According to a recent report by Malwarebytes, an anti-malware software company, a whopping 39 percent of the 540 companies from the United States, Canada, Germany and the United Kingdom surveyed in June 2016 suffered some form of ransomware attack in the prior 12 months.
These attacks were most common in healthcare-related industries, but significant impact was also noted in the financial services, banking and insurance industries. Of the 165 U.S.-based companies participating, 85 percent reported being subject to some form of cyber-attack and 50 percent specifically encountered a ransomware incident. As these statistics make clear, the odds are that sooner or later, if your company has data it needs to access in order to operate (what company doesn’t?), your operations will be impacted by this pervasive form of malware.
What is Ransomware?
Ransomware is a unique type of malware that seeks not to steal data from a computer system, but rather, sets out to block users from accessing information stored in their systems. Any business that utilizes computers to store data that is essential to day-to-day operations is vulnerable to a malware attack. In the case of a ransomware attack, it does not matter that a business does not store any personal financial information or health data on its systems—all that matters is computers are needed to keep things up and running. Ransomware attacks do not discriminate based on company size, and small companies have found themselves targeted by cyber criminals.
Ransomware can be unintentionally and unknowingly downloaded when visiting malicious or infected/compromised websites. It can also get into a system through other malware already present on a single user’s computer or, more commonly, be downloaded by an unwitting user opening an attachment to a spam email. Each of these routes of attack relies on a lack of discipline by curious computer users and highlights the need for organizations to educate employees to exercise care in visiting websites and opening suspicious email attachments, and to avoid anything that just does not seem right.
There are generally two types of ransomware: one locks a system’s computer screens, and the other seeks out and ties up files that are likely to be important, such as documents, databases and spreadsheets. In either case, all known attacks have been accompanied by a demand for payment, usually in electronic currency such as bitcoin. Trend Micro, an IT security company, has published an excellent history of the evolution of this threat as it migrated from Russia to become a matter of global concern.
A brief review of the recent attacks illustrates the pervasive and insidious nature of the ransomware threat:
Rokenbok Education: This seven-employee, not-for-profit maker of educational toys was the target of a ransomware attack at the start of the 2015 December holiday season; this is a critical time for any retailer’s success. While it is unclear how the malware entered the company’s computer system, just as holiday orders were coming in, the company discovered that it was unable to access any of its database files. Confronted with a demand for payment in bitcoin, the company instead opted to cease operations for four days while the company rebuilt its key data systems. Incredibly, Rokenbok had been hit by a different form of malware attack, a denial of service, earlier in the year.
Hollywood Presbyterian Medical Center: In mid-February 2016, administrators at this 434-bed medical center discovered they had lost access to parts of the facility’s computer system. Patient records, billing information and all other data were locked down by the attack. Initial reports indicated the hackers responsible demanded 9,000 bitcoin (about $3,000,000). After 10 days of being forced to operate by writing down patient orders, having limited access to patient notes and communicating via fax, hospital administrators agreed to make a payment of 40 bitcoin ($17,000) to regain control of their operating systems. It remains unclear whether the hospital alerted authorities prior to agreeing to make the ransom payment.
Richmond (Virginia) Region Tourism: One morning in May 2016, employees at this regional tourism office received a seemingly innocuous email with an attachment from Amazon.com. Several employees immediately deleted the message. One person who had coincidentally placed an order with Amazon the day before opened the attachment and opened the door to the office’s computer system to a serious malware attack. Within 30 minutes, every file on the system was locked. Every attempt to access the system only caused a ransom message to appear on the user’s screen. Typical of this kind of attack, the message started off with a relatively modest demand for payment along with a promise to erase the entire system if the ransom demand was not met prior to a countdown clock expiring. The ransom demand increased as the clock came closer to running out. Rather than pay, Richmond Region Tourism called in a computer security firm that worked to isolate the attack and assisted in restoration of the locked files from a backup system. The total cost of this attack was estimated at $2,500.
Law Firm Attacks: Solo practitioner Paul Goodson and the Redlands, California firm of Ziprick and Cramer LLP were recently attacked by ransomware that deprived them of access to client files. Goodson attempted to pay the very modest $300 ransom demanded of him but failed to do so within the 36-hour time limit set by the ransomware, which then deleted all of his files. The Ziprick firm declined to pay the ransom, alerted authorities and notified clients of the security breach. Fortunately for the firm, minimal data was lost due to its maintenance of a robust backup system for all files.
Plainfield, New Jersey: On March 21, 2016, The Washington Post reported that the City of Plainfield had been the latest municipality hit with ransomware, as three servers containing a variety of memoranda, city newsletters and official files were rendered inaccessible. The hackers responsible demanded 650 euro, payable in bitcoin, to release the files. When law enforcement was notified, the hackers disappeared and the city was left to muddle on without access to these files. Similar attacks have been launched against Ilion, New York, and the Melrose, Massachusetts, police department, the latter paying slightly under $500 in bitcoin to regain access to its systems.
Gaming Apps: Proof that no target is too small for cyber criminals, internet technology security firms have confirmed the existence of ransomware posing as a Pokemon Go related app. This new version of a well-known form of malware inserts itself into a user’s phone, encrypts all data stored therein and presents a demand for payment of 0.1 bitcoin (about $57). One variation of this virus also creates a backdoor into a phone’s Windows operating system. Internet security experts have not determined why this is being done.
Protect Yourself and Your Company
To date, while some ransom demands have been shockingly large, actual payments accepted to release locked-up systems have been relatively modest. There is, however, no guarantee this will remain the case—in fact, the FBI’s Internet Crime Complaint Center indicates that in 2015 it received nearly 2,500 reports of ransomware attacks in which victims paid in excess of $24,000,000 to secure access to their own data. The $57 demand to cell phone users, however, should serve as a prominent reminder that these cyber criminals will attack any target, large or small.
In fact, small businesses often make the easiest targets for this kind of attack. They often believe they lack the resources to establish a robust cyber-security protocol. The ultimate cost of failing to do so can, however, be devastating. A single attack has the potential to put a small business out of operation for a long period of time, perhaps causing fatal damage to its operations. Compounding the problem is that many such businesses do not have highly skilled IT personnel on staff, meaning the initial response to a ransomware (or any kind of cyber) attack is often handled by someone without the expertise to deal with the situation effectively.
The real key is to ensure staff are trained in basic internet security precautions. These include not opening emails from unknown sources, not bringing unauthorized memory sticks into the business, not clicking on links to unknown websites, and using strong and unique passwords for both personal and business accounts and devices. Training staff in these very basic precautions, and reminding them regularly, can greatly reduce a company’s risk of learning about ransomware and bitcoin the hard way.
Looking for more on how data privacy and digital security will affect your business? Join us for the Digital Transformation and the Need for Data Security panel discussion on Thursday, Oct. 6, at SupplySide West 2016.
Marc Ullman is of counsel to the law firm Rivkin Radler LLP. Ullman represents clients in matters relating to all aspects of FDA and Drug Enforcement Administration matters, regulatory issues, FTC proceedings and litigation.