Ransomware cyberattacks put businesses nationwide at risk in 2017

There’s a new way people are being held for ransom; how can you help reduce your risk?

by Steve Hurst, Director of Security Services & Strategy, AT&T

In the past, ransom often meant someone was kidnapped by criminals, blindfolded, and held hostage in a dark room.

Families, employers or other acquaintances would get a ransom notice. If they wanted to see the victim again, a ransom would need to be paid. If they took too long to respond, the dollar amount might go up.

It was all about the money.

Today, the world has evolved. The concept of ransom has evolved with it – though it’s still all about the money.

Someone can still be physically captured and held for ransom, but given the amount of valuable information being stored electronically, it’s now easier and less risky for the “bad guys” to do things digitally. They can simply load code onto a computer or phone and prevent you from accessing your data.

Once cybercriminals get control of your information, they’ll demand payment if you ever want to see your data again. This is now known as a ransomware cyberattack.

A key question now arises often: do you pay or not?

Recent studies and statistics

In the past year, nearly half of all U.S. businesses have experienced a ransomware attack, according to a report published in November by SentinelOne.

Kaspersky researchers say that 67 percent of companies affected by ransomware lost part or all of their data. Additionally, 25 percent of victims spent several weeks trying to restore access.

During the National Association of Counties (NACo) Legislative conference in February, a straw poll was conducted as part of the CIO forum.

Nearly 50 percent of the attending counties had been impacted directly by a ransomware attack. Counties of all sizes nationwide had their systems and data held for ransom.

These cyberattacks have led to lost criminal evidence and to 911 call logs going unmaintained, and have forced county operations to revert to paper and ink for over a week.

Ransoms have ranged from a few hundred dollars to tens of thousands of dollars, if not more. Because the ransomware currency of choice is Bitcoin (BTC), it’s often untraceable.

Reducing the ransomware risk

Now, what’s an organization to do?

Unlike personal security, you can’t just hire intimidating security guards to protect your network and data. But there are things you can do to reduce the probability of an attack. Additionally, if you’ve been impacted, there are steps you can take to expedite the recovery process.

Paying the ransom is not recommended, as it promotes the ransomware industry. If you pay, your organization could be targeted for future attacks, and there’s no guarantee your data will be restored.

If devices or servers aren’t cleaned, you never know if the offending code was removed, repurposed, or is hibernating and waiting to strike.

Ransomware typically enters a network through a single user’s computer or phone. This often occurs when a targeted user simply clicks on a link. In fewer cases, it occurs when a user goes to a website that has been taken over by an attacker.

Once the ransomware code has been downloaded to a device, it will “phone home,” sending a message back to the attacker’s control server (the software that directs it). Once that message is sent, you’ve lost control – the code will either wait or start to encrypt your files.

In some cases, the code includes a “worm,” code that goes out looking for more computers to infect, including servers of all types.

Once a company or county has been infected, immediate steps should be taken.

First, if a user suspects they have done something that triggered an infection, they should unplug the network connection or disable the Wi-Fi and notify the IT department as soon as possible.

Once a device is infected, IT staff should look for signs of the ransomware spreading. Next, they should reimage or wipe the computer, reinstall the original software, and restore the data from a backup.

Don’t have a backup?

Don’t despair – there’s software available that can sometimes help restore encrypted data. To help reduce the risk of a potentially catastrophic attack, though, it’s critical to have multiple backups of your data.

If you don’t have two backups in addition to the version on your computer or device, you may be putting your data at risk. Of these two backups, one should be attached or on the network, and one should be kept offline.

The offline version (not attached to the network) should be a revolving copy of the primary backup with multiple versions or dates, allowing you to restore your data to a point in time when your computer was clean of ransomware.
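One way to produce the revolving offline copy described above, as an added example that is not part of the original article: each run writes a new dated archive to a removable drive and prunes the oldest, so a restore can go back to a date before the infection. The source folder, destination drive and retention count are assumed values.

```powershell
# Added example (not from the article): rotating, dated backups with retention.
# Assumptions: $Source, $Destination and $Keep are illustrative values to adjust.
param(
    [string]$Source      = 'C:\Data',      # folder to protect (assumed)
    [string]$Destination = 'E:\Backups',   # removable drive taken offline afterwards (assumed)
    [int]$Keep           = 14              # number of dated versions to retain
)

# Each run creates its own timestamped archive rather than overwriting the last one,
# so a copy of already-encrypted files written today does not destroy yesterday's clean version.
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$archive = Join-Path $Destination "data-$stamp.zip"

if (-not (Test-Path $Destination)) {
    New-Item -ItemType Directory -Path $Destination | Out-Null
}
Compress-Archive -Path (Join-Path $Source '*') -DestinationPath $archive -CompressionLevel Optimal

# Verify the archive opens and is not empty before trusting it as a restore point.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip   = [System.IO.Compression.ZipFile]::OpenRead($archive)
$count = $zip.Entries.Count
$zip.Dispose()
if ($count -eq 0) { throw "Backup $archive contains no files" }
Write-Host "Wrote $archive with $count entries"

# Prune: keep only the newest $Keep dated copies (multiple versions, as recommended above).
Get-ChildItem -Path $Destination -Filter 'data-*.zip' |
    Sort-Object LastWriteTime -Descending |
    Select-Object -Skip $Keep |
    Remove-Item -Force

# List what remains so the retained restore points are visible at a glance.
Get-ChildItem -Path $Destination -Filter 'data-*.zip' |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, LastWriteTime, @{ n = 'MB'; e = { [math]::Round($_.Length / 1MB, 1) } }
```

Disconnect the drive once the script finishes; the copy only counts as offline while it is unplugged.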

Additionally, it’s recommended to disable the automatic running of macros in your browser (autorun), including the Windows Script Host (which runs VBS scripts). This simple step makes it harder for an attacker to automatically run scripts, or code, through your browser without permission.

The next item – which could easily be first or second in priority – is to keep all software and plugins up to date and all devices running current security software. This means patch early and patch often. If possible, use auto-patch features.

Users should also enable the “show hidden file extensions” function in Windows Explorer, so they know exactly what software will run – not what the attackers want them to think will run.
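The script-blocking and file-extension settings from the two recommendations above, applied and then read back for verification, as an added example that is not part of the original article. It assumes an elevated prompt and Office version key 16.0 (Office 2016/365); the macro policy values are standard Office policy registry names.

```powershell
# Added example (not from the article): apply the recommended Windows settings and verify them.
# Assumes an elevated PowerShell prompt; the Office version key '16.0' is an assumption.

function Set-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

# 1. Disable Windows Script Host machine-wide so a double-clicked .vbs or .js file cannot run.
Set-RegistryDword 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled' 0

# 2. Block Office macros in files that came from the internet, and require all other macros
#    to be explicitly enabled (VBAWarnings 2 = disable with notification, 4 = disable all).
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    Set-RegistryDword $key 'blockcontentexecutionfromInternet' 1
    Set-RegistryDword $key 'VBAWarnings' 2
}

# 3. Show file extensions in Explorer so a double extension such as "report.pdf.exe"
#    is displayed in full instead of as "report.pdf". Takes effect after Explorer restarts.
Set-RegistryDword 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'HideFileExt' 0

# Read each setting back and report it, so the change can be verified now or audited later.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'; Name = 'Enabled'; Want = 0 },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'; Name = 'blockcontentexecutionfromInternet'; Want = 1 },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'; Name = 'VBAWarnings'; Want = 2 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt'; Want = 0 }
)
foreach ($c in $checks) {
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $state  = if ($actual -eq $c.Want) { 'OK' } else { 'NOT SET' }
    Write-Host ('{0,-8} {1}\{2} = {3}' -f $state, $c.Path, $c.Name, $actual)
}
```

The read-back loop can be run on its own (without the Set calls) to audit a machine that was supposed to be configured this way.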

Cyber hygiene

Even if they haven’t been impacted by ransomware yet, it’s important for businesses and counties to assume they will be. If they’ve already been impacted, they should assume they’ll experience the trauma again.

While organizations continue to seek ways to help protect their vital data, the top priority should be training. All employees should be trained on “cyber hygiene” and safe internet behaviors.

Since most ransomware is the result of someone clicking a link, regular, recurring training on safer internet, app and email usage is highly recommended. This training should take place at least monthly, and small, single-point reminders should be distributed and changed weekly.

Changing behavior is difficult and time consuming, so technical leaders must be patient and persistent.

For more information on how you can help reduce your organization’s ransomware risk, visit the AT&T Cybersecurity services page.