Protect Your Agency from Ransomware
The biggest cyber threat to your agency in 2016 may not be a data breach, but a ransomware attack. I’ve had several agency owners tell me they have been a victim and have had to paid a ransom to get access to their compromised networks.
Ransomware is a type of malware that gains access to your computer system and makes either the entire system or the data on the network inaccessible by encrypting the information. The attackers then attempt to extort payment from the business in return for receiving the encryption key.
The healthcare industry seems to be especially vulnerable.
Incidents at Titus Regional Medical Center in Texas and the Hollywood Presbyterian Medical Center appear to be the start of a series of ransomware attacks on the healthcare industry this year.
Three California hospitals owned by Prime Healthcare Services, King’s Daughters’ Health in Indiana, Methodist Hospital in Kentucky, as well as Maryland/D.C.-based MedStar Health were all hit by or allegedly affected by ransomware in the past few months.
The reported amounts paid in ransom range from a few thousand dollars to $17,000.
- Virus Hits TRMC Computers
- Hollywood Hospital Pays $17,000 to Ransomware Hackers
- Two More Hospitals Struck by Ransomware, in California and Indiana
- FBI Investigating Cyber-Attack at Methodist Hospital in Henderson
- Ransomware Attack Hits Medstar Health, Network Offline
Is your agency secure? Unlikely!
Ransomware is not new. It first appeared when the Internet became more popular in the early 90s and had been around in various forms since. However, ransomware activity has significantly increased lately. Because acknowledging a ransomware attack involves owning up to vulnerabilities or mistakes, it is believed that only a small fraction of them are reported.
I talked to Mark Parrish, owner of Ajasent, a managed service provider that specializes in insurance agencies, to get his take on how ransomware is affecting his insurance agency clients.
During March, April, and May of this year, Mark received two to three calls per week from agencies that suffered a ransomware attack. This is the worst cyber-attack occurrence he has seen.
If an agency has not taken specific preventative steps to protect against a ransomware attack, his advice is to pay the ransom.
He suggests the following steps any agency can take to protect themselves:
- Have a backup (he received a call from an agent in Florida the week before I talked to him and that agency had never done a backup of agency data).
- Test your backup to make sure it is actually usable.
- Make sure you have a commercial grade virus protection program in place.
- Make sure you have a web filter to prevent your staff from going to malware sites. Malware sites account for 10 times more problems than viruses attached to emails.
- Have an agency-wide policy detailing expectations of staff for protecting the agency from any type of cyber-attack.
- Make sure everyone in your organization practices safe computing. Don’t connect to public Wi-Fi hotspots, be overly cautious about clicking on links in emails from unknown or unrecognized people, be very careful about opening email attachments even from people you know (their email could be compromised), and keep security software up to date – to name just a few.
- Think about creating and funding a Bitcoin account. Almost all require the ransom be paid using the cryptocurrency Bitcoin. It can take up to five days to set up a Bitcoin account. Many ransomware attacks will automatically double the amount of the ransom after two weeks. If you don’t have a plan in place, you could face a higher ransom.
Talk to your clients about how ransomware could affect their organization. While there is no insurance policy that I am aware of that will cover a ransomware attack, you can help them think through the risk management process so they can be better prepared.
Moreover, don’t be the cobbler with holes in his shoes! A ransomware attack could significantly impact your agency. Your organization will be better able to respond to an attack if you take the time today to think through your options and adequately prepare.
What have you done to plan for the possibility of a ransomware attack? Let me know in the Comments section.
We use White Cloud Security. This is Trust-Listing which is a little different then white-listing. I know that a few in my office still click on links in suspicious emails because they ask me why something won’t open. We train and they get busy and it happens but everything trying to get in is blocked. It’s wonderful. The other plus is that from any internet connection I can “blue screen” a laptop if my team were to lose one so sensitive information is safe. free trial at whitecloudsecurity.com
Kicker, you certainly are taking the right steps to protect your organization.
Steve,
Cap Specialty has a Network Extortion Threat Coverage Endorsement (Form #E-C-CPR-4131 (5-14). Coverage applies in excess of a $2,500 deductible. Form states that, “We will reimburse the Insured for a Network Extortion Payment …which the insured paid to a person or entity to avert, prevent, or stop … Form still require report to carrier before payment is made. Thought you might want to know there are efforts out there to insured against this loss.
Jeff, thanks for letting us know about this possible coverage information.
We have had 5 attacks since April. All came in through an employee clicking on an email link/attachment. The first 3 actually started the encryption process however we caught the activity right away and do have backup tapes and we restored the data so no ransom paid. After that we did the following:
1. Subscribed to KnowBe4 security. They have training modules for users and templates that can be sent out to test users knowledge on what not to click on. We can see who clicked on a link or an attachment. The training was mandatory and shows passed or failed. We will continue to send out the training videos every so often and continue to send out the phishing emails to see where our weakest links lie and provide additional training.
2. We created a “honeypot” program that sits at the root of all our network drives. Originally, it struck only the main network drive but the next one struck every drive simultaneously. Also ransomware will go everywhere the infected person has rights to.
I think the single most important way to combat this is user training and KnowBe4 is the best. It provides an admin console to track your Phishing test by user and the training modules are really good.
Leslie, the Ransomware issue is compounded in larger organizations simply due to the fact that you have more employees who will click when they shouldn’t as you’ve described here. Thanks for being willing to share the information.
I was hit with the Ransomware back in Feb, 2016. All my documents from Word, excel, copied emails to PDF file etc.. were affected, including everything in my external hard drive backup) and my cloud. What saved us was a backup we did 6 months prior on another hard drive. The only recommendation I would include is to backup everything on another hard drive and disconnect it. I know this seems like a lot of work but believe me it was a life savor. PS: The ransom you pay doesn’t guarantee you that you will get your data back.
Anthony, thank you for sharing your story.
This spring one of our producers had her SurfacePro attacked by Ransomware. We utilize TAMonline (soon to be EpicOnline) and the attack was confined to her local hard drive. This contained little or no client/prospect data since our protocol is for all business to be conducted via our Agency Management System. As a result we were able to make the call to simply erase and reformat her hard drive vs. paying ransom. Still, it was a shock and caused us plenty of worry that day!
Steve:
Your article was timely.
We were hit on Monday between 2pm and 3 pm. 95,000 infected / locked files. The employee who noticed it on her PC, one of 35 in my office, was smart enough to say “this does not look good” and walked 600 feet to I. T. She later told me she never saw an I. T. person run so fast to turn off her computer and disconnect it from the network. Think O. J. running through the airport in the old Hertz Rent a Car ads and you get the picture.
Establish a bitcoin account, sorry, no way but I will not criticize others for doing so.
Our 3pm backup was compromised so we restored from our backup made at noon. We called a security firm that we hired in 2014 and again 2015 to try to hack us. They found some small holes each time and we changed things to close the holes. An hour on the phone with the security firm, allowing them to remote in and by 8:30 pm we were back up and running. I am fortunate to have two I T people on staff. The senior guy is on vacation this week in Cape May NJ and in a typical “geek” reaction was mad he was not here when it happened. Not because he wanted it to happen but since it did he felt it was his job to be here. But he remoted in and did some work.
We are now backing up every 30 minutes. I may not be correctly stating this but with VMWare and a “SANS” device with 12 terabytes of space it is easily done. My head of I T, when he returns, will look at why Symantec Endpoint protection not catch this (we always have an up to date version) and look at perhaps adding Malwarebytes Endpont Security as another line of defense or as a replacement. He will read your article.
Also we use AppRiver to filer all of our e-mail.
We will provide more employee education.
I was lucky, it was a shout across the bow and a not a direct hit. It also shows I have a good staff.
How secure should I feel when it comes to back ups since we are on Tamonline? I know they do the back ups and there have been only 2 times in 10 years that we had to go back in time because of issues- that weren’t virus related. We have lost a computer that went dead after getting into an email. But new laptop and we were back up and going.
Kathy, I would feel pretty secure about using the TAMOnline backup process. The thing I would recommend you double check is to make sure that the files located within your agency are also backed up. These would be the files in your local network, not the ones within the TAMOnline environment.
What government agency do we report the attack to?
Cameron, this is a great question. You certainly could report to local law enforcement, but it is unlikely they have the expertise available to do much for you. The FBI is certainly tracking this, so you could report to them. I am not sure where or how that reporting process would take place. If you find out anything let us know.