Article by Stacey Freed
From the Sept/Oct 2016 Net Assets
One click was all it took. Last August, an administrative assistant at Southfield Christian School in Southfield, Michigan, received an email that read, “Here’s the invoice you requested. Just click on the link below to open it.” The assistant didn’t check who sent the message (it turned out that no one in the organization knew the sender). She opened it and went about the rest of her day. It was a Friday, and when she left for the weekend, she didn’t shut down her computer.
“She had no idea she had opened a virus which encrypted all her data and everything else she had access to,” said Ron Hintz, the school’s business manager. By Monday morning many employees could not access their files. “Before the first bell rang, IT had figured out what happened and turned off [the administrative assistant’s] computer. That stopped the process but the encryption had already occurred.”
Besides being confronted with paralyzed computers, the IT department also discovered a ransom note attached to the original document. The extortionists, as Hintz called the attackers, demanded a ransom of one Bitcoin, a form of cashless currency that doesn’t have legal status as a currency in most of the world. It can be made to wind its way through cyberspace, touching down in so many places (called “mixing services”) before reaching its final destination that it is untraceable.
Southfield Christian School had fallen victim to ransomware, a form of malware (see glossary, below) that has grown more common in the past few years. According to PhishMe, an anti-phishing vendor, as of March, 93 percent of all phishing emails contained encryption ransomware. Once opened, the virus spreads through your computer, encrypting your data as it goes. The wider the access of the end user, the more files infected. To access files again, you are told you must pay a fee.
Ransomware is more in vogue now than other malware because there is a lot of stolen data already on the dark web and not enough buyers, said Paul Nikhinson, data breach response manager at Beazley, a specialty line insurance carrier. “If you’re a hacker with the skill set of building ransomware, you have a new economic model. ‘I’m not stealing your data; I’m encrypting it and selling it back to you.’ There’s a built-in buyer.”
Dark web: A term used to describe the Internet’s “dark net,” which can be accessed with specific software. It usually refers to the web’s black market that offers illegal services. The dark web is part of the “deep web,” areas not searched by search engines.
Data breach: When confidential information has been seen or stolen by someone not authorized to do so. A ransomware attack might not be considered a breach if your system is just encrypted by a system interloper.
Keylogging: Typically done covertly, it’s when a software system captures key strokes. It’s one way hackers can steal passwords.
Malware: A general term for any kind of invasive software — spyware, ransomware, scareware, worms, Trojan horses.
Patch: A glitch in a software system that’s been fixed. Hackers look for the unpatched areas to exploit.
Phishing: Spam sent by hackers looking for victims. Spearphishing is when that spam targets a specific person or group.
Ransomware: A form of malware in which the attacker essentially kidnaps your data, encrypts it so you can’t access it and then demands payment for the software to decrypt the data so you have access again. Examples include Locky, TeslaCrypt and CryptoWall.
Tag-along: Additional, unrequested software that is installed when downloading software you do want to use. It is often infected with a virus. For example, a shopping application that “tags along” with a legitimately installed toolbar.
Tor: Software (derived from acronym “the Onion Router”) used to conceal a user’s location and usage, making it difficult to trace activity back to the user. Tor sends information to various relay stations, wiping its tracks along the way.
Zero day: A brand new exploitable vulnerability that no one has seen before. This is why it’s important to report incidents and help law enforcement keep track of new developments.
Companies like Kaspersky are working on decryption tools, but these efforts are usually virus-specific, and there are new viruses all the time. As Bob Olsen, chief executive officer at COMPASS Cyber Security, said, “The bad people are working 24/7, and computers don’t have to sleep.”
Whether you pay the ransom depends on several factors including your school’s risk tolerance and how well you can weather the data loss. The FBI advises against paying ransoms, but, said a spokesperson, “It comes down to an individual business’s decision.”
Olsen agrees. “We recommend you don’t pay the ransom, but if you have no backups, you may have to,” he said. “It’s a challenge. There’s no way to confirm the hacker isn’t still in your [system]. You’re acting in good faith, but you’re trusting someone who doesn’t conform to societal norms.” On the one hand, if attackers didn’t return files upon receiving ransom, no one would pay. On the flip side, a victim’s willingness to pay tells the attackers they might be more successful later in demanding a larger ransom.
Paying may also put you on a list of people who are willing to pay — a list that gets circulated on the dark web. “If I’m a bad guy and I have a list of 1,000 users that clicked on a phishing email, I can sell that list,” Olsen said.
In the case of Southfield Christian School, IT staff called the local police a day after they figured out that there had been a ransomware attack. Since the school’s backups had been compromised, “we were advised to pay the ransom,” Hintz said. They then had to act quickly. Ransomware threats come with a deadline; if you don’t pay within a certain amount of time, the price goes up. “It took our IT guys some time to find a place to buy Bitcoin.” But they discovered an ATM-like machine in a pizza place 15 miles from the school. That day, Bitcoin was trading at $442 plus a 10 percent transaction fee.
Upon receiving the Bitcoin, the attackers sent the decryption software. Southfield Christian’s files took two-and-a-half days to decrypt.
The number and type of ransomware attacks continue to grow; there’s big money to be made in a relatively easy way. Overall, according to statistics from Symantec, an average of 1,000 ransomware attacks occurred every day in 2015, an increase of 35 percent from the year before. Recently large ransomware attacks struck the New York Times, BBC, NFL and Hollywood Presbyterian Medical Center, which paid $17,000 to the attackers. Something called the Cryptowall virus alone reportedly netted more than $18 million from victims between 2014 and 2015.
These big cases make headlines, but around the world smaller entities face ransomware attacks daily.
While most isolated ransomware attacks are attached to small dollar amounts — a report by the fellows of the Institute for Critical Infrastructure Technology says the average ransom was about $300 in 2015 — any malicious malware attack, regardless of whether it outright steals or encrypts your data, can easily run into thousands of dollars. For instance, a school might have to commission a network forensic investigation. Police may remove compromised computers for evidence; at the very least they should be taken out of commission and cleaned thoroughly before being put back to use. Can your school afford to replace, or even lose temporary use of, 20 or more computers?
There may also be legal costs involving a data breach. “There are 47 states with their own state laws requiring that an organization notify individuals who have been affected by [a malware] incident,” Nikhinson said. It can be costly to comply with those notification requirements and mitigating subsequent public relations issues.
Schools may be particularly vulnerable to various types of malware, in part because of the nature of their mission. “In that space you have an open, sharing culture,” Nikhinson said. “The bad guys are smart but lazy. If my goal is to get socials [security numbers], and I have a choice to go after a school or a bank, I’d go after school districts that are woefully unprepared for the skills I bring.”
Moreover, “Schools are a big target because they have valuable data,” like children’s social security numbers, he added. “Kids don’t usually have a credit file to monitor. If someone bought a car with [an adult’s] information, [the adult would] be alerted to it, but with kids, identity theft can go undetected until they turn 18.”
How can schools avoid the potential headaches associated with ransomware? “It’s one of the big things that keep tech directors up at night,” said Alex Podchaski, director of technology at Oak Knoll School of the Holy Child in Summit, New Jersey. “There’s no simple way to protect against it.” Ransomware can come in as an attachment from someone you know or don’t know, or even when you respond to an advertisement for something you want.
Cyberliability insurance is an option: Cheryl McDowell, vice president of the education practice group at Bolton & Company, an insurance and risk management firm, said cyberliability insurance has only been available for the past five or six years but is quickly becoming mainstream. “More businesses and schools are recognizing it’s a true exposure.”
Even so, cyberliability insurance may be small comfort in the event of a ransomware attack. While Southfield Christian has $2 million in cyberliability insurance, it didn’t need to use it after the breach, Hintz said, since there were no breaches of personal identifying information and the ransom was relatively small. No files belonging to parents or students were harmed, and the school didn’t have to contact anyone outside its internal organization.
The school did take quick action in other ways. For instance, immediately after the attack it notified staff and sent examples of ransomware emails with a list of what to look out for. Southfield Christian also changed its backup protocols. Daily backups are now done in the cloud instead of on-site, and there are now two rotations of off-site backups. “If for some reason we lose connection to the cloud backup server and something happens to our internal server, we would still have a redundant off-site backup, albeit one week old,” said Hintz.
Skip backups at your peril. I wouldn’t want to lose any work to malware of any kind — worms, viruses, ransomware, whatever. My recommendation is do daily backups.
Joe StoddardManagement consultant
Those backups are critical. “If you have good backups of your files and databases, [the attackers] can encrypt all they want — there’s nothing for them to hold hostage,” said Joe Stoddard, a management consultant to small and medium-sized businesses. “Skip backups at your peril. I wouldn’t want to lose any work to malware of any kind — worms, viruses, ransomware, whatever. My recommendation is do daily backups.” Use a combination of cloud backup for long-term archives and external hard drives for convenience, “but remember that you’re not really ‘backed up’ unless a copy of your files is stored off-site in a secure location.”
Schools should also educate and train faculty and staff. Podchaski offers teachers in-service cybersecurity discussions. Michael Chimes, director of academic technology at Gill St. Bernard’s School in Gladstone, New Jersey, wrote a blog post he shared with everyone in the school’s community after a ransomware incident. Then he shared the story at an all-school meeting and gave a short course on how to be safe on the internet. Jennifer Lamkins, director of technology at Lakeside School in Seattle, suggests that schools check out Inspired eLearning, which provides toolkits and posters to use as reminders for employees.
“Security depends on technology, process and people,” said Paul Nikhinson of Beazley, one of the first insurance carriers to develop a breach response and insurance product policy.
Train and educate. Users are the weakest link in any security system. Try a mock phishing exercise; cybersecurity companies like COMPASS do these as part of their audits. COMPASS CEO Bob Olsen says that the Verizon 2015 Data Breach Investigations Report showed that 24 percent of employees would click the mock link; a year later 30 percent did. “Once you see who’s clicking the link you can focus your training resources,” Olsen says.
Commit to better backups. Develop a good system so that in case of a malware virus — or any other disruption — you can recover most or all of your data.
Adopt role-based control. Limit employees’ system access to what they need for their specific jobs.
Use strong passwords. It’s generally recommended people create passwords that have at least eight characters, upper- and lower-case letters and special characters.
Have a plan. “Just about everyone has a business continuity plan if there’s an earthquake; they know how to keep things running,” Nikhinson says. “Far fewer have an IRP [Incidence Response Plan] for this issue. [Malware damage] may start as an IT issue but can become a public relations issue, legal issue, communications issue and ultimately a finance issue.”
Stoddard said to avoid only telling employees not to open email or attachments from strangers. “By itself that’s bad advice, since the worst malware can look like it’s coming from the people in your address book.” Users need to learn to check email addresses and also web URLs. “Roll your mouse over the URL: www.wellsfargo.com is a legitimate address. www.wellsfargo.com.ru is something from Russia — a huge red flag.” He also suggests enabling the visibility of file extensions on Windows computers. “File icons can be spoofed by hackers — you need to be able to confirm that attachment is really a word document (.doc, .docx) or a spreadsheet (.xls, .xlsx) and so forth. And remember that even an image file can contain embedded malware that could open a ‘back door’ allowing your computer to be taken over by others.”
If you’re attacked, contact law enforcement, local police as well as the FBI. Report incidents at the FBI’s IC3 or Internet Crime Complaint Center. Even if it’s not a devastating incident, keeping track of the virus strains helps the FBI go after the criminals.
Unfortunately, it’s highly likely you will be attacked at some point. “Assume with 100 percent veracity that you will be breached if you haven’t already,” Nikhinson said. For that reason, he advises looking into having an independent security firm audit your system. “They’ll let you know what you’re doing well and can suggest where to spend your money.”
In fact, you may even be attacked more than once. Hintz is satisfied with the way the incident was handled and the changes Southfield Christian has made to the school’s computer security protocols. “I hope we’ll be ready when it happens again,” he said, “since I know it will.”
Sign in to leave a comment
Get Net Assets NOW
NBOA's free twice-monthly newsletter
1400 I Street, NW, Suite 675Washington, DC 20005www.nboa.org