You come into your office, juggling your gym bag and a cup of hot coffee, and boot up your laptop to an ominous red and black screen that announces:
“All your files and documents have been encrypted!”
Congratulations, you’ve been hacked.
Last week the New York Times published an article highlighting the rise in ransomware attacks: incidents in which hackers lock down entire computer networks and demand payments to let users recover their data and regain control of their systems. The author cites data documenting a 41 percent increase in ransomware attacks from 2018 to 2019, for a total of over 205,000 reported attacks last year. The average ransom payment jumped to over $190 thousand. And, as the article notes, these numbers probably underrepresent the true costs of such attacks, as organization often don’t want to publicize that they have been hacked.
To that point, I know of at least three museums that have been the targets of ransomware attacks, but so far none have been willing to go on the record about their experiences. Evidently ransomware is the digital equivalent of STDs—but the stigma of (unwarranted) shame attached being a victim is misplaced and counterproductive. By sharing information, museums can become better able to defend themselves and recover from such attacks.
Meanwhile, I’ve compiled some facts on ransomware drawing on free web resources for training and response. Each of the sources excerpted below provide a variety of advice and resources. Take the time to explore them and bookmark useful information—hopefully before an attack takes place!
What is ransomware?
“Ransomware is a type of malware that blocks access to a system, device, or file until a ransom is paid. This is achieved when the ransomware encrypts files on the infected system (crypto ransomware), threatens to erase files (wiper ransomware), or blocks system access (locker ransomware) for the victim. The ransom amount and contact information for the cyber threat actor (CTA) is typically included in a ransom note that appears on the victim’s screen after their files are locked or encrypted. Sometimes the CTA only includes contact information in the note and will likely attempt to negotiate the ransom amount once they are contacted.” (Source: A Security Primer—Ransomware, Cybersecurity.org)
How does ransomware infect computers?
“Here are some of the ways computers and mobile devices can be infected:
- Links in emails or messages in social networks — In this type of attack, the victim clicks a malicious link in an email attachment or a message on a social networking site.
- Pay per install — This popular method attacks computers that are already part of a botnet (a group of infected computers under the control of criminals called botmasters), further infecting them with additional malware. Bot herders, criminals who look for security vulnerabilities, are paid to find these opportunities.
- Drive-by downloads — This form of ransomware is installed when a victim clicks on a compromised website. McAfee Labs researchers have seen an increase in drive-by downloads. In particular, users of some streaming video portals have been hit.”
(Source: McAfee. See also their 2017 white paper Understanding Ransomware and Strategies to Defeat It.)
Is my museum at risk?
Yes. Hackers are targeting a wide variety of businesses, large and small, as well as individual users. Dozens of cities have been hit by ransomware attacks—and if your museum is part of a municipality, your data may be compromised as well. Keep in mind that university museums inherit the risk of their parent organizations, too. (Last year Regis and Stevens Universities suffered devastating attacks.)
How can I prevent ransomware attacks?
- “Update and patch your computer. Ensure your applications and operating systems (OSs) have been updated with the latest patches. Vulnerable applications and OSs are the target of most ransomware attacks
- Use caution with links and when entering website addresses. Be careful when clicking directly on links in emails, even if the sender appears to be someone you know. Attempt to independently verify website addresses (e.g., contact your organization’s helpdesk, search the internet for the sender organization’s website or the topic mentioned in the email). Pay attention to the website addresses you click on, as well as those you enter yourself. Malicious website addresses often appear almost identical to legitimate sites, often using a slight variation in spelling or a different domain (e.g., .com instead of .net).
- Open email attachments with caution. Be wary of opening email attachments, even from senders you think you know, particularly when attachments are compressed files or ZIP files.
- Keep your personal information safe. Check a website’s security to ensure the information you submit is encrypted before you provide it.
- Verify email senders. If you are unsure whether or not an email is legitimate, try to verify the email’s legitimacy by contacting the sender directly. Do not click on any links in the email. If possible, use a previous (legitimate) email to ensure the contact information you have for the sender is authentic before you contact them.
- Inform yourself. Keep yourself informed about recent cybersecurity threats and up to date on ransomware techniques. You can find information about known phishing attacks on the Anti-Phishing Working Group website. You may also want to sign up for CISA product notifications, which will alert you when a new Alert, Analysis Report, Bulletin, Current Activity, or Tip has been published.
- Use and maintain preventative software programs. Install antivirus software, firewalls, and email filters—and keep them updated—to reduce malicious network traffic.”
(Source: U.S. Department of Homeland Security, National Cyber Awareness System, Protecting Against Ransomware.)
Are there training programs that can help prevent successful attacks?
Yes. The Alliance uses KnowBe4 for its security awareness training. There are a number of similar programs like AwareGO and Mimecast. All programs follow a similar framework, reoccurring short video training sessions mixed in with periodic assessments. Administrators can use the results to gauge the organization’s risk and impact of training program. Costs are based on the number of users enrolled in the program and start as low as a couple dollars per month. Since threats are evolving it is important to view this training as on-going and not a one-time rubber stamp.
I’ve been attacked by ransomware—what’s the first thing I should do?
The BackBlaze Blog recommends that your first step should be to isolate the infection:
“The first thing to do when a computer is suspected of being infected is to isolate it from other computers and storage devices. Disconnect it from the network (both wired and Wi-Fi) and from any external storage devices. Cryptoworms actively seek out connections and other computers, so you want to prevent that happening. You also don’t want the ransomware communicating across the network with its command and control center.
Be aware that there may be more than just one patient zero, meaning that the ransomware may have entered your organization or home through multiple computers, or may be dormant and not yet shown itself on some systems. Treat all connected and networked computers with suspicion and apply measures to ensure that all systems are not infected.”
Your museum’s IT department or security office may have a procedure in place to respond to ransomware attacks. This may include shutting down and isolating other devices that may have been connected to the infected computer and ensuring that your backup data (you have backup data, right?) is offline and secured.
Where can we get help with responding to a ransomware attack?
Many firms offer to help with recovery of data after a ransomware attack. Be cautious if you decide to engage such a firm—an investigation by Pro Publica revealed that some companies that promise to recover encrypted data simply pay the hackers and pass the charge on to the victim. I have not found a credible, independent review of reputable recovery services. Let me know if you have any source to share.
Should we pay the ransom?
Opinions vary, but many cybersecurity experts (including Lee Mathews, writing for Forbes) argue that you should never pay a ransomware ransom. For one thing, as Mathews points out, only 19% of ransomware targets who pay the ransom actually get their data back. The NYT article I cite at the beginning of this article makes the case that paying ransoms will fuel more attacks, by “giving attackers more confidence that they will get paid.”
Can we recover our data without paying a ransom?
Maybe. Even as hackers create new ransomware programs, programmers race to create encryption programs to free locked data. You can work with a forensics and data recovery program to try to recover what you can. That said, your best recovery strategy is to have a good backup system.
Should we report the attack?
The Department of Homeland Security asks that you report ransomware attacks immediately to CISA at www.us-cert.gov/report, a local FBI Field Office, or Secret Service Field Office.
Skip over related stories to continue reading article