Ransomware Scams Take Aim at Smaller Companies
MILWAUKEE – The so-called ransomware attack that shut down a Milwaukee company recently shows the ever-present risk that now threatens all organizations.
Small businesses that have less sophisticated systems to protect their computer networks from being hacked can be particularly vulnerable, according to cybersecurity experts. But every business or organization – large corporations, health systems, universities – is at risk.
“We all run the risk every time we cross the street of getting hit by a car – no matter how cautious we are,” said Thomas Kaczmarek, director of the Center for Cyber Security Awareness and Cyber Defense at Marquette University.
“You have to be beyond cautious. You have to be defensive, and organizations are trying to be defensive. But it costs time and money and resources to do that.”
Ransomware is a type of software, known as malware, that locks down parts of a computer system – or, in the worst case, the entire system – and denies access to the system or data until a ransom is paid. The FBI estimates that several thousand ransomware attacks occur each day.
“Cyber hacking has become a business,” Kaczmarek said.
People don’t even have to be technical experts to become cybercriminals: They can buy kits that provide the needed software.
“There are very low barriers of entry to the marketplace,” Kaczmarek said. He likened it to becoming a franchisee. If perpetrators succeed in penetrating a computer system, they can sell the access – the rights – to another party in exchange for what would be considered a finder’s fee in the business world.
The ransomware that hit the Milwaukee company – vcpi, which provides information technology services to nursing homes and rehabilitation facilities – is well-known: It’s called Ryuk. The attack was launched in the early hours of Nov. 17 and affected clients’ email, electronic records for administering medications and, in some cases, electronic health records.
The company, formerly Virtual Care Provider, estimates that 20% of its servers were affected. It has been focused on restoring its system and declined to comment.
Most ransomware attacks are not publicly disclosed. But the fact that businesses can buy cybersecurity insurance shows the risk they face.
“The more you look into this, the more it scares you,” said Khaled Sabha, who teaches courses on computer hacking and forensics at the University of Wisconsin-Milwaukee. “It could happen to any person, even to me,” he said. “You have to be vigilant all the time.”
Sabha and other experts stressed that the first line of defense is awareness.
An estimated 90% of successful attacks are from phishing, in which someone clicks on a Word document, PDF file or link that contains “scripting,” or executable code.
The problem is the email can be sent under a false address.
The computer science department at UW-Madison this year was the target of so-called spear phishing – a type of phishing designed for a specific person or organization – under the name of the former department chair, said Barton Miller, a computer science professor.
No one fell for it.
But few people are computer scientists – and all it takes is a lapse by one employee for a computer system to be breached. Once the system is penetrated, the virus has a beachhead of sorts. The Emotet virus, for example, originally was designed to steal information, Miller said. But around 2018, a new version appeared that could bring in other software, such as Ryuk malware, as well as get into email contacts. The malware then will look for vulnerabilities, such as updates that haven’t been done or flaws in how the system is configured.
Computer networks are designed with firewalls and other protections to stop a virus or malware from getting beyond a certain point. Tools also have been developed to identify potential weaknesses.
“One of the primary principles of cybersecurity is defense in depth,” Kaczmarek said. Only authorized people, for instance, should be allowed access to certain parts of the network.
That’s partly why cybersecurity experts stressed the importance of complex passwords.
Viruses now exist that can capture keystrokes and in the process get passwords, Kaczmarek said. But so-called brute force attacks that try possible combinations are the most common. Using an upper and lower case letter doubles the complexity. Numbers and special characters make passwords even more complex.
One problem is people often use the same password for different accounts. And passwords also can be picked up when people use unsecured Wi-Fi.
The biggest concern is compromised credentials, such as a simple password or a password used for a number of different sites or accounts, said Brett Rehm, vice president of the technical services team at Epic Systems.
Health care organizations and insurers have become inviting targets for cybercriminals. In a two-month period this year, eight health systems, hospitals or medical clinics were hit with ransomware attacks that in some cases caused them to shut down temporarily, according to Becker’s Hospital Review.
The most important defense is ensuring that so-called patches are installed regularly, Rehm said. Most malware attacks could be prevented by installing the latest version of security software.
Epic’s customers are large health systems and physician practices that have sophisticated computer networks. Smaller health providers, businesses and organizations don’t have the same resources.
The National Institute of Standards and Technology has put out a framework that consists of standards, guidelines and best practices for cybersecurity. A coalition also has worked to raise awareness with its “Stop. Think. Connect.” campaign.
But even with that, organizations still are at risk. For this reason, experts stress the importance of backing up their data – and regularly testing their backups.
Copyright 2020, USATODAY.com, USA TODAY, Guy Boulton