While media attention has focused on terrorist incidents and the presidential primaries, a growing number of business emergencies caused by ransomware are sweeping the globe. The risk of this situation escalating into a significant public- or private-sector crisis is growing. Immediate attention is necessary.
According to a KrebsonSecurity.com post this week, the Henderson, Ky.-based Methodist Hospital was “operating in an ‘internal state of emergency’ after a ransomware attack rattled around inside its networks, encrypting files on computer systems and holding the data on them hostage unless and until the hospital pays up.”
In addition, last month, Hollywood Presbyterian Hospital was held hostage by hackers who initially wanted 9,000 bitcoin, but ended up settling for much less to decrypt their critical data.
While these two hospital security incidents received media attention, the much wider ransomware problem has received minimal attention, with the exception of a few technology and business magazines. Governments, businesses and even personal PC owners need to understand these recent events and take appropriate actions.
How significant is this issue? According to a Forbes.com article last month, Locky, a new form of ransomware, is infecting at least 90,000 PCs a day. This article points out that the FBI is investigating many more ransomware cases.
“During a nine-month period in 2014, the FBI received 1,838 complaints about ransomware, and the agency estimates victims lost more than $23.7 million, The Washington Post reported Monday. In 2015, the FBI received 2,453 complaints, and victims lost $24.1 million.”
The ransomware metrics are surging in 2016. I have spoken with dozens of business leaders who have come face-to-face with ransomware in the past few months, and the overall growth is simply staggering. Furthermore, there is a silent group of people who never report ransomware to the authorities. Fearing reputation loss or not wanting to take the time, they just pay the ransom for “convenience.” Most get their data back — but some do not. This tech article recommends that you never pay.
Once a system is infected, bad things can happen. Here is a true story from 2014 about one user who was infected with a nasty type of ransomware called Cryptolocker. Note that the most important key to surviving a ransomware attack is having good backups of data. Here is an excerpt as to why this story has a happy ending: “Because of this backup system, we were able to pinpoint a time before the Cryptolocker infection and restore our systems from that point. ...”
For more actions to help mitigate ransomware risks, see the list at the end of this blog.
Ransomware is a type of malware that prevents or limits users' access to their system. This type of malware forces its victims to pay the ransom through certain online payment methods in order to regain access to their systems, or to get their data back.
The first cases of ransomware infection were seen in Russia between 2005 and 2006, but global growth has been significant in the past few years. I initially wrote this Public CIO magazine article on ransomware in 2013, when I described this new menace as a “scary evolution of online fraud.”
For the bad guys, ransomware is seen as a way to cut out the middle man in monetizing their hacking exploits, since there is no stealing and selling of sensitive data. Note that most data breach metrics don’t apply to ransomware, since the hackers are not actually stealing your data. They are just encrypting it.
Just in case you think you are immune to ransomware because you own an Apple Mac, think again. Ransomware that affects Macs was recently found; however, the Mac operating system (OS) was quickly patched before many people were impacted. Still, new forms of ransomware are likely that will impact all types of PCs.
It is also clear that new forms of ransomware are becoming more sophisticated, because they also try to find and encrypt your backup data. As described here, Locky ransomware encrypts local files and attempts to encrypt unmapped network shares. Note: The same article describes how Locky can be installed via fake invoices.
This PBS News Hour video describes ransomware taking down an L.A. hospital for hours.
Ransomware: What Actions Are Needed Now?
Here’s what you should do now to help protect yourself.
First and foremost — BACK UP YOUR DATA! For home PC users, cloud storage is better than no backup, but be aware that backups connected to the PC may also be at risk. For example, I back up my home PC data files to an offline storage device.
For public- and private-sector enterprises, take some time to determine the best backup architecture. In Michigan, we used a mixture of backup tapes, cloud computing and other forms of backup storage when I was CSO and CTO from 2009 to 2014. No, this message is not new, but too many organizations do not have adequate backup solutions that protect them from ransomware.
I fully expect smarter next generations of ransomware to find and encrypt cloud backups — but that is another article (and argument) for another day. (For those who doubt this, see this Brian Krebs article on cloud data and ransomware. Still, cloud backups are better than no backups.)
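The Cryptolocker story above turned on one step: finding a backup taken before the infection. The following script, added here as an illustration and not code from the original post or from any backup product, shows one way to automate that choice. It treats a set of dated backup snapshots (constructed in-memory; a real tool would read a tape catalog or cloud bucket listing) and picks the newest one in which plain-text documents still look like plain text. Ciphertext is spotted by byte entropy, since encrypted output approaches 8 bits per byte while text sits around 4 to 5; the 7.0 threshold and the file-type list are assumptions for the example.

```python
"""
Added example: choose the newest backup snapshot that shows no sign of
ransomware encryption, so a restore lands on a point before the infection.
All snapshot data below is constructed for the example.
"""
import math
from datetime import date
from typing import Dict, List, Optional

# Bits of entropy per byte above which a document is treated as encrypted.
# Plain text is roughly 4-5 bits/byte; ciphertext approaches 8. (Assumed threshold.)
ENCRYPTED_THRESHOLD = 7.0
MIN_SIZE = 64  # below this, an entropy estimate is too noisy to act on

# Plain-text document types that should never be high-entropy in a healthy backup.
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".xml", ".json"}  # assumed list


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte-frequency distribution (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((data.count(b) / n) * math.log2(data.count(b) / n) for b in set(data))


def looks_encrypted(data: bytes) -> bool:
    """True when the content is large enough to judge and has ciphertext-like entropy."""
    return len(data) >= MIN_SIZE and shannon_entropy(data) >= ENCRYPTED_THRESHOLD


def suspicious_files(snapshot: Dict[str, bytes]) -> List[str]:
    """Paths in one snapshot whose text documents look like ransomware output."""
    hits = []
    for path, content in snapshot.items():
        ext = path[path.rfind("."):].lower() if "." in path else ""
        if ext in TEXT_EXTENSIONS and looks_encrypted(content):
            hits.append(path)
    return sorted(hits)


def latest_clean_snapshot(snapshots: Dict[date, Dict[str, bytes]]) -> Optional[date]:
    """Newest snapshot date with no suspicious files, or None if every snapshot is tainted."""
    for day in sorted(snapshots, reverse=True):
        if not suspicious_files(snapshots[day]):
            return day
    return None


# Constructed sample data: two ordinary text files across three daily snapshots.
INVOICE = b"Invoice 1042\nAmount due: 1,250.00\nTerms: net 30\n" * 4
NOTES = b"Meeting notes: review backup architecture, test restores quarterly.\n" * 3
# Stand-in for ciphertext: every byte value appears equally often, so 8 bits/byte.
CIPHERTEXT = bytes(range(256)) * 2

SNAPSHOTS = {
    date(2016, 3, 20): {"finance/invoice.txt": INVOICE, "ops/notes.txt": NOTES},
    date(2016, 3, 21): {"finance/invoice.txt": INVOICE,
                        "ops/notes.txt": NOTES + b"Added disaster-recovery test.\n"},
    # Day of infection: both documents were overwritten with ciphertext.
    date(2016, 3, 22): {"finance/invoice.txt": CIPHERTEXT, "ops/notes.txt": CIPHERTEXT},
}

if __name__ == "__main__":
    for day in sorted(SNAPSHOTS):
        print(day, "suspicious:", suspicious_files(SNAPSHOTS[day]))
    print("restore from:", latest_clean_snapshot(SNAPSHOTS))
```

Run as-is, the script reports the 22 March snapshot as tainted and recommends restoring from 21 March. Checking content rather than file names matters because some ransomware keeps the original extension; and the check only works if the snapshot being inspected was itself out of the malware's reach, which is the case for offline media.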
Second, get trained on what to watch out for regarding phishing. Also, train your employees on tricks that the bad guys use to tempt us into becoming a victim. I have written extensively on this, so I will just point you to a few of these articles on the importance of end user awareness training. Here’s what you can do about phishing. And here are ten recommendations for end user awareness programs.
Third, if you are a systems administrator, consider these CSO magazine online tips. Also, there are admin features that you may want to disable; specifically, review this advice on disabling vssadmin.exe.
Consider this quote: “Since Windows Vista, Microsoft has been bundling a utility called 'vssadmin.exe' in Windows that allows an administrator to manage the Shadow Volume Copies that are on the computer. Unfortunately, with the rise of Crypto Ransomware, this tool has become more of a problem than a benefit and everyone should disable it.”
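Disabling vssadmin.exe is one answer; the other half is noticing when something does try to wipe the Shadow Volume Copies, because that is the step ransomware takes to make a local rollback impossible. The script below is an added example, not part of the original post or any product, and goes a little beyond the quote: it scans process-creation records (constructed here in the shape of a Sysmon or Windows 4688 export) for the two vssadmin verbs that destroy or starve shadow copies, Delete Shadows and Resize ShadowStorage, and raises an alert unless the parent process is an approved backup agent. The allowlist and all record values are assumptions for the example.

```python
"""
Added example: flag shadow-copy deletion attempts in process-creation logs.
The events below are constructed; the allowlist is an assumption.
"""
import re
from typing import Dict, List, Optional

# Match the vssadmin binary whether invoked by full path or bare name.
VSSADMIN = re.compile(r"\bvssadmin(?:\.exe)?\b", re.IGNORECASE)
# The two verbs that remove shadow copies outright or shrink their storage until they are purged.
DESTRUCTIVE = re.compile(r"\b(delete\s+shadows|resize\s+shadowstorage)\b", re.IGNORECASE)

# Parent processes permitted to manage shadow copies (assumed allowlist for this example).
ALLOWED_BACKUP_PARENTS = {r"c:\program files\backupagent\agent.exe"}

# Constructed process-creation records, not real logs.
SAMPLE_EVENTS = [
    {"host": "WS-17", "user": r"CORP\jdoe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r"C:\Windows\System32\vssadmin.exe List Shadows"},
    {"host": "WS-17", "user": r"CORP\jdoe",
     "parent": r"C:\Users\jdoe\AppData\Local\Temp\invoice_0342.exe",  # constructed malware name
     "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "SRV-BK1", "user": r"CORP\backupsvc", "parent": r"C:\Program Files\BackupAgent\agent.exe",
     "cmd": "vssadmin.exe Delete Shadows /For=D: /Oldest"},
    {"host": "WS-22", "user": r"CORP\asmith", "parent": r"C:\Windows\explorer.exe",
     "cmd": "cmd.exe /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
]


def classify(event: Dict[str, str]) -> Optional[str]:
    """Name the destructive vssadmin action in one event, or None if it is benign."""
    cmd = event["cmd"]
    if not VSSADMIN.search(cmd):
        return None
    match = DESTRUCTIVE.search(cmd)
    if not match:
        return None  # e.g. "List Shadows" is read-only
    verb = re.sub(r"\s+", " ", match.group(1).lower())
    return "shadow_copy_deletion" if verb == "delete shadows" else "shadow_storage_shrink"


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Alerts for destructive shadow-copy commands not launched by an approved backup agent."""
    alerts = []
    for event in events:
        kind = classify(event)
        if kind is None:
            continue
        if event["parent"].lower() in ALLOWED_BACKUP_PARENTS:
            continue  # scheduled backup housekeeping, expected on this host
        alerts.append({"host": event["host"], "user": event["user"],
                       "parent": event["parent"], "kind": kind})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"ALERT {alert['kind']} on {alert['host']} by {alert['user']} via {alert['parent']}")
```

Run on the sample, it raises two alerts: the deletion spawned from a file in a user's Temp folder on WS-17 (the pattern a fake-invoice installer would produce) and the storage shrink on WS-22, while the backup agent's routine pruning on SRV-BK1 and the read-only listing are left alone. Because vssadmin was removed or renamed on hosts that follow the advice above, any hit at all on those hosts is worth a call.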
After I initially published this blog, a few industry colleagues pointed out that we all need reminders to take the basic steps to avoid getting infected in the first place. These preventive measures include: up-to-date antivirus software, limited admin privileges, a current operating system (OS), segmented privileged accounts, etc.
This blog from MPA Networks offers more tips on stopping ransomware before it even starts.
Where is ransomware heading? Will the extortion costs rise? Will the impacts of not paying become more severe?
Answer: Almost certainly yes. Over the next two years, I expect to see some high-profile ransomware that affects a major government operation or global company. In this BBC article, Brian Krebs said,
"It's a fair bet that as ransomware attacks and attackers mature, these schemes will slowly become more targeted.
"I also worry that these more deliberate attackers will take a bit more time to discern how much the data they've encrypted is really worth, and precisely how much the victim might be willing to pay to get it back."
If you want to learn more on the Locky ransomware, I recommend this FAQ on how MSPs can act now.
In summary, I urge you to take the simple precautionary step of backing up your data to protect yourself against ransomware. Backups can also help in the event of a computer hardware failure, data corruption or during other operational incidents.
A final thought: You will sleep better knowing you have good system backups, even if you never encounter ransomware.