Ransomware attacks on government offices, civic agencies, and schools are on the rise, and include a January 19 attack on the St. Louis Public Library (SLPL). Ransomware is a form of malware that encrypts files on a computer or network. The individual or organization responsible for the attack then demands a ransom, generally paid to an anonymous Bitcoin account, to provide a key necessary to decrypt the files.
An average of more than 4,000 attacks per day occurred in 2016, representing a 300 percent increase compared to 2015, according to estimates in “How to Protect Your Networks from Ransomware,” an interagency technical guidance document issued by the U.S. Justice Department and U.S. security agencies. In September 2016, security ratings provider BitSight released a report from an analysis of nearly 20,000 companies and institutions, noting that the rate of ransomware attacks increased significantly for every industry examined during the 12 months prior, with the education sector facing the highest rate of attacks, and government organizations facing the second-highest.
In addition to SLPL, other attacks so far in 2017 include Licking County, OH; the library server system for Hardin County Schools, TN; Bingham County, ID; and the network of the Pennsylvania Senate Democratic Caucus.
SLPL’s attack came to a relatively positive conclusion. The library had backups for the files that were encrypted and refused to pay the ransom, according to an open letter to the community by SLPL executive director Waller McGuire. SLPL’s website, catalog, and downloadable materials were unaffected. After regaining control of the affected portions of the network, SLPL prioritized patron services. The library’s IT staff had the checkout system operational by January 20, the day after the attack, and had restored hundreds of public computers by January 21.
In the January 30 open letter to patrons, McGuire noted that “all St. Louis Public Library technology used by patrons has been restored to service…. Free printing for patrons was one of the last public services to be restored last week.”
For most patrons, the library seemed back to normal within a day or two of the attack, McGuire said, even as work continued behind the scenes to complete the restoration of the network.
“There were many 48-hour days and much exemplary work trying to quickly give the library back to our patrons,” McGuire wrote. “Staff here believe deeply in the mission of the library and I’m proud of them. Many of you have expressed concern and support, and we thank you for it.”
What to do
As SLPL’s case illustrates, regularly scheduled backups are the best insurance against ransomware attacks. Individual users should regularly back up important files to a portable hard drive or flash drive that is not regularly connected to their system and/or a secure cloud-based backup system (not Dropbox).
Restoring those backups and recovering from an attack will cost an organization time and money, but the Federal Bureau of Investigation (FBI) and other security agencies note that there is no guarantee that an attacker will provide the decryption key to unlock an encrypted system if a ransom is paid. Some attackers, once paid, immediately request additional money. Others provide the key, but then target the organization again. Others simply disappear without providing the key.
And, “paying a ransom emboldens the adversary to target other victims for profit, and could provide incentive for other criminals to engage in similar illicit activities for financial gain,” according to the FBI’s September 2016 public service announcement regarding ransomware.
However, the agency does add that “it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers.” In a fall 2016 attack on the government offices of Madison County, IN, affecting 600 workstations and 75 servers, the county’s cyber-insurance provider Travelers resolved the attack by paying the ransom, minus a deductible paid by the county, according to the Herald-Bulletin. The amount was not disclosed, but the county is reported to have spent nearly $200,000 since the attack for off-site data storage, improved firewall protection, and a backup system for its courts.
The FBI is urging victims of ransomware attacks to report these crimes—regardless of the outcome—to a local FBI office and the Internet Crime Complaint Center at IC3.gov to help the agency understand the threat, monitor the spread of ransomware variants, justify the dedication of department resources to this issue, and ultimately combat the individuals and organizations responsible for creating the malware and launching attacks. Requested information includes: the date of infection, the ransomware variant, the victim or company information (industry type, business size, etc.), how the infection occurred, the requested ransom amount, the attacker’s bitcoin wallet address, the ransom amount paid (if any), overall losses caused by the attack including any ransom amount paid, and a victim impact statement.
Separately, the MalwareHunterTeam, a group of security experts led by ransomware researcher Michael Gillespie, hosts id-ransomware, a site that enables victims to upload a ransom note or an encrypted file to identify which ransomware variant—from a group of almost 350 known types—is affecting their computer or network, and in some cases, whether a decryption key may have been published for that variant. With this method, the team also regularly discovers new variants and reports them via outlets such as the technical support and news site bleepingcomputer.com, which hosts FAQs, articles, and help guides on ransomware and other malware.
NoMoreRansom.org, an initiative of The European Cybercrime Centre (Europol EC3), the National High Tech Crime Unit of the Netherlands’ police, Intel Security, and Kaspersky Lab, also hosts more than three dozen decryption tools for common ransomware variants that have been cracked by security experts.
An affected library may also want to follow the lead of SLPL, and issue a statement to the local media and to patrons, reassuring the public that their data has not been compromised. Unlike many other forms of hacking directed at organizations, ransomware attacks to this point generally have not involved the theft of data or personal information—only encryption and, with several variants, the threat of indiscriminate file destruction if a ransom is not paid within a specific timeframe. In SLPL’s case, patron information was stored elsewhere and was completely unaffected by the attack, McGuire explained in the library’s statement.
“I want to repeat two assurances to the community,” McGuire wrote. “First, our main concern was investigating whether any personal information had been exposed by this attack. Because of the way our system is designed, patron information, such as addresses and phone numbers, is held in a remote location and kept secure. It was not accessed. If you have used a credit card at the library, that information has been recorded only on secure, encrypted lines by banks. It was not accessed.”
He continued: “Second, the St. Louis Public Library never paid any ransom. Staff brought the demand to me within moments of discovering it, and we were on the phone with the FBI moments later. Although I understand that the decision to pay can be complex for many institutions and companies, SLPL never considered it.”
Ounce of prevention
McGuire notes that SLPL’s IT staff is well aware that its network is constantly probed for vulnerabilities. In this case the point of entry was found to be a four-year-old voicemail server with an unpatched security vulnerability. Even the most vigilant staff won’t be able to fix problems that vendors don’t know about, haven’t warned their customers about, or simply haven’t fixed. Similarly, an article published last week by Government Technology describes a recent ransomware attack on the government of Livingston County, MI, that was triggered by malvertising on a trusted local news website.
But much of the usual advice about avoiding viruses and malware applies here as well. In “How to Protect Your Networks from Ransomware,” government agencies are advised to create and implement a training program to make employees and individuals more aware of these threats and how to prevent them.
As the FBI and NoMoreRansom.org advise, keep all software up to date and apply patches when available. Don’t open unsolicited email attachments from unfamiliar people or companies. More broadly, recognize that even the accounts of friends and associates may be compromised, and never open any attachments that seem suspicious, even if the source is usually trusted. The U.S. Computer Emergency Readiness Team (US-CERT), a division of the Department of Homeland Security, has published a guide to “Avoiding Social Engineering and Phishing Attacks” with more granular suggestions. And, in a May 2016 WIRED article “4 Ways to Protect Against the Very Real Threat of Ransomware,” Stu Sjouwerman, the CEO of computer security training company KnowBe4, suggests gamifying awareness training by sending employees simulated phishing attacks to help them understand what these threats look like.
Windows users should consider disabling the “hide extensions for known file types” option in Windows settings to make it easier to spot suspicious executable files that have been disguised as something else, with names like filename.doc.exe or filename.pdf.vbs. “How to Protect Your Networks from Ransomware” also suggests that IT departments set their systems to filter out executable files from incoming and outgoing emails, to disable macro scripts from any office files transmitted via email, and to assign administrator privileges to individual employees only when absolutely needed.
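To make the two points above concrete, here is an added example (not code from the article, the FBI, or the interagency guidance) that shows what Explorer displays for a double-extension name when extensions are hidden, and classifies attachment names the way a simple inbound mail filter would. The extension lists and the sample file names are illustrative and constructed, not drawn from any real incident.

```python
import os

# Added example; extension lists are illustrative, not exhaustive.
# Types Windows runs directly; the guidance says to filter these from mail.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
                   ".js", ".jse", ".wsf", ".hta", ".ps1", ".jar", ".msi"}
# Document types whose extension Explorer hides by default and which
# attackers reuse as the middle part of a double extension.
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".jpg"}
# Office formats that can carry macros (guidance: disable macros in mailed files).
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
KNOWN_EXTS = EXECUTABLE_EXTS | DOCUMENT_EXTS | MACRO_EXTS

def extensions_of(name: str) -> list[str]:
    """Every dotted suffix of a file name, lower-cased, in order."""
    return ["." + p for p in name.lower().split(".")[1:]]

def explorer_display_name(name: str) -> str:
    """Name as Explorer shows it with 'hide extensions for known file types' on:
    only the final extension is hidden, so 'invoice.pdf.exe' shows as 'invoice.pdf'."""
    root, ext = os.path.splitext(name)
    return root if ext.lower() in KNOWN_EXTS else name

def classify_attachment(name: str) -> tuple[str, str]:
    """(verdict, reason): 'block' executables and disguised double extensions,
    'review' macro-enabled Office files, 'allow' everything else."""
    exts = extensions_of(name)
    if not exts:
        return "allow", "no extension"
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        if len(exts) > 1 and exts[-2] in DOCUMENT_EXTS:
            return "block", f"{exts[-2]}{last} disguises an executable as a document"
        return "block", f"executable type {last}"
    if last in MACRO_EXTS:
        return "review", f"macro-enabled document {last}"
    return "allow", f"{last} is not executable"

def triage(names: list[str]) -> dict[str, list[str]]:
    """Group attachment names by verdict, as an inbound mail filter would."""
    out: dict[str, list[str]] = {"block": [], "review": [], "allow": []}
    for n in names:
        out[classify_attachment(n)[0]].append(n)
    return out

# Constructed sample attachment names, not taken from any real incident.
SAMPLE = ["invoice.pdf.exe", "Scan_0142.doc.vbs", "budget.xlsm",
          "minutes.docx", "photo.JPG", "notes"]
```

Running `triage(SAMPLE)` blocks the two double-extension names, holds the macro-enabled workbook for review, and passes the rest; `explorer_display_name` shows why a user with extensions hidden would see only "invoice.pdf".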
Individual users could consider disabling remote desktop connection and remote assistance features as well, although this won’t be practical in many workplace environments in which IT departments use these features to help staff and troubleshoot workstations.
NoMoreRansom.org encourages individuals to use antivirus software with heuristic scanning/analysis features and be sure to leave those features activated, enabling the software to detect newer, undiscovered malware variants based on suspicious behavior by a program.
And employees should know to immediately power off a network-connected workstation or device if they believe it has been infected with ransomware, and then notify IT.