The headlines last February were dominated by the ransomware attack on Hollywood Presbyterian Hospital. After losing the use of their internal IT system and operations, senior management made the decision to pay a negotiated ransom of $17,000. At the time, a ransom of that size seemed shocking.
The Cost of Ransomware Hits the Million-Dollar Mark
Today, however, it is pocket change. South Korean web hosting company Nayana was the victim of a ransomware attack called Erebus on June 10. Though originally designed for the Windows operating system, Erebus was recently modified to target Linux web servers as well. It is still not clear how the malware infected the system, but none of the 153 Linux servers that comprise the web-hosting infrastructure were properly patched. With their business completely shut down, management came to the negotiating table to iron out a deal with the hackers. The final agreed price was $1 million, sizably less than the original asking price of $4.4 million. The ransom is being paid in three installments; each installment decrypts a batch of their servers.
While ransom payments for businesses are often in the $10,000 to $25,000 range, the gang behind this attack demanded 550 Bitcoin to unlock the encryption – approximately $1.62 million. On June 14, Nayana reported it had negotiated a ransom payment of 397.6 Bitcoin – approximately $1.01 million, making this the largest ransomware payment ever reported.
You read that right, over $1 million, and it may have been avoided with proper patching.
The Anatomy of a Ransomware Attack
A month later, a Canadian firm was hit with ransomware as well, and it should consider itself lucky: it was only forced to pay $425 thousand. Senior management had no choice but to pay, as the attack was able to encrypt all of the company backups. A forensic team investigating the aftermath of the attack believes the attackers knew exactly where the database servers and backups were located. The malware was launched via a phishing attack targeting six senior company executives. The emails were supposedly from a courier company concerning outstanding invoices that were attached as PDFs. Two executives fell for the ploy, and the malicious payload contained in the attachments went quickly to work. Of course, if the company had followed the 3-2-1 backup strategy of 3 copies of all data, residing on 2 formats, with one copy offsite, the extortion payment may have been avoided.
To Pay or Not to Pay
With ransoms of such epic amounts today, the logical advice may simply be not to pay the ransom. That was the mindset of the Erie County Medical Center in New York, which fell victim to a ransomware attack this past April that took down 6,000 computers. The initial attack was aimed at a hospital web server that was left completely exposed. Once the attackers gained remote access to the server, they began launching a credential stuffing attack to gain access to the system. The compromised account that got them in was only protected by a default password. The attackers then logged onto the system and began encrypting everything in a way that complicated the ability to restore the data.
$10 million later…
The cybercriminals demanded $30,000 for the decryption of the center’s data. Paying the ransom was never an option for senior management. Three months and $10 million later, the center may have been better off paying it. According to a HIPAA news source, about half of that amount went to computer hardware, software and assistance needed in the response. The other half represents a combination of increased expenses, such as staff overtime pay, and lower revenues from the loss of business during the system downtime. In addition, the hospital has doled out $250K each month since to upgrade technology and improve employee education on cybersecurity.
The decision to pay ransom demands for decryption keys is a complicated issue. From a cost and productivity perspective, paying can prove less costly. On the other hand, there is no guarantee that the hackers will respond once the ransom is paid, and some argue that ransomware victims are then simply targeted repeatedly thereafter, as hackers know that the organization is willing to pay. According to a study by Symantec in April of this year, 64% of American victims say they would pay the ransom, compared to 34% internationally.
The amount of money involved in these attacks is alarming. A single attack now has the potential to put a company out of business. The most upsetting thing for these victims however has to be the fact that all three attacks may have been prevented by simple security measures.
Ransomware Protection – Simple Security Measures
- Back up - regularly back up your files. No backup strategy is 100% foolproof, but following the 3-2-1 method (3 copies of all data, on 2 formats, with 1 copy offsite) is the strongest approach possible.
- Don’t enable macros - Attacks sent through email often attempt to convince the user to “enable macros” in order to launch the attack. System administrators should enforce a policy so that employees cannot enable macros on their own.
- Do not open unsolicited email attachments - If you are using an anti-spam security solution like SpamTitan, malware-laden files will be automatically quarantined before they reach your computer. Regardless, all users should follow the simple rule of not opening unexpected attachments or emails from unknown senders.
- Patch, patch, patch - Patching your systems and applications regularly is crucial. IT teams must build redundancy into the infrastructure, so that one system can be down for patching while another system handles the load during that time.
- Ensure your employees are security aware - While most organizations provide employees with an employee handbook, a security guidebook is just as important. This guide should include advice on email hygiene, company password policies, BYOD policy, and information on what threats they need to be aware of and where to go for help if needed.
- Segment the company network - Cybercriminals love open, unsegmented networks. Once inside an unsegmented network, criminals can access every corner of that network to steal your sensitive data. Network segmentation can significantly reduce system attack surfaces.
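As an added example (not part of the original post or of any SpamTitan product), the macro policy from the list above can be enforced per user on Windows with PowerShell. It assumes Office 2016/2019/365 (registry version 16.0) and writes the same values a Group Policy Object would push, so it is useful for a single host or for verifying what the GPO applied.

```powershell
# Added example: enforce "disable all macros without notification" and block
# macros in files downloaded from the Internet, per user, for Word/Excel/PowerPoint.
# Assumption: Office 16.0 (2016/2019/365). A domain GPO is the preferred way to
# roll this out; this script mirrors the registry values that GPO writes.
$OfficeVersion = '16.0'                      # adjust for other Office releases
$Apps = 'Word', 'Excel', 'PowerPoint'

function Set-MacroLockdown {
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # VBAWarnings: 1 = enable all, 2 = disable with notification (default),
        # 3 = disable except digitally signed, 4 = disable all, no notification.
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
        # Block macros in files carrying the Mark-of-the-Web (email/Internet).
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }
}

function Test-MacroLockdown {
    # Returns $true only if every application has both policy values as intended.
    $ok = $true
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $p -or $p.VBAWarnings -ne 4 -or $p.blockcontentexecutionfrominternet -ne 1) {
            Write-Warning "$app macro policy is not enforced"
            $ok = $false
        }
    }
    return $ok
}

Set-MacroLockdown
if (Test-MacroLockdown) { Write-Output 'Macro policy enforced for all applications' }
```

Because the values live under the Policies hive, the Trust Center macro settings are greyed out for the user, which is what stops employees from enabling macros on their own. Where the business depends on signed macros, VBAWarnings value 3 (signed only) is the usual compromise.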
Are you an IT professional who wants to ensure sensitive data and devices are protected? Talk to a specialist: email us at firstname.lastname@example.org with any questions.