STOCKTON — When it comes to ransomware, one of the most insidious cybersecurity threats out there, Verve Networks CEO Jeff Gilbert says two things are true: most small businesses think they won’t be a target, and all of them are vulnerable.
“What’s frightening is that most small and medium clients don’t think that they are vulnerable. They are. It happens all the time,” Gilbert said.
Ransomware is a malware attack on either a personal computer or a network that encrypts files and then tries to get the victim to pay a ransom to have them unlocked. As many as half the small or medium-sized businesses in the United States are victimized by a malware attack in a year, Gilbert said.
David Darmstandler, CEO of DataPath in Modesto, said his company is called in on local ransomware attacks about once a month.
“We’ve been a part of some major ones where they’ve taken down very large companies with ransoms of 10 to $20,000,” he said. “But it’s not just that you pay the ransom; you need to confirm that you can get back up and going.”
Gilbert says it’s also possible that attackers have stolen information in addition to extorting victims. He said he’s seen cases where malware has forged email from a company’s CFO and sent it to an accounts payable employee telling them to cut a check.
Modesto-based CPA group Grimbleby Coleman was attacked in May 2015. An employee noticed she couldn’t get into a file, and IT manager Merinda Bratton saw a message in an HTML file that said the company was the victim of a CryptoWall ransomware attack.
“As soon as I saw that, I immediately shut everything down,” Bratton said.
She figured out which computer was infected and took it off the network. The IT department tried to reproduce the error to determine how the malware got in. They believe the employee had been caught in what is called a “man in the middle” attack.
“She went to a website and put in her user name and password, and it didn’t quite respond correctly,” Bratton said. “Then when she put it in again, it started to work normally. It was within 15 minutes that we noticed the file having trouble.”
Grimbleby Coleman was fortunate. No customer information was compromised, and the company had been backing up its files, so it wasn’t tempted to pay the ransom. However, the company was unable to operate the rest of the day while the files were restored.
“Our biggest thing was the downtime because you lose money when you’re down,” Bratton said.
To pay or not to pay
The question of whether to pay the ransom is one of the thorniest in cybersecurity. The dilemma occurs when the encrypted files are the only copies the company has. Its decision is then based on how long it can operate without those files.
Officially, the FBI advises against paying ransom, but it also acknowledges a company’s predicament.
“While the FBI does not support paying a ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers,” it says on its website.
When individuals and businesses do pay ransom, it can range from $500 to five figures.
Darmstandler said in every case he’s been involved with, the decryption key worked after ransom was paid.
“I haven’t seen a situation where the keys didn’t work once you paid,” he said. “But the big thing is you have to confirm that, so you have to have them unencrypt a few files before you pay the entire ransom just to have them prove that they can do it.”
In fact, Darmstandler said the cybercriminals launching ransomware attacks seem to regard themselves as legitimate businesses.
“They have an account manager,” he said. “If it’s a big deal, you have a front person you’re dealing with almost on the sales end or something.”
According to University of the Pacific associate professor of electrical and computer engineering Jeffrey Shafer, ransomware is big business, and that’s the main reason it’s growing so fast. One group includes developers who create the malware. They sell it to other groups who deploy it.
“They’ve managed to make this whole business ecosystem … with a division of labor and different groups specializing in different areas, and I think that makes it easy to grow this,” Shafer said.
In fact, cybersecurity has grown so much that Pacific will begin offering a master’s program in the fall on the Stockton campus. Even without marketing, there is already a list of 40 or so students and community members who are interested in the program.
Should you report it?
There is no hard information on the exact number of ransomware attacks, however, because businesses and individuals often don’t report them to law enforcement.
That is often because they don’t know who to call, they think their loss doesn’t deserve law enforcement attention, they blame themselves for carelessness or they don’t want to damage their business’s reputation.
The FBI urges victims to report the attacks, even if they paid the ransom.
“Victim reporting provides law enforcement with a greater understanding of the threat, provides justification for ransomware investigations, and contributes relevant information to ongoing ransomware cases,” the FBI says on its website.
Experts agree that the best way to avoid having to pay ransom is to back up data.
“If you have good backups, it’s a day of downtime to recover,” Gilbert said. “If you don’t have good backups, you’re kind of out of luck.”
He also recommends multiple layers of virus and malware protection to reduce the chances of an attack.
After their attack, Grimbleby Coleman hired DataPath to improve security and monitoring. Bratton has also increased employee training to prevent another attack.