Computer crimes using “ransomware,” malware that encrypts files then demands payment to unlock them, are growing in number and sophistication and are increasingly being seen in Arkansas. Even people who don’t have the technical expertise to create this type of malware can buy it online.
In addition, lucrative targets are plentiful, especially hospitals and other health care facilities, which face hefty fines for being breached, and hackers don’t need to invest much effort or money to reap huge dividends, local experts say.
“It’s a whole industry. It’s a targeted way to make money,” said Ted Clouser, executive vice president of PC Assistance in Little Rock. “There is no one that is safe. It doesn’t matter how large or small you are — and in some cases, small businesses, unfortunately, are more at risk because they can’t or often don’t put the investment in on the front end to take these proactive measures.”
Recent incidents in the state highlight the problem. Both ARcare of Augusta and the Carroll County Sheriff’s Office in Berryville were victims of ransomware attacks in December. The sheriff’s office paid about $2,400 in bitcoin, a digital currency, to recover its data.
Incidents of ransomware have been growing by several hundred percent per quarter, and that trend is expected to continue for at least the next year or two, according to an August report by Osterman Research Inc. of Black Diamond, Washington.
The average ransom demand is also growing. It more than doubled from 2015 to 2016, to $679, according to a July report by Symantec Corp. of Mountain View, California.
Hackers using ransomware collected nearly $209 million in the first three months of 2016 and it was on pace to be a billion-dollar enterprise last year, CNN reported in April.
The emergence of ransomware-as-a-service is one reason it’s so easy to pull off these attacks, according to Blake Townsend, a “certified ethical hacker” — his real title — for PC Assistance.
It works like this: Criminals who may not have the technical expertise to create their own malware sign up for it online, pay for it in a portal that looks just like PayPal and surrender 30 percent of the ransoms they collect.
“It’s run like a real business,” Townsend said. “It’s going to continue to evolve, and the rate it’s evolved at is fascinating. It’s very profitable.”
That’s especially true for the health care industry. Ransomware cuts off the quick access to patient records that’s needed to provide time-sensitive care, and victims — hospitals, ambulatory surgical centers, urgent care clinics, etc. — will often pay what is demanded to avoid deaths and lawsuits.
Ransom isn’t all they stand to pay either. They can be fined $100 to $50,000 per record compromised, up to a maximum $1.5 million, by the Office of Civil Rights, which enforces regulations of the Health Insurance Portability & Accountability Act, according to Meredith Davison, a marketing representative for Kirkham Systems of Fort Smith, an information technology and computer services company.
Tom Kirkham, the company’s CEO and founder, said hacked health care entities had been getting off with just a warning. Now, he said, they need to be as compliant as possible with HIPAA cybersecurity regulations because more compliance means a lower fine.
Think Before Clicking
Businesses can avoid falling victim to ransomware attacks by employing technical measures and by teaching employees to identify emails containing the most common delivery system for the malware: a link or attachment. “Think before you click” has become the mantra of cybersecurity.
One of the first steps that health care providers and other potential targets should take is to train employees to identify emails containing links or attachments carrying ransomware, Kirkham said. That’s especially important now that the task is not as easy as it used to be, he said.
Kirkham said hackers are using social engineering — a security term for the process of gathering information through online research of a company or individual — to better craft emails that appear to be from a familiar source.
Misspelled words, bad punctuation and poor design once made these emails stick out like a sore thumb, he said, but today’s hackers have access to good designers and people fluent in many languages through businesses like ransomware-as-a-service.
Training employees doesn’t do much good, however, if businesses fail to take technical steps to prevent an attack.
Those steps include continually updating software, keeping antivirus and antimalware protection in place and having firewalls that block unauthorized access but allow for outbound communication, said Clouser, of PC Assistance.
Companies should limit administrative privileges to a few accounts and consistently run vulnerability assessments to identify inherent weaknesses in software and have those fixed, said Aaron Gamewell, president, CEO and managing partner of SBS CyberSecurity in Madison, South Dakota.
He said other basic protocols all cybersecurity firms recommend and support include the following:
- Regularly backing up data and verifying the integrity of those backups.
- Making sure backups are not connected to the computers and networks they are backing up by storing them in the cloud or physically storing them offline. (There is, however, a caveat to storing backups in the cloud. If the backups are automatically stored in real time, they may still be susceptible to ransomware.)
- Downloading software only from trustworthy sites.
- Ensuring anti-virus and anti-malware solutions are set to automatically update and regular scans are conducted.
- Disabling macro scripts, the embedded automation in files transmitted via email. This can be done by setting up programs to warn a computer user about their existence and disable them until the user clicks an onscreen banner. Most macros are safe, but hackers can build them to do more than they’re intended to, like taking over a user’s computer.
- Using Office Viewer software to open Microsoft Office files transmitted via email instead of using full Office Suite applications.
- Implementing software restrictions or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular Internet browsers and compression/decompression programs (including those located in the AppData/LocalAppData folder).
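Verifying the integrity of backups, as the first two items above recommend, can be done by recording a hash of every file at backup time and comparing the tree against that record later. The following is an added example, not code from the article or the firms quoted in it; the temporary directory, file names and the 7.0 bits-per-byte entropy cutoff are constructed assumptions. Files whose hash changed and whose content now has near-random entropy are flagged separately, since that is what an encrypted record looks like.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup sets are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits well under 6, encrypted data close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(root: Path) -> dict:
    """Record relative path -> SHA-256 for every file at backup time."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(root: Path, manifest: dict, entropy_limit: float = 7.0) -> dict:
    """Compare the tree against the manifest. 'suspect' lists changed files
    whose content now looks encrypted (entropy above entropy_limit)."""
    report = {"missing": [], "changed": [], "suspect": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != expected:
            report["changed"].append(rel)
            if shannon_entropy(p.read_bytes()) > entropy_limit:
                report["suspect"].append(rel)
    return report

def demo() -> dict:
    """Constructed sample: three records are backed up, then one is overwritten
    with random bytes and one deleted, simulating ransomware on the share."""
    root = Path(tempfile.mkdtemp())
    for name in ("patient1.txt", "patient2.txt", "notes.txt"):
        (root / name).write_text(f"record {name}\n" * 40)
    manifest = build_manifest(root)
    (root / "patient1.txt").write_bytes(os.urandom(4096))  # "encrypted"
    (root / "notes.txt").unlink()                           # deleted
    return verify_backup(root, manifest)

if __name__ == "__main__":
    print(demo())
```

The manifest must itself be stored where the ransomware cannot reach it (the offline or non-synced copy the list describes), or an attacker who can rewrite the files can rewrite the record too.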
When downloading software, its integrity should be verified through a digital signature before execution whenever possible, Gamewell advised. When software is created, he explained, the developer can sign the code to brand it as genuine. A computer should warn users of an invalid signature, and users can also check that the person or company expected to sign it actually did.
Even with these preventive measures in place, ransomware can still infect a company’s system, as it did when ARcare was attacked in December.
But because ARcare had taken precautions, the clinic didn’t have to pay a ransom or cease operations. “It was more of a nuisance than it was an ‘Oh, my God, the sky is falling,’” Chief Information Officer Greg Wolverton said.
A user reported, and the clinic’s technical operations team confirmed, that some files had been encrypted, but backups were in place. Servers were shut down and the backed-up files were loaded onto new servers.
The ransomware got in through a vendor’s access point and wasn’t in an email or ad. It was deployed when a hacker entered username and password combinations until one worked, a time-consuming technique called “brute force.”
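A brute-force login against a vendor access point leaves a distinctive trail: many failed authentications from one source in a short window, then a success. The detection below is an added example, not ARcare’s tooling or anything from the article; the syslog-like log format, host name, user names, addresses, the 5-failure threshold and the 10-minute window are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the article): one source fails six times
# and then succeeds; a second source mistypes once and then logs in.
SAMPLE_LOG = """\
2016-12-03T02:14:05 vpn-gw auth: FAIL user=vendor1 src=203.0.113.7
2016-12-03T02:14:06 vpn-gw auth: FAIL user=vendor1 src=203.0.113.7
2016-12-03T02:14:08 vpn-gw auth: FAIL user=vendor1 src=203.0.113.7
2016-12-03T02:14:11 vpn-gw auth: FAIL user=vendor1 src=203.0.113.7
2016-12-03T02:14:13 vpn-gw auth: FAIL user=vendor1 src=203.0.113.7
2016-12-03T02:14:17 vpn-gw auth: FAIL user=vendor1 src=203.0.113.7
2016-12-03T02:14:20 vpn-gw auth: OK user=vendor1 src=203.0.113.7
2016-12-03T08:00:00 vpn-gw auth: FAIL user=nurse2 src=198.51.100.4
2016-12-03T08:00:09 vpn-gw auth: OK user=nurse2 src=198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) \S+ auth: (FAIL|OK) user=(\S+) src=(\S+)$")

def parse(line: str):
    """Return (timestamp, result, user, src) or None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, result, user, src = m.groups()
    return datetime.fromisoformat(ts), result, user, src

def detect_brute_force(text: str, threshold: int = 5,
                       window: timedelta = timedelta(minutes=10)) -> dict:
    """One alert per source whose failures inside `window` reach `threshold`.
    'success_after' marks the case that matters most: a login that worked
    after the failures, i.e. a guessed password."""
    recent = defaultdict(deque)  # src -> timestamps of failures still in window
    alerts = {}
    for raw in text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue
        ts, result, user, src = rec
        q = recent[src]
        while q and ts - q[0] > window:
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= threshold:
                a = alerts.setdefault(src, {"failures": 0, "success_after": False})
                a["failures"] = max(a["failures"], len(q))
        elif src in alerts:
            alerts[src]["success_after"] = True
            alerts[src]["user"] = user
    return alerts

if __name__ == "__main__":
    print(detect_brute_force(SAMPLE_LOG))
```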
ARcare has since established a new policy that requires vendors to secure their own connection to the clinic’s system or have the clinic establish that connection in the form of a virtual private network, an encrypted tunnel between the vendor’s computer and the clinic’s computer. Off-site employees were already required to use a type of VPN.
“If you’ve got good backups, and you’ve got procedures in place, then there’s nothing to recover from,” Wolverton said. “It becomes a day-to-day business for you to do that. That doesn’t mean we don’t need to continually learn these new threats.”
If ransomware does get into a business’ system, the firm should disconnect the infected computer from the rest of the network but not power it off. That could keep the rest of the network and other computers from being infected, according to Gamewell, a former executive with the Arkansas Bankers Association.
He also suggests calling in an information technology services firm and said companies can also hire a firm to consistently monitor cybersecurity threats.
Before hiring a managed services firm as a long-term solution, Gamewell advised businesses to take a good look at the practices and qualifications of the managed services firm, to conduct an annual cybersecurity audit of their own companies and to require annual audits of the firm hired.