On October 22, 2021, Kogod dean John Delaney interviewed professor and director of the Kogod Cybersecurity Governance Center, Heng Xu, and FBI assistant special agent in charge and cybersecurity investigator Brett Leatherman.
This Kogod Connections webinar focused on ransomware—a particularly salient topic during National Cybersecurity Awareness Month.
The webinar began with Professor Xu defining ransomware as a type of malicious software. Generally, ransomware is an attack designed to gain access to confidential data. Attackers threaten to share this information unless the owner of the information pays a fee. An attack can begin with a simple link, an email attachment, or a virus. Often, ransomware starts on one device where the malware is installed, then spreads to other devices on the network connected to an external server that the attacker controls.
Xu explained the first-ever ransomware attack in 1989 when attackers went after AIDS researchers. The malware was distributed via floppy disks and embedded into a questionnaire designed for AIDS researchers to determine patients’ risk of contracting the virus. The floppy disks with the malware were distributed to 90 different countries and caused the contents of the computers they were inserted into to scramble. The attackers would only unscramble the contents of the devices in return for a fee.
Dean Delaney posed several questions to both Leatherman and Xu, such as: Who is targeted for ransomware attacks? Should you pay a ransom fee? How do these attacks affect victims and the public? What should you do if you do experience a ransomware attack? How can you prevent an attack?
Individuals often overlook the threat of ransomware–aren’t ransomware attacks only targeting huge companies? Why would individuals working from home and small to medium-sized business owners need to worry about such a thing? “When this happens to large companies, it makes headlines because it impacts so many people. When an individual or small business owner sees these things on the news, they think they can ignore this. This is no way to operate in today’s environment,” explains Leatherman. “Most of the events that the FBI responds to and are aware of are happening among small to medium businesses. They just don’t command the headlines that the other places command.”
The bottom line is, if you hold data that is important to you or anybody else, it has value. It is also easier for attackers to target a small company.
Ransomware attacks have been on the rise since 2020. Xu explains that this is partially due to the blurred lines between work and home devices. With more people working from home, people may be opening secure documents on shared devices. What happens if a child unknowingly clicks on a malicious link and the entire device becomes compromised?
Ransomware attacks are also on the rise because they have become so lucrative for hackers. They wouldn’t keep targeting people and companies if they weren’t compensated. When Dean Delaney asked if people should pay the ransom fees to get their data back, Leatherman said that the FBI advises people not to pay. “There is no guarantee that you will get your data back even if you pay the fee. You also likely won’t find out how they gained access because you’ll pay, and you won’t have a root cause analysis, so the criminal will come back again."
Paying ransom fees also funds criminal enterprises. “If a hospital is hacked and they pay the million dollars to get the data back, in theory, the criminal could use that same million dollars to come back and suicide bomb the same hospital–you could be funding terrorism,” warns Leatherman.
Fear and time pressure manipulate victims into paying fees. “If we fall into this, the ransomware market will continue to grow, and collectively it will be harder to stop it,” says Leatherman. It’s easy to want to pay to get data back when it impacts people on such a broad spectrum. For example, hospitals tend to settle quickly because they need access to data to see what medications were given to patients and when. DC residents also experienced the consequences of a ransomware attack earlier this year when the Colonial Pipeline was hacked, and we had to wait in line at the few operating gas stations since many had run out of fuel.
Xu, a privacy researcher, warns that everyone has to expect that a ransomware attack will happen to them. Nothing is 100 percent secure on the internet, no matter how great your defense systems are.
If you are targeted, there are a few things you need to do. “Find someone with experience, such as law enforcement, and consult them. Then think about response and recovery from a business perspective. What assets were impacted? Once identifying the leakage point, immediately isolate it so the malware doesn’t spread through the network. If you can’t disconnect the impacted devices from the network, power them down. Prioritize which things are most important for recovery–what data needs to be back up in minutes, hours, and days,” says Xu. “Document everything about damages and the investigation process. This plan should be part of your business’s routine risk management assessment.”
Several things can be done to make it more challenging for an attacker to breach your devices and easier for you to mitigate any potential fallout in advance.
“Multi-factor authentication systems are being used at AU now to keep data more secure, and you can do this on an individual level too. You should also back up your data–even to protect yourself if you lose a device,” says Xu.
“Air gap your back-ups so those can’t be accessed by attackers, and also keep an older back-up separate and encrypted,” adds Leatherman.
“Sandboxing creates virtual boundaries around personal and business applications on phones. This can keep important data isolated now that work and home life has become more blurred,” adds Xu.
Companies shouldn’t rely on IT professionals alone to keep their organizations safe. Executives, the board, and anyone involved with risk management should play a key role in cybersecurity. “Mid-level managers can’t be expected to make decisions for privacy and security without support and education,” says Leatherman.
Leatherman is hopeful that new regulations will be put in place to make cryptocurrency–the chosen form of payment for these crimes–more secure. After 9/11, the Patriot Act was put into place to enhance law enforcement and strengthen money-laundering prevention to deter and punish terrorists. Leatherman thinks we will see regulations like the “Know Your Customer” laws under the Patriot Act emerge as cryptocurrencies mature.