A few days ago I was speaking with a friend of mine who operates a Managed Service Provider (MSP). He shared with me a story about a client of his who was recently hit with ransomware. In this conversation he told me about the cost of the event (it was heavy) and the amount of downtime his client experienced (it was multiple days). Later I will share one other startling fact.
So, what is Ransomware?
Similar to malware or a virus, ransomware is malicious software created by blackhat hackers. Unlike viruses and malware that can impact network traffic, install key loggers or Trojans, or potentially delete data, ransomware locks an individual or company out of their own data. Those users are greeted by a message demanding payment for release of the restriction.
1. This is a BIG problem getting Bigger
CNN has reported that the FBI has released estimates that cyber-criminals have collected a record number of ransoms during Q1 of 2016 and the number is only growing larger.
- $209M was collected in the first three months of 2016
- The FBI is projecting over $1 billion in losses by the year end.
The hackers' goal is to get paid. In most cases their interest in your data is directly tied to your ability to pay, so they keep their demand proportional to the perceived budget of the victim.
2. There are 3 main variants of Ransomware
In most cases these are spread via spam or phishing emails, malware already found on the user’s PC, or accidental downloads from malicious websites.
3. It can happen fast!
It can take only 15 minutes from infection to demand. Your data is held hostage before you even know there is a problem. There are 5 fundamental stages of an attack.
- Installation and Infection: The software executes on a computer; in the case of CryptoLocker it uses the Angler Exploit Kit.
- Execution: This is the phase where the software performs a self-installation on the affected computer.
- Cyber-contact: The software contacts the cyber-gang’s control server and two keys are generated with one installed on the victim’s PC, the other retained by the criminals. Any backup capability on the impacted machine is also disabled or deleted during this phase.
- Encryption: At this stage all common user data (documents, jpegs, mp3s, etc.) is encrypted and the user loses access.
- User Notification and Extortion: The user is then alerted to the infection and demand for payment is made by the cyber-gang.
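As an added illustration (not part of the original post), here is a small Python check for the telemetry footprint of stages 3 and 4 above: a process deleting backup artefacts and then modifying many user-data files within the 15-minute window the post mentions. The log format, file names and process names are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample of file-activity events (timestamp|process|action|path); not real telemetry.
SAMPLE_LOG = r"""
2016-03-02T09:00:01|winword.exe|WRITE|C:\Users\amy\Documents\q1-report.docx
2016-03-02T09:00:40|unknown.exe|DELETE|C:\Backups\amy-2016-02-28.bak
2016-03-02T09:01:02|unknown.exe|WRITE|C:\Users\amy\Documents\q1-report.docx.locked
2016-03-02T09:01:03|unknown.exe|WRITE|C:\Users\amy\Documents\budget.xlsx.locked
2016-03-02T09:01:04|unknown.exe|WRITE|C:\Users\amy\Pictures\holiday.jpg.locked
2016-03-02T09:01:05|unknown.exe|WRITE|C:\Users\amy\Music\track01.mp3.locked
2016-03-02T09:01:06|unknown.exe|WRITE|C:\Users\amy\Documents\notes.pdf.locked
2016-03-02T09:30:00|explorer.exe|WRITE|C:\Users\amy\Pictures\new.jpg
"""

USER_DATA_EXT = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".jpeg", ".mp3"}
BACKUP_MARKERS = ("backup", ".bak", "shadow")  # assumed naming hints for backup artefacts

def parse_event(line):
    """Split one log line into (timestamp, process, action, path)."""
    ts, proc, action, path = line.split("|", 3)
    return datetime.fromisoformat(ts), proc, action, path

def touches_user_data(path):
    """True if any suffix of the file name is a common user-data type (catches renamed files)."""
    return any(s.lower() in USER_DATA_EXT for s in PureWindowsPath(path).suffixes)

def detect(log, burst=5, window=timedelta(minutes=15)):
    """Return {process: set(findings)} for processes that (a) delete backup artefacts
    or (b) modify at least `burst` user-data files within `window` (the encryption stage)."""
    writes = defaultdict(list)
    findings = defaultdict(set)
    for line in log.strip().splitlines():
        ts, proc, action, path = parse_event(line)
        if action == "DELETE" and any(m in path.lower() for m in BACKUP_MARKERS):
            findings[proc].add("backup-tampering")
        elif action in ("WRITE", "RENAME") and touches_user_data(path):
            writes[proc].append(ts)
    for proc, stamps in writes.items():
        stamps.sort()
        # Sliding window over this process's writes: flag if `burst` of them fit inside `window`.
        for i in range(len(stamps) - burst + 1):
            if stamps[i + burst - 1] - stamps[i] <= window:
                findings[proc].add("mass-modification")
                break
    return dict(findings)

if __name__ == "__main__":
    for proc, hits in detect(SAMPLE_LOG).items():
        print(proc, sorted(hits))
```

In real deployments the thresholds would be tuned per environment, since legitimate tools (backup agents, archivers) also touch many files quickly.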
4. And it can take a long time to get your data returned, with wide impact
It has been reported that 72% of organizations hit by ransomware found themselves unable to access their data for at least two days after the attack. 32% also reported no access for 5 or more days. Additionally, 47% of the attacks impacted 20+ employees, with 86% of all infections affecting at least 2 employees. These events are rarely isolated to a single victim.
5. Finally, it can be expensive both in absolute dollars, but also your reputation
There are many stories of ransom payments you can find on the web, but let’s look at one story about Hollywood Presbyterian Medical Center (HPMC). The institution was forced to pay $17,000 to free their files and return to operations. The reality is the cost of the ransom often is minimal vs. the loss of revenues. HPMC was losing far more, an estimated $100,000 daily just from the inability to perform CT scans.
Reputation risk is the intangible impact that often cannot be immediately measured when a cyberattack occurs. Customers can lose trust in the company affected and find alternate vendors to meet their needs. In the case of HPMC, an institution holding sensitive personal and medical data, this loss of trust can be financially crippling long term.
Think of your own business: how long could you be without your mission-critical data and intellectual property? I know in my case it would be difficult to serve my customers if my data was held hostage for more than 24 hours. At that point, it would be difficult to support client systems and conduct the day-to-day financial transactions necessary to run my business.
So what can you do?
There are a few best practices you can follow to minimize the risk of being hit by ransomware. Here are a few guidelines in no particular order.
- Back up your data: make sure you have multiple copies of critical data and that one set is outside your primary PC. Cloud services can automate this process for you so you know your backups are current.
- Be careful with email! Don’t click on links within emails or download attachments from senders you do not know.
- Patch your PCs and servers. Hackers love to exploit known issues found on machines that are not up to date with their security and operating system updates.
- Use anti-virus. Sounds like a no-brainer, but talk to 10 friends and I bet you will find 2-3 that are running with no or outdated virus software. Additionally, use an anti-virus that has a real-time scanner and automatic update capabilities.
- For business owners, I suggest implementing a web filter, which will block most viruses, malware and phishing attempts that can lead to ransomware. These can be bought as standalone units, or come embedded in most higher-end firewalls.
So that startling fact that I promised you
The customer of my friend that got hit by CryptoLocker and paid the ransom got HIT AGAIN just a few days later.
You may ask how can this be?
The reality is these cyber-criminals are bullies that prey on the weak and unprotected. They understand that you or your company cannot make the security changes fast enough to protect your network once breached. They will try to attack over and over until you eventually put all the technology in place to protect yourself.
This is the #1 reason why you need to put a solid security plan in place BEFORE trouble finds you! I suggest meeting at least twice annually with your internal IT team or IT vendor to review your security posture and reduce the risk of ransomware. As indicated earlier, it is a problem that is only getting BIGGER!