The Risk of Ransomware
Companies ignoring the threat of ransomware are making the same mistakes as countries who ignored the threat of pandemics
Ransomware attacks are on the rise all over the world, and the victims include small companies in places close to home, like Pune and Bangalore. And yet, companies continue to ignore repeated warnings from experts, just as countries ignored repeated warnings of a possible global pandemic. In this post, I explain what a ransomware attack is, why you should worry, and what you need to do about it. The last part of the article contains recommendations by security expert Rohit Srivastwa on what is the cybersecurity equivalent of masking up and social distancing.
Although most of this article appears to be targeting small businesses, everything here is applicable to everyone. Ransomware can attack anywhere, including your personal computers, so you have to take the same precautions on your home devices.
(Edit: Earlier I had a video clip here but Rohit points out that was from 2019, so I’ve replaced it with a different tweet.)
There was a severe gas shortage in the US last week. Why did this happen and what does it have to do with ransomware?
Hackers attacked the computers of Colonial Pipeline, the largest pipeline system for refined oil products in the US. This forced the shutdown of their pipelines for 5 days, resulting in fuel shortages all along the US east coast.
Colonial Pipeline paid the hackers about $5 million (75 bitcoin) within hours of the attack, but it still took the systems 5 more days to recover.
Within days of this attack, the Irish Health Service had to be shut down because of a ransomware attack.
What is Ransomware?
(If you already know what ransomware is, you can skip to the later sections.)
A ransomware attack is a type of cyberattack in which hackers install a malicious program on a company’s computer. The program then encrypts all the data on that computer, rendering the system unusable. It also spreads like a virus to other computers on the network and does the same on all of them. To recover the data and get the system working again, the user is asked to pay a ransom to the hackers’ bitcoin address. After receiving the payment, the hackers send a decryption key that can be used to restore the original data from the encrypted files.
If the ransom isn’t paid, the files remain encrypted, and the system remains unusable. In some cases, the ransomware program also uploads sensitive data (credit cards, health records, photos) to the hacker’s cloud storage, which can then be further misused. And modern cryptography is strong and secure enough that there is no chance to decrypt the encrypted files without the decryption key.
How does the ransomware get into the company’s network? It requires just one computer to have its software out-of-date, or one employee to click on a bad link or download a bad program. And once one computer is infected, the ransomware spreads to the rest of the network like a virus. The security settings in most companies are built like an eclair—a hard shell but a soft interior. Getting inside the company is the hard part, but after that, nothing prevents it from quickly spreading to a majority of the computers. (And in the case of many companies, the security practices are so lax that even getting inside is not hard at all.)
As a result, a ransomware attack brings an entire company to a grinding halt. The hackers are smart enough to ask for small amounts, so companies often prefer paying the ransom instead of suffering a complete productivity loss. And, in most cases, the hackers actually give the decryption key. According to this report, 27% of the attacked companies pay the ransom and 95% of those get their data back decrypted. 56% of the attacked companies ignore the ransom demand and restore data from backups.
Why Are Ransomware Attacks Increasing?
Ransomware attacks have been around since 1989, but they have become increasingly important in the last few years.
One simple reason for this is the rise of cryptocurrencies. Previously, it was difficult for hackers to get online ransom payments without being traceable by law-enforcement authorities. But bitcoin has changed all that. Now hackers anywhere in the world can get paid by a company anywhere else in the world with bitcoin. And in spite of the transaction happening publicly, there is little anyone can do to prevent the hackers from using the money, as long as the amounts are small.
Due to this, not only is ransomware becoming a big business, but now we even have platforms providing Ransomware-as-a-Service to third-party hackers. The Colonial Pipeline attack was enabled by a RaaS service called DarkSide, which has managed to extract $90 million from 47 victims so far.
Learning from the Pandemic
Zeynep Tufekci has a great article “Battlestar Galactica Lessons from Ransomware to the Pandemic” where she points out the similarities in the threats—and organizations’ responses to the threats—in case of ransomware attacks and the pandemic.
Experts warn us of the dangers, but we continue to ignore them:
Just like with the pandemic, the alarm has been ringing about digital security for decades, but we are just hitting snooze instead of waking up and dealing with the threat.
Every year, the threat grows worse because everything is more networked, more tightly coupled, and hence more vulnerable to cascades:
Plus, of course, just like the pandemic, the root of the digital vulnerability is a connected network with coupled vulnerabilities: the biological viruses can travel when we do (and before the pandemic, we did, more than ever), and malware and the software viruses can travel through interconnected networks (which are now everywhere, as software eats the world). Coupled essentially means when one thing goes wrong at one level, it usually ends up dragging other things with it. It’s well understood that tightly-coupled systems are prone to cascading failures, where one failure essentially triggers an avalanche
Shouldn’t we learn from the pandemic, and for once, take precautions against what can be an existential threat? Simple precautions and behavior changes now can save us from big losses later.
Should You Be Worried?
Yes. Usually, when there is news like this, most people assume that these kinds of attacks happen only to big companies with big budgets (big companies, big talk). But having personally seen a ransomware attack completely disable a small Pune company, I knew that this is a dangerous misconception.
To confirm, I decided to check with Rohit Srivastwa, a cybersecurity expert with 20+ years of experience in the software and IT industry. He is also actively involved in advising companies, government bodies, law enforcement, and military agencies. He has recently written a book “My Data, My Privacy, My Choice”, on personal data security and privacy for techies as well as non-techies.
Here is a brief Q&A with Rohit about ransomware:
Q: There is an impression that ransomware attacks happen only in big companies. Is this true?
RS: In fact, the reverse might be true. In the last 2-3 years, I have personally seen and managed more ransomware attacks in smaller companies. Small here means those with about 10-100 computers. For example, firms of chartered accountants (CAs) or architects, small manufacturing units, small web/app development companies, etc. Big companies have big budgets and they prepare themselves better.
Q: For the companies in the previous question, what kind of impact does the attack have on the company?
RS: I know companies who have lost all their data. I know companies who tried paying the ransom and still did not get their data back. I know companies whose backups were also infected. But I also know companies who had strong backup and restoration processes, so they could recover from the attack swiftly with minimal disruption. I know companies that are on the verge of going out of business because no data is left to work on.
How To Protect Yourself
Q: What are some simple precautions a company can take to reduce the chances of a ransomware attack?
Rohit recommends: Here are some of the basics
Backup, backup, and backup (and test restores): Have a process of keeping multiple copies of backup and some stored offline. Make sure there is a periodic restoration check. Delete an old backup only after testing that the new backup is perfectly fine.
Patch: Make sure there is minimal delay in updating all the software to their latest versions.
Beyond antivirus: It is 2021 and your regular antivirus may not suffice. Opt for EDR solutions. Some of them don't cost much more than your Anti-Virus solution.
Network Hygiene: In smaller companies, work-from-home has resulted in a lot of sudden decisions without a full analysis of the resulting security issues. A prominent source of ransomware has been companies simply opening up Remote Desktop on the firewall for people to work from home. There are safe ways to do that, but you need to talk to someone who knows and can guide you. Also, companies need to make sure that the security protection systems at the office are extended to machines at home. The perimeter has dissolved, so you need to replan security accordingly.
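The backup rule above (test the restore, and delete an old backup only after the new one checks out) as an added Python example; it is not from the original post or from Rohit. The function names, the zip format and the sample files are assumptions made for illustration.

```python
import hashlib, tempfile, zipfile, zlib
from pathlib import Path

def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(source, archive):
    """Zip `source` into `archive`; return the manifest taken at backup time."""
    source = Path(source)
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                zf.write(p, p.relative_to(source).as_posix())
    return manifest(source)

def restore_ok(archive, expected):
    """Test restore: unpack into a scratch directory and compare to the manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with zipfile.ZipFile(archive) as zf:
                zf.extractall(scratch)
        except (zipfile.BadZipFile, zlib.error, OSError):
            return False  # unreadable or truncated backup
        return manifest(scratch) == expected

def rotate(new_archive, expected, old_archive):
    """Delete the old backup only after the new one has restored cleanly."""
    if not restore_ok(new_archive, expected):
        return False  # keep the old copy: it may be the only good one
    Path(old_archive).unlink(missing_ok=True)
    return True

def demo():
    """Constructed sample data: one good rotation, then one damaged backup."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        data = tmp / "data"
        (data / "accounts").mkdir(parents=True)
        (data / "accounts" / "ledger.csv").write_text("id,amount\n1,100\n")
        old, new, newer = tmp / "mon.zip", tmp / "tue.zip", tmp / "wed.zip"
        make_backup(data, old)
        good = rotate(new, make_backup(data, new), old)
        expected = make_backup(data, newer)
        newer.write_bytes(newer.read_bytes()[:20])  # simulate a damaged backup
        bad = rotate(newer, expected, new)
        return good, old.exists(), bad, new.exists()
```

In a real setup the manifest would be stored away from the machine being backed up, and at least one verified archive would be kept offline.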
Conclusion
As Zeynep says:
This is a bit like the pandemic had been for me before 2020: we knew a major threat was afoot, and that our infrastructure had been lacking. We had SARS in 2003, we had the Ebola crisis in 2014-2016, and we had the HIV/AIDS catastrophe starting with the 1980s. Did we move to fix it all? We did not. So here we are again.
Ransomware is a big and profitable business that will target your company one day, and that can be devastating. Better take some simple precautions now.
What are the laws around ransomware attacks? Are our cybercrime-related laws behind the times? Do we have the state capacity to go after the criminals making these ransom demands?
"...on what is the cybersecurity equivalent of masking up and social distancing." Is defence the only way to protect one's/companies' data?