Less than two years ago, not many people outside of the information technology (IT) business had heard of ransomware.
However, for many people who live in Maryland (and beyond), that changed on March 28 when it was widely reported that Columbia-based MedStar, which operates 10 hospitals in Maryland and in Washington, D.C., was victimized by hackers who had taken that route. As of press time, the company had issued statements without saying exactly what happened (see below), though news of the hack spurred many businesspeople to learn more about the trend, which isn’t as new as they might think.
“It’s been around since September 2014,” said Dave Kile, vice president with Ease Technologies, also of Columbia. “What makes it specific is how it functions and what it does, once it hooks into a given system.”
Ransomware commonly installs when the user opens an email and clicks on an attachment. “If you don’t click on the attachment, nothing should happen,” Kile said, noting that it is often hidden in an attachment to an email that appears to come from a trustworthy organization and directs the user to open the attachment by a certain time of day.
“The [hackers’] approaches are not personal in nature, but they attempt to get the recipient to take action,” he said. “And though the ransomware downloads, it may lie in wait for hours or even a few days before the attack begins and the demand of money to free the user’s system is made.”
The targets of ransomware attacks are normally businesses, and the amount of money hackers demand varies; there are not only a variety of gangs involved, but there “are many variants of ransomware in the IT world today,” said Kile, though adding that “it was only one until about 18 months ago.
“The FBI is telling businesses and professionals in the tech industry not to pay the hackers, because there is no reason to know that the issue will be resolved if the money is paid. Still, the hackers are making millions of dollars,” he said. “One company in California paid them $17,000 to regain access, for instance.”
Lisa Yeo, assistant professor of information systems at Loyola University Maryland, observed that “MedStar said [the issue] was a virus, but companies don’t usually call the FBI unless it’s something like ransomware.” “I won’t be surprised if [MedStar] comes out in the future and says that’s what it was,” she said, as Hollywood Presbyterian Medical Center, in Los Angeles, did.
In general, Yeo said that there “absolutely seems to have been a big uptick in the last six months. It seems to have started out with small places and individuals, and moved up to bigger places, like hospitals.”
And while there is no loss of data with ransomware, it results in much-needed information being unavailable to the people who need it. “The victims,” who include not only hospital employees, but their vendors and patients and their families, “don’t want to hear that a loved one’s information is locked up when a family member is being treated. That sensitive health care info is often needed on the spur of the moment.”
Yeo said this trend “will be hard to stop with technical means. These types of problems arise when things slip through our nets, as things invariably do. Information technology professionals need to look at their workforce and think how to teach them to be part of a defense system.
“What often happens is the establishment of a security awareness program by the IT department or the business,” she said. “They will have to ramp up a leadership-driven security culture, with considerable input from the IT department.”
Keep Up to Date
Fred Smith, information security officer at the University of Maryland, Baltimore, reiterated that the trend started out small, “when the hackers figured out that they pretty much have people at their mercy when they do this. When you encrypt pretty much everything on a person or a company’s hard drive, USB, external hard drives, Dropbox or cloud services, and any network shares — that’s a big one — the infection travels laterally. They often target leadership, since hackers know they have the keys to the kingdom.”
But Smith also said that there “are many steps that can be taken to limit your exposure. They include keeping your operating system patches up to date, along with anti-virus software, firmware and any other applications.
“Typically, when a vulnerability is announced, the IT community hears about it before the public and it can advise their networks regarding what needs to be patched. When it happens, it happens pretty quick,” he said. “Central patch management is critical, as it allows the network administrators to make updates quickly and put up the best defense against hacking, as soon as possible.”
After that, it comes down to user awareness.
“People need to pay attention to phishing emails that may appear to be from someone they know,” he said. “We tell people that if it doesn’t look business-related to delete it. The hackers are stealing graphics from university web pages, for instance, to make these phishing emails look real.
“The big thing we tell people to do,” he said, “is to use the hover technique and look at where the link will take you; in our case, if it does not say ‘umaryland.edu,’ we tell people not to click it.
“As long as you don’t click these links,” Smith said, “you’re good.”
On the Horizon
While that’s good to know, it doesn’t sound like the trend will slow down soon.
“We’re going to hear about the larger businesses that are impacted by this [issue], but it’s also happening to small- and medium-sized businesses nationwide,” said Matthew Anderson, partner with McFarlin Insurance, Columbia, adding that the information that’s frozen can be anything, from classified to health information to home and email addresses, as well as other personal information.
“‘Personally identifiable information’ is the key phrase that we often hear in regard to this topic,” Anderson said.
The hackers don’t target a mom ’n pop shop “and ask for $5 million, because they know they can’t pay it. So, they ask for less and intend to disrupt their business,” he said, “and if they don’t have the right precautions in place, they might swallow hard and pay it — but hackers will attack a major company for $5 million.”
One way to brace for a possible ransomware attack is to make it part of any insurance package, or maybe even a package that is designed specifically for this issue.
Premiums vary, depending on the size of the business and what type of information is passing through customers’ hands. “As threats occur with more frequency, more specific products are coming available that concern data breaches, as well as coverage being rolled into regular packages,” said Anderson. “The FBI says not to pay the ransom, and know that there are coverages available that do just that.”
As for what’s on the horizon, Kile also thinks ransomware hacks will continue. “You can have all of the virus protection you want, but this stuff is designed to go around it,” he said. “As long as people keep clicking on the wrong emails, the trend will continue.”
That’s partially because it’s based almost more on emotions than brains. “The MedStar hack started at one location and spread to others within their system,” Kile said. “MedStar has a lot of smart people in their IT department, but someone over there still clicked on something, anyway.”
“It’s not going to stop,” Smith said. “They’re getting trickier and trickier, but we’re still in reactive mode.”