Cybersecurity expert Mike Jackson delivered a presentation on ransomware at Northeastern State University on Friday, Oct. 29, when he discussed how the malware works and what organizations can do to avoid becoming a victim.
Ransomware is a form of malware designed to encrypt files on a device, rendering the files and the systems that rely on them unusable. Malicious actors then demand a ransom in exchange for decrypting the files. Jackson, cybersecurity adviser for the Cybersecurity and Infrastructure Security Agency, said ransomware has become one of the largest emerging threats to the nation’s critical infrastructure, the sectors of commercial and governmental entities whose services are essential to day-to-day operations.
“Ransomware is not new; it’s been around and it’s, like other threats, a form of malware,” he said. “It’s not intended to do good, it’s not intended to support the communication objectives of an organization. It’s there to attack them, and like any other malware [or] any other threat that comes within an organization, it’s important that we’re able to understand the steps that we need to take to defend or prepare ourselves for the defense of these threats that exist.”
There have been multiple ransomware attacks in 2021, including attacks against the Colonial Pipeline, Steamship Authority of Massachusetts, JBS, and the Washington D.C. Metropolitan Police Department.
In the attack against Colonial Pipeline, for example, a group of cybercriminals targeted the firm's billing system and internal business network to create widespread gas shortages in multiple states. The company eventually decided to pay the group $4.4 million in bitcoin in order to avoid any more disruptions.
Jackson said ransomware attacks are becoming more destructive and impactful in nature and scope.
“They are no longer just seeking to gain monetary value,” he said. “Some of these cyber criminals are seeking to disrupt our way of doing business – our way of living – through attacking the critical infrastructure.”
Entities should take into consideration the risk management and cyber hygiene practices of third parties or managed service providers, which are relied on to meet the organization’s mission. Jackson said a lot of smaller organizations will transfer their data resources to MSPs.
“The thought process with that is that if they don’t have the capabilities in house, they will be able to find that capability through some managed service provider, and unbeknownst to those organizations, the managed service provider is actually extending what we call boundary risk,” he said. “So they are not alleviating the risk; they are extending the risk. So you still have to manage your processes in house, and you also have to manage the processes that you receive from this Managed Service Provider.”
Among the most-targeted critical infrastructure sectors are government facilities, because they hold personal and identifying information, such as Social Security numbers, that the public is required to give them. Cybercriminals can then use that information to execute attacks on other areas of infrastructure. Public health care is currently the most-targeted area.
“Protected health information is actually more valuable than credit card data,” he said. “It’s one of the few types of data that exist that can be exploited without the user ever being impacted. An organization can sell a lot of health information to a cybercriminal and they can actually execute claims against that health care information.”
One recent instance of ransomware occurred when a health organization was attacked. The criminals threatened to release sensitive health information if the organization did not pay. When it refused to cough up the money, the group of bad actors started leaking out information, which could lead to fines for the organization from health regulatory boards for not protecting the information.
In some situations, an entity can be double extorted. Cyber groups will render an organization useless by encrypting certain files and making them inaccessible. The organization may then pay the ransom to receive access to the files again.
“Then, they will attempt to release certain files and have them pay for keeping the files from being released,” Jackson said. “So they’ve given them access to the files, so they got their money’s worth for that, but now they’re coming back to the piggy bank and saying, ‘I need a few more bitcoin or crypto coins to keep me from actually leaking some of this private information into cyberspace.’”
Jackson said everyone is susceptible to being tricked. He said being able to instantly identify and respond to such online attacks is extremely important, and that training users to practice good cyber hygiene is just as important.
People should use strong passwords for their various online accounts. Users should avoid common numeric patterns and single-word dictionary words as passwords. Instead, people should consider forming a sentence about something that’s easy to remember, and replace elements of the phrase with a combination of letters, numbers and special characters.
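The screening rules in the paragraph above (reject common numeric patterns and single dictionary words, prefer a memorable sentence mangled with letters, numbers and symbols) can be enforced at account creation. The following Python is an added example written for this article, not code from the presentation or from CISA; the tiny word list and the 12-character minimum are assumptions standing in for a real common-password corpus and a real policy.

```python
import re
import string
from typing import List

# Constructed stand-in for a real common-password wordlist (assumption: a
# deployment would load a full corpus; these seven words are illustrative).
COMMON_WORDS = {"password", "welcome", "summer", "football", "letmein", "qwerty", "monkey"}
MIN_LENGTH = 12  # assumed policy value


def has_numeric_pattern(pw: str) -> bool:
    """True if pw contains a run of 4+ digits that is sequential (1234, 9876)
    or repeated (1111): the 'common numeric patterns' the talk warns about."""
    for run in re.findall(r"\d{4,}", pw):
        digits = [int(c) for c in run]
        steps = {b - a for a, b in zip(digits, digits[1:])}
        if steps in ({1}, {-1}, {0}):
            return True
    return False


def is_single_dictionary_word(pw: str) -> bool:
    """True if pw is one dictionary word once case and the leading/trailing
    digits and symbols are stripped, e.g. 'Password1!' reduces to 'password'."""
    core = pw.lower().strip(string.digits + string.punctuation)
    return core.isalpha() and core in COMMON_WORDS


def character_classes(pw: str) -> int:
    """Number of distinct character classes present: lower, upper, digit, symbol."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    return sum(any(check(c) for c in pw) for check in checks)


def evaluate_password(pw: str) -> List[str]:
    """Return the reasons a candidate fails the screen; an empty list means it passes."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if has_numeric_pattern(pw):
        reasons.append("contains a sequential or repeated digit run")
    if is_single_dictionary_word(pw):
        reasons.append("is a single dictionary word with trivial decoration")
    if character_classes(pw) < 3:
        reasons.append("uses fewer than three character classes")
    return reasons


if __name__ == "__main__":
    # Constructed candidates: two weak ones and one built the way the talk suggests
    # (a sentence about something memorable, with letters swapped for digits/symbols).
    for candidate in ("123456789", "Password1!", "MyD0gChasesSqu1rrels!"):
        verdict = evaluate_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The sentence-derived candidate passes every rule while both weak candidates fail at least two, which is the point of the talk's advice: length and unpredictability come from the phrase, not from tacking a digit and a symbol onto a dictionary word.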
Phishing is another route for criminals to execute a ransomware attack. Posing as an official institution, such as a bank, online store or subscription service, scammers send users an email or text message claiming there is something wrong with the account. The message carries a link that, when clicked, sends users to a website that looks legitimate, where the scammers are able to acquire the person’s passwords and information, even if the person never clicks the submit button. In such cases, people should never follow the links. Instead, it is best that users go to the institution’s website separately to determine whether anything is wrong with their account.
To learn more about ransomware attacks, visit cisa.gov/ransomware.