Every 40 seconds in 2016 a business fell victim to a successful ransomware attack on its IT system, according to a recent report in CyberCrime magazine. In 2019, it’s happening every 14 seconds. And in 2021? It’s expected to be every 11 seconds.
Those numbers are not surprising to Kentucky’s computer security experts. They report seeing a rash of incursions into company networks by cybercriminals who infiltrate, lie in wait, then rob a company of all the encryption keys to its data. Not content to simply destroy or wipe out files, these data thieves can completely shut down a company’s digital operations until a ransom is paid, usually in untraceable bitcoin or a cash transfer. The term “ransomware” refers to the malware the attackers use to carry out the attack.
“When it comes to ransomware, I can’t overemphasize the threat,” said Tucker Oldham, director of technical account management for Advanced Business Solutions, a firm based in Louisville that offers IT security services. “It’s a threat that has moved from IT to top-of-mind in every company boardroom. I’ve had more conversations with C-suite leaders about ransomware than any other subject, (all of them) combined. And that’s as it should be. Because even companies who think they haven’t been breached by ransomware, probably have been. They just don’t know it yet.”
Oldham said ransomware hackers generally infiltrate a system and spend weeks, if not months, gathering information, finding encryption keys and gathering permissions data. When they finally strike, a company without a proper plan in place to deal with it may have no choice but to pay the ransom, spend tens of thousands of dollars to rebuild and restore its systems, or both.
According to the Cybersecurity Research Body, ransomware attack costs are expected to rise to $11.5 billion this year. In fact, a recent study of 2,700 IT leaders by security software company Sophos revealed that the average cost of a ransomware attack was $133,000, with 54% of those surveyed saying they’d been hit by attacks last year.
“We generally recommend that companies don’t pay the ransom,” said Gui Cozzi, cybersecurity practice leader at Kentucky-based Dean Dorton, a CPA accounting firm with an IT security/tech consulting division located in Raleigh, N.C., as well as Lexington and Louisville. “And generally, you don’t have to if you have a plan in place to recover data. But sometimes, companies have no choice if they find themselves in a situation where they have no cyber insurance or the criminal’s lock on their system is so complete they have no way back in.”
How ransomware can sneak up
“Ransomware hackers are professionals. They go into an office every day, and their job is to find ways to break into American networks,” said Jim Kramer, partner and information tech team lead at MCM CPAs & Advisors, a business consulting and accounting firm with offices in Louisville, Lexington, Jeffersonville, Indianapolis and Cincinnati. “Usually powered by organized crime or foreign governments, they’re attacking companies large and small. And bad actors have nothing but time. They’re sifting through tens of thousands of emails, looking for just the right way to attack.”
Experts interviewed for this article named several types of tools criminals use to gain access to your systems, including in-person attacks, firewall/patching breaches, social engineering/email incursions, and more.
Face-to-face, on-site dirty tricks: Hackers will spend a great deal of time getting to know a company’s habits, office hours and hierarchies to gain access to a company’s network. And they’re not afraid to try brazen ways to get through your company’s security protocols.
“Companies need to look at their physical plant, and also their processes,” Kramer said. “For instance, as part of the security testing we often do with companies, we’ll send someone dressed like they’re with the cable company to the company’s front desk. We’ll say the head of IT sent us and ask to be sent to the computer/server room. It’s surprising how many times we get in, no questions asked.”
Kramer relayed the story of a client who experienced a ransomware attack through a simple bowl of free thumb drives. When the company moved into a new building, someone impersonating the building’s real estate management company came by, setting out the free logoed thumb drives as a “gift” to “celebrate their new offices.” The thumb drives, of course, were loaded with hidden malicious code that allowed the criminals to gain access to the system, and they were plugged in and run by dozens of employees.
Email/social engineering incursions: All interviewees for this story mentioned email phishing attacks as a key method criminals use to find a way past your firewalls. While most employees are smart enough not to open attachments from people they don’t know, hackers have found a way around that with a little patience and stealth, Oldham said.
After lurking for weeks in the system, they watch email patterns, download employee lists, and take note of the design of official company communications. When the time is right, they send out a message to all employees from the CEO, with an attachment.
“We do this one as a simulation all the time in our testing and training programs,” Oldham said. “It’s not unusual to see a 60% open rate.”
This kind of attack doesn’t even have to be done through the company’s email systems to be catastrophically effective. Oldham recounted the story of a client who received an email that one of its vendors had changed its banking information. The “vendor” said the $40,000 payment the client company owed needed to be sent to a new bank account. As the client had a valid bill from the vendor for that amount, they weren’t overly suspicious. Instead of picking up the phone and calling the vendor directly, they simply emailed the hacker back asking if the request was real. The hacker, of course, said yes.
“This was an example where one small bit of diligence could have averted the problem. As it was, the money was sent overseas, never to be seen again,” Oldham said.
Failure to patch: With thousands of attacks being launched against popular business software every day, new security issues come up on a daily basis. The companies that make software publish lists of patches and problems, so IT managers know when to install the changes. The problem is, they’ve also given a list of security holes to the hackers.
“Patches have to be installed immediately. Even a delay of a few hours could be enough for an attack to break through,” said Andy Nuxoll, director of information security at SIS, an IT security consulting firm based in Lexington with offices in Louisville as well as West Virginia, Ohio, Indiana and Michigan. “If a patch isn’t done well or fast enough, the consequences can be significant.”
Weak passwords: Firms that don’t have good protocols in place for password management are at risk as well, our experts said. Many allow weak passwords to go through – those that are too short or don’t contain numbers. Furthermore, employees often reuse the same password for different sign-ins, ensuring that if a hacker has one password, they can easily guess the others. Even worse, employees often store their passwords in spreadsheets or documents that can be easily found on their computers.
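The three weaknesses named above (too short, no digits, the same password reused across sign-ins) are the kind of thing an IT team can check mechanically at enrollment time. The following is an added example, not code from the article or from any of the firms quoted in it: a small Python password-policy audit with a reuse detector that stores only keyed HMAC fingerprints, so the audit itself never keeps plaintext passwords around, which is the very mistake the paragraph warns about. The length threshold, the short common-password list and the sample accounts are all constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed policy values for the example; adjust to your own standard.
MIN_LENGTH = 12
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "qwerty123"}


def policy_violations(password: str) -> list:
    """Return the names of the rules the password fails (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not any(c.isdigit() for c in password):
        problems.append("no_digit")
    if not any(c.isalpha() for c in password):
        problems.append("no_letter")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common")
    return problems


class ReuseDetector:
    """Detects the same password being enrolled for several accounts.

    Passwords are never stored; only an HMAC-SHA256 fingerprint under a
    secret key is kept, so a leaked audit store does not leak passwords.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._seen = {}  # fingerprint -> set of account names

    def fingerprint(self, password: str) -> str:
        return hmac.new(self._key, password.encode("utf-8"), hashlib.sha256).hexdigest()

    def register(self, account: str, password: str) -> list:
        """Record the password for `account`; return other accounts already using it."""
        fp = self.fingerprint(password)
        holders = self._seen.setdefault(fp, set())
        reused_from = sorted(a for a in holders if a != account)
        holders.add(account)
        return reused_from


def audit(accounts, detector: ReuseDetector) -> dict:
    """Run policy and reuse checks over (account, password) pairs.

    Returns {account: [issue, ...]} where reuse is reported as
    'reused_with:<earlier account>'.
    """
    report = {}
    for account, password in accounts:
        issues = policy_violations(password)
        issues += ["reused_with:" + a for a in detector.register(account, password)]
        report[account] = issues
    return report


# Constructed sample data: one user reusing a password across VPN and mail,
# one user with a short, common password, one with a long but digit-free one.
SAMPLE_ACCOUNTS = [
    ("vpn:alice", "Tr0ub4dor&3Summer"),
    ("mail:alice", "Tr0ub4dor&3Summer"),
    ("crm:bob", "Welcome1"),
    ("mail:carol", "correcthorsebattery"),
]

if __name__ == "__main__":
    # The key would normally come from a secrets store; constructed here.
    detector = ReuseDetector(b"constructed-demo-key")
    for account, issues in audit(SAMPLE_ACCOUNTS, detector).items():
        print(f"{account}: {', '.join(issues) or 'ok'}")
```

The reuse check only catches duplicates among passwords the audit has seen, so it is most useful wired into the enrollment path for each system rather than run once; the fingerprint key must be kept as secret as the passwords it protects.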
Meeting hackers head on: Our experts unanimously said the first step to improved security is having a security risk assessment done, no matter what the size of your company. “There are two ways to look at your security risks,” said Cozzi. “First, what regulations do I have to meet? Do I have to adhere to HIPAA, or marketing regulations regarding the handling of customer data? Testing to see how well those regulations are being met is step one. Then, you need to look at what services you offer, and how they are exposed to the internet. How does data flow in the company? Where is the data stored? The answers to these questions will have a lot to do with how you shape your security processes in the future.”
Part of that assessment is testing to find gaps in training and using that knowledge to craft security training that is required for any employee with a company-issued computer. This might include imposters trying to gain physical access to your plant. Or it might include phishing attacks, attacks on your software, your cloud servers, kiosks and more. Training courses can be online or in person, but they should include concrete examples of what can happen when procedures aren’t followed.
“There is a type of security expert called a certified ethical hacker, and we have them on staff,” Kramer said. “We run tests and see how long it takes them to break into your system and find its weaknesses. It’s often not as long as you think.”
Firewalls and anti-virus software: Firewalls to protect against unauthorized users and anti-virus software to scan your system used to be the key tools companies used to protect themselves. And they’re still crucial, according to experts. But the company that thinks it can “set it and forget it” is sadly mistaken, Nuxoll said. Firewalls need to be protected and patched.
“And when criminals see the firewalls, they simply change their tactics. They decide to go after your backup vendor, or your cloud storage or log-ins through mobile devices, or any weak point they think they can find,” Nuxoll said. “Making sure your anti-virus and firewall protections are state-of-the-art, patched promptly and up to date are key to keeping your company safe.”
Backup your backup: Companies do well to have backup systems. The problem comes when they don’t configure them properly. Nuxoll recommends a backup system that’s highly segmented and stored offsite, as opposed to backup systems that are stored on the same server as your main system.
“Backups that are sectioned off under different protocols can often save you in the case of an attack. You might lose some of your data, but you’ll be able to recover what counts, and rebuild from there,” he said.
Make permissions not so permissive: Sometimes, users can have too much access, or their access is gained too easily. “Two-factor verification should be used, especially when your employees are logging on from a strange computer or a mobile device,” Cozzi said. “Scammers are looking through your system to find what they can encrypt. When your employees have access to too many kinds of files and buckets of data on your system, that makes it easier for a scammer to get through your system in record time. Ask yourself, do they really need access to those areas? And make sure your employees only have access to what is necessary for their work,” he added.
Cybersecurity insurance: Whether companies purchase it as a standalone policy, or as a rider on an existing policy, our experts agree a good cybersecurity policy is not optional for companies of any size. A good policy will cover the cost of an unavoidable ransom as well as fees for data retrieval and rebuilding a damaged system. Considering that the average ransomware attack costs tens of thousands to mitigate, they agree it’s an investment you can’t afford not to make.
“The bottom line is, you have to protect your company,” Nuxoll said. “All the tips and strategies you can research will help. But it’s no substitute for vigilance. You have to constantly be evaluating. Check your systems, and your servers, and your software and your training. Check your patches. Revise everything down the line when new threats emerge. Constantly be on the lookout for your next weakness. Because believe me, hackers will be looking for those weaknesses, too. The secret to having good security is finding them before they do.”
Susan Gosselin is a correspondent for The Lane Report. She can be reached at [email protected]