Telecom & Tech
Your Money or Your File
Combatting ransomware threats
By Tracy Barbour
Ransomware is the top cybersecurity threat to businesses today—and it is expanding at an alarming rate. In 2020, Alaska reported a record number of complaints about ransomware and other cybercrimes to the FBI’s Internet Crime Complaint Center (IC3). On a per-person basis, Alaska recently ranked as one of the country’s least secure states, according to Todd Clark, president of DenaliTEK and Cybersecure Alaska. “Per capita, Alaska had more cybercrimes reported in both 2018 and 2019 than any other state in America,” he says. “Alaska was 4th least secure in both 2020 and 2021.”

“Alaska is home to many military bases, energy companies, and government agencies,” says David W. Monroe, a cybersecurity consultant with Computer Task Group (CTG), which provides digital transformation solutions. “These industries and organizations have always been prime targets for ransomware attacks. Recently, news agencies in Alaska have been reporting on an increase in attacks on educational institutions as well.”

In the past few years, cyberattacks in Alaska have hit a variety of entities: Ravn Alaska, the agency formerly named the Alaska Department of Health and Social Services, the Alaska Court System, the Matanuska-Susitna Borough, and the city of Valdez. As a preemptive move, the Alaska Division of Banking and Securities recently urged financial institutions and industries to monitor current events in Ukraine and Europe. “Events could pose significant cybersecurity risks for the US financial sector,” the alert said.

Ransomware is an insidiously debilitating form of malware. Once installed, the software encrypts all the files it can find on a machine, along with those on any shared networks and devices. Then it locks users out of devices or blocks access to files until they pay a ransom or meet some other demand in exchange for decryption. “One of the most common methods of attack is to exploit the human factor through malicious phishing emails with infected attachments or links to malicious sites,” Monroe says. “These can include not only executable files but common file types, including MS Office files such as .doc and .dot that are easily opened with popular desktop applications.”

A ransomware infection can wreak havoc on victims, causing extensive business interruption losses, legal expenses, and reputational damage. The average cost of a ransomware breach was $4.62 million in 2021, according to IBM’s “Cost of a Data Breach 2021” report. That figure does not include the ransom payment, which represents only 15 percent of the total cost of an attack.

“By 2025, cybercriminals are expected to take home over $10 trillion,” says Keri Parsons, security culture and engagement manager at GCI. “These are not your teenage hackers hanging out in mom’s basement, rocking a dark hoodie, and drinking excessive amounts of energy drinks. Today’s adversaries are organized criminals, operating with nation-state backing and their own ‘call centers’ of employees. Many are becoming household names, like CONTI or REvil, but that isn’t their ultimate goal. Ideally, they want to make as much money as quickly as possible.”

Severity of the Threat
The pervasive nature of the ransomware problem affects all types of companies, sectors, and industries. In 2021, fourteen of the country’s sixteen critical infrastructure sectors had at least one member that fell victim to a ransomware attack, based on IC3 reporting. The most frequently victimized sectors were healthcare and public health, financial services, and information technology.

The changing nature of data storage exposes organizations to ransom attacks, according to Parsons. “So many organizations are moving to digital storage and processes, whether on their own servers or in the cloud,” she says. “Gone are the days of file cabinets stacked twenty deep in a basement somewhere—only susceptible to fire or loss—and your biggest concern was digging out the right information on time.”

With ransomware, that potential risk comes from all angles. Parsons explains: “Did you properly back up your data? Is it redundant? What happens if it is disclosed to anyone and everyone in the world? Can your business function and continue to operate without access to it for a week? A month? A year? How can you verify the accuracy and completeness of it once it is returned? Or, worst-case scenario, you never get the data back. Ever. Every organization needs to consider these real threats brought on by ransomware.”

Ransomware is also such a major threat because it is so successful. According to Cybersecurity Ventures, ransomware damages were more than $10 billion in 2021—more than 57 times the number in 2015—and are expected to reach $265 billion annually by 2031. “Cybersecurity Ventures also noted that over 50 percent of attacks are successful to some degree and that, unfortunately, 45 percent of ransomware victims paid the ransom, showing a successful rate of return,” Monroe says.

Virtually all ransomware attacks today are “double-extortion” scams that demand a ransom to unlock data and return exfiltrated or stolen data, according to IBM Security X-Force’s 2022 Threat Intelligence Index. Ransomware perpetrators used to launch malware and collect the ransom payment, and that would be the end of the attack, Clark says. Now they are apt to steal personally identifiable information and other data—to commit additional extortion later—and then ransom the system for an immediate payoff. However, because so many companies today are prepared with backups and can avoid paying a ransom, cybercriminals are threatening to publicly expose the stolen data on the internet.

That’s exactly what happened with Australian health insurance provider Medibank. Unidentified hackers stole the health records of millions of Medibank customers in October and then released them on the dark web in November after the company refused to pay the ransom. The disclosed data also included personal information such as names, addresses, dates of birth, phone numbers, email addresses, Medicare numbers, and passport numbers.

As another trend, there has also been an increase in attackers targeting service providers with ransomware, according to Cindy Christopher, director of managed IT product and sales for Alaska Communications. “Let’s say it’s a smart home device, which disables the service for end-user customers,” she explains. “The attackers contact the service provider’s customers saying, ‘We’ll restore your service if the provider pays the ransom.’ This type of attack is extremely devastating to your business reputation and would be hard to recover from.”

As a positive trend, Clark Logan, vice president of the nonprofit ArcticShield, is seeing a growing sense of urgency to spread the word—both in Alaska and nationally—about ransomware. “To give some insight, ransomware as a whole has been around since 1989, and only now in 2022 are we seeing this larger uptick in response and preparedness,” he says.

Detection, Prevention, and Recovery
The mere idea of ransomware can be terrifying for businesses, especially given its complexity and potential negative impact. But the risk is manageable, Clark says. “The tech crowd has the prevention techniques covered pretty well, but what they can’t do is get key decision makers to take care of the responsibilities they have in regard to cybersecurity,” he says. “I think too many small business owners and key decision makers abdicate 100 percent of cybersecurity to the IT department and IT provider. So much of the prevention needs to make it into the business plan and be discussed at a high level.”

Clark launched Cybersecure Alaska to enhance cybersecurity awareness among business decision makers. The nonprofit organization is also working with lawmakers to foster some type of “safe harbor” legislation—as a growing number of other states have done—that would protect Alaska businesses that implement a cybersecurity plan. “Cybersecure Alaska envisions Alaska becoming the most cybersecure business community in America by 2026,” he says.

ArcticShield, which has a similar vision, also strives to help Alaska organizations circumvent cyberattacks. “ArcticShield aims to build and foster a thriving cyber-community where varied professionals from all backgrounds (technical and non-technical), as well as businesses of all sizes, can come together in unity to prevent and recover from not only the myriad of ransomware attacks but the entire gamut of cyber-related threats to the greater goal of educating and bolstering critical infrastructure,” Logan says. “We ourselves can run a thorough analysis of your infrastructure as a business owner in a simulated attack and report on where you have vulnerabilities while coaching/advising on best practices to help pave a path to success.”

From Logan’s perspective, the best practice for ransomware prevention is user training. Companies should train their employees to look for “bad” email links in the headers or misinformation in the email or signature, to lock their computer when it’s not in use, and to use a password manager application so they can use complex passwords without having to remember them.

If ransomware does strike, Logan says, the best strategy for victims is not to pay the ransom. Instead, they should follow these basic steps:

Step 1: Turn off the network device/modem immediately and power down computers.

Step 2: Contact their IT professional if one is available; otherwise, do the next step.

Step 3: Identify the domain controller and all attacked machines one by one and revert to the “gold” backup image. If no backup is available, reinstall the operating system.


It takes an average of twenty-two days to recover from a ransomware attack, according to global cybersecurity solutions provider Sophos. Businesses can take steps prior to a breach that can greatly improve their response, says Christopher. For example, companies should have an incident response plan that outlines response and recovery steps, and the executive leadership or business owner should understand the details of the plan.

Organizations should also think about business continuity. “Recovering from an attack can be a lengthy process,” Christopher says. “Your plan should outline how you’ll continue to conduct business and serve your customers or community during this time.”

After a breach, the first step is to identify affected systems and immediately isolate them. “After this initial step, you should consult with your incident response team and start walking through the steps of your plan,” Christopher says. “Depending on your industry, you may need to inform regulatory agencies within a required period of time. Ransomware is a crime, and you may need to consult law enforcement.”

Parsons agrees. She encourages companies to check with their legal team to see when and what they can share following a security breach. They should get in the mindset that law enforcement and the FBI are real assets when it comes to a ransomware attack. And, if they haven’t already done so, they should set up their data for offline backups. “And then don’t just leave it there,” she says. “Practice and test the restoral process to guarantee you can recover your systems when the time comes. So many organizations skip this step and discover at the worst possible moment that their data is somehow inaccessible.”

Aside from all the technical tactics, Clark advocates getting cyber insurance and paying close attention to the coverage requirements. Insurance companies have been losing money on cyber insurance, and claims-related denials are going up. “Get the right level of cyber insurance and make darn sure you are meeting every requirement of that policy to get coverage,” he says.

Enhancing Cybersecurity Expertise
The growing complexity and risk of ransomware make it more critical for businesses to enhance their cybersecurity knowledge and/or seek help from an outside expert. Companies like DenaliTEK, CTG, GCI, and Alaska Communications offer a wide range of cybersecurity solutions. Free technical assistance is also available from nonprofits like ArcticShield and Cybersecure Alaska as well as government agencies. For example, the National Cybersecurity Alliance (NCA) and CISA co-led Cybersecurity Awareness Month in October to provide information to help individuals and organizations stay safe online.

Also in October, the US Small Business Administration (SBA) held its first-ever Small Business Cyber Summit, which featured cybersecurity experts sharing best practices and practical defensive tools. During the virtual event, Microsoft Vice Chair and President Brad Smith urged people to employ multi-factor authentication, software updates, and cloud-based security solutions. He also advised business owners to rely on a local IT partner, instead of trying to tackle all the requirements of cybersecurity on their own.

Christopher concurs. “Your business needs an expert who does this for a living, and it’s not always feasible for small businesses to hire and maintain internal IT staff,” she says. “That’s why many benefit from working with a trusted partner who can put together a solution that meets your needs and budget.”

When selecting a provider, companies should look for a partner who understands their business and industry. “The more invested your partner is in your business, the better the outcome,” Christopher says. “In addition to being a trusted partner for security services, we recommend a third-party security audit at least once per year. Audits are a very important and worthwhile investment.”

Logan reminds all business owners that, as the decision makers, the responsibility for cybersecurity—thus the risk—ultimately falls upon them, not their third-party cybersecurity service provider. “As such, train yourselves and invest in your own knowledge.”

To enhance their knowledge, business owners and others can access free ransomware resources from CISA (cisa.gov and stopransomware.gov), the US Small Business Administration (sba.gov), and the Global Cyber Alliance (globalcyberalliance.org).