their effects.

Back up files. If vital files are regularly

backed up, recovering from a

ransomware attack can be as simple as

rebooting the system and reloading the

data. Just make sure the backups aren’t

linked into your system, lest they also

get encrypted during an attack.

Educate employees about email

attachments. The bulk of ransomware is

delivered via email attachments. Though

some are fairly clever, others are obviously

non-work-related items that can be

easily spotted with a bit of training. For

example, never open anything offering

tips on how to improve your love life or

nude pics of a celebrity.

Keep software up to date. Apply any

software patches immediately. The

cybersecurity industry is rife with

stories about companies that could have

avoided expensive ransomware attacks

entirely if they’d installed patches in a

timely manner.

Don’t link everything. Remember that,

if everything in your system talks to

everything else, a breach anywhere is a

breach everywhere.

Be stingy about who gets administrator

privileges. Possessing an admin’s access

makes downloading ransomware easy.

Restrict the number of employees

who can do this, and definitely restrict

outside vendors.

Beef up passwords. Make sure

employees have strong passwords, and

that they’re regularly changed.

If you decide to pay ransom, be

advised that it might not work. Just

because ransomware hackers say they’ll

give you access to your data if you pay

doesn’t mean they will. After all, if they

were honest, they wouldn’t do what

they’re doing.

Source: IBJ research

[sc:pullout-text-end][sc:pullout-title pullout-title=”Pull Quote” ][sc:pullout-text-begin]

"If you buy a new computer, take it out of the box and plug it in, from the moment you access the internet, it will get its first malware attack in about seven seconds."

— Fred Cate, senior fellow at Indiana University’s Center for Applied Cybersecurity Research

[sc:pullout-text-end]