By BECKY GILLETTE
Ransomware can not only leave a business paralyzed with no access to its computer system, it can be extremely costly. The amount of ransom demanded has been on the rise over the past year, according to information provided by the Mississippi Attorney General Cyber Crime Center. Documented complaints in Mississippi range from $2,000 to $21,000. Outside of Mississippi, victims have faced demands as high as $500,000.
According to the Center: “Over the past two years, we have seen attacks on the private sector, big business and small business to include casinos, church organizations, web design and data related companies, hospitals, real estate agencies, and private citizens.
“There have also been numerous documented attacks on government agencies to include police departments, sheriff departments, state agencies, and county and city agencies.”
Ben Sims, vice president of operations, Fuse Cloud, said ransomware is a type of malware that holds computers or files for ransom by encrypting files or locking the desktop or browser on systems that are infected with it, and then demanding a ransom in order to regain access.
“Criminals have used high pressure techniques to get victims to pay the ransom — often several thousands of dollars — in order to regain access to file systems,” Sims said. “This is becoming a bigger problem. Cybercriminals are constantly improving ransomware’s hostage-taking tactics with the use of increasingly sophisticated encryption technologies.”
Normally the cybercriminals work from a foreign country like India, and payments are made with non-traceable cash systems like Bitcoin. That makes it difficult for law enforcement to pursue ransomware cases.
In addition to deploying ransomware when someone clicks on a fraudulent link in an email or downloads from a website, criminals also get access to a computer system through a software vulnerability.
According to the Cyber Crime Center: “The most recent attacks have seen the use of software vulnerability, specifically through remote desktop in Windows where the default port is exploited and weak passwords are attacked and broken. This method of ransomware deployment is most troubling due to the fact the criminal actors are inside the system undetected. The criminal actors can access the system to mine data before deploying the ransomware and erase any trace of their footprints. A successful deployment of the ransomware renders the victim helpless to the ransom demands.”
What should be done to prevent becoming a victim of ransomware?
“First of all, educate your users on how to detect phishing campaigns, suspicious websites, and other scams,” Sims said. “And above all else, exercise common sense. If it seems suspect, it probably is. Outside of education of users, it is a multiple layer approach from protecting your individual IT systems and Internet connections via both hardware and software tools to secure your network.”
Mississippi State University Chief Information Officer Tom Ritter said ransomware has become all too common.
“Many users may see what looks like an innocuous email attachment, but it is really a threat,” Ritter said. “One of the best ways for a system to be protected is to have security aware users who are skeptics about emails that contain attachments or links to unknown sources.”
Ritter said that security awareness must be an important part of corporate culture. It can be difficult when a company has a large number of users because one weak link can bring down the entire system. It is important to take the time to train users how to detect phishing campaigns, suspicious websites, and other scams.
“And above all else, exercise common sense,” Ritter said. “If it seems suspect, it probably is. Outside of education, it is a multiple layer approach from protecting your individual IT systems and Internet connections via both hardware and software tools to secure your network.”
Staff should review their data backup strategy.
“MSU has seen instances of ransomware that have encrypted user data, and our solution was to restore from our previous day’s backup,” Ritter said.
In some cases, the backup systems are also infected by ransomware, so it is preferable to have an offsite backup system.
TEC Director of Network Operations Brent Fisher said as a preventive measure, businesses should implement a cybersecurity plan. They should back up data regularly, verify the integrity of those backups and test the restoration process to ensure it is working.
Fisher said they should also conduct an annual penetration test and vulnerability assessment and finally, secure all backups.
“It is crucial to implement a data security plan and train your staff to adhere to the measures as set forth,” Fisher said.
The Cyber Crime Center says that to avoid victimization by ransomware, vigilance in spam e-mail awareness, passing on known attack methods and identified spam e-mails, changing passwords, hardening passwords, and upgrading and patching software are essential. The best way to defeat a ransomware attack is to back up data regularly, and the backup must not be attached to the system.
According to the Center: “Many victims have suffered the loss of their backup due to the backup being connected to the system at the time of the attack. This is most common with victims who utilize cloud backup. If the system can access the backup readily, so can the ransomware. Onsite hardware backups are best but must be maintained separately from the active system.
“The infected system should be wiped or sanitized to remove the ransomware before accessing the backup. Internet Technicians should monitor connection logs for suspicious IP addresses. Particularly any computer within the network calling out or trying to connect to outside servers. This is an indication of an active exploit kit attempting to download a package containing the virus or ransomware. Disable services not needed for business operations. Only allow access to those who need access to do their jobs. Principle of least privilege.”
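As an added illustration (not part of the original article or the Center's guidance), the Python sketch below reviews a connection log for the two signs described above: an internal computer calling out to an outside server, and outside addresses reaching Remote Desktop on its default port. The log layout, network range, known-good list and all addresses are assumptions constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample log: time, source, destination, destination port, action.
# Addresses are from private (RFC 1918) and documentation (RFC 5737) ranges.
SAMPLE_LOG = """\
2024-01-05T02:11:40 203.0.113.50 10.0.0.12 3389 ALLOW
2024-01-05T02:11:41 203.0.113.50 10.0.0.12 3389 ALLOW
2024-01-05T02:11:43 203.0.113.50 10.0.0.12 3389 ALLOW
2024-01-05T02:15:02 10.0.0.12 198.51.100.7 443 ALLOW
2024-01-05T02:15:09 10.0.0.12 198.51.100.7 443 ALLOW
2024-01-05T08:30:00 10.0.0.31 192.0.2.10 443 ALLOW
2024-01-05T08:31:00 10.0.0.31 10.0.0.5 445 ALLOW
malformed line
"""

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")   # assumed office LAN
KNOWN_GOOD = {ipaddress.ip_address("192.0.2.10")}    # assumed approved outside host
RDP_PORT = 3389                                      # Windows Remote Desktop default


def review_connections(log_text, internal=INTERNAL_NET, known_good=KNOWN_GOOD):
    """Return (outbound, rdp_inbound) counters of connections worth a look."""
    outbound, rdp_inbound = Counter(), Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not match the expected layout
        try:
            src = ipaddress.ip_address(fields[1])
            dst = ipaddress.ip_address(fields[2])
            port = int(fields[3])
        except ValueError:
            continue  # skip lines with unparsable addresses or ports
        if src in internal and dst not in internal and dst not in known_good:
            # Internal machine calling out to an outside server nobody approved.
            outbound[(str(src), str(dst), port)] += 1
        elif src not in internal and dst in internal and port == RDP_PORT:
            # Remote Desktop reachable from outside on its default port.
            rdp_inbound[(str(src), str(dst))] += 1
    return outbound, rdp_inbound


if __name__ == "__main__":
    out, rdp = review_connections(SAMPLE_LOG)
    for key, hits in out.items():
        print("outbound to unapproved host:", key, "x", hits)
    for key, hits in rdp.items():
        print("external RDP connection:", key, "x", hits)
```

In the constructed sample, the same workstation that receives repeated outside Remote Desktop connections later calls out to an unapproved server, which is the sequence a technician would want to investigate first.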
The Center also advises when a ransomware attack has occurred, the victim should disconnect any infected computer from the system. The victim should report the intrusion to law enforcement immediately for the recovery of any possible evidence.
If the victim wipes the infected system or begins a back-up process to restore, all evidence of the attack will be overwritten.
The Cyber Crime Center can also assist with the situation by identifying the ransomware variant. In some cases, there are known keys that will unlock older versions of ransomware.
Additional tips from the center:
» Stay vigilant — log files and change management systems can give you early warning of a breach.
» Make people your first line of defense — train staff to spot the warning signs.
» Keep data on a “need to know” basis — only employees that need access to systems to do their jobs should have it.
» Patch promptly — this could guard against many attacks.
» Encrypt sensitive data — make your data next to useless if it is stolen.
» Use two-factor authentication — this can limit the damage that can be done with lost or stolen credentials.
» Don’t forget physical security — not all data theft happens online.