Summary: Ransomware is a cybersecurity threat that involves hackers demanding money for the return of locked files. The number of ransomware incidents has recently been increasing including an attack on the Colorado Department of Transportation. There are a number of defensive measures that can be used to protect against ransomware including updating software systems and planning a formal corporate response to hacking attempts.

Ransomware in the News

 

Imagine one day that an Eastern European criminal breaks into your office and absconds with a filing cabinet filled with important documents. Without those documents, your employees will be unable to run the company. You find a handwritten note on your desk demanding $50,000 in advance in unmarked bills for the return of the documents. You ponder your options: you could shut down the company for a couple of weeks while you train your employees to work without those documents. Or you can pay up and hope the thief hasn’t decided to burn the documents in the meantime.


In cybersecurity terms, this type of crime goes by the name of ransomware and it’s one of the fastest growing threats to cybersecurity. By one report, ransomware incidents in 2017 grew by 2500%. Ransomware is a type of malicious software that hackers use to lock (or encrypt) computer files so that the owner of the file can longer open it. Ransomware not only restricts access to important documents but can also cause the failure of software systems that rely on those locked files to operate.


When a ransomware incident occurs, the hackers will usually demand a ransom payment in return for a key to unlock (or decrypt) the files. Payment must be completed in advance and sent in a cryptocurrency like bitcoin that makes the transaction untraceable. Trust is required because the hackers may be promising a key that’s not in the possession or they could refuse to send the key after receiving payment. If the hackers are honest, they will send the key when they receive payment allowing files to be unlocked and systems quickly restored.


Ransomware at a Colorado agency with demands for bitcoin


Last month, the Colorado Department of Transportation was hit with a devastating ransomware incident that was implemented with a type of malware called SamSam. This year, the SamSam malware has been getting a lot of attention due to a number of high profile attacks. Earlier versions of SamSam date back to 2010 and attacked unpatched JBoss servers administrative consoles to give the hackers control of the server from which they could upload their ransomware. A wave of attacks in 2017 included compromised RDP servers.


The SamSam attack on the Colorado agency hit hard. The agency’s response was to shut down more than 2,000 employee computers while security officials investigated the attack. The software vendor McAfee provided a new software patch for the agency’s impacted Windows computers since their anti-virus product had failed to stop the initial ransomware attack.


Many internal systems were impacted such as human resources and payroll but critical road infrastructure was not affected. Employees began using personal devices for email and accessing shared documents through Google. Within a week, the agency had made steady progress toward recovery with 20 percent of the computers were back up and running.


Then disaster struck again. A new variant of malware had appeared and was re-infecting the computers that had been cleaned.


“The tools we have in place didn’t work," said an agency spokesperson. "It’s ahead of our tools.”


The hackers who are responsible for the attack have demanded bitcoin for the restoration of the files. However, Colorado has publicly announced that it does not plan to pay the hackers.


Since then the agency has been getting help from the FBI and the National Guard while several dozen state technology employees and an unknown number of agency workers are involved in the effort to restore systems. There’s little doubt that it’s going to take a large effort to recover their systems.


How to prepare for potential ransomware attacks

For companies who want to prepare themselves for the possibility of a ransomware attack, there are many ways to establish a strong defence and also set up processes for an active response if an incident does occur.


On the defensive side, it’s notable that most ransomware attacks have taken advantage of older software systems of Microsoft. One of the best defences against ransomware is to upgrade corporate software to the latest Microsoft versions of enterprise servers, network configurations, and Windows PC workstations. In the last few years, Microsoft has done an impressive job of creating a world class cybersecurity platform, but these latest features are only available to companies running recent versions of their software. It’s also worth considering moving to the Microsoft cloud, for example Azure ActiveDirectory instead of local ActiveDirectory, which allows the outsourcing of security to Microsoft directly.


It’s also important to establish a set of corporate processes that can be implemented immediately after a serious hacking incident. Such a responsive plan may include taking networks and computers offline to protect them from malware, bringing in outside experts to investigate and bring systems back online safely, and use of a communication infrastructure outside of the computer network to send critical information to employees, customers, and partners. In the case of ransomware, it’s also particularly important to have rapid processes for restoring computer systems from secure backups. The backup files need to be locked down and stored separately from other software systems so that the files aren’t vulnerable to a ransomware attack.


As evidenced by the experience of the Colorado Department of Transportation, investing in modern software systems and processes is the most effective way to lower the risk of serious disruptions from a hacking attempt.