It began with an early morning phone call and instant fear for the technology director of Horry County, South Carolina's school district. Computer servers were acting unusually, and Charles Hucks listened as his administrators described frozen computers and a cryptic message spreading across computer screens.
Hucks raced to shut down the system before the unidentified virus could spread, but in minutes, up to 60% of the school district's computers were frozen. Hackers had encrypted the school's data, and that cryptic message was a ransom note.
"They said, 'Hey you want to free your data? Pay us,'" Hucks told CNN.
The school district nestled in the far northeast corner of South Carolina's coast became the latest victim in a crime wave racing across the globe.
Experts call the crime "ransomware," where criminals lock digital files, like text documents and pictures, and demand a ransom before the system is unlocked. The FBI says it received 2,453 complaints about ransomware hold-ups last year, costing the victims more than $24 million. Victims often pay because, so far, authorities like the FBI have been unable to stop it. That was the conclusion reached by the Horry County School District.
"You get to the point of making the business decision: Do I make my end-users — in our case teachers and students — wait for weeks and weeks and weeks while we restore servers from backup? Or do we pay the ransom and get the data back online more quickly?"
Earlier this year, officials at Hollywood Presbyterian Hospital in Los Angeles said they paid the Bitcoin equivalent of $17,000 to cybercriminals after patient and doctor records were locked for almost two weeks. The hospital says it had to resort to handwriting to cope with the computer lockdown.
That has left many small- to medium-sized companies unable to defend themselves against the attacks, which often enter computer systems through unwitting employees. The ransomware pops up in emails, photos, Internet links and "dozens" of other ways, according to an industry analyst.
The U.S. Computer Emergency Readiness Team (CERT) recommends taking the following actions:
- Perform regular backups of all critical information, keep data on a separate device and keep backups stored offline.
- Maintain up-to-date anti-virus software and keep operating system and software up to date with the latest patches.
- Do not click on unsolicited web links in emails, and use caution when opening email attachments.
The FBI discourages businesses from paying the ransom, "as this does not guarantee files will be released."
Privacy and security expert Kate Borten, founder of consulting firm The Marblehead Group, says that the FBI's advice about not paying a ransom is well grounded, but likely unrealistic for some organizations struggling desperately to unlock their data in the wake of a ransomware attack.
To mitigate the risk of nation-state attacks, the FBI recommends:
- Recognizing internal and external security threats to the entity's sensitive data and implementing a plan for safeguarding it;
- Confining access to an entity's sensitive data to a need-to-know basis;
- Providing training to employees about its data security plan and how to avoid email attacks involving phishing;
- Avoiding storing private information on any device that connects to the internet.
The U.S. CERT advises organizations to mitigate the risks of a cyberattack on smartphones by implementing such security practices as:
- Enabling the password feature on mobile phones, as well as enabling encryption, remote wipe capabilities and antivirus software;
- Checking what permissions mobile applications require. If the permission seems beyond what the application should require, do not install the application;
- Setting Bluetooth-enabled devices to non-discoverable;
- Avoiding the use of unknown Wi-Fi networks and public Wi-Fi hotspots;
- Deleting all information stored in a device prior to discarding it.
Fitzpatrick, David, and Griffin, Drew. “Ransomware crime wave growing.” CNN Money; first published April 4, 2016: 5:38 PM ET
McGee, Marianne Kolbasuk. “Thwarting Healthcare Cyberattacks: New Guidance.” ThreatsDataBreachToday; Information Security Media Group; April 6, 2016.