A very scary thing happened last month in California.
An entity – perhaps a team in Turkey, though their claim of responsibility can’t be verified – took control of the computer system at Hollywood Presbyterian Medical Center. They encrypted the files for a week and only decrypted them after $17,000 worth of bitcoins were paid, according to International Business Times.
Ransomware – encrypting data in a target system and only releasing it when a bounty is paid – is particularly frightening because there seems to be little that can stop it. InfoSecurity, which says that 42 percent of security breaches in the U.K. last year were ransomware, says that the best way to combat this type of problem is to not get it in the first place. That suggests, of course, that options are limited once that plan fails. The story by Michael Hill offers advice which focuses on general security best practices (ensure that users are involved in security; control Internet use in the office; tailor security to the business; monitor continuously and keep policies current).
Realistically, though, the odds are that ransomware will be a problem at some point. Somewhat facetiously, writer Michael Hill offers five steps that can help. It’s tongue in cheek: He tells readers to back up data often and religiously in several different ways. The key: Make sure that things that are vital are duplicated. That, of course, will enable the company to tell the crackers to take a hike.
Rajiv Gupta, the co-founder and CEO of Skyhigh Networks, addresses ransomware in a commentary at re/code published just before news of the hospital incident broke. He wrote that the size and scale of recent attacks “reflect a new audacity” by the crackers. He mentions attacks on British telecom firm TalkTalk, the Bank of Greece and Invest Bank in the United Arab Emirates. The story says that despite the obvious dangers, a global study found that only 6 percent of people sitting on bank boards have a technical background.
Perhaps the scariest element of Gupta’s report and others is that the FBI in some cases recommends paying the criminals. The short version: There is no way to catch these people, and not paying is futile. That sign of impotency suggests that the crackers have a significant advantage.
The fact that Hollywood Presbyterian paid up suggests that executives took the advice and saw that there was no other option. David Navetta and Alex Trautman from Norton Rose Fulbright write that ransomware has been around for a long time. It has become more popular because of the advent of Bitcoins, which offer crackers a safe way of collecting the loot.
Navetta and Trautman offer five suggestions, which are more or less like Hill’s. One, unfortunately, echoes Gupta’s. Paying off, however, must be followed by a deep forensic investigation:
“However, there is a flipside risk that “unethical” extortionists may later access the system by the same means of their initial attack (or sometimes new backdoors they have installed) and repeat the attack. As such, victims should endeavor to ascertain the attack vector, cut it off, and remediate other vulnerabilities that could lead to similar attacks going forward.”
The final suggestion is fascinating: A big fear is that crackers, once paid, will not decrypt or will go after the target again. If that happens, a company should do all it can to discredit the attacker. This, the piece says, “may take the form of online reviews, or strategically placed messages on the dark web and in other forums.”
Ransomware is a frightening thing for a few reasons. Perhaps scariest is that even law enforcement often doesn’t see a way out.