This article is adapted from Disruption by Design: The Escalating Ransomware Threat, a TechSurveillance report released in September 2016 by the Cyber Security Work Group in NRECA’s Business & Technology Strategies unit. The full report was written by Eric Cody, a consultant who has worked with NRECA, statewide co-op associations, and individual electric co-ops for more than 15 years.
A cyber attack that freezes businesses and individuals out of their own computers has increased its assault on corporate America and prompted warnings from U.S. law enforcement.
Cyber criminals use so-called “ransomware” to enter and spread through a home computer or a business’s network, preventing access to data and threatening to lock files away forever unless a ransom is paid.
Electric co-ops are not immune from this evolving threat, warns Eric Cody in a new report from NRECA’s Business and Technology Strategies (BTS) unit. If anything, he says, utilities may be among the potential targets of such crimes, and some have already been attacked.
Ransomware finds its way into a business’s computer network through seemingly harmless attachments or clickable links in e-mails. When an unsuspecting employee opens the bogus PDF or clicks on the hyperlink, it allows an insidious program to creep onto the user’s device and potentially spread through the organization’s network, encrypting files or blocking access to them for network users across the business.
Users then receive a notice that their data has been encrypted and a demand for payment, often in bitcoin, for the decryption key along with a ransom deadline. The message is disturbing:
“Your personal files are encrypted!” a headline says at the top of a red field filling the victim’s computer screen. A deadline clock in one corner amps up the anxiety by counting down the hours, minutes, and seconds the perpetrator has given the victim to consider the damage of losing his or her files and to pay up.
“To decrypt the files, you need to obtain the private key.” That key is located “on a secret server on the Internet” that will be destroyed when time runs out on the countdown clock. “After that, nobody and never [sic] will be able to restore files.”
That message, sent to an individual computer user three years ago, demanded $300. But cyber criminals using ransomware have grown more greedy since then. Last winter, a California hospital paid $17,000 in bitcoin to regain access to its files.
“It’s about money, plain and simple,” says Cynthia Hsu, BTS cyber security program manager. “Ransomware is profitable, and that financial motive is driving criminals to create more sophisticated versions that continue to get better at invading your network.”
Ransomware attacks have also grown in number. By one estimate, a single form of ransomware known as “Locky” attempts to gain entry to 90,000 computers every day. Another type, “CryptoWall,” has reportedly cost U.S. victims in excess of $325 million. And a computer threat consultant found that the percentage of computers among its clients reporting ransomware on their drives surged from less than 15 percent in February 2016 to more than 70 percent the next month.
“Ransomware has been around for a few years,” the FBI’s cyber division stated in April, but these kinds of attacks started to climb in 2015. “And if the first three months of this year are any indication, the number of ransomware incidents—and the ensuing damage they cause—will grow even more in 2016.”
Why the Worry?
Cody points to three key factors that can leave co-ops vulnerable to ransomware attacks:
Limited information technology (IT) staff and resources to address the threat and respond to ransomware incidents.
Lack of ready access to the advanced IT expertise and highly trained cyber security personnel or services required to build and maintain a segmented computer network and layered defenses to block attacks.
Large quantities of corporate files, operations applications, and members’ personal and financial information, all of which a co-op relies on to do business. Co-ops are hardly the only potential targets of this form of cyber crime, Cody adds. “Almost 50 percent of U.S. businesses surveyed in June 2016 reported a ransomware incident within the past 12 months,” he says.
The fallout from inaccessible business data files can range from lost productivity and down time—which can last for days—to recovery costs, negative publicity, legal expenses from lawsuits and possible findings of negligence, costs for credit monitoring services for employees and members whose data may have been compromised, and even harm to employee productivity and morale as security policies are tightened in the attack’s aftermath.
And that catalog of injuries doesn’t include the straight dollar cost of paying a ransom.
To Pay Or Not To Pay
There is a fair amount of uncertainty and conflicting advice around whether to pay the data ransom. In effect, it’s paying a reward for criminal behavior.
The FBI advises against paying, in part because it may not work anyway.
“Paying a ransom doesn’t guarantee an organization that it will get its data back,” says James Trainor, assistant director of the bureau’s cyber division. “We’ve seen cases where organizations never got a decryption key after having paid the ransom.”
What’s more, ransom payments are all too likely to simply make the problem worse. “Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity,” Trainor says. “And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
Cody makes the same arguments in his NRECA report, noting that after paying, some ransomware victims have reported “they have been told more money would be needed to recover access to their files.”
In the end, Cody says, whether to pay the ransom “will be a business decision.” But other actions can be considered ahead of time to reduce vulnerability to ransomware.
Building the Defense
In the report, Cody doesn’t attempt “to describe in technical detail the steps electric cooperatives can take” to prevent or recover from a ransomware attack. Not only would such details give valuable information to cyber crooks, but any discussion of firewalls and patches would likely be obsolete before the ink dried on the final report.
However, Cody says, his research led to “a number of steps electric co-ops can consider taking immediately without major expense to mitigate the risks.” The steps that are possible, reasonable, and appropriate may vary from co-op to co-op:
Staff and board education. Cody recommends a campaign “to maintain a high level of awareness for all computer users, including managers and board members, of the threat and how their personal actions can either facilitate or thwart attacks.” Policies and procedures should also be developed to hold the co-op’s computer network users accountable for complying with cyber security efforts.
Tighter data access and modification policies. “Minimize or eliminate user privileges to access and modify files that are not required for a specific user’s job,” Cody says, and review user privileges, access, and permissions once a month. “Limiting user permissions can limit the ability of ransomware to spread.”
Periodic backups of critical business data. Backup should be performed on all data storage devices, and the backup information should be held in a separate storage device physically disconnected from the network when not in use. “The frequency of backups should depend on how often the data and files change, and how critical the data and files are to business operations.”
Rigorous recovery tests. Co-op managers need to know how quickly and safely they can restore files from backup if they’re lost or taken hostage by computer criminals.
Stress to management their status as individual potential targets. Cody says “managers and department heads … are specific and often personalized targets of ransomware due to the importance of their personal work files and their authority level over network assets.”
Name and train a cyber security chief. A co-op should “identify a key person to be responsible for cyber security and invest in their training and authority to implement cyber security best practices.”
Insulate the main corporate network from operational functions. “Maintain physical separation between the main corporate network and SCADA/operational system networks,” Cody recommends. “And ensure that operators of mission-critical systems use computers, networks, and accounts that are separate from the computers, networks, and accounts that are used to interact with the Internet or enterprise systems.”
Hsu notes that NRECA will soon launch a program aimed at helping small and mid-sized co-ops implement cyber security protections. Dubbed RC3, shorthand for Rural Cooperative Cyber Security Capabilities Program, the initiative will offer resources for co-ops to protect themselves from ransomware attacks and help them minimize damage should an attack occur.
Cody adds that many free resources exist for co-op IT professionals to consult when planning and implementing ransomware countermeasures.
He concludes his report with a warning for co-op managers:
“Ransomware is a mainstream issue that could threaten the smooth functioning of the electric service business. Failure to confront this threat, to take prudent and reasonable steps to thwart attacks, and, in the worst-case scenario, to ensure rapid recovery when a network is penetrated will expose the cooperative and potentially its members to significant and avoidable repercussions.”