Back in the 1970s and 80s, if you worked for a large company in Colombia, it was common to have ransom insurance. Crime was rampant, drug cartels were the norm, and the kidnapping of high-ranking individuals at multinational companies like Shell, IBM, Nestle, or Procter & Gamble was a viable revenue source for shady figures. Companies assigned security details to these people, insurance policies were taken out, and then the uncomfortable negotiation with the kidnappers ensued.
Fast-forward to today, and Colombia has gotten much safer. And while kidnapping for ransom has certainly not disappeared, a new wave of online criminals has been running a similar playbook against local governments. You’ve likely heard of SamSam ransomware. In 2018, SamSam exploited weaknesses in exposed file transfer protocol (FTP) servers, Remote Desktop Protocol (RDP) endpoints, and Java-based web servers to get into a host of networks and wreak havoc.
SamSam encrypted files, and recovering them required a payment in bitcoin. It’s ransom, perhaps not as violent as in Colombia, but the model is all too familiar. And this model hit the cities of Atlanta and Newark, the Port of San Diego, the Colorado Department of Transportation, and a multitude of universities and medical centers across the US. An estimated $30 million in losses was attributed to SamSam, and its operators collected more than $6 million in ransom payments.
In today’s context, millions of people have been forced to work from home. Remote work has its advantages, but for state and federal entities, working from home means fewer controls around employees, and risky online behavior (clicking links in spam and phishing emails) tends to increase. Ransom demands range from $20,000 to $1 million, and many government bodies simply pay up to avoid what they deem to be a giant clean-up headache. But while paying a ransom may get the entity “back to normal,” it does not guarantee that the data comes back, or that the attackers did not keep a copy. There have even been cases of criminals returning the data and then selling a copy to other cybercriminals for use later.
The big takeaway, though, is that by paying the ransom, state and federal bodies legitimize this behavior by proving it is a profitable model for the hostage-takers. The answer is not payment, but rather a robust cybersecurity policy that spells out every security control and what is expected of everyone with access. By access, we mean file shares, email accounts, data stores, and remote access to applications and databases. Intrusions are far more likely when clear rules around mobile device management and internet access restrictions are not spelled out, widely adopted, and widely understood by all employees.
An increasingly popular component of cybersecurity policies is the “principle of least privilege.” Ransomware running under a compromised account can only encrypt what that account can write to, so granting each user and system only the access its role requires, rather than broad access for everyone, limits the blast radius of an infection. Removable media devices are another vector, and restricting their use is a cheap control that closes off a whole class of attacks.
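To make the least-privilege point concrete, here is an added illustration (not code from the original post): a small model of a file share under two layouts, the flat “everyone is in the staff group” layout and a per-department layout, and a check of which files a compromised account could overwrite. The share paths, user IDs and group IDs are constructed for the example, and the permission check is the standard POSIX owner/group/other evaluation (root and ACLs are left out).

```python
"""
Blast-radius check for a compromised account on a POSIX-style file share.
Added illustration, not code from the original post. All paths, UIDs and
GIDs below are constructed for the example.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str
    uid: int   # owning user
    gid: int   # owning group
    mode: int  # permission bits, e.g. 0o660


# Constructed identities: two departments, a contractor, and a catch-all group.
STAFF_GID, FINANCE_GID, HR_GID, CONTRACT_GID = 1000, 1001, 1002, 1003
ALICE_UID, BOB_UID, EVE_UID = 501, 502, 503

# Weak layout: every file is group-writable by a "staff" group that everyone
# (including the contractor) belongs to, so one phished account can reach it all.
FLAT_SHARE = [
    Entry("/share/finance/payroll.xlsx", ALICE_UID, STAFF_GID, 0o660),
    Entry("/share/hr/reviews.docx", BOB_UID, STAFF_GID, 0o660),
    Entry("/share/public/handbook.pdf", ALICE_UID, STAFF_GID, 0o664),
]

# Least-privilege layout: each department's group owns its tree, and the public
# handbook is read-only for everyone but its maintainer.
LEAST_PRIV_SHARE = [
    Entry("/share/finance/payroll.xlsx", ALICE_UID, FINANCE_GID, 0o660),
    Entry("/share/hr/reviews.docx", BOB_UID, HR_GID, 0o660),
    Entry("/share/public/handbook.pdf", ALICE_UID, FINANCE_GID, 0o644),
]


def can_write(entry, uid, gids):
    """POSIX rule: if you own the file only the owner bits count; otherwise
    if you are in its group only the group bits count; otherwise 'other'."""
    if uid == entry.uid:
        return bool(entry.mode & stat.S_IWUSR)
    if entry.gid in gids:
        return bool(entry.mode & stat.S_IWGRP)
    return bool(entry.mode & stat.S_IWOTH)


def blast_radius(share, uid, gids):
    """Paths that ransomware running as (uid, gids) could encrypt."""
    return sorted(e.path for e in share if can_write(e, uid, gids))


if __name__ == "__main__":
    # Eve the contractor gets phished. Under the flat layout she is in "staff";
    # under least privilege she is only in the contractor group.
    print("flat share, Eve compromised:", blast_radius(FLAT_SHARE, EVE_UID, {STAFF_GID, CONTRACT_GID}))
    print("least-priv share, Eve compromised:", blast_radius(LEAST_PRIV_SHARE, EVE_UID, {CONTRACT_GID}))
    # Even an insider's account only reaches its own department's files.
    print("least-priv share, Bob compromised:", blast_radius(LEAST_PRIV_SHARE, BOB_UID, {HR_GID}))
```

On a real server the second layout is just `chgrp`/`chmod` (or the equivalent share ACLs on Windows) applied per department, with the catch-all group reduced to read-only wherever it survives; the point of the model is that the damage an attacker can do with a stolen login is exactly the set of files that login can write.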
A strong defense is bolstered by going on the offensive. Bad actors aren’t going anywhere, but you can make your employees more responsible and more adherent to policy through frequent training, regular audits, and then repeating the process. Paying ransoms is no way to go through life.