It crippled a pipeline, ruined Fourth of July weekends for more than 1,000 businesses and left America’s food supply chain asking, “Where’s the beef?”
And that’s just in the last few months.
As we emerge from one pandemic, it seems we are in the midst of another. Ransomware attacks—extortion efforts by cybercriminals—are growing bolder and escalating rapidly. And anyone with a computer or device with access to the Internet is a potential victim.
In simple English, ransomware is malicious software that gains access to files or systems and blocks the owner’s access to them. It holds everything hostage using encryption until the victim pays a ransom—in cryptocurrency—in exchange for a decryption key.
In the meantime, it wreaks havoc for a business or industry, impacting supply chains, customers, phone systems, you name it. In the case of one regional car dealership, it even prevented them from pumping gas.
How can you protect yourself or your business from becoming easy ransomware prey? Experts in the industry share helpful pointers, but first a cautionary tale.
No one is safe
One of the largest car dealerships in the south and west, owned by Bob Giles, is Giles Automotive, with locations in Lafayette and Opelousas, La., and El Paso, Texas. While most companies hit by a ransomware attack are reluctant to talk about it, Giles is now a crusader against the evil ransomware empires, most of which are located in Eastern Europe, Russia and China.
His story starts with a 2020 Thanksgiving weekend conversation he had with the owner of Stuller Settings, the largest U.S. jewelry manufacturer, also based in Lafayette.
“He mentioned that his company had been hit by ransomware. After I found out about that, I made it a point the following Monday to pull up my insurance policy to see how much cyber coverage we had. We had $1 million. I called in the president of my company to talk about what we could do to protect ourselves. The very next day, we got hit,” Giles says.
“Our computers were all locked up. All of our workstations—everything tied to our server, from the phone system to the software we use to dispense gas and oil at all dealership locations, including El Paso—all of it was infected and all files were encrypted. There was just a note on the computer. They told us who they were—Conti—and to contact them about paying ransom so we could get all our data back.”
Giles notes that although he had looked at his insurance policy just the day before, he could no longer get to it, as it, too, was encrypted. He called his agent, who put him in touch with a company called Arete, which specializes in helping companies that get hit with ransomware.
“They held our hand through the process. And our insurance company also hired an attorney to work on our behalf.”
Giles’ independent IT contractor brought in extra people to immediately replace the hard drives on more than 200 computers. Since the dealership operating software was stored in the cloud, it was not affected; only the data on the local servers was encrypted, and they were able to get the workstations in their accounting and service departments up and running in a few days. However, they were unable to send or receive emails because their email server was encrypted.
“We are paperless and operate by email,” Giles explains. “It was like having one hand and one leg tied behind your back.”
Conti wanted $1 million in ransom, which Arete negotiated down and facilitated making the ransom payment in Bitcoin. Negotiations took 10 days. The decryption tool was provided, but Arete had to check it to make sure it was clean. Once that was ascertained, the tool was put on the server to decrypt the data.
“You never get 100% of the data back—usually only about 80%,” says Giles.
One thing that really upset Giles was that Conti sent him his company’s last financial statement.
“When they get in your system, one of the things they search for is your financial statement, so they can figure out what a company can afford to pay in ransom. They were very upfront. They didn’t want to put me out of business, but said they were going to get as much out of me as they could without bankrupting me.”
While Giles did not want to pay the ransom and personally believes the U.S. should have a law that companies cannot pay the ransom, he did it out of concern that the financial information of upwards of 15,000 customers who purchased vehicles from him prior to 2008—when he went paperless and put all financial information in the cloud—could be compromised.
“I could not take a chance they had those customer files. They could use the data to steal someone’s credit, and we had to protect that,” Giles says.
Letters were sent out to all customers, alerting them that their credit files had been obtained and offering them free credit monitoring for one or two years, depending on state law requirements regarding data breaches.
As late as June, Giles says residual issues from the attack linger, a lot of them psychological.
“It’s like someone going through your house and all your stuff—your closets,” he explains. “I’ve always been an up person, but every day was a big negative for a while.”
By the time it was over, Giles says his insurance provider ended up paying $750,000 in computer recovery costs and the ransom payment, which does not include the loss of business incurred from the attack.
He notes that a high percentage of companies that get hit don’t survive, especially if they don’t carry cyber insurance. Giles takes the tack that it can happen again. He’s now insured for $2 million, but the insurance premium skyrocketed.
“I paid $2,400 for $1 million in cyber coverage. When I increased it to $2 million, the premium was $23,000. A lot of the increase was because I had a claim,” he says. “But it also is going up because they are having so many more claims than ever before.”
Before the rise in ransomware attacks, cyber insurance was fairly profitable for insurance companies. But with attacks up 400% over the last year and extortion demands through the roof, it’s becoming much more costly, and premiums are climbing.
Nonetheless, cyber coverage has become an essential expense for many businesses. “Every business that has a website, any involvement with e-commerce or deals with personal information of others needs coverage,” says Tony Schmoll, a certified insurance counselor with Sonoma-based North Bay Insurance Brokers. “And these days, that’s just about everyone.”
Schmoll says coverage should include both first- and third-party coverage. “First-party should include coverage for fund transfer fraud, loss of business income, breach response costs, cyber extortion and crisis management/reputation repair, at a minimum,” he explains. “For the third party, I would want coverage for network information security liability, multimedia wrongful acts (infringement, defamation, piracy, etc.) and penalties/fines for PCI (Payment Card Industry) compliance violations.”
The amount of insurance a business should carry “varies by size and type of the business,” Schmoll says. (He recommends an online tool. Visit eriskhub.com/mini-dbcc.) This allows one to enter pertinent information about their business and get an estimate of what a claim might cost. “It’s also important to remember that many policies have one limit that is shared between various types of losses that can occur.”
Schmoll’s firm primarily sells cyber insurance through a carrier named Coalition Inc., headquartered in San Francisco.
Catherine Lyle, head of claims for Coalition, notes that the industry is hardening, and insurance carriers are becoming more selective in their exposure to risk at the same time that companies are realizing the need for cyber insurance. “Across the board, there’s not an entity or industry that is safe from a cyber event—from nonprofits to pipelines. It’s in the news. Everyone is talking about it,” she says. “For the first time in my life, everyone in my extended family, including my mother, understands what I do,” she laughs.
Not only are insurers seeing an increase in ransomware attacks, but they are also seeing an uptick in funds transfer fraud. Lyle believes multiple events are responsible for the increased activity, beginning with COVID-19.
The pandemic impact
When the pandemic shuttered businesses early last year, suddenly many brick-and-mortar-only entities had no choice but to move to an online space. “They did this by using technology that was untested or shouldn’t be used because it leaves doors and windows open for hackers,” Lyle says. “Hackers would get into their systems, drop ransomware, get in someone’s email, figure out how much they [the businesses] could pay for the ransom, or figure out the way the payment system works within that company and then insert themselves into conversations and ask for funds to be transferred to a separate bank account. The beauty of this is that it’s immediate monetization for threat actors,” she said. “Before, they used to have to sell the material—the data they stole. Now they just lock it and make you pay to get it back, or they trick you to have you transfer the funds to a separate account.”
Coalition policies are “pay on behalf” versus “reimbursement.” This means a small mom-and-pop operation that gets hit doesn’t have to take out a loan to pay the ransom and wait to be reimbursed. Coalition steps into the shoes of the insured after a ransomware attack. It has an internal company [Coalition Incident Response] that does the response work and forensics. Coalition then works with the insured, negotiator, counsel and carrier.
Part and parcel of the Coalition insurance policy is a monitoring service it provides to all its insureds.
“We scan all of the companies we insure 24/7 and we alert them when we see a threat. For example, the recent Kaseya attack. We were able to identify which of our insureds used Kaseya services. We reached out to the insured to tell them how to act and how to prevent an attack. In addition, our security does threat hunting where we go out and we are looking for bad actors,” Lyle says. There are ways Coalition can tell if there has been a data dump or ransomware is about to be launched on a client. It will reach out to the insured and proactively provide information to hopefully stop the attack from happening.
“Essentially, we’re acting like a threat actor ourselves. If we scan and see a hole or door or window left open in a network, we let them know. We want them to be in the fight to solve cyber risk with us,” Lyle explains. “It’s a holistic, proactive approach to insuring.” Hence the name Coalition.
Coalition was founded by two tech guys who got into insurance and was joined by insurance people who got into tech. Lyle says it gives them a unique position to help solve the cybercrime issues.
“We can’t have a situation where we just keep paying [the ransoms] and no one is ever getting better, no one ever getting stronger. And our point is to help protect and prevent, but when an event does occur to then insure.”
No legal recourse
If your company gets hit by a ransomware attack, there is no legal recourse you can take.
“And that’s the whole point,” says Warren L. Dranit, who focuses on intellectual property and technology with the law firm of Spaulding McCullough & Tansil LLP in Santa Rosa. “You pay the ransom in cryptocurrency, and you can’t follow the funds through normal bank channels.”
However, in some cases, the FBI was able to claw back some ransom payments (or portions thereof), but only by speedily initiating recovery efforts. In most cases, once it’s gone, it’s gone.
“One of the things to keep in mind is that ransomware is a business,” says Dranit. “Some of them even have ‘help desks’ for you to pay your ransom. Many are in Russia, and Russia turns a blind eye unless the hackers attack a Russian-based business. If you did this in the U.S., the government would shut you down and arrest you.”
While no company or industry is safe, some industries are particularly vulnerable to ransomware attacks. According to CDNetworks, one of the world’s largest content delivery networks, the five industries most targeted are small- and medium-sized businesses, healthcare institutions, government agencies, energy companies and higher education facilities.
Industry experts say 60% of small- and medium-sized businesses will fail within six months as a result of a cyber-attack, which includes anything from phishing scams to malware attacks. At particular risk are financial services.
Health organizations are extremely vulnerable to ransomware. According to CDNetworks, the industry suffered at least one breach a day last year, affecting more than 27 million patient records. One victim was Sonoma Valley Hospital, which was hit in October last year as part of a broader attack on several hospitals throughout the U.S. SVH believes the records of as many as 67,000 patients could have been impacted, according to a report on its website. It was able to swiftly react and did not pay a ransom. The hospital declined to comment on the experience, but on its website CEO Kelly Mather called the incident “one of the most significant emergency events in our hospital’s history.”
Government agencies are targeted because they are a “treasure trove of confidential information, including fingerprints, Social Security numbers and more,” according to CDNetworks.
When it comes to the energy industry, hackers can cause widespread power outages, which undermines critical security and defense infrastructure and endangers millions of citizens. The most recent high-profile energy hack was against Colonial Pipeline, which paid more than $5 million in ransom to get the pipeline operating again last May. A portion of the ransom was later recovered.
Higher education is another target because of all the information stored in registration offices. According to CDNetworks, universities experienced the highest number of cyber-attacks over the last decade, with nearly 600 breaches affecting more than 13 million records.
Taking a proactive approach
Experts believe the most important protection is a solid IT network, built carefully to make sure all portals are secure and hackers have no access points. Most companies cannot afford an internal IT team to run their networks, so contracting with reputable IT providers is the first critical step to protection. After his experience, Giles took a proactive approach and made changes at his office.
“With all that in place, you need to remember that you’re never going to be able to stop them [ransomware attack attempts],” says Dranit. Giles agrees, noting that despite all they have done, they “assume it will happen again.”
“What it really boils down to is making sure employees and staff have good digital hygiene,” says Dranit.
This means establishing a culture about how to behave on the internet. Teach employees to be wary; make sure they are comfortable if they see something odd or suspicious and can ask for advice before clicking through.
“It’s hard to be careful, especially when you are busy and have work to do,” says Dranit. But in the end, being careful is what saves the day.
“Always be on the front end of it,” he advises. “Look for technical solutions and also establish a culture that says it’s okay to be unsure—and to ask for assistance when you are unsure.”
Every industry has its slang. Here are common terms often used in ransomware attacks and funds transfer fraud. They are also routinely used by experts in the industry.
Black hat: A person who hacks into a computer system with malicious or criminal intent
White hat: Ethical hackers who use their skills to expose loopholes in security measures for organizations and companies before black hats exploit them.
Clawback: The ability to recover cryptocurrency funds from ransom payments. U.S. Government officials were able to recover $2.3 million of the $5 million ransom paid by Colonial Pipeline earlier this year by clawback from a cyber wallet that held the funds.
Money Mule: People who receive and transfer money from victims of fraud. Many are unaware they are involved in fraudulent activity.
Phishing: A technique that tricks users into revealing sensitive information, such as passwords, Social Security numbers, etc. Phishers pose as trustworthy entities, enticing victims to click through email links to win prizes, for example.
Spearphishing: When the phisher has specific information about a person or company and uses that information in an email to encourage click-through on links.
Spoofing: Altering the header of an email to make it look legitimate. Similar to phishing.
Malware: A software program designed by hackers to hijack computer systems or steal sensitive information from a device.
Bot: A software robot that runs automated tasks (scripts) over the Internet. Many search engines employ bots—also called spiders—to scan websites and index them for the purpose of ranking them according to returns on search queries. But when bots are used by hackers, they can be programmed to perform malicious tasks, as well as introduce malware into systems.
RAT: Remote Access Tool or Remote Access Trojan. A form of malware that even unskilled hackers can easily use. Once installed, a RAT gives the hacker complete control of the system. RATs can be used for legitimate reasons, like letting one access their home computer from a remote location. However, they are largely used for illegitimate reasons.
The Origins of Ransomware
While ransomware has been in the headlines frequently in recent years, it’s not really a new thing. And it has a very colorful history.
The first official ransomware attack was in 1989, distributed on 20,000 floppy disks (remember those?) masquerading as AIDS education software from a fake company called PC Cyborg Corporation. They were mailed out in Britain by Joseph L. Popp, Jr., an evolutionary biologist with a Ph.D. from Harvard.
The disk included a program that was supposed to measure a person’s risk of contracting AIDS based on their responses to an interactive survey. But it also carried a virus that encrypted a victim’s files after they had rebooted their computer a certain number of times.
The virus became known as the “AIDS” Trojan. The ransom demand was in the form of an analog note that instructed users to turn on their printers. When they did, the printers issued a demand for a “licensing fee” of $189 to be paid by sending money to a P.O. box in Panama. Only then would decryption software be sent to the victim.
Many of the victims were delegates to the World Health Organization’s international AIDS conference in Stockholm in 1988. Realizing their hard drives were compromised, some scientists pre-emptively deleted data. One AIDS organization in Italy reportedly lost 10 years of work. The disks were not mailed to the United States.
No one knows why Popp did it, but his lawyers got him off by claiming he was in the grip of a manic episode when he acted. After being extradited to London to face trial, Popp exhibited bizarre behaviors. He wore condoms on his nose, put a cardboard box over his head and reportedly put hair curlers in his beard in an effort to thwart the perceived threat of radiation. In 1991, Judge Geoffrey Rivlin declared him unfit for trial.
He returned to the United States a free man. Later, along with his daughter, he created the Dr. Joseph L. Popp Jr. Butterfly Conservatory – a must-see attraction next time you’re in Oneonta, NY.
After Bob Giles, owner of Giles Automotive with locations in Lafayette and Opelousas, La., and El Paso, Texas, experienced a ransomware attack last year, he understood how important it is to be proactive. He offers the following pointers.
Limit what data is on servers and computers and only maintain information that would not warrant a ransom payment. (That means avoid including credit card numbers, account numbers, etc.)
Eliminate remote desktop portals (RDPs) from all systems.
Do quarterly scans of open-facing public ports. Ensure any port open is still necessary.
Institute a password policy requiring eight-plus characters, including at least one capital letter, a number and a special character, with passwords changed every 90 days.
Utilize an endpoint protection program (EDP) to replace standard antivirus software. An EDP will detect most hacker tools and activities, along with viruses and malware.
Monitor and limit website browsing to company-related matters.
Isolate the backup system from the domain and change the offsite backup process.
Remove local administrator rights from all domain users from all workstations. A hacker getting local administrator rights means “game over.”
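One way to act on the quarterly port-scan and RDP items in the checklist above, as an added example that is not code from the article or from Giles Automotive: it parses a constructed scan export, flags any exposed remote-access or file-sharing service, and reports every other open port that lacks a documented reason to be public. The host names, the allowlist and the scan lines are assumptions.

```python
"""Audit an external port scan against an approved-exposure allowlist.

Added example for the checklist above; not code from the article or from
Giles Automotive. Host names, allowlist and scan output are constructed
assumptions standing in for a real quarterly external scan.
"""
import re
from dataclasses import dataclass

# Constructed allowlist: host -> ports with a documented business reason to be
# reachable from the Internet. Anything else must be justified or closed.
APPROVED = {
    "web-01": {443},
    "mail-01": {25, 443, 587},
}

# Services that should not face the public Internet at all. Port 3389 is
# Remote Desktop, which the checklist says to eliminate outright.
HIGH_RISK = {21: "FTP", 23: "Telnet", 445: "SMB", 3389: "RDP", 5900: "VNC"}

# Constructed sample in a simplified "host port/proto state" export form.
SAMPLE_SCAN = """\
web-01 443/tcp open
web-01 3389/tcp open
mail-01 25/tcp open
mail-01 587/tcp open
mail-01 8080/tcp open
mail-01 445/tcp filtered
backup-01 5900/tcp open
backup-01 22/tcp closed
this line is garbage
"""

LINE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)\s+(open|closed|filtered)$")


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    reason: str


def parse_open_ports(text):
    """Yield (host, port) for every open port; skip malformed or non-open lines."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m and m.group(4) == "open":
            yield m.group(1), int(m.group(2))


def audit(text, approved=APPROVED, high_risk=HIGH_RISK):
    """Return findings: high-risk services first, then ports missing from the allowlist."""
    findings = []
    for host, port in parse_open_ports(text):
        if port in high_risk:
            findings.append(Finding(host, port, f"{high_risk[port]} exposed; close it"))
        elif port not in approved.get(host, set()):
            findings.append(Finding(host, port, "not on allowlist; justify or close"))
    # Sort so the high-risk exposures are reviewed first.
    return sorted(findings, key=lambda f: (f.port not in high_risk, f.host, f.port))


if __name__ == "__main__":
    for f in audit(SAMPLE_SCAN):
        print(f"{f.host}:{f.port} {f.reason}")
```

Feed it the real scan export and the real allowlist each quarter; an empty result means every exposed port is one the business has already justified.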