The Digital Pandemic? Guarding Against Ransomware

With the COVID-19 pandemic heading into the rearview mirror, security prognosticators are warning about a “pandemic” that could last considerably longer. 

“This is a digital pandemic,” said local security expert Morgan Wright, who currently serves as the chief security officer for Sentinel One. “It’s spread beyond borders, it’s global at this point and it’s hurting everybody.”

Ransomware attacks are nothing new. In fact, said Wright, they’ve been around about 15 years. But the phenomenon is on everyone’s radar screen, at least on the East Coast, following the May Colonial Pipeline ransomware attack. In response, the oil refinery halted pipeline operations, creating a minor panic that quickly affected the East Coast gas supply. 

“Colonial Pipeline was a watershed moment,” Wright said. “This was criminal ransomware operating with the implicit approval of Russia that was able to attack and affect the critical infrastructure of the U.S. without crossing our borders. I do a lot of stuff for national and cable news. Some things are just a story here and now, and some things make the news cycle. This is one of the first times ransomware became part of the news cycle.”

But a quick internet search shows that ransomware is much more prevalent than Colonial Pipeline or the SolarWinds supply chain attack of late 2020. Lately, everything from public school systems and universities to the New York City Subway and Martha’s Vineyard Ferry, to unemployment offices, healthcare systems, even your run-of-the-mill small business, has been the victim of a ransomware attack. Ransomware is quickly becoming its own industry, and more of a guaranteed get-rich-quick scheme that’s as simple as reaching out to a site on the dark web. The industry is unfortunately fast-growing, doubling in 2020 following explosive growth in 2018 and 2019. 

“In the last two-and-a-half years it went from kind of a marginal technique to being the number one problem, and it’s costing people billions of dollars,” said John Gilmore, the director of research for Abine, a data privacy company. 

It’s evolved from a simple consumer scam, where hackers convince members of the public to send them money via gift cards to pay fake outstanding fines, or purchase products that don’t exist. Now, ransomware attacks can be highly complex. 

“Unlike in the past, the people that wrote the ransomware code itself and the people doing the scam emails were all the same people. What happened in the last two years is that the industry has become specialized. The people that actually write the code are not the ones who execute the attacks,” he said. “They can license the software to anyone that wants to use it, so you have this proliferation of potential attacks. It’s a real franchise model. Criminal organizations are collecting money but don’t have to attack anyone. It’s a great way to make a quick buck.”

Another thing that has helped its growth is the move to more remote work since the onset of the COVID-19 pandemic, he added, and it’s something to pay close attention to as the traditional workplace evolves.

“The fact that 80% of the public suddenly had to start working from home helped this spread. It was like a gift from heaven to all of these guys. Suddenly everybody was using private or web-based email with none of the protections of typical corporate email. Everyone was using cloud-based storage, sharing their password over Slack, and over chat, texting each other the Zoom password or VPN. That sort of thing suddenly allowed these guys to collect massive amounts of worker credentials. It became 100 times easier overnight,” he said.

The rapid rise of ransomware and the more widespread use of bitcoin are inextricably linked, as the new form of currency helps to further anonymize its user. 

“Ransomware is a problem because right now when ransomware is paid you often don’t know who you’re paying it to,” said John Wood, CEO of Ashburn’s Telos. “If you can’t target or attribute where an attack is coming from it’s very hard to figure out how to solve it.”

There are several ways that ransomware attacks happen, and the chance of each can be lessened if the private or public sector has its guard up. In the case of the SolarWinds attack, hackers got into the system due to a weak password.

“I would make the argument that for a software company, their source code server, which is arguably their most important asset, needs a really strong password,” said Wood. “In the SolarWinds case it was solarwinds123. That’s not a strong password.”

Wood said user access control should be set at the highest level possible to avoid hackers accessing dormant accounts via malware. Multi-factor authentication is also a tool that should be used to guard against attacks.

Unpatched systems are also particularly vulnerable, Wright said, and that was Equifax’s downfall for its 2017 data breach. Zero-day exploits that expose a security vulnerability can also make an organization an easy target for hackers. Traditional phishing, or spear phishing, is the method still favored by many nation states, he added. 

By and large, hackers are looking for “low-hanging fruit” for easy access to disrupt systems and demand a ransom, Wood said. His advice is simple—practice good cyber hygiene by adopting the best cybersecurity practices throughout an organization.

Gilmore said he doesn’t totally buy into the angle of communist countries working through digital pipelines to take down America’s infrastructure. Instead, he believes the greater and more prevalent threat is hackers targeting small businesses. 

“If you look at the data, 70% of all ransomware attacks have been happening to businesses with fewer than a thousand employees. Thirty percent are with less than a hundred employees. The vast bulk of what happens on a day-to-day basis is fairly lowball. The median payout is $70,000, but that’s about double what it was a year ago. All we hear about in the media is big multi-million dollar, very damaging attacks on big corporate entities. The real story is it’s a problem for small and medium businesses and it’s growing very quickly,” Gilmore said.

In addition to demanding a ransom payment that can have more sticker shock for a smaller organization than a larger institution, disrupting a business’s systems could represent a far higher loss in income. 

It’s also a big problem for the public sector, he said. In the spring of 2018, a major ransomware attack on the City of Atlanta disrupted its payment software systems and compromised legal documents and police dashcam videos. Millions of dollars would be expended in the recovery effort. Countless other examples of state and local government systems being targeted have received mostly local media coverage over the years.

“People think of hackers targeting these organizations. That is not at all true. Organizations that are committing financial scams…they’re opportunities. They throw out bots that scan for opportunities. Once they’ve infected a lot of organizations they look through and choose who is going to be the easiest, quickest payment. In most cases they do not want to hit a Colonial Pipeline, or big public organizations. They want it to be low profile,” Gilmore explained. 

The commonwealth’s largest town has not taken the prevalence of this type of news sitting down. Leesburg in recent years has invested heavily in an IT Strategic Plan, with a strong emphasis on robust cybersecurity measures. This investment is particularly remarkable because the county seat’s funding for new staffing positions or new programs in its General Fund has been almost flat. But Leesburg looks to the all too frequent examples of other localities who allowed their cyber defenses to be weak, or out of date.

“One of the major things identified [in the strategic plan] was that we needed to invest in strong cybersecurity defenses, and we have set aside a significant amount of the budget to do that,” said Clark Case, director of the town’s Finance & Administrative Services Department. “A lot of that was building stronger infrastructure. That requires money, that requires updating systems and equipment as well, and investing in some services that make our cyber defenses stronger. There are a couple of staff positions that are designed to help us be better positioned to be better defended and more resilient.”

It has been a costly, but necessary, investment, he added.

“We don’t regard it as an enhancement; we regard it as essential base level spending that’s being driven up by the cyber criminals. We can’t afford not to. If you don’t [invest in cybersecurity] you will be locked down, you will be unable to provide essential services. Our position has been to do a lot of planning and a lot of implementing of cybersecurity infrastructure. That’s been our number one emphasis, but it’s been expensive for the town,” Case said.

Jakub Jedrzejczak came onboard as the town’s director of information technology in the spring of 2019, and immediately placed a strong emphasis on cybersecurity, in concert with the strategic plan. He now runs monthly training for all of the town government’s employees, across all departments. 

“When I got this job two years ago, in the first month the training program was the number one foundational piece,” he said. “I am personally a strong believer that in the IT office, we design everything around people, process and technology. You can’t separate one and forget about one. You have to have people following the process using the right technology. That is really the foundation for cybersecurity.”

Healthcare organizations are also a particularly vulnerable target, Gilmore said.

“By exploiting medical records, that’s pretty much the best data for robocall scammers. They can sell medical data or they can use it themselves to do other sorts of mass attacks,” he said.

Both of Loudoun’s major hospital systems, Inova Health System and HCA’s StoneSprings Hospital, largely declined to comment for this story. A statement provided by StoneSprings noted its investment and focus on the best security practices.

“StoneSprings Hospital Center has a number of robust security strategies, systems and protocols in place to help protect data. As you might imagine, not publicly discussing the details of our security measures is part of our overall protection strategy. Additionally, we follow federal, state and local requirements on reporting and notification,” the statement read.

Wright said Loudoun’s reputation as the global epicenter of Internet traffic makes the county a prime target for ransomware attacks. Hackers would love to take down a data center, he said, but acknowledged they tend to be armed with the highest and best cybersecurity systems and practices. While they may not have the budgets of a data center provider, both public and private sector organizations need to invest heavily to defend themselves against ransomware, he said. For those organizations that deal with public infrastructure, the investment needs to be the greatest.

“Companies need to spend proportionate to the threat they are facing,” he said. “You pay someone in proportion to the job they do. You need to spend the same way according to the threat.”

There needs to be greater collaboration among law enforcement, the intelligence community, the military, and the commercial world in combating ransomware attacks, Wood said.

“I’m seeing industries beginning to band together, even though they may compete at a high level. If they know this activity is occurring in [an] energy business, they’ve got to make sure all other energy businesses know this activity is happening. If they get hacked it’s bad for the entire industry,” he said. “It is causing alliances that in the past have not been quite there. I think these alliances are here to stay for some period of time.”

The phenomenon is so widespread, Wright acknowledged, that taking out one cyber criminal organization will do little to topple the threat. The best offense is a great defense, security experts all agree. 

“Ransomware is like cartels or criminal organizations. You might take out one, but it’s like whack-a-mole. There’s 10 more to take their place,” he said. “We cannot arrest our way out of ransomware.”

Top 10 Ways to Avoid a Ransomware Attack

Having your business or organization fall victim to a ransomware attack can be a costly endeavor. According to Veritas’ 2020 Ransomware Resiliency Report, 66% of IT professionals and executives surveyed said it would take their companies five days or more to fully recover from a ransomware attack.

Time is money, and that doesn’t even begin to take into consideration whether you consider forking over a hefty ransom payment to hackers.

The Forbes Technology Council recently put together a list of the top 10 things you can do to guard your business against these types of attacks.

  1. Keep your systems patched and updated.
  2. Practice zero trust.
  3. Take a cybersecurity class.
  4. Ensure your antivirus software is up to date.
  5. Disable remote desktop protocol (RDP) on your computer.
  6. Leverage endpoint protection.
  7. Employ SASE technology.
  8. Be wary of emailed links and attachments.
  9. Don’t use public WiFi.
  10. Perform daily backups.
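Four of the items on that list (patching, antivirus currency, RDP disabled, recent backups) can be verified on a Windows machine rather than taken on faith. The script below is an added example written for this article, not code from Forbes or from any organization quoted here. It is a read-only audit that assumes a Windows 10/11 or Windows Server host with Microsoft Defender, an elevated PowerShell session, and a backup folder at `D:\Backups`; the 30-day, 7-day and 24-hour thresholds are assumptions chosen for illustration.

```powershell
# Added example: read-only audit of four checklist items on a Windows host.
# Assumptions: Windows with Microsoft Defender, elevated PowerShell session,
# backups written to D:\Backups. Thresholds below are illustrative, not from the article.

$findings = @()

# "Keep your systems patched and updated": date of the most recent installed hotfix.
$lastPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings += "Patching: no update installed in the last 30 days (last: $($lastPatch.InstalledOn))"
}

# "Ensure your antivirus software is up to date": Defender signature age and real-time protection.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) {
    $findings += "Antivirus: Defender real-time protection is off"
}
if ($mp.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-7)) {
    $findings += "Antivirus: signatures last updated $($mp.AntivirusSignatureLastUpdated)"
}

# "Disable RDP": fDenyTSConnections = 1 means Remote Desktop is disabled.
# Also flag enabled inbound firewall rules in the built-in 'Remote Desktop' group.
$rdp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($rdp.fDenyTSConnections -ne 1) {
    $findings += "RDP: Remote Desktop connections are enabled (fDenyTSConnections = $($rdp.fDenyTSConnections))"
}
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' }
if ($rdpRules) {
    $findings += "RDP: $(@($rdpRules).Count) firewall rule(s) in the 'Remote Desktop' group are enabled"
}

# "Perform daily backups": newest file in the backup folder must be under 24 hours old.
$backupDir = 'D:\Backups'   # assumed location
$latest = Get-ChildItem -Path $backupDir -File -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1
if (-not $latest -or $latest.LastWriteTime -lt (Get-Date).AddDays(-1)) {
    $findings += "Backups: no file in $backupDir newer than 24 hours"
}

# Report. Exit code 1 lets a scheduled task or monitoring agent pick up failures.
if ($findings.Count -eq 0) {
    Write-Output 'All audited checklist items pass'
    exit 0
} else {
    $findings | ForEach-Object { Write-Output "FAIL  $_" }
    exit 1
}
```

Run it as a scheduled task and alert on a non-zero exit code; the backup check in particular is worth pointing at the location your backup software actually writes to, and at copies kept offline or immutable, since ransomware that reaches a mounted backup share encrypts it along with everything else.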
