As the FBI warned, ransomware has proven to be a formidable threat, costing businesses over $1 billion in 2016 and averaging 4,000 attacks per day. Ransomware forces victims to choose between losing access to their files and paying a fee that can range from hundreds to thousands of dollars. It has already made headlines in the first quarter of 2017.
This Year’s Horror Stories
In March, an attack locked Pennsylvania Democratic state senators out of their files and stymied their network access for a week. The leader of the Senate Democrats indicated that the files were recovered from backups and that no ransom was paid.
Metropolitan Urology Group suffered a data breach as a result of a ransomware attack. Although the company's computers were infected in November 2016, the company did not learn of the attack until January of this year. The protected health information (PHI) of over 17,500 patients was exposed to the attackers.
An Arkansas water company was hit in February and chose to restore its files from a server backup rather than pay the ransom. The attack encrypted 90,000 files on the server in under two minutes.
Cockrell Hill Police Department in Texas lost eight years of evidence after a ransomware attack was triggered by someone clicking on a phishing email. The $4,000 ransom wasn’t paid. Digital video files and documents were lost, including evidence in ongoing court cases.
An Austrian hotel was the target of a ransomware attack that took over the electronic door-lock system for the guest rooms until the $1,800 ransom was paid.
A Richmond, Indiana housing agency lost one month of data after a ransomware attack in February.
A Terrible Evolution
Ransomware is rapidly evolving, with 60 new types distributed last year. Ransomware kits are sold to make it easy for newcomers to enter the game. Instead of simply encrypting data, some ransomware now also copies the files before encrypting them, turning an outage into a data breach. One new strain permanently encrypts files and offers no way to recover them, even if the ransom is paid.
Combating Ransomware: Backup + Train
There is still no silver bullet against ransomware. Frequent backups and user training are proving to be the best defense.
As the cases of the Pennsylvania Senate Democrats and the Arkansas water company show, having a recent backup of files puts victims in a far better position to refuse the ransom. There is still a cost in the time it takes an organization to fully restore its files: the Pennsylvania Democrats were locked out for at least a week, and the Arkansas water company was using handwritten work orders and receipts for several days. Nonetheless, an organization with backups can restore its files with little loss of data.
Organizations also need to make sure the backups themselves are usable: a backup taken after the infection began contains the encrypted files, not the originals, so backups must be versioned and retained long enough that a copy from before the infection still exists, and they should be checked before they are relied on. The Cockrell Hill Police Department could not rely on its backups because the ransomware had compromised the data long before anyone realized there had been an attack. They had been backing up defective files for weeks. Police Chief Stephen Barlag said, "Our automatic backup started after the infection, so it just backed up infected files."
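The Cockrell Hill failure mode is easy to reproduce and easy to check for. The following example is added here and is not code from the original post; it builds four nightly backup snapshots in memory from constructed sample data (a ransomware run on the third night), flags files that look encrypted using two signals (a text-like file whose contents have near-random byte entropy, or a file whose original extension has gained an unexpected suffix such as `.locked`), and then shows that whether a clean snapshot survives depends entirely on the retention window. The file names, the `.locked` suffix, the 7.2 bits-per-byte threshold and the text-like extension list are assumptions chosen for illustration.

```python
"""Check backup snapshots for ransomware-encrypted files and find the last clean one.

Added example, not code from the original post. Snapshots are built in memory
from constructed sample data; the entropy threshold and the extension lists are
assumptions for illustration.
"""
import hashlib
import math
import os
from collections import Counter
from datetime import date, timedelta

# Files that should look like plain text. Already-compressed formats (zip, jpg,
# docx) have high entropy on their own, so they are deliberately excluded from
# the entropy check to avoid false positives.
TEXT_LIKE = {".txt", ".csv", ".log", ".xml", ".json", ".html"}
ENTROPY_THRESHOLD = 7.2   # bits per byte; assumption, tune on your own data


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted data, roughly 4 to 5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def suspicious_files(snapshot: dict) -> list:
    """Return paths in a {path: bytes} snapshot that look encrypted or renamed.

    Signal 1: a text-like name has gained an unknown extra suffix (invoice.csv.locked).
    Signal 2: the name is unchanged but the contents are near-random (entropy check).
    """
    flagged = []
    for path, data in snapshot.items():
        base, ext = os.path.splitext(path)
        inner_ext = os.path.splitext(base)[1]
        if inner_ext in TEXT_LIKE and ext not in TEXT_LIKE:
            flagged.append(path)          # e.g. work_orders.csv.locked
        elif ext in TEXT_LIKE and shannon_entropy(data) > ENTROPY_THRESHOLD:
            flagged.append(path)          # still named .log, but ciphertext inside
    return sorted(flagged)


def last_clean_snapshot(snapshots: dict, retention_days: int, today: date):
    """Newest retained snapshot with no suspicious files, or None.

    snapshots: {date: {path: bytes}}. None means every snapshot still inside the
    retention window was taken after the infection began, which is exactly what
    happened at Cockrell Hill.
    """
    cutoff = today - timedelta(days=retention_days)
    for day in sorted(snapshots, reverse=True):
        if day < cutoff:
            continue                      # already rotated out of retention
        if not suspicious_files(snapshots[day]):
            return day
    return None


def fake_ciphertext(seed: bytes, blocks: int = 64) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted output (constructed)."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(2, "big")).digest()
                    for i in range(blocks))


# Constructed sample content for the clean snapshots.
CLEAN_CSV = b"order_id,customer,amount\n1001,Acme Water,42.00\n1002,Riverside,17.50\n" * 30
CLEAN_LOG = b"2017-02-10 08:00:01 INFO meter read ok\n" * 50


def build_snapshots() -> dict:
    """Four nightly snapshots; the ransomware ran on the third night (constructed timeline)."""
    clean = {"work_orders.csv": CLEAN_CSV, "pump.log": CLEAN_LOG}
    infected = {
        "work_orders.csv.locked": fake_ciphertext(b"work_orders"),   # renamed and encrypted
        "pump.log": fake_ciphertext(b"pump"),                        # encrypted in place
        "README_DECRYPT.txt": b"Your files are encrypted. Pay to recover them.\n",
    }
    first = date(2017, 2, 1)
    return {first: clean,
            first + timedelta(days=1): clean,
            first + timedelta(days=2): infected,
            first + timedelta(days=3): infected}


if __name__ == "__main__":
    snaps = build_snapshots()
    today = date(2017, 2, 4)
    for day, files in sorted(snaps.items()):
        print(day, "suspicious:", suspicious_files(files))
    print("7-day retention ->", last_clean_snapshot(snaps, 7, today))   # 2017-02-02
    print("1-day retention ->", last_clean_snapshot(snaps, 1, today))   # None
```

With a seven-day retention window the check finds the snapshot from the night before the infection; with a one-day window the only retained copies are the encrypted ones, and the backup is useless. The entropy check is a heuristic, not a guarantee: it will miss ransomware that only encrypts file headers, and it must not be applied to formats that are compressed by design.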
Most ransomware is delivered via phishing emails (59% according to some studies). Making employees aware of the danger of opening unfamiliar or suspicious emails and attachments is therefore one of the most effective ways to prevent an attack. A strong antivirus infrastructure will keep some ransomware at bay, but one recent survey found that 53% of organizations struck by ransomware in the past year already had strong security measures in place. Organizations that combined security tools with frequent training and simulations had the lowest rate of ransomware attacks (21%).
In the rapidly changing climate of ransomware, companies whose employees have been trained to be discerning, and who know to report suspicious emails to the IT department, will have the advantage over the attackers.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 4-7, 2017 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.