
Your money or your files: the growing threat of ransomware

Ransomware, malware that encrypts a victim's files and extorts payment for the key that unlocks them, is the internet plague now sweeping the US. But since the criminals collect their ransoms in a cryptocurrency that is hard to trace, what is the remedy? Seung Lee reports

Seung Lee
Thursday 19 May 2016 00:01 BST
Some cyber-security experts call the ransomware attacks an epidemic (Reuters)

The first wave of emotions, victims say, is a combination of panic and powerlessness. They click and reclick on files on their desktops – agendas for a weekend Christian camp, payroll data for hundreds of teachers or medical information for veterans – to no avail. Someone, or something, has scrambled the files with encryption and renamed them with an unfamiliar extension such as .mp3, or one that references the RSA cipher. And, next to these unopenable files, the victims get a ransom note in a text file or HTML file: “Help_Decrypt_Your_Files".

“All your files are protected by a strong encryption with RSA-4096 [military-grade encryption],” reads one note shared by a victim. “So there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW!, and restore your data the easy way. If you have really valuable data, you better not waste your time.”

In February, the Hollywood Presbyterian Medical Center in Los Angeles made national news after it was the victim of ransomware, malware that encrypts files so that their owners can no longer open them. For weeks, the hospital had to shuttle its patients to nearby facilities. But hackers aren’t going after only big targets: in the past few months, school districts in South Carolina and Minnesota, hospitals in Kentucky and Georgia, and a church in Oregon have been paralysed for days, and many experts believe there are far more ransomware attacks that have gone unreported.

Institutions have resorted to using handwritten forms as they try to retrieve data that is locked by strong encryption. In many cases, the victims cough up hundreds or thousands of pounds in Bitcoin, an open-source crypto-currency whose payments are hard to trace (the ledger is public, but the wallets behind it are pseudonymous), for the key that will allow them access to their own information.

Some cyber-security experts call the attacks an epidemic. Both the US and Canadian governments issued a rare joint alert in March warning businesses of ransomware. In 2015, affected Americans paid about $325m (£225m) due to ransomware attacks; in 2016, cyber-security analysts estimate, it will be much higher. “Ransomware is dangerous because anyone can [use] it and target anyone,” says James Scott, a senior fellow at the Institute for Critical Infrastructure Technology.

While the culprits come from all over the world, ransomware attacks are mainly co-ordinated by highly organised mercenary hackers based in Russia and other Eastern European countries, prompting some to hark back to Cold War-era concerns. “This is World War III,” says Clint Crigger, a cyber-security manager for SVA Consulting, though he insists he is not an alarmist.

Firewalls and antivirus programs do a poor job of detecting ransomware, but they are not the cause of the epidemic. Instead, many experts say, the cause lies with people's carelessness in clicking on phishing emails and infected advertisements. Two-thirds of ransomware cases stem from phishing emails, according to cyber-security research company Lavasoft.

Rookie hackers, known as script kiddies, can easily put together a ransomware-laced email that appears to come from a senior hospital doctor or school superintendent, using basic social engineering. A common method is to harvest email addresses from the company's domain, identify the company's top executives on LinkedIn or Facebook, register a free email address in one of those executives' names and send a ransomware-laced message to a lower-level employee with a subject line reading “invoice”, or something else that looks as if it demands attention.

Another variant is sending a phishing email under the name of your postman. One ransomware attack at a Georgia Veterans Affairs hospital began with an employee clicking on a fake US Postal Service email, paralysing the hospital for three days.
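The two lures described above (an executive's name on an outside mailbox, and a delivery service impersonated in the sender's domain) can be caught on the mail gateway with a few header checks. The script below is an added illustration, not a tool mentioned in the article; the company domain, executive roster, brand list and the three sample messages are all constructed for the example.

```python
"""Flag executive-impersonation and brand-lookalike senders on incoming mail.

Added example; EXECUTIVES, COMPANY_DOMAIN, IMPERSONATED_BRANDS and the sample
messages are constructed, not taken from any real organisation or incident."""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-hospital.org"                 # assumed internal mail domain
EXECUTIVES = {"jane doe", "robert smith"}                # assumed names, as an attacker would scrape them
IMPERSONATED_BRANDS = {"usps": "usps.com", "ups": "ups.com"}  # brand label -> legitimate domain
URGENT_SUBJECT = re.compile(r"\b(invoice|urgent|payment|delivery|package)\b", re.I)
RISKY_ATTACHMENT = (".zip", ".js", ".docm", ".exe", ".scr")

def sender_parts(msg):
    """Return (display name, address, domain), all lower-cased, from the From header."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), addr.lower(), domain

def assess(raw_message):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw_message)
    name, addr, domain = sender_parts(msg)
    findings = []
    # Pattern 1: a known executive's name on a mailbox outside the company domain.
    if name in EXECUTIVES and domain != COMPANY_DOMAIN:
        findings.append(f"executive name '{name}' on external address {addr}")
    # Pattern 2: a brand name as a label of the sender domain, but not the real domain.
    labels = set(re.split(r"[.-]", domain))
    for brand, real in IMPERSONATED_BRANDS.items():
        if brand in labels and domain != real and not domain.endswith("." + real):
            findings.append(f"lookalike domain {domain} impersonates {real}")
    # Urgency in the subject only matters once the sender already looks wrong.
    if findings and URGENT_SUBJECT.search(msg.get("Subject", "")):
        findings.append("urgency lure in subject")
    # Attachments that commonly carry the ransomware dropper.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_ATTACHMENT):
            findings.append(f"risky attachment {filename}")
    return findings

# Constructed sample messages (not real mail).
SAMPLE_EXEC = """\
From: Jane Doe <jane.doe@gmail.com>
To: clerk@example-hospital.org
Subject: Invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please process the attached invoice today.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="invoice.zip"

UEsDBA==
--b1--
"""

SAMPLE_USPS = """\
From: USPS Tracking <noreply@usps-delivery-notice.com>
To: clerk@example-hospital.org
Subject: Your package could not be delivered
Content-Type: text/plain

Open the attached label to reschedule delivery.
"""

SAMPLE_OK = """\
From: Jane Doe <jane.doe@example-hospital.org>
To: clerk@example-hospital.org
Subject: Invoice
Content-Type: text/plain

Invoice for the March order is approved.
"""

if __name__ == "__main__":
    for label, sample in (("exec", SAMPLE_EXEC), ("usps", SAMPLE_USPS), ("ok", SAMPLE_OK)):
        print(label, assess(sample) or "clean")
```

The display-name check is the cheap half of the defence; the other half is enforcing SPF, DKIM and DMARC on the real company domain so that a message claiming to be from jane.doe@example-hospital.org but sent from elsewhere is rejected before any heuristic runs.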

David Eppelsheimer, the pastor of the Community of Christ Church in Hillsboro, Oregon, can speak from experience. On 18 February he found that all his PowerPoint files had mysteriously been renamed with the .mp3 extension and would no longer open, and got a curt ransom note asking for 1.3 bitcoins (about £400). “I felt helpless, and it felt surreal,” he says.

After two days of frantically trying to obtain Bitcoins in shady-looking online markets, Eppelsheimer paid the hackers about £400 to obtain the encryption key to open the files. He said it took several weeks to retrieve and open hundreds of his personal files, one by one.

Several cyber-security experts say that paying ransom should be considered only in the worst-case scenarios, when one has no back-ups or lines of defence in place – much like Eppelsheimer. Paying ransom allows the hackers to carry on their ransomware activities. “If you pay the ransom, what you are saying is, you have been caught with your pants around your ankles,” Crigger says.

Charles Hucks feels like he had no choice. As the executive director of technology at the Horry County School District in South Carolina, he became a victim of ransomware. For a few weeks earlier this year, his county’s networks were frozen, bringing the daily routines of 42,000 students and thousands more staff and teachers to a halt. Despite having ready back-ups and a full-time information technology staff working 20 hours daily to get the data back, Hucks and the school district still had to pay 22 bitcoins (£6,900) to the hackers for the key as a “business decision.”

But experts say institutions and people aren’t helpless against ransomware. The best thing to do is to back up data frequently, on a cloud storage platform, with cold storage or on an external hard drive, and to keep those copies versioned or disconnected, since ransomware will also encrypt any mapped network drive or synced folder it can reach; a backup that has never been test-restored is not yet a backup. Scott also advocates training employees about “cyber hygiene,” comparing not clicking on malvertisements to washing one’s hands before working in a restaurant or hospital. “Loose clicks sink ships,” Crigger says.

If a company or server is breached, the recommended procedure is to isolate the affected machines and cut the servers off from public access to stop the malware spreading, and then have IT professionals comb every folder and network for infections. Scott says institutions need to be vigilant about ransomware acting as a diversion while the hackers launch an attack elsewhere in the network, perhaps downloading a company’s personal data to sell on the black market. One way to detect it, Scott says, is to monitor for abnormal spikes in downloads and other activities in unaffected networks during attacks.
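The spike monitoring Scott describes comes down to a per-host baseline and a threshold. The script below is an added example, not tooling from the article: it reads constructed per-minute outbound byte counts, fits a baseline from the minutes before the ransom notes appeared, and flags incident-window minutes that sit well above it. The log format, host names, byte counts and the assumed incident start time are all invented for the demonstration.

```python
"""Baseline-and-spike check for outbound traffic during a ransomware incident.

Added example. LOG_LINES is constructed data; INCIDENT_START is an assumed
timestamp for when the ransom notes were first seen. Run it over hosts outside
the encrypted segment to look for the diversion-and-exfiltration pattern."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed per-minute egress summaries (timestamp, host, outbound bytes).
LOG_LINES = """\
2016-02-05T10:00 host=fileserver-02 bytes_out=2000000
2016-02-05T10:01 host=fileserver-02 bytes_out=2100000
2016-02-05T10:02 host=fileserver-02 bytes_out=1900000
2016-02-05T10:03 host=fileserver-02 bytes_out=2050000
2016-02-05T10:04 host=fileserver-02 bytes_out=1950000
2016-02-05T10:00 host=ws-07 bytes_out=50000
2016-02-05T10:01 host=ws-07 bytes_out=48000
2016-02-05T10:02 host=ws-07 bytes_out=52000
2016-02-05T10:03 host=ws-07 bytes_out=50000
2016-02-05T10:04 host=ws-07 bytes_out=50000
2016-02-05T10:05 host=fileserver-02 bytes_out=2000000
2016-02-05T10:06 host=fileserver-02 bytes_out=45000000
2016-02-05T10:07 host=fileserver-02 bytes_out=52000000
2016-02-05T10:05 host=ws-07 bytes_out=60000
2016-02-05T10:06 host=ws-07 bytes_out=61000
2016-02-05T10:07 host=ws-07 bytes_out=59000
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) bytes_out=(?P<bytes>\d+)$")
INCIDENT_START = "2016-02-05T10:05"   # assumed: first minute the ransom notes were seen
SIGMA = 3.0                           # standard deviations above baseline that count as a spike
MIN_BYTES = 10_000_000                # absolute floor so near-idle hosts don't alert on jitter

def parse(lines):
    """Yield (timestamp, host, bytes_out) for each well-formed line; skip malformed ones."""
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["host"], int(m["bytes"])

def egress_spikes(lines, incident_start=INCIDENT_START):
    """Return [(host, timestamp, bytes_out)] for incident-window minutes above baseline."""
    baseline = defaultdict(list)
    incident = defaultdict(list)
    for ts, host, nbytes in parse(lines):
        # ISO-8601 timestamps sort lexicographically, so a string compare is enough here.
        (baseline if ts < incident_start else incident)[host].append((ts, nbytes))
    alerts = []
    for host, samples in incident.items():
        history = [b for _, b in baseline.get(host, [])]
        if len(history) < 2:
            continue  # no usable baseline for this host: nothing can be called a spike
        threshold = max(mean(history) + SIGMA * pstdev(history), MIN_BYTES)
        for ts, nbytes in samples:
            if nbytes > threshold:
                alerts.append((host, ts, nbytes))
    return alerts

if __name__ == "__main__":
    for host, ts, nbytes in egress_spikes(LOG_LINES):
        print(f"ALERT {ts} {host} sent {nbytes:,} bytes, far above its baseline")
```

The absolute floor is deliberate: the workstation's 60 kB minutes are statistically unusual against its 50 kB baseline but are not what exfiltration looks like, while the file server's jump from 2 MB to 45 MB a minute is the kind of event worth pulling a packet capture for.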

But even some cyber-security experts seem to have a fatalistic view. Ransomware is constantly evolving, with polymorphic variants that change their own code to slip past signature-based antivirus programs and other security controls.

Without a massive overhaul in cyber-security infrastructure and an understanding of cyber hygiene, institutions such as small hospitals will remain easy targets. But Scott worries that even more critical and outdated systems that control dams or nuclear silos built during the Cold War with minimal upgrades can be similarly hacked.

For victims such as Eppelsheimer, it can be hard to deal with a faceless attack that can seem very personal. “My outlook is: love my neighbour, even if he steals from me,” Eppelsheimer says. “But I was angry [when it happened]. It felt like a faceless, nameless evil from the other side of the world descended on me and my church.”

© Newsweek
