How Florida companies can protect themselves from ransomware attacks
A rash of ransomware attacks in Florida offers some lessons in cyber-security for business and government.
Last summer, hackers infiltrated the computers of WMNF 88.5-FM radio in Tampa and encrypted the station’s pre-recorded promos, archived news reports and other files. The cyber-crooks also knocked the station’s live broadcast off the air and told the station in a digital message that if it wanted its files back, it would have to pay up. The station didn’t pay and has spent more than $5,000 restoring files and repairing its system.
A recent report by Beazley Breach Response Services, a unit of specialist insurer Beazley that focuses on cyber-incidents, found that 71% of ransomware attacks in 2018 targeted small businesses and organizations like WMNF, with an average ransom demand of approximately $116,000 and a median ransom of about $10,000. Other recent reported targets have included Florida ISP Network, a Tallahassee broadband provider; FABEN Obstetrics and Gynecology in Jacksonville; Dr. Carl Bilancione’s Maitland dental practice; and Congregation Ohev Shalom, a Maitland synagogue.
In addition, between April and June, at least five Florida municipalities were hit with ransomware that paralyzed their systems and collectively cost their insurers nearly $1 million.
Roger Grimes, a “data-driven defense evangelist” with Clearwater-based security awareness firm KnowBe4, has spent much of his career advising companies about how to thwart malicious attacks. Over the past couple of years, he’s watched ransomware thieves grow more sophisticated.
Once upon a time, he says, cyber-extortionists would break into a computer and make a quick demand for money. Today, they take their time and explore how to maximize their revenue. “They’re staying in there for weeks to months trying to figure out what’s the best critical systems to lock up and how to encrypt the backups.”
In theory, a good backup system should negate the threat of ransomware. The reality, Grimes says, is that most backups aren’t properly tested or stored in a way to ensure that critical systems will actually work when restored. He suspects the “vast majority” of IT workers who swear they’ve tested their backups might have restored a few files successfully but have never done a full system restore. (When Grimes says this to IT audiences, he usually sees a sea of bobbing heads, he says.)
Another common flaw Grimes sees is backup systems that are connected directly to the main systems. Today’s strains of ransomware can hunt down those backups and encrypt them, too. That’s what happened to the city of Mexico Beach when it got hacked last April; Lake City also lost some backed up data in a similar fashion.
Some cities have switched to what’s known as a 3-2-1 backup rule that maintains three copies of data on two different types of media, such as disk and tape, with one copy backed up off site. Sarasota switched from tape-only backups to a multiple disk and tape system that followed the 3-2-1 rule through a Swiss-based vendor called Veeam in 2015. Four months later, a cyber-extortionist encrypted millions of city files, but with its backups the city was able to get its systems up and running within 14 business hours — and avoided paying a $34-million ransom demand. The city is on track to add cloud backup this year.
Herminio Rodriguez, Sarasota’s IT director, says cash-strapped cities might scoff at the idea of spending $150,000 on a backup system, but having that system and rehearsing for an attack were the only reasons Sarasota came out of the crisis unscathed. “Not once did I sit with my city manager and talk about paying the ransom. We never had a conversation like that. I knew where my data was, and I knew the data was safe.”
Good backups are better than decryption key codes that unlock and restore encrypted files for other reasons, experts say. Some decryption keys simply don’t work and others don’t work well enough, fixing some data but leaving other files permanently corrupted.
Focus on ‘Frequent Clickers’
With scammers using sophisticated techniques to trick a person into clicking on something they shouldn’t or giving up confidential data, cyber-experts say it’s critical that companies train employees how to recognize phishing attempts — especially those that appear to be from someone they trust. Organizations also need to pay extra attention to a subset of employees known as “frequent clickers” who are more apt to fall for such schemes.
The 2016 ransomware attack in Sarasota started as many do, with a realistic-looking e-mail about an “invoice” to an unsuspecting employee in the police department. When the worker clicked on the fake invoice attachment, it refused to open and unleashed a malicious software program that spread throughout the city’s network.
The more recent phishing e-mail that set off Lake City’s attack also involved an invoice that appeared to be from one of the city employee’s contacts. To make it seem even more legitimate, it mentioned a previous e-mail conversation the two had. In both cases, making a simple phone call to the supposed sender of the e-mail might have averted the attack.
“At the end of the day, this all starts with some employee clicking on some e-mail attachment or a link that they should never have clicked. It goes back to education, which I’ve been preaching since 2014,” says Sri Sridharan, director of the Florida Center for Cybersecurity at the University of South Florida.
Matthew Canham, a research assistant professor of cyber-security at the University of Central Florida’s Institute for Simulation and Training, says the behavior of a few can create big problems for a company.
Looking at the data of one organization, Canham found that fewer than 1% of its 6,000 employees were repeat clickers. But those workers had failed seven or more simulated phishing exercises in a one-year period and made up nearly half of the failures in one training exercise.
“If as an attacker I can identify who those people are and target messages to them, then my probability of success goes up tremendously. As an attacker, all I need is one success,” says Canham, who is conducting research to identify personality traits that might predict those who are “security vulnerable.”
He thinks research findings on “accident-prone personality” types might provide some clues. Robert Hogan, a personality assessment researcher, found that people were more prone to workplace accidents if they were defiant, panicky, irritable, distractible, reckless or arrogant.
Canham believes companies may be able to use that information as a screening tool for hiring or at least as a basis for additional training or putting additional protections in place.
Invest in Cyber-Insurance
According to the Florida Association of Insurance Agents, only 30% of organizations purchase cyber-policies. In addition to covering ransoms and helping to negotiate a ransom response, comprehensive policies may also cover a computer forensic analysis to determine how the attack happened and how bad the damage is, business interruption costs, legal expenses related to compromised data and public relations costs to help a company or brand recover its reputation.
Law enforcement agencies argue that paying a ransom only encourages attacks. It’s also a gamble because there’s no guarantee that paying a ransom will result in getting all files back in working order. Nonetheless, surveys suggest that somewhere between 40% to 70% of targeted businesses pay the ransom.
Cyber-insurers tend to take a pragmatic approach. After Lake City lost its e-mail systems, telephones and other services in June to a ransomware attack dubbed “triple threat” because the malware targets systems through three methods of attack, the city attempted to restore its system. The League of Cities, which insures Lake City and other municipalities, did a cost-benefit analysis that suggested it would be cheaper to just pay the ransom. Lake City paid a $10,000 deductible, and its insurer covered the rest of the $460,000 payment. The league declined to comment for this story.
Atlanta, by comparison, refused to pay a $51,000 ransom after hackers knocked its systems off line in 2018 and may have to spend upward of $17 million repairing the damage. And the city of Baltimore recently dipped into its parks and recreation fund to help foot the bill for a May 2019 ransomware attack that could ultimately cost $18.2 million to fix. Baltimore Mayor Bernard C. “Jack” Young is now urging other city officials to purchase $20 million worth of cyber-liability coverage for $835,000, according to the Baltimore Sun.
Hackers usually rely on tricks and traps to coax people into clicking on malware that sets off ransomware attacks. But MIT post-doctoral associate and researcher Gregory Falco says businesses and governments hit by ransomware can use the same sort of psychological manipulation to improve their footing when negotiating with cyber-crooks.
The first step, he says, is coming to terms with the “worst outcome” — whether that’s losing all your data, paying a ransom or spending millions of dollars on remediation. “All of that acceptance is obviously very difficult to swallow, but it kind of gives you a starting point on how aggressive you want to be with negotiations,” says Falco, co-author of a recent study on ransomware negotiation strategies in the Journal of Cyber Policy.
After that, he says, you need to select a ransom negotiator, come up with a strategy and start haggling. The key to successful negotiations, he says, often comes from considering a hacker’s motive. While some hackers are after money, others are looking for the cyber-street cred that comes with wreaking havoc. He suspects that’s often the case when local governments come under attack. “If their motive is to cause chaos, then you demonstrate they’ve caused some chaos. Then ask for a reduced payment.”
Joe Partlow, chief technology officer for Tampa cyber-security firm ReliaQuest, warns that paying a ransom isn’t always straightforward. “There can be hurdles to properly set up and fund an account” — and that can cause trouble when the clock is ticking. He advises having a cryptocurrency wallet ready to use in advance and looking for ransomware decryption keys and tools that “already may be publicly available” before paying.
The surge in ransomware attacks is spurring the growth of a new niche insurance product: Cyber- extortion coverage.
Insurance giant AIG, for instance, offers cyber-extortion coverage under its “kidnap and ransom” suite of products. Other companies offer similar protections under broad or bundled cyber-policies that cover everything from ransomware to wire transfer fraud to telephone hacking to data breaches.
While cyber-experts agree that cyber-insurance is a business necessity, buying a policy can be tricky. “Insurance companies just don’t write a cyber-insurance policy without asking a lot of questions,” says Sri Sridharan, director of the Florida Center for Cybersecurity at the University of South Florida.
Many insurers require an intensive audit examining a firm’s vulnerabilities and then write policies based on those findings. Some policies contain more exclusions than inclusions, he cautions, so companies need to read the fine print. One Florida business, he says, experienced a breach but didn’t get a penny from its insurer because the company had failed to provide cyber-security retraining to its employees every three months as the policy required.
Companies such as San Francisco- based CyberPolicy, meanwhile, want to make it easier for small and medium-sized businesses to get coverage. Chief Strategy Officer Anita Sathe says CyberPolicy operates almost like an Expedia for cyber-insurance: Businesses can go to CyberPolicy’s website, answer a few questions about their risk factors and security practices and get quotes from several carriers.
CyberPolicy’s annual premiums range from $221 to $18,878 in Florida. The Florida Association of Insurance Agents says the majority of small to mid-sized businesses can purchase a stand-alone cyberpolicy for just under $5,000.
In a ransomware attack, Sathe says, the cyber-insurer will typically call in a “breach coach” and forensics experts to determine the extent of the damage and come up with a game plan — whether to pay the ransom or try to rely on a backup.
While all policies are different, many cover everything from crisis communications expenses to legal bills to lost revenue, she says.
Florida is CyberPolicy’s second-largest market after California, but Sathe sees plenty of room for growth in a global market that’s at about $4 billion today and could hit $23 billion by 2025. “I do think we are still scratching the surface here. I feel like I almost think this should be a mandated policy to have, just like workers’ compensation or car insurance.”
Ransoms are just one of the costs associated with a ransomware attack. Lost productivity, damaged equipment and remediation efforts can increase the costs considerably. On its website, insurance carrier Chubb provides this estimate o f costs from an actual claim from a car component manufacturer that was hit by ransomware. While the original ransom demanded about $12,200 in bitcoins, the remediation process cost six times that amount.
Ransomware Attacks on Governments in Florida
More than two-thirds of ransomware attacks target businesses — most often, small businesses — but between April and June, at least five Florida municipalities were hit with ransomware that paralyzed their systems and collectively cost their insurers nearly $1 million: Mexico City; Stuart; Lake City; Riviera Beach; and the Village of Key Biscayne.
Catching Them Is ’Like a Lightning Strike’
In January, FLORIDA TREND reported on the arrest and conviction of Raymond Uadiale, a former Miami Dade College adjunct math professor and Microsoft employee, for his involvement in a ransomware scheme. Uadiale’s case was unusual because only a handful of ransomware crooks ever get caught.
One reason is that internet crimes often go unreported. Another is that cyber-criminals are notoriously hard to track down and many reside in countries that won’t honor U.S. warrants. Case in point: In 2018, a federal grand jury indicted two Iranian men it alleges were behind recent ransomware attacks on Atlanta, the port of San Diego, Kansas Heart Hospital and others — but because the U.S. does not have an extradition agreement with Iran, the two men remain at large.
“In my 32-year career, I have identified hundreds and hundreds of hackers by name and maybe heard of three of them being arrested,” says Roger Grimes, the Clearwater cyber-expert. “They do get caught, but it’s like a lightning strike.”
Cyber Florida’s “Guide to Ransomware Prevention” provides these tips for governments and businesses:
- Create multiple backups for all critical data; use a cloud backup that contains “multiple iterations of backups” in two separate physical locations.
- Stay current with all manufacturer updates and patches.
- Provide cyber-security awareness training to all employees and repeat often.
- Put in place a cyber-incident response plan, as well as a business continuity and disaster recovery plan.
- Enable all spam filters, firewalls, anti-malware solutions and other security features.
- Restrict access to system and files to only those who need it.
- Isolate older “legacy” systems that no longer regularly receive manufacturer updates from other systems.
- Disable macro scripts from Microsoft Office files that are transmitted via e-mail.
Read more in Florida Trend's November issue.
Select from the following options:
* offer valid for new subscribers only