No one is immune to ransomware attacks. Companies, organizations, and governments of all sizes have fallen victim to ransomware recently and have paid out handsome sums of money to have their data and operations restored. The prospect of being hit with a ransomware attack is terrifying. Avoiding an attack must be a group effort between the organization, its employees, and their IT professionals.
What is Ransomware?
According to the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC)’s Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, “Ransomware is a form of malicious software (“malware”) designed to block access to a computer system or data, often by encrypting data or programs on information technology systems to extort ransom payments from victims in exchange for decrypting the information and restoring victims’ access to their systems or data.”
A ransomware attack is different from a normal data breach, where criminals steal personal information to sell or exploit. Instead of just stealing information, during a ransomware attack hackers encrypt data, rendering it useless to the victim organization. To have the data restored, victims must pay varying amounts of money, sometimes more than once. Ransomware is a crime of opportunity and volume. The criminals do their research, target specific types of businesses, and exploit the weakest links.
Ransomware is not one-size-fits-all. This can lead to added stress and legal trouble depending on the complexity of the attack. Smart hackers will target backups first, making it much more difficult for businesses to restore data and much more likely that the criminals will get paid. Ransomware could be deployed on a network weeks, months, or years ahead of time to slowly infect and encrypt as much as possible to ensure no data can be restored. Some attackers use double encryption or layered encryption. They will first encrypt files, and then encrypt the files again to make them near impossible to decrypt. Another method attackers use to make sure data cannot be decrypted is side-by-side encryption. Some files are encrypted by method “A” and some by method “B”, making them more difficult to decrypt.
If this was not enough, there can be different layers to an attack. During double-extortion events, criminals will steal the data, encrypt it, then threaten to leak it unless the ransom is paid. Alternatively, they will require a first ransom to decrypt the files and a second ransom to prevent a leak of sensitive data. During triple-extortion events, criminals will steal the data, encrypt it, and demand a ransom to unlock it. They follow up with threats to leak the data if a second ransom is not paid. What makes triple-extortion events particularly dangerous is that criminals will then go after the individuals whose data was stolen. For a small business, this might be vendors or employees; for a borough or municipality, this might be residents. The attackers will then threaten to leak individual data if the individual does not pay a ransom. This leads to a higher likelihood of post-ransomware lawsuits, adding to the overall cost of the ransomware attack. If borough residents, vendors, or employees are targeted by these criminals, it is not far-fetched to think the victims would sue to recoup the cost.

Some businesses and most municipalities will collect enough sensitive data that a triple-extortion event is a real possibility. But, even without collecting what one might think of as more traditional personally identifiable information (PII) like social security numbers, driver’s license numbers, bank accounts and the like, other sensitive information, upcoming litigation, or police information that should not be leaked could be stolen and held ransom.
Local Municipality Ransomware Attacks
Ransomware attacks are not limited to large, rich corporations. Small governments can fall victim to ransomware criminals. In April of 2020, all the Borough of Duncannon’s electronic files, data, and emails were encrypted in a ransomware attack. Even though the borough employed an IT company to perform backups, several of the IT company’s servers were compromised during the attack, making the backups unusable. Borough officials were operating under the false assumption that their IT company had provided adequate security to prevent this type of breach. Duncannon Borough ended up paying $43,000 to hackers to have the data restored.
Many boroughs work closely with or provide police services to their residents. The sensitive data collected by police departments, large or small, can be an enticing target for criminals. The Metropolitan Police Department in Washington, DC was hit with a ransomware attack reported in early 2021. The hackers claimed to have stolen a treasure trove of sensitive data and threatened to publish the material after ransom negotiations fell apart. Some of the stolen data included informant material, which very obviously put the public in danger.
Borough officials should not be lulled into a false sense of security. Employing an IT company and having data backups does not by itself prevent ransomware attacks. After the Duncannon attack, the IT company decided to “beef up the security” for the borough. But this was decidedly too little too late. Boroughs and IT companies alike must act before something happens. Not all the responsibility should fall on outside parties. Borough officials, employees, and even volunteers where applicable should be educated on cyber security awareness and best practices when working with sensitive data and on borough networks.
Criminals Reporting Their Own Attacks
In November of 2023, a cyber attacker decided that their victim took too long to reply and pay the ransom. So, the attacker filled out a form on the SEC’s website reporting the breach! Yes, you read that right. The criminals reported their own work. Of course, they did not disclose that they did the crime. However, they did explain that their victim was subject to a security breach and did not report it in a timely manner.
Public companies are subject to the rules of the Securities Exchange Act of 1934 amendments enacted September 5, 2023. The 186-page document outlines the proposed amendments, reporting guidelines, and risk management strategies, among other items. “Specifically, we are revising proposed Instruction 2 to Item 1.05 of Form 8-K to direct the registrant to include in its Item 1.05 Form 8-K a statement identifying any information called for in Item 1.05(a) that is not determined or is unavailable at the time of the required filing and then file an amendment to its Form 8-K containing such information within four business days after the registrant, without unreasonable delay, determines such information or within four business days after such information becomes available.”
For more on this attack and how the ransomware actors exploited their victims, see the original article on bleepingcomputer.com.
Protection from Ransomware Attacks
Budget is certainly an overwhelmingly large consideration when deciding how to deal with cyber threats within a small business or government such as a borough. However, the cost of insurance, education, and safety precautions will likely be far less than the cost of a ransom, disruption of service, and legal actions that follow a cyber-attack. Implementing fundamental controls to keep ransomware at bay is always worth the cost.
Some ransomware prevention methods should be handled by IT professionals, but here are a few easy-to-implement safeguards.
Cyber Insurance
Cyber insurance is becoming very necessary as most municipalities rely on the internet to function. As it stands now, considering all the recent attacks, insurance limits are going down, rates are going up, and insurance companies are demanding more controls in place by the insured to prevent attacks. The cyber insurance policy that is appropriate for one municipality may not be right for another. There is no “basic” policy. It is best to check with your legal counsel to figure out what is necessary for your business.
Greg Gunn, President and CEO of Gunn Mowery in Lemoyne, stresses the importance of cyber insurance to prospective and existing clients. “Cyber Insurance is readily available and obtainable by most local governments. It covers both first-party damage to your own system and third-party damage to the property and information of others. It does cover data breach, which was the big issue several years ago, and ransomware, which is the big issue now. The big questions are always what limit you need and what limit you can afford.”
Insurance companies are trying to reduce their risk, which is driving cyber insurance premiums up. Premiums are even higher where companies and governments fail to implement protective measures to avoid ransomware attacks. According to Gunn, “With the recent outburst of ransomware attacks, carriers are paying out higher and higher sums and that is causing rate increases and the pull back of large limits in some cases. But you really need a broker that has expertise with cyber because there are many nuances with carriers, coverage forms, exclusions, and warranties.”
Obtaining any insurance policy can be a tiresome process. Insurance companies have expanded their questionnaires to ensure that the insured parties are taking steps to mitigate the risks of online attacks. Cyber insurance will likely continue to evolve in the coming years. Insurance companies around the world have considered banning payouts for ransom reimbursement, as they are just too lucrative for criminals. The French insurance company AXA was the first to ban these types of payments. It will be interesting to see if other global companies follow suit.
Backups
Backing up data does not mean you will avoid a ransom payment. However, having redundant backups can help with data restoration. It is important to keep off-site, off-network backups and to check their integrity regularly. If your business does not have an in-house IT department, it might be wise to partner with a local IT firm to set up backups and check that they are viable.
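One way to make the “check their integrity regularly” step concrete is to record a hash manifest when a backup is taken, keep that manifest off-network, and periodically compare the backup set against it. The script below is an added illustration, not code from the original article; the file names and the tampering scenario are constructed, and it assumes the manifest is stored somewhere the backup volume cannot reach.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Record the hash of every file in the backup set. Store the result off-network."""
    return {p.relative_to(backup_root).as_posix(): sha256_file(p)
            for p in sorted(backup_root.rglob("*")) if p.is_file()}


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the backup on disk with the stored manifest.
    Any 'changed' entry means a backup file no longer matches what was written,
    which is exactly what an encrypted or overwritten backup looks like."""
    current = build_manifest(backup_root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo() -> tuple:
    """Constructed scenario: verify a clean backup, then re-verify after simulated tampering."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "minutes").mkdir()
        (root / "minutes" / "2024-01.docx").write_bytes(b"council minutes")  # constructed sample
        (root / "payroll.csv").write_bytes(b"name,amount\n")                  # constructed sample
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)
        # Simulate a backup volume that was reached by an attacker: one file
        # overwritten with unreadable content, one removed, one file that was never backed up.
        (root / "payroll.csv").write_bytes(b"\x00unreadable\x00")
        (root / "minutes" / "2024-01.docx").unlink()
        (root / "NOTE.txt").write_bytes(b"unexpected file")
        return clean, verify_backup(root, manifest)
```

Run `demo()` to see the clean result (three empty lists) next to the tampered result; scheduling `verify_backup` against each backup set and alerting on any non-empty list is the regular integrity check the paragraph calls for.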
Network Security
Network security is an important tool in preventing a ransomware attack. These attacks often start when an employee inadvertently allows access to the network where criminals slowly infect files until the municipality must shut down and/or pay a ransom. Two-factor authentication (2FA) can slow or stop a potential attack. Strong passwords should be employed even when using 2FA.
Only give employees access to what they need. Sensitive data should not be accessible to everyone.
Hardware and software should be patched on a regular basis. Frequent updates can be annoying, but manufacturers push these updates to patch known vulnerabilities. Make sure your company’s systems and equipment are protected by the latest patches.
All devices connected to the internet should have up-to-date anti-virus and anti-malware software installed.
Education
Employees should be trained regularly on cyber security issues and mitigation. Some insurance companies are starting to offer “free” cyber security awareness training when a cyber insurance policy is purchased. There are also a few great free options available online. CyberSafe Work offers free security awareness posters each month. If it fits into the budget, it might be worthwhile to purchase cyber security training via a service like KnowBe4, SkillShare, or Udemy.
Finally, part of educating staff includes having a policy in place and ensuring that all employees, officials, and volunteers are aware of this policy. Establish the rules of engagement for using the internet on company-issued devices, what to do if a breach is expected, and what should be done if you are attacked. Your legal counsel and IT professionals should be involved in creating a cyber security policy.
Outsourcing
Understandably, not all companies have the budget for in-house IT professionals. There are plenty of great IT and security firms with which one can partner to make sure that their hardware, software, and network is set up as securely as possible. It is important to properly vet the company prior to hiring them. It is also important to remember that the onus should not fall solely on the IT company to protect your business. Smart cyber practices should be employed daily by all staff to help mitigate the risk of doing business online.
One way to help keep cyber security awareness in the minds of all staff is through a newsletter provided by your IT company. It is good to know that your business is partnering with a company that not only stays current on threats and vulnerabilities but also takes an interest in educating its clients.
The Future of Ransomware Regulations
There has been a push for the government to put legislation in place to prevent these types of attacks, or at the very least make paying ransoms illegal. OFAC does have rules in place making it illegal to pay a ransom to cyber criminals. The problem lies in the fact that the companies and governments held hostage cannot afford to have their very livelihood erased. Currently, enforcing national and state-based cyber security laws is expensive and time consuming for both the government and the businesses involved.
The problem with prosecuting cyber criminals is that attribution for ransomware attacks is incredibly difficult. Often, the nation states in which these criminals reside do not allow for extradition to the United States. It is highly unlikely that we can go get them and bring them to the US for trial.
Another question that arises in the process of investigating ransomware attacks is if the evidence would even be admissible in court.
Final Thoughts
No one really wants to fund organized crime. But on the other hand, municipalities have very real financial obligations. Paying a cyber criminal’s ransom is just easier and less costly than the alternatives. Business owners, staff, and local governments alike should take a good look at the cyber security policies in place to mitigate the risk of a ransomware attack so as not to end up in a situation where paying off criminals seems like the only option to keep the business up and running. These policies could include cyber insurance, redundant backups, strong software and hardware protections, limited access to data and networks, employee education, and more. As always, check with your solicitor before implementing any policies or purchasing a cyber insurance policy.