Ransomware attacks on businesses in Arkansas are on the rise, the FBI and IT professionals say, though embarrassment at security breaches means concrete numbers are hard to obtain.
The FBI knows “for a fact” that the amount lost and the number of victims in Arkansas is higher because not all businesses report cybercrimes, said Connor Hagan, the public affairs officer for the FBI office in Little Rock. “And those numbers have continued to rise a lot due in part to the pandemic,” he said.
The loss to a business can be profound. One cybersecurity expert in Arkansas saw a case in which a ransomware attack essentially shut down a business for more than a week.
“If somebody gets into a system and ransoms that system, then that business comes to a screeching halt,” said Mark Hodges, chief growth officer at Edafio Technology Partners of North Little Rock, an IT consulting firm. “Just imagine your business just having to shut its doors and can’t take appointments, can’t bill, can’t do anything for over a week.”
Ransomware attacks hold a business’ computer system hostage by encrypting its files. A criminal then demands payment to release the data.
In 2020, the latest figures available from the FBI, there were 21 victims of ransomware in Arkansas with a loss of $150,000. In 2019, the entire loss from ransomware was $28,200. Other cybercrimes were also costly. In 2020, there were 87 victims of scams related to business email or email account compromises for total losses of $9.7 million in Arkansas. In 2019, the loss in Arkansas from that crime was $16 million. (See How to Avoid Business Email Compromise Scams.)
Hagan said determining the true cost of cybercrime attacks is difficult because businesses are reluctant to report the crimes, fearing embarrassment or alienating customers by acknowledging a security breach.
Ted Clouser, president and CEO of PCA Technology Solutions Inc. of Little Rock, which offers cybersecurity services, said criminals requesting the ransom have done their research and will ask for an amount the company can afford. “If they come after a $2 billion organization, they can ask for a million,” he said. “This is an entire operation that’s run like a business, and they do it very well.”
Hagan said the choice to pay a ransom is “entirely a business decision.” But the FBI urges businesses not to pay because there’s no guarantee that all the data will be returned once the ransom is paid. And paying the ransom emboldens the cybercriminals, he said.
Prevention Is the Key
While it’s easy to spot a scam in which the criminal impersonates an overseas prince who has recovered millions of dollars and wants to share it for a small fee, those scams are over.
“Criminals are pretty savvy. They’re there to get the money,” said the FBI’s Hagan. “They’re there to get the information and the money, but they’re going to use whatever techniques they can.”
Criminals have become more devious in how they break into a company’s computer network, said Dale Thompson, an associate professor in the Department of Computer Science & Computer Engineering at the University of Arkansas.
A scammer might send an email requesting the user to update a piece of software, he said. Or a scammer might reword emails to slip them through a company’s spam filters.
The cybersecurity firm BreachBits of Washington, D.C., opened an office in Little Rock last year, said Foster Davis, a Little Rock native who co-founded the company with John Lundgren. Both are military cyberwarfare veterans. BreachBits’ services include safely launching cyberattacks against a firm to tell it where the weaknesses are.
“One of our philosophies is that the best way to defend yourself is to test yourself,” Davis said. “If the hacker does it, we do it.”
It will also provide the company with what it calls a BreachRisk Score, which indicates the risk that a hacker could break into a company. A lower score means a lower risk.
To prevent ransomware attacks, a company should maintain offline backups and verify that they are there, the FBI’s Hagan said. A lot of businesses say they have backups, but those may be ineffective. “Well, if those backups are connected to your system, and that system is hit by ransomware attacks, the backups are worthless,” he said.
And restoring information from a backup system isn’t always secure. “The issue there is you have no idea when [the ransomware] got into your system,” said Hodges, of Edafio. “So you may be restoring a backup to the same ransomware.”
Ransomware typically has been in a computer system about 220 days before the business realizes it, he said. And it takes about 80 days to repair the damage done from the cyberattack. The cost to a business could be significant, Hodges said, especially if the company is in an industry that levies fines or penalties for customer information being released.
Another way to prevent a cyberattack is to make sure people use different passwords on different systems, Hodges said. Multifactor authentication helps eliminate threats. “The ideal version is using an authenticator application that generates a code,” Hodges said. Using two-factor authentication is not perfect because criminals can hack a cellphone and intercept the code intended to verify the account.
“A good multifactor authentication is a critical piece,” he said. But he found some companies are reluctant to use it, fearing that the users of the system will think it’s inconvenient. “Well, I get it, but you have to secure your business,” Hodges said.
FBI Special Agent Meredith Harrington urges businesses to report cybercrimes as soon as possible, which they can do at the FBI’s Internet Crime Complaint Center, IC3.gov. The faster the crime is reported, the better chance the FBI has to recover the money. But Harrington said it’s difficult for the FBI to recover stolen money once it’s gone.
The FBI’s Hagan said if the criminals are overseas, or if they’re using cryptocurrency, it’s difficult to claw back the stolen money.
He encourages Arkansas businesses to give the FBI’s Little Rock office a call at (501) 221-9100 and ask to speak to a cyber agent to arrange for an agent to come and speak to a company about ways that it can protect itself.