Ransomware Education 101: How to Protect your Company from Being Held Hostage

For today’s Ransomware Education 101 class, close your eyes and imagine this scene …

You come home after a long day of work to find your house completely sealed, you can’t get in, and your key no longer works. Peering through the window you see everything inside is held hostage, but you’re completely helpless. Suddenly a message pops up on your phone “Pay us $5,000 now to unlock your home.”

This is exactly what happens in ransomware attacks, but instead, it’s your company computers, network, or web servers that are held hostage. Damage can be minor with only a few computers affected or catastrophic as in the recent case at Hollywood Presbyterian Medical Center in Los Angeles, whose internal system was shut down for over three weeks with ransom demands of $3.7 million dollars to provide the key. Between 2013 and 2014, there’s been a 250 percent increase in new crypto ransomware viruses introduced, making it one of the largest, and most expensive security threats today.

Big or small, no company is safe. The Department of Justice estimates 260,000 computers have been attacked by the CryptoLocker virus since its inception in 2013. The ransomware phenomenon started in 1989 and is attributed to Dr. Joseph L. Popp, a Harvard-educated biologist, who was turned down for a position at the World Health Organization (WHO). In retaliation, he wrote the first “cyber-extortion” program targeting WHO-affiliated AIDS research facilities. Mailing out floppy disks containing the virus disguised as AIDS education material, he followed up with an unlocking ransom letter for $189 with instructions to mail payment to a PO box in Panama.

Fast forward 27 years to reveal incredibly sophisticated cybercriminals continually refining their crypto-virus tactics to feed a highly profitable worldwide empire. According to the FBI’s Internet Crime Complaint Center, after only one year the Cryptowall virus alone racked up an estimated $18 million in losses across end users and corporate victims.

The weak link in this flourishing business is humans.

Human error accounts for 95% of all security hacks. cyber-criminals understand and exploit this fact with laser-like precision. Workers are more concerned with productivity than security because to them, it’s the IT department’s job to protect their files regardless of their daily behavior.
Common tactics used to lure employees and infiltrate enterprise networks
Phishing Schemes – Present users with a link or file to download, disguised as something they want or trust, typically delivered via an email message or ad link on a website. The emails are done well, using realistic layouts from trusted senders like national banks, Amazon, Ebay, Microsoft, and the IRS to motivate user action. Once clicked, the malware encrypts all files and locks the system down delivering a ransom note requiring payment to unlock the data.

Security Software Not Updated or Done Incorrectly – Hackers constantly troll for security breaches, just a tiny hole is enough for them to snake their way into your infrastructure or POS system. To make this more confusing, often ransomware viruses are hidden in false anti-virus or Windows update alerts sent to unsuspecting users. Tricked by what looks like a legitimate action, they unwittingly start a nasty chain reaction.

Corrupt USB Devices – Removeable storage devices can spread ransomware like the plague. The virus embeds in the device and infects any machine it touches. This method is especially prevalent with staff working from home or traveling for business requiring them to use various machines across your network. No other action other than inserting the USB in the machine is necessary for the virus to be activated. It’s that easy to have your IT infrastructure break down.

Embedding Ransomware in Useful Applications and Web Sites – The virus is disguised as a benign and helpful tool such as a browser toolbar, third party executable file (EXE), file-sharing site, messaging app, or any number of hard-to-recognize Trojan horses. Once the link or file is activated, the encryption virus does its thing. Victims can also infect their computers simply by visiting a compromised website, no download necessary. Sites that cause the most trouble include those that promote pirated movies/songs, TV and sports games, and pornography.

Don’t underestimate this group of criminals. They are superstar marketers honing their approach using market research, engagement strategies, and even sophisticated A/B split testing to determine which approaches best earn the trust of your employees. Masters of manipulation, they prey on the blind trust and predictable digital habits of the public to earn a living. The average ransom charged ranges from $300 for home computer users to thousands for corporate victims. Roughly 23% of users click through phishing emails and 10% download files, meaning at $300 per incident this nasty group of hackers is pulling in some serious change.

A few weeks ago the St. Louis library system was attacked paralyzing 16 locations across the city and demanding a $35,000 ransom. The victim refused to pay, instead opting to wipe the entire computer system and rebuild from scratch, a solution that may take weeks. When evaluating the cost of alternate solutions often the ransom seems like a small price to pay to quickly return to normal.

Seems crazy that law enforcement can’t track the payment trail and arrest these criminals, right? Logical yes, but the advent of Bitcoin in 2008 opened up a seemingly untraceable payment source available to the global market. Identified by the U.S. Treasury as a “decentralized virtual cryptocurrency” Bitcoins are purchased by the victim and once paid to the cybercriminal can later be converted into hard currency, a pretty fancy legitimate tool for the old-fashioned practice of money laundering.

The big question is, if hit, should you pay? Law enforcement advises victims not to pay ransom because it only encourages repeat criminal activity. That said, there are many examples of public agencies paying the extortion fees simply because the time and cost to start over is catastrophic compared to the fees. In 2015 the Tewksbury police department paid $500 to an anonymous hacker to restore operations after five desperate days trying unsuccessfully to unlock the virus with in-house IT staff. To pay or not is a personal decision based on the speed and accuracy with which an organization can restore critical data back-ups and enact their disaster recovery plan. In the case of the Swedesboro-Woolwich School District in NJ, the attack crippled their entire system and demanded a ransom of 500 Bitcoins or $124,000 dollars. They opted not to pay and spent up to a week restoring their files using IT resources, employee volunteers, and assistance from investigating agencies including the New Jersey State Police, FBI, and Homeland Security. Here at Swift Systems, our clients never pay. We are able to restore their systems using professionally maintained backups.
How can you protect your business from a ransomware attack?
Bad news, there is no cure, only recommendations to shore up your company’s cyber security defense strategy to reduce exposure to risk and to have plans in place in case you are breached. Of utmost importance, have a strong IT team well-versed in ransomware prevention tactics. If you are not 100% confident in your IT resources, contract with a Managed Service Provider with broad cybersecurity experience. For any business owner, the worst time to realize weakness is after you’re received a ransom note. By then, it’s too late.

Take these actions today to protect your company’s data.

1. Keep your operating system up-to-date – Ensure OS updates are current for all users, validate anti-virus licenses are current and set to install real-time updates, implement spam blockers, and verify the strength of your firewall. If possible, attempt to hack into your own system to test security processes. Required scheduled maintenance is preferred making it less likely your company will fall prey to workers that ignore repeat desktop update alerts.
2. Backup critical files on a daily basis – Verify back-ups are stored off-line and are in no way connected to shared network files that can be infected by a cryptovirus.
3. Develop and document a disaster recovery plan for your organization – Backup files won’t help if there is no plan in place to restore operations and knowledge of how long it will take to execute.
4. Implement an employee cybersecurity education initiative – Require employees to participate in education regarding crypto viruses and how they work, acceptable email links and attachments, how to spot imposters, websites to avoid, and how viruses spread by USB device from machine to machine.

Now is the time to evaluate and test current security protocols for infrastructure vulnerabilities. Even if you have an in-house technical staff consider engaging an IT vendor that offers Cyber Security Defense Strategies to deliver experienced resources to guide your company into the unknown future and bring you peace of mind. Reach out to Swift Systems, and see how we can protect you from ransomware attacks.

Let our Specialists take care of your IT Support