In 17th and 18th century England, highwaymen—thieves who traveled and robbed on horseback—concealed themselves along wooded sections of major roads leading out of London, waiting for the chance to stop vulnerable travelers in stagecoaches and carriages with a loud “Stand and deliver.”
This was code for “handover your jewelry, purse, money, weapons, and whatever else you’ve got right now before we shoot you!”
Highwaymen faded into history by the mid-1800s, but on today’s cyber highways, new highwaymen are lying in wait outside weak passwords, missing patch updates, and phishy emails, ready to steal sensitive financial data, personal information, and proprietary intellectual property.
Like the highwaymen of old England, hackers may have specific targets or they may attack indiscriminately. Either way, everyone from big corporations to government agencies to regular people running regular businesses has what they want: data.
Because in today’s world, data=$$$$$.
All the bad actors
Most people use the term “virus” to talk about any external program that disrupts computing functions, but a virus isn’t the same thing as spyware. Trojans aren’t the same as ransomware.
These guys are all malware, but they work differently. Because of that, a basic understanding of how each type of malware infiltrates and attacks your system is critical to understanding how to both protect against them and how to get rid of them if your defenses fall.
As hackers have become more sophisticated, so has their malware. Hybrid or exotic malware combines two or more of these techniques into a complicated, multi-step attack that can inflict layers of damage while staying undetected for a long time, sometimes years.
Ransomware — the internet’s highwayman
Ransomware is malware that attacks a system by encrypting its data and holding it hostage until the victim pays a hard-to-trace cryptocurrency “ransom” for the decryption key. Computers are most commonly infected with ransomware when a user opens a seemingly benign but malicious email attachment.
Ransomware can also be activated by clicking on links in social media messaging apps or through drive-by downloads that happen when you visit compromised websites.
Ransomware in its modern form has been around since about 2005. Its popularity ebbs and flows, but according to Cybersecurity Ventures, a business was attacked by ransomware every 11 seconds in 2020, with the total cost for the year estimated at $20 billion.
There are many reasons for this trend in ransomware hacks. An entire industry has sprung up around the development and sale of ransomware kits, meaning even people who aren’t expert coders can activate an attack. Expert coders who are criminally minded, however, have developed new ways to create ransomware capable of operating across platforms while encrypting ever-increasing amounts of data.
Additionally, COVID-19 transformed entire industries to a mostly remote workforce almost overnight, leaving all kinds of gaps in security and data protection systems.
Because they are less likely to have robust cybersecurity protocols, small- and medium-sized businesses have historically been the most frequent targets of ransomware. But 2020 brought a dramatic increase in ransomware attacks against K-12 school systems, hospitals and healthcare systems, police departments, and municipalities, all groups who rely on technology to provide a necessary public service and who are likely to have insurance policies capable of “standing and delivering” on a ransom demand.
The attacks against these types of organizations have also revealed the modern-day highwayman’s newest weapon: double extortion ransomware.
Double extortion ransomware
Double extortion ransomware takes the original concept of ransomware, pay up if you ever want to see your files again, one step further. In addition to withholding the decryption key, hackers copy your data before they encrypt it and threaten to publish it or sell it on the dark web.
This newest variation has made hackers more likely to specifically target large corporations or more valuable information (or both). It also has made victims more likely to make sure the ransom is paid and thus avoid having proprietary information sold to competitors or being held liable for their customers’ personal information being available to criminals around the world.
Adding insult to injury, it’s possible, even likely, that the victim pays and the digital highwayman doubles their profit by selling the data anyway.
Protect yourself against highway robbery
The recent SolarWinds hack, in which Russian state-backed hackers gained entry to multiple government agencies including the Department of Homeland Security, the Commerce Department, the Treasury Department, the Justice Department, and the State Department (as well as tech giants Microsoft, Cisco, Belkin, and Intel), is a perfect example of why it’s so important to shore up your defenses.
Note: Keep SolarWinds in the back of your mind. We’ll come back to it.
Defending against ransomware, especially double extortion ransomware, isn’t easy, but it’s definitely doable. The solutions are common-sense measures that any cybersecurity professional will tell you about. In fact, you’ve probably been told about them at least once already. So do your future self a favor and listen up.
Train your employees
There are a lot of high-tech, complicated things you can (and should) do to protect your data, but one of the most effective and least expensive things you can do to protect against hacks is to train your employees regularly and well.
The three most common infection vectors are email attachments, drive-by downloads, and malicious links. You can dramatically reduce your risk of a breach if you teach your teams:
- What phishing emails look like
- Why they can’t enable macros in Office attachments (Microsoft disables macros by default, but everyone has those employees who click “Enable Content” anyway)
- How critical it is to avoid clicking links in emails you don’t recognize and/or downloading attachments from people you don’t know
- What can happen if they download unapproved/not whitelisted software and/or apps
- When it’s appropriate to give a program administrative permissions
Remember — these “training sessions” don’t need to be day-long events. You can spend five minutes in a staff meeting explaining why employees need to stay off public WiFi connections or send a weekly email reminder about policies on using company devices for personal reasons (or vice versa). IT can teach staff how to set strong passwords through a post on internal message boards.
The important thing in establishing a privacy culture is consistency and clarity from the top down.
Backup your data
Yes, I know. Technically, backing up your data won’t protect you from a ransomware attack, but it can lessen the severity of the fallout.
Most ransomware is coded to look for and encrypt or delete backup files, which means your backed-up data will be useless if it’s reachable from your main operating system: a backup drive that stays plugged in or a network share that is always mounted gets encrypted along with everything else. It’s most effective to use a tiered or distributed backup strategy, prioritizing the most important data first, backing up regularly using several media (cloud, external hard drive, etc.), and keeping at least one copy offline or immutable so a compromised machine cannot alter it.
One caveat: make sure your system has been cleared of the malware before you restore your backups. You don’t want to reinfect the restored data and start the whole thing over again.
One more caveat — backing up your data may not help you if you are dealing with double extortion ransomware. As Justin Daniels, a shareholder, attorney, and cybersecurity expert at law firm Baker Donelson tells us, “Since double extortion ransomware is the latest variant, merely having separate backups is not sufficient. This type of ransomware means companies need to have in-depth cyber defenses that can identify the ransomware before it exfiltrates data as a prelude to the encryption of the company’s network.”
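As an added example (not code from the original article), the rules in the backup section above can be written down as a small Python policy evaluator over a constructed backup inventory: the 3-2-1 rule (three copies, two media, one off-site), at least one copy that is offline or immutable, nothing mounted on the production system, and every copy fresher than the recovery point objective the recovery plan later in this article sets. The inventory, the dates, and the 24-hour RPO are illustrative assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class BackupCopy:
    dataset: str
    medium: str                  # "nas", "cloud", "external_disk", "tape"
    offsite: bool                # stored somewhere other than the main office
    immutable: bool              # offline, or write-once storage a compromised host cannot alter
    mounted_on_production: bool  # visible as a drive or share from the main system
    last_success: datetime       # end time of the last verified backup job


def check_backup_policy(copies: List[BackupCopy], rpo: timedelta, now: datetime) -> List[str]:
    """Return one problem string per rule violation; an empty list means the policy holds."""
    problems: List[str] = []
    by_dataset: Dict[str, List[BackupCopy]] = {}
    for c in copies:
        by_dataset.setdefault(c.dataset, []).append(c)

    for dataset, cs in by_dataset.items():
        # 3-2-1: three copies, on two different media, one of them off-site
        if len(cs) < 3:
            problems.append(f"{dataset}: only {len(cs)} copies, need 3")
        if len({c.medium for c in cs}) < 2:
            problems.append(f"{dataset}: every copy is on the same medium")
        if not any(c.offsite for c in cs):
            problems.append(f"{dataset}: no off-site copy")
        # Ransomware-specific: at least one copy the malware cannot reach or rewrite
        if not any(c.immutable for c in cs):
            problems.append(f"{dataset}: no offline or immutable copy")
        for c in cs:
            if c.mounted_on_production:
                problems.append(f"{dataset}: {c.medium} copy is mounted on production "
                                "and will be encrypted with it")
            if now - c.last_success > rpo:
                problems.append(f"{dataset}: {c.medium} copy last succeeded "
                                f"{c.last_success:%Y-%m-%d %H:%M}, older than RPO")
    return problems


DEMO_NOW = datetime(2021, 1, 15, 9, 0)  # constructed "current time" for the demo


def demo_inventory() -> List[BackupCopy]:
    """Constructed inventory: a customer database backed up the way many small offices do it,
    and a payroll data set backed up the way this article recommends."""
    return [
        BackupCopy("customer_db", "nas", False, False, True, DEMO_NOW - timedelta(hours=1)),
        BackupCopy("customer_db", "cloud", True, False, False, DEMO_NOW - timedelta(days=3)),
        BackupCopy("payroll", "external_disk", False, True, False, DEMO_NOW - timedelta(hours=6)),
        BackupCopy("payroll", "cloud", True, True, False, DEMO_NOW - timedelta(hours=2)),
        BackupCopy("payroll", "tape", True, True, False, DEMO_NOW - timedelta(hours=12)),
    ]


def run_demo() -> List[str]:
    return check_backup_policy(demo_inventory(), rpo=timedelta(hours=24), now=DEMO_NOW)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Run against the constructed inventory, the customer database fails four checks (too few copies, nothing immutable, the NAS copy is mounted on production, and the cloud copy is three days stale) while the payroll set passes every one. Feed it your real inventory and the first failure to fix is always “mounted on production”: that copy is the one the ransomware will encrypt first.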
Use robust security software
I hate to break it to you, but if your small business is relying on a free download of basic antivirus software, you’re doing it wrong.
You need a comprehensive, behavior-based security solution. Most conventional antivirus software is signature-based, meaning the program looks for the specific code markers of known malware. This is why your antivirus program is constantly pushing out updates: when a new sample is discovered, the vendor writes a signature for it and adds it to your system. Anything the vendor hasn’t seen yet, including a freshly recompiled variant of an old family, slips past.
By contrast, behavior-based security programs monitor activity and flag or halt deviations from normal behavior patterns. Using machine learning, this type of software can detect suspicious activity (a process suddenly rewriting hundreds of documents with encrypted content, for instance) before malicious code can fully deploy. It isn’t infallible, so treat it as one layer alongside patching, least privilege, and backups rather than a replacement for them.
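To make the signature-versus-behavior distinction concrete, here is an added Python example (not code from the original article and not from any vendor’s product). It feeds a constructed stream of file-write events to two detectors: a toy signature matcher that only recognizes one marker byte string, and a behavior rule that flags any process rewriting many files with high-entropy content under a new extension within a short window. The marker, the process names, the event timings, and the thresholds are all assumptions made up for the demo, and the XOR “encryption” exists only to produce random-looking bytes.

```python
import math
import random
from collections import defaultdict, deque

# Stand-in for one entry in a signature database. A signature scanner only fires
# when bytes it has seen before show up again.
KNOWN_BAD_SIGNATURE = b"KNOWN-FAMILY-MARKER-v1"

DOCUMENT_EXTENSIONS = (".docx", ".xlsx", ".pdf", ".txt", ".jpg")


def signature_scan(payload: bytes) -> bool:
    """Signature-based check: true only for content containing a known marker."""
    return KNOWN_BAD_SIGNATURE in payload


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4 to 5, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class BehaviorDetector:
    """Flags a process that, inside a short window, writes many files with high-entropy
    content under a non-document extension. That is what a file encryptor does whether or
    not its code has ever been seen before."""

    def __init__(self, window_s=10, max_files=20, entropy_threshold=7.0):
        self.window_s = window_s
        self.max_files = max_files
        self.entropy_threshold = entropy_threshold
        self.recent = defaultdict(deque)  # process -> timestamps of suspicious writes
        self.flagged = set()

    def observe(self, t, process, path, data):
        """Feed one file-write event; returns the process name the moment it crosses the threshold."""
        new_extension = not path.lower().endswith(DOCUMENT_EXTENSIONS)
        if not (new_extension and shannon_entropy(data) > self.entropy_threshold):
            return None
        q = self.recent[process]
        q.append(t)
        while q and t - q[0] > self.window_s:  # drop events outside the sliding window
            q.popleft()
        if len(q) >= self.max_files and process not in self.flagged:
            self.flagged.add(process)
            return process
        return None


def fake_encrypt(plaintext: bytes, seed: int) -> bytes:
    """Toy XOR keystream, only here to produce high-entropy bytes for the demo.
    It is not how real ransomware encrypts and uses no real sample's code."""
    rng = random.Random(seed)
    return bytes(b ^ rng.getrandbits(8) for b in plaintext)


def run_demo():
    """Constructed event stream: a word processor saving three documents, then a
    never-before-seen encryptor rewriting 25 of them as .locked within five seconds."""
    detector = BehaviorDetector()
    report = b"Quarterly revenue report, customer list and SSN export. " * 80
    events = []
    for i in range(3):
        events.append((i, "winword.exe", f"C:/Users/ann/report{i}.docx", report))
    for i in range(25):
        events.append((10 + i * 0.2, "updater.exe",
                       f"C:/Users/ann/report{i}.docx.locked", fake_encrypt(report, seed=i)))

    signature_hits = sum(1 for _, _, _, data in events if signature_scan(data))
    behavior_hits = set()
    for t, proc, path, data in events:
        hit = detector.observe(t, proc, path, data)
        if hit:
            behavior_hits.add(hit)
    return signature_hits, behavior_hits


if __name__ == "__main__":
    print(run_demo())  # (0, {'updater.exe'})
```

The signature scanner never fires, because the encrypted output contains no marker it knows, while the behavior rule names the encryptor on its twentieth write. Real products combine both: the signature catches the known family cheaply, the behavior rule catches the one nobody has catalogued yet, and the thresholds get tuned against what normal software on your machines actually does (a backup agent or a compression tool can also write a lot of high-entropy files).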
Re-evaluate your permissions structure
Over-broad access permissions are one of the most common ways hackers reach sensitive information. It always shocks clients when we do a data audit and they realize there is a customer service rep with access to a database full of SSNs, or that a sensitive data set’s administrator left the company three years ago and still has an account.
There are two things you can do to improve your data privacy and data security programs. First, implement the principle of least privilege for data access. This means each person (and each service account) has access to the smallest amount of data needed to complete their tasks, and that access is reviewed and revoked when roles change or people leave.
Second, consider a zero trust model for your cybersecurity plan. Zero trust means no user, device, or network location is trusted by default, inside your perimeter or outside it: every request to reach data is authenticated and authorized on its own merits. You can read more about the concept and how to implement it here.
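The two findings from the data audit above (a customer service rep who can read the SSN database, and an administrator who left years ago) are exactly what a least-privilege review should catch mechanically. The following added Python example, not part of the original article, audits a constructed access list against a role-to-dataset policy in which anything not explicitly granted is denied. The users, roles, data set names, and permissions are made up for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class User:
    name: str
    role: str
    left_on: Optional[date] = None  # set once the person no longer works here


# Policy: for each data set, which roles may hold which permissions at all.
# Anything not listed is denied; that is the least-privilege default.
Policy = Dict[str, Dict[str, Set[str]]]
Finding = Tuple[str, str, str, str]  # (dataset, account, permission, reason)


def audit(users: Dict[str, User], acl: List[Tuple[str, str, str]], policy: Policy) -> List[Finding]:
    findings: List[Finding] = []
    active_admins: Dict[str, Set[str]] = {dataset: set() for dataset in policy}

    for dataset, name, perm in acl:
        user = users.get(name)
        if user is None:
            findings.append((dataset, name, perm, "account not in the user directory"))
            continue
        if user.left_on is not None:
            # The admin who left three years ago: the grant should have died with the account
            findings.append((dataset, name, perm, f"account left on {user.left_on.isoformat()}"))
            continue
        allowed = policy.get(dataset, {}).get(user.role, set())
        if perm not in allowed:
            # The customer service rep with SSN access lands here
            findings.append((dataset, name, perm, f"role {user.role} is not allowed {perm}"))
            continue
        if perm == "admin":
            active_admins[dataset].add(name)

    # A data set whose only administrator is gone has nobody left to revoke access or restore it
    for dataset, admins in active_admins.items():
        if not admins:
            findings.append((dataset, "-", "admin", "no active administrator"))
    return findings


def demo_findings() -> List[Finding]:
    """Constructed directory, policy and ACL for the demo."""
    users = {
        "ann": User("ann", "customer_service"),
        "bob": User("bob", "payroll_admin"),
        "carl": User("carl", "support_lead", left_on=date(2018, 3, 1)),
        "dana": User("dana", "compliance"),
    }
    policy: Policy = {
        "customer_ssn_db": {"payroll_admin": {"read", "admin"}, "compliance": {"read"}},
        "support_tickets": {"customer_service": {"read", "write"},
                            "support_lead": {"read", "write", "admin"}},
    }
    acl = [
        ("customer_ssn_db", "ann", "read"),    # CS rep can see SSNs: not in policy
        ("customer_ssn_db", "bob", "read"),    # fine
        ("customer_ssn_db", "carl", "admin"),  # admin who left in 2018
        ("support_tickets", "ann", "write"),   # fine
        ("support_tickets", "ann", "admin"),   # more than her role needs
        ("support_tickets", "dana", "read"),   # compliance has no grant here
    ]
    return audit(users, acl, policy)


if __name__ == "__main__":
    for finding in demo_findings():
        print(finding)
```

Six findings come back: the rep’s SSN read, the departed admin’s grant, the rep’s surplus admin right, a compliance account browsing tickets, and two data sets that now have no active administrator at all. The shape matters more than the toy data: export your real ACLs (from Active Directory groups, a database’s GRANT table, or a SaaS admin console), write the policy down as a table like this one, and run the comparison on a schedule rather than once.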
Have a recovery plan
You don’t want to wait until you’re in the middle of a breach to decide what you should do. To quote Ben Franklin, “By failing to prepare, you are preparing to fail.”
Look at your data and create a hierarchy for your information. What information could you absolutely not operate without? Protect that first. Then move to the next most important data set and protect that.
Once you know what you are protecting and where it is backed up, you can start developing your recovery strategy. Your disaster recovery plan should:
- Identify the personnel needed to manage a breach
- Include detailed documentation on your network infrastructure
- Determine the data, technologies, and tools needed for each department to function and how long each group can function without it
- Define a communications plan, including who is notified first (both internally as well as vendors) and how they are notified
- Set clear recovery time objectives (RTO) and recovery point objectives (RPO)
You can find more information about setting up a disaster recovery plan here. Once you have a plan, you need to test it frequently. Practice simulations and table-top exercises and document what works and what doesn’t. Update your plan as your systems change.
The time you spend on a solid plan will save you hours of pain if you’re ever actually hacked.
Back to SolarWinds
Okay, SolarWinds. How did the Russians manage to gain access to the top government agencies of the world’s reigning superpower and multiple global corporations?
They used the software supply chain: every organization that did the right thing and installed a vendor update let them in.
Russian hackers planted malware in a software update for SolarWinds Orion, a network management product used by some 300,000 customers. After nearly 18,000 customers downloaded the update, the hackers could move through selected victims’ networks, exploit vulnerabilities, and collect data undetected for around nine months. Every expert out there says there are undoubtedly more victims than we know about and that it will take years to understand the full impact of the damage this single hack caused.
SolarWinds wasn’t a ransomware attack, but if it had been, the results could have been even more catastrophic. Implementing the failsafes listed above may not have completely stopped the hack, but it could have reduced the number of victims or shortened the amount of time it took to find the malware.
Things to remember in a stickup
Sadly, even the most prepared companies fall victim to ransomware bandits. Besides activating your well-tested and frequently updated disaster recovery plan, here are a few tips to keep in mind:
- Identify and isolate the infected device. Turn off the WiFi and Bluetooth. Disconnect it from your network and any shared drives. Disconnecting is better than powering off where you have the choice, because evidence held in memory disappears when the machine shuts down.
- Isolate everything else. If there were any other devices or computers on the same network as your patient zero, disconnect them from the network (and turn them off if you can’t), clearly label them as possibly infected, and put them in a separate location so no one accidentally reconnects them and infects everything else.
- Do contact tracing on the remaining devices and computers. Look for files renamed with unfamiliar extensions and ransom notes dropped into folders, and check your IT tickets for reports of files that won’t open or have gone missing.
- Figure out what variant you’re dealing with. Whether you do it yourself or use a cybersecurity expert, knowing what type of ransomware you’ve caught may help you get rid of it.
- Contact law enforcement authorities. This is important both because law enforcement may have decryption tools for some ransomware families and because prompt reporting is expected by regulators, breach-notification laws, and most cyber insurance policies if the hack results in your clients’ data being stolen.
- Don’t pay anyone anything. If you pay, there is no guarantee you’ll get a working decryption key, and paying a sanctioned group can itself expose you to penalties (the US Treasury issued an advisory to that effect in 2020). It also makes you a mark, since hackers now know you are willing to pay for your data.
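For the contact-tracing step, here is an added Python example (not from the original article) that sweeps a file tree for two cheap indicators: documents that have gained a second extension (invoice.xlsx.locked) and ransom-note-style file names. It builds a throwaway directory of constructed file names, so the extension and note patterns are generic placeholders rather than the markers of any real family; on a real host you would point scan_tree at each share or drive and compare the results across machines.

```python
import os
import re
import tempfile
from collections import Counter
from typing import Dict, List

# A document that has grown a second extension, e.g. invoice.xlsx.locked.
# The trailing extension is deliberately generic; real families use many different ones.
DOUBLE_EXT = re.compile(r"\.(docx?|xlsx?|pptx?|pdf|jpe?g|png|txt|csv)\.[a-z0-9_-]{2,16}$", re.I)
# Ransom notes are usually text or HTML files with "how to recover" style names in every folder.
NOTE_NAME = re.compile(r"(readme|recover|restore|decrypt|how[_ -]?to|unlock).*\.(txt|html?|hta)$", re.I)


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk one drive or share and collect renamed documents, ransom notes, and the folders hit."""
    renamed: List[str] = []
    notes: List[str] = []
    hits_per_dir: Counter = Counter()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if DOUBLE_EXT.search(name):
                renamed.append(full)
                hits_per_dir[dirpath] += 1
            elif NOTE_NAME.search(name):
                notes.append(full)
    return {
        "renamed": sorted(renamed),
        "notes": sorted(notes),
        "hit_dirs": sorted(hits_per_dir),
    }


def build_demo_tree(root: str) -> None:
    """Constructed layout: an untouched folder, an encrypted folder with a note, and a folder with only a note."""
    layout = {
        "hr": ["handbook.pdf", "onboarding.docx"],
        "finance": ["invoice1.xlsx.locked", "invoice2.xlsx.locked",
                    "budget.docx.locked", "README_TO_RECOVER.txt"],
        "shared": ["photo.jpg", "HOW_TO_DECRYPT_FILES.html"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(b"constructed demo content, not a real document\n")


def run_demo() -> Dict[str, List[str]]:
    """Build the tree in a temp dir, scan it, and return paths relative to the root with / separators."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        result = scan_tree(root)
        return {k: [os.path.relpath(p, root).replace(os.sep, "/") for p in v]
                for k, v in result.items()}


if __name__ == "__main__":
    for key, paths in run_demo().items():
        print(key, paths)
```

On the constructed tree the scan reports three renamed documents in finance, notes in finance and shared, and finance as the only folder whose documents were actually rewritten; a note with no renamed files beside it (the shared folder here) usually means the encryptor was interrupted or only had read access, which is itself useful to know when you are reconstructing the blast radius. Keep the output per host, because which machines show indicators and which do not is the contact-tracing answer.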
Stand and deliver…yourself
When it comes to ransomware, your best protection is preparation. Remember, you don’t have to develop a comprehensive plan all at once. Start with the small steps that build a strong foundation, and then keep building.
And you don’t have to do it alone. Working with a data privacy professional to pick the right vendors, train your team, and stay on top of all of this throughout the busy year can simplify your life and establish efficient, effective operational privacy and security practices.
We can help you. Call us today to take control of your data security and protect your company from highwaymen and their ransomware.