Ransomware


It is perhaps the worst tech-related incident I can imagine happening to a business: all of the files on your company’s computers have been encrypted and you receive a message demanding payment for the key to decrypt them. It’s called ransomware.

When dealing with ransomware, a company doesn’t have a lot of options. The first is to wipe all the affected systems and restore them from backup (note, sophisticated ransomware attempts to encrypt any backups it can access, rendering them useless). The second choice is to pay up. The University of Utah alone paid nearly $500,000 to prevent student and employee data from being sold online.

According to SchWi-Fi Systems: “In a properly implemented [ransomware] attack, recovering the files without the decryption key is an intractable problem.” Many businesses have no option but to pay the ransom. The good news is that 98 percent of the time, the ransomers make good on providing the needed key, probably because it’s good to know you can trust them (sorta).

Ransomware is a large enough problem that you can buy insurance to cover it, so your out-of-pocket expense is limited to your deductible. For the insurer, the ransom may be the cheapest option. The alternative is paying for the cost of restoring your systems and for the interruption to your business. Some critics say this calculus leads to the spread of ransomware demands, an increase in their size and a consequent rise in the cost of insurance.

It’s important to distinguish between two broad categories of ransomware victims. The first is an individual or perhaps a very small business, with no real IT department. Typically, attacks on individuals and very small businesses come about because someone opens an infected file attached to a seemingly legitimate (phishing) email. Once the file is opened, the malware it contains encrypts all the files on the computer. Attempting to open a now-encrypted file displays a message with the ransom demand, typically a few hundred dollars.

Are you likely to fall for a phishing email in your inbox? Here are links to a couple of (legitimate) online tests: phishingquiz.withgoogle.com and sonicwall.com/phishing-iq-test. I scored a perfect 8-for-8 on the first test but only 5-for-7 on the second: one false positive (I thought a legitimate email was a phish), and one false negative. (I thought a phish was legit: potentially catastrophic.)

When I worked for Cryptic Studios (about 120 employees), we experienced a successful phishing attack on our network. To help prevent future occurrences, Cryptic used an outside service, KnowBe4 (KnowBe4.com), to send phishing emails to company employees. Those who fell for the emails had to take a refresher course on how to identify such emails. (I was not alone.) Many security companies offer this service, and many have a free offering to garner sales leads.

The second type of victim is a larger business, because, as the infamous bank robber Willie Sutton once said, “That’s where the money is.” (Larger companies have both money and insurance.) Here, ransom demands may be tens or hundreds of thousands of dollars. Although phishing attacks are still used, an attacker frequently gains access to a large company network by compromising the Remote Desktop Protocol (RDP) offered by Microsoft operating systems, which allows a user remote access to their computer on the company network (a “remote desktop”).

RDP is a common attack vector for all sorts of Windows malware campaigns; attackers often target Internet-facing servers with weak or previously compromised passwords. Once inside your network, attackers can expand their control and download sensitive data before encrypting files and demanding a ransom.

Not using Windows at your company? Although Windows is the largest opportunity for ransomware criminals, ransomware that targets Linux and macOS also exists, so my advice below still applies.

How to avoid an attack

How can you avoid becoming a victim of a ransomware attack? The Cybersecurity and Infrastructure Security Agency (CISA) provides its Ransomware Guide, which can be downloaded from cisa.gov/publication/ransomware-guide. It contains two parts: best prevention practices, and (should you fail to follow them) a response checklist. Your tax dollars paid for this excellent guide, so take advantage of it.

Basically, you must make sure cyber criminals can’t get into your system to begin with. First, train employees to be wary of files and URLs (phishing), then reduce the number of points at which your network can be accessed from the Internet. And finally, make sure those points are behind a firewall (which you monitor for trouble), kept up to date with security patches and protected by strong passwords. (Ideally, those are stored in a password manager.)

And if, despite your best efforts, it still goes wrong, secure backups that have been tested (i.e., you have actually restored from them recently) and a response plan are the only alternatives to coughing up ransom money.
