This week, inSOC CIO Jeff Gulick talks about his biggest concern: ransomware, and why it is the most lucrative and dangerous cybercrime of our time.
While data breaches and theft of consumer information are dangerous and preventable, ransomware is the explosive trend because it is quick, easy money that could threaten the company for decades to come.
In a ransomware scenario, cybercriminals send emails with enticing weblinks to unsuspecting and untrained knowledge workers, contractors, and vendors (yes… vendors are even more susceptible) that lure them to click and download malware that detonates on a scheduled date and encrypts all the data on local drives and file shares the user has access to.
Too often, the company loses its ability to access its most critical documents and systems… critical customer information, sales and service records, employee payroll records and entrusted customer information. Losses from this kind of attack could result in significant data loss, significant downtime, and significant financial loss.
“It’s really hard to pull data off the systems,” Gulick says. “Ransom is the most effective way for cybercriminals to create revenue.”
That One Link
Phishing attacks have allowed cybercriminals to focus on small and mid-sized businesses that are ill-prepared and willing to pay to recover their data.
“The most important thing that they need to know about ransomware is that it is typically delivered through emails that have malicious links or payloads,” Gulick said.
“It is also delivered through malicious websites that are accessed through click bait, which are those ads that you see on the sides of web pages. These malicious sites are trying to target someone’s interests, whether it be sexual content, political leanings, or weight loss, for example.”
All it takes is one employee or CEO who clicks on a malicious email or website, and the hacker can walk through the front door. They can wait it out or attack quickly. Most times they wait it out and detonate the ransomware at a later time, Gulick said.
Ransomware can impact large companies and small businesses equally, but the largest companies make the headlines. The publicly disclosed ransomware attacks at universities and major companies such as Canon and Garmin are only a fraction of the real attacks. Most are able to avoid the public exposure, but this private exchange results in fewer companies preparing for the reality.
When a company is hacked, they have three options, according to Gulick:
- Pay Up. Gulick says that is the worst option. “It is never okay to pay the ransom. You pay the ransom and you are going to be put on a sucker list. And it’s the worst kind of sucker list, where they keep coming back for more.” Gulick says you are a target forever because they know you will pay. “This is why the FBI will not negotiate with hostage takers. Same principle.”
- Recover whatever data you can from backups without payment. Accept the data loss and move on. This isn’t perfect, by any means. The company will lose data and could lose customers.
- Start over. “Delete the encrypted files and write it off.” This is the nuclear option, because it results in a complete loss of data. But the company can move on.
“All of these options are bad,” Gulick said.
Gulick added that the most forward-thinking companies are finally taking ransomware seriously and working toward prevention. We will cover prevention strategies in the next issue.
In part 2, we look at the critical practices required to prevent ransomware attacks in the first place.