Monday, May 23, 2016

Ransomware: the digital plague infecting the world

The most recognizable extortionists used to wear Popeye biceps and carry lead pipes as convincers. Nowadays, they hide behind hard drives.
Tulsa attorney Grayson Barnes can relate.
He entered his office one day to find that hackers had taken the firm’s files hostage. Barnes could obtain the key to unlock the encryption but it would cost him.
$500.

“It’s a pretty good business plan if you don’t mind stealing from people,” Barnes says. “I’m sure they’re somewhere in India or the Sudan. I don’t think any local law enforcement really has any interest in trying to prosecute someone where they can’t do anything about it.”
The company was in the process of converting its system to a new backup, he says.
“It was a short window when they could have encrypted the files, and it happened to be the time that they did,” says Barnes, whose firm forked over the money. “Generally, we back up every evening. But it wasn’t just a day’s work product. It was the entire firm’s history.”
Barnes was a victim of the malware variant called ransomware, which is infecting the nation’s businesses and consumers at an alarming rate.
The FBI reports that CryptoWall and its ransomware cousins have been actively used to target U.S. victims since April 2014. Between then and June 2015, the FBI’s Internet Crime Complaint Center received 992 CryptoWall-related complaints, with victims reporting total losses of at least $18 million.
According to Intermedia’s 2016 Crypto-Ransomware Study, 89 percent of businesses victimized by ransomware had 10 employees or more, and 60 percent had at least 100 employees. In addition, Intermedia says that 52 percent of experts report that the wipe-and-restore process necessitated by the malware lasts at least two days, amounting to downtime that companies can ill afford.
“The individuals who do these types of attacks are well aware of the pressure points and pain points, economic-wise,” says Dr. John Hale, a cybersecurity expert at the University of Tulsa. “They know what they can extract, how much they can extract.
“They prey upon two things: an organization’s reliance on information systems and two, the common situation, where an organization is a little bit behind on backup procedures and policies to prevent these types of things. It really is easy pickings for the bad guys.”
Crypto ransomware is designed to encrypt data stored on the computer, making the data useless unless the user obtains the key to decrypt it. A message details the ransom, which is typically paid in digital currencies such as bitcoin. Locker ransomware locks the computer or device’s interface — save for the ability to interact with the hacker — and demands money to restore it.
“Typically, your bad guys or subjects are going to be overseas most likely,” says Chad Knapp, a special agent at the FBI office in Oklahoma City. “… As criminals, they are in the upper echelon of sophistication.
“They are developing malware that is good at covering its tracks. They are setting up what we call a command and control system that literally stretches across the globe.”
Although the FBI in Oklahoma City has not worked a ransomware case, it has assisted other offices, he says.
“They know where to hit because they are doing their reconnaissance,” says Knapp, adding that he knows of hackers who have asked for sums up to $50,000 nationally and $10,000 in the state. “And the ransoms are higher.”
In February, Hollywood Presbyterian Medical Center in Los Angeles paid $17,000 in bitcoin to a hacker who assumed control of the hospital’s computer systems and demanded payment to restore them. It forced staffers and physicians to use fax machines and paper charts for 10 days. That same month, administrators at the Horry County school district in South Carolina forked over $8,500 in bitcoin to remove a ransomware virus that had affected its servers.
Closer to home, Moore High School was hamstrung by ransomware in September. A hacker shut down the computer system across the entire district, preventing access to any files and asking for money.
“It could have been a dollar; it could have been $30,000,” says Moore Public Schools Director of Technology Jun Kim, who couldn’t recall the ransom request. “It could have been $3 million. I wouldn’t have paid it.”
The district wiped its system and had good backup, Kim says. The school also consulted with a vendor, which did a full scan and analysis of the system to look for vulnerabilities.
“We made some minor adjustments because our team already had good protocols in place,” he says. “But even with all the software patches and everything you can do, there are going to be some of those things that pop up. If national banks and government agencies can’t block them, I don’t know how much more a school district can do.”
Hale, who holds the Tandy Endowed Chair in bioinformatics and computational biology at TU, says prevention and education are the consumer’s best friends when fighting ransomware.
He recommends performing air-gapped backups, a security measure that involves isolating a computer or network and preventing it from establishing an external connection. He also urges vigilance when clicking on a link or an attachment.
“Be suspicious,” Hale says.
But he warns that ransomware has staying power — the first public case was in 1989 — and is likely to linger.
“The idea has been around a while,” he said. “I suspect organized crime is finding it to be low-hanging fruit. It’s one thing to try to attack Citibank, where the defenses are there and they have mature information and a security program and so forth. Maybe someone would try to do that and get several billion dollars out of a traditional hack attack.
“Or I could attack 20,000 individuals or small companies who I know don’t have security in place and don’t have backup procedures, and I could $500 each from them and I could come up with a pretty good payday without worrying about either getting caught or lack of success. We’re seeing it as a definite up trend. What’s interesting is that it’s crossing multiple sectors now. The way our cars are computerized, the next ransomware attack may be in that area. …‘You want to start your car? Pay me $300.’ We’re headed that way.”
