Sam Stall • special to IBJ
Cybersecurity expert J.J. Thompson has been proofing computer systems against malicious attacks for decades. But he didn’t realize how far the ransomware threat had permeated Indiana until a couple of years ago, when he ate lunch in a tiny diner near Tipton.
“I was listening to farmers talk about ransomware,” he recalled. “You know something is a global problem when farmers in Tipton are sitting in a diner, eating tenderloins and talking about their fear of getting ransomware on their tractors.”
Ransomware is a specialized form of malware that often infects computers (including those on tractors) via email attachments. Click on the attachment, and software instantly encrypts the system’s data, making it impossible to access until the victim pays a ransom that can range from a few hundred dollars to north of a million.
If the victims pay, they typically receive the decryption keys needed to unlock their information.
“We’ll see continuing ransomware-like attacks, and they’re going to be made nastier and nastier,” said Thompson, founder of Indianapolis-based Rook Security and now senior director of managed threat response for Sophos, a United Kingdom-based security company that purchased Rook in 2017.
No one’s quite sure how often such incidents happen in Indiana, but all experts agree that the number of infiltrations and attempted infiltrations is rising.
In the winter of 2016, a Madison County attack locked up most of the county’s systems, forcing the police to revert to writing paper tickets until the city paid a ransom of $21,000. And this year, LaPorte County forked over $130,000 (about 10.5 bitcoin, the preferred medium for ransom payments) when its systems were infected.
According to Doug Rapp, president of the Cyber Leadership Alliance (a Hoosier not-for-profit that brings together state experts to, among a great many other things, promote cybersecurity), Indiana attacks are becoming not only more frequent, but more precisely targeted.
“We’re seeing a rise in two particular areas — government and health care,” Rapp said.
He said criminals know if they are able to lock up information protected under the Health Insurance Portability and Accountability Act of 1996 — known best as HIPAA — health providers are more likely to pay the ransom. That’s because they can face fines if the information is spilled onto the internet.
“And schools have a lot of personal information, particularly about minors, so that’s a lucrative target,” Rapp said.
Attackers who use ransomware range from lone wolves to well-organized international crime syndicates to rogue nations, he said.
“We used to joke about a certain country,” Rapp said. “When their government cybersecurity employees got off work, you could see an immediate rise in criminal enterprises. I won’t mention Russia’s name on that.”
While major corporations and large government agencies have taken detailed, elaborate steps to guard against the problem, smaller municipalities, companies and organizations are in something of a bind. Protecting such small groups against ransomware (or at least improving their chances of recovering from an attack) can be time-consuming and costly.
That might explain why so many attacks are now targeted at just such second- and third-tier targets. They can’t pay as much, but they’re also far, far more likely to have exploitable vulnerabilities such as primitive, ad hoc computer systems, tiny IT staffs, and a tendency not to install software patches promptly.
“There are criminal enterprises out there that are just trolling for vulnerabilities, and they don’t care if you’re a bank or a liquor store,” Rapp said. “They’re just looking for an unsecured internet connection. There’s no set of businesses that’s untouched.”
Many malware-infected institutions choose to pay ransoms, given that catching the people responsible, or even identifying them, is often next to impossible. Small businesses sometimes don’t even know to whom to report such incidents. And no one’s quite sure how many attacks happen in Indiana, because many victims are reluctant to acknowledge them.
“Nobody wants to highlight where these things have happened,” Rapp said. “People in general, across the board, don’t like to talk about breaches. It’s always been a problem when you try to collect information. People don’t like to share their vulnerabilities.”
But not everybody who’s experienced a ransomware attack keeps quiet. That certainly wasn’t the case for Hancock Regional Hospital, a 100-bed Greenfield facility that had all its files locked up by hackers in January 2018. Instead of lying low, Steve Long, president and CEO of Hancock Health, started blogging about it almost immediately.
“We made the decision early on to be very transparent because we felt our community deserved to know what happened,” Long said.
Since then, the hospital system has shared details of the incident during an appearance on “60 Minutes” and at some 30 meetings around the country.
“Everybody is concerned about reputational risk,” Long said. “That’s why they don’t say anything. But I can tell you that, in our local community, we have had overwhelmingly positive feedback about our transparency.”
The lesson Long shares with other CEOs is that, while preparation for an attack can blunt its consequences, it often can’t prevent it. After all, his hospital system wasn’t exactly wide open. It had run phishing tests on employees to make sure workers didn’t open dicey-looking files, hired a company to penetration-test the network, and used another firm to watch at all times for intrusions.
“We were pretty average to above-average prepared,” Long said. “We had everything in place that you would expect.”
All to no avail. The hackers uploaded the ransomware using vendor credentials that had been purchased on the dark web. The hospital’s antivirus system caught that first attack, but the invaders persisted.
“They changed the signature of the virus and it went right past our protection,” Long said. “Unfortunately, the company we were paying to monitor our network all the time didn’t catch it.”
The hospital’s computer system was completely frozen, and its staff thrown back into the Stone Age. Or at least, the 1950s.
“We had zero computers running, aside from patient-facing equipment like IV pumps and things like that,” Long said. “Everything else was shut off.”
Since there was no way to rapidly restore their systems without the encryption keys they were offered if they agreed to the ransom, the hospital opted to pay about $55,000 in Bitcoin to obtain them.
There’s little hope the perpetrators will ever face justice, even though the FBI was able to identify them.
“They were a couple of guys from Iran,” Long said. “The FBI has extradition warrants against them, so if they ever leave Iran and go to a country with an extradition agreement with the U.S., they will be captured and brought here.”
The hospital system now has even more stringent precautions in place. Long said he can watch his facility get (so far unsuccessfully) attacked multiple times each day by yet more ransomware.
Fred Cate, senior fellow at Indiana University’s Center for Applied Cybersecurity Research, said such threats are as pervasive in cyberspace as airborne bacteria are in the real world.
“If you buy a new computer, take it out of the box and plug it in, from the moment you access the internet, it will get its first malware attack in about seven seconds,” Cate said.
However, he (along with other experts) said smaller organizations can take some fairly straightforward steps to ward off an attack or, at the very least, mitigate its effects. For instance, apply software patches immediately, train employees not to open suspicious email attachments and remember that not everything in your system has to be connected. If, for instance, payroll is kept on an isolated system, it won’t go down if the main system is successfully attacked.
“We’ve gotten this notion that my refrigerator has to be able to turn on my lights and talk to my car,” Cate said. “That means a vulnerability in one of those is now shared with all of them.”
The best precaution is to regularly back up critical files and store them offline. That way, if your data is encrypted by ransomware, in theory all you have to do is reboot and download the stored information.
Ideally, everything should be backed up nightly, with the file physically stored in a vault. But that could be an onerous and expensive chore for small companies and government entities.
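An added illustration of the backup advice above, not code from the article or from anyone quoted in it: a small Python script that copies a directory to a backup location, records a SHA-256 hash of every file so the backup can be verified before anyone relies on it, then compares the live files against that manifest to find what has changed and restores only those files. The directory names, file contents and the simulated damage are all constructed.

```python
import hashlib, json, os, shutil, tempfile
from pathlib import Path

MANIFEST = "manifest.json"  # per-file SHA-256 list stored beside the backup copy

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(src, dst):
    """Copy every file under src to dst and record its hash in the manifest."""
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            (dst / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, dst / rel)
            manifest[rel] = sha256_file(p)
    (dst / MANIFEST).write_text(json.dumps(manifest))
    return manifest

def mismatches(tree, dst):
    """Paths in `tree` missing or hash-different from the manifest: mismatches(dst, dst)
    verifies the backup copy itself, mismatches(live, dst) lists live files to restore."""
    manifest = json.loads((dst / MANIFEST).read_text())
    return sorted(rel for rel, h in manifest.items()
                  if not (tree / rel).is_file() or sha256_file(tree / rel) != h)

def restore(live, dst, files):  # copy the listed files back; returns how many were restored
    for rel in files:
        (live / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(dst / rel, live / rel)
    return len(files)

def demo():
    """Constructed walk-through: back up, have one live file overwritten, detect, restore."""
    root = Path(tempfile.mkdtemp())
    live, backup = root / "live", root / "offline_copy"
    (live / "records").mkdir(parents=True)
    (live / "records" / "patients.csv").write_text("id,name\n1,constructed\n")
    (live / "payroll.txt").write_text("constructed payroll data\n")
    make_backup(live, backup)
    # Stand-in for data damaged after the backup was taken (constructed random bytes)
    (live / "records" / "patients.csv").write_bytes(os.urandom(64))
    changed = mismatches(live, backup)
    return {"backup_ok": mismatches(backup, backup) == [], "changed": changed,
            "restored": restore(live, backup, changed), "clean_after": mismatches(live, backup)}
```

The same manifest check run against the backup copy itself is what turns "we have backups" into "we have backups we know will restore"; a copy that is never verified can fail exactly when it is needed.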
“For most school districts and utilities, that’s not the level at which they’re operating,” Cate said. “They might have one IT employee, not an army of people.”
The answer, he said, is to still do backups, but less frequently. That’s far, far better than nothing.
“If you can’t afford Grade A backups, have Grade B backups,” Cate said. “At my house, I back up twice a month. So if you compromise my data, the most I risk losing is two weeks. Don’t let the perfect be the enemy of the good.”•