One strategy for hackers to monetize an infiltration of a company’s network is to encrypt a key chunk of data and then demand that the organization pay some amount of money for the key to unlock it. To make it scarier: the company can’t know whether the data has just been locked or whether the hacker has downloaded copies as well. It can be hard or impossible to find out while the files are still encrypted. This can make it very tempting to pay up.
Robert Shaker II, CTO for Symantec’s Global Incident Response team, says that companies should never pay hackers to unlock ransomware. “The first thing that happens is you go on a payers list,” he told a room full of cyber security professionals and business executives at the 2015 Cyber Security Summit in Midtown today. If you go on a payers list, other hackers will find out that you or your company is a sucker and go after your stuff as well. Hackers talk.
The next danger is that the payment never gets you a key. Or that the hacker will ask for multiple payments for different keys. Mr. Shaker says that Symantec has seen hundreds of incidents along these lines. Kaspersky has also written about the increasing prevalence of using cryptoware to hold data hostage. Some of the software commonly used includes CryptoLocker, TorLocker, CryptoWall, CoinVault and TeslaCrypt.
He also emphasized that unlocking the data doesn’t end the threat. “That wasn’t the infection,” he said. “It was secondary.” In other words, the cryptoware isn’t how the attacker got into your system. It’s a tool that’s used once an adversary is already inside. The company needs to figure out how its system was infiltrated in order to prevent future ransoms. He later told the room that many of their firms were probably using Symantec Endpoint Protection, “and you probably have it configured wrong,” he warned them.
He advised bringing in someone who really knows how to set the protection up to check their IT departments’ work.
Mr. Shaker recommended the following after a ransomware notice:
- Don’t pay.
- Check your backups to see whether you can just walk away from the local machine, and to work out what the hackers might have copied.
- Go to your privacy attorney and your cyber insurance broker (if you have one).
- Talk to a technology investigator.
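The backup check above is only useful if you can tell a clean copy from one the cryptoware has already touched. The script below is an added example written for this article, not code from the panel, Symantec or any of the products named; it assumes a SHA-256 manifest of the backup was recorded before the incident (hypothetical `build_manifest`), compares an offline copy against it, and flags any changed file whose bytes look like ciphertext (byte entropy near 8 bits). The scenario it runs on is constructed in a temporary directory. Note that passing this check says nothing about whether the attacker also copied the data out; that question still needs an investigator.

```python
"""Verify an offline backup against a pre-incident hash manifest and
flag modified files that look encrypted. Added example, not the
article's or any vendor's code."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Hypothetical pre-incident step: relative path -> sha256 for every file."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plain text is typically 4-5, ciphertext is close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, threshold: float = 7.5, sample: int = 1 << 20) -> bool:
    """Heuristic only: compressed archives and media also score high."""
    with path.open("rb") as f:
        data = f.read(sample)
    return len(data) >= 256 and shannon_entropy(data) > threshold


def verify_backup(backup_root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify each manifest entry as ok, missing, modified or modified+high-entropy."""
    result: Dict[str, List[str]] = {"ok": [], "missing": [], "modified": [], "high_entropy": []}
    for rel, expected in manifest.items():
        p = backup_root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != expected:
            result["modified"].append(rel)
            if looks_encrypted(p):
                result["high_entropy"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: clean backup, then one file overwritten with
    random bytes (standing in for ciphertext) and one file deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "contract.txt").write_bytes(b"Standard services agreement.\n" * 40)
        (root / "ledger.csv").write_bytes(b"date,amount\n2015-01-01,100\n" * 50)
        (root / "readme.txt").write_bytes(b"Backup taken before the incident.\n" * 10)
        manifest = build_manifest(root)
        (root / "docs" / "contract.txt").write_bytes(os.urandom(4096))  # "encrypted"
        (root / "ledger.csv").unlink()                                    # destroyed
        return verify_backup(root, manifest)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket}: {files}")
```

Run it against a real backup by replacing `demo()` with a manifest loaded from wherever it was stored; the manifest must come from before the incident and live somewhere the attacker could not reach, or it proves nothing.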
What about law enforcement? “It’s probably not the first place we’d advise people to call,” he said. “The FBI’s goal is to prosecute. If they’re not going to get that, they’re not going to follow up.”
Paul Ferrillo, an attorney with Weil, Gotshal & Manges who sat on the same panel, added more that helped explain the logic behind this growing form of attack. Mr. Ferrillo said that he sees a lot of executives and boards at midsize companies who make themselves vulnerable with what he called “the ‘I’m not a target’ issue.” In other words, companies that aren’t a household name think their systems aren’t important enough to attract hackers.
That’s backward, Mr. Ferrillo said. Smaller companies are attractive to hackers because Fortune 500 companies have Fortune 500 security. Hackers want easier targets. A medium-sized company may not have extremely sensitive data, but its data is important to the company, and it probably has enough money to make a nice pay day for a small team of hackers.
That’s why small companies are targets, and that’s what makes the ransomware exploit useful.