Prevention better than cure, local cybersecurity experts say

Ransomware attacks becoming bigger threat

Local cybersecurity experts are urging people to see the massive WannaCry hack as a warning signal, because while that particular ransomware isn’t having much impact on U.S. computers, other malware attacks are causing breaches here every day.

“Hopefully, the business community sees this as a wakeup call,” said Mike Stamas, chief business development officer for GreyCastle Security, a Troy-based cybersecurity firm.

“This isn’t going to slow down.”

WannaCry is ransomware that locks down data on a computer until its owner pays a fee, or ransom, to the hacker that unleashed it. It was developed as a cyberwarfare tool by the U.S. National Security Agency but stolen by hackers. Widespread reports of infections began Friday, when the British National Health Service was locked out of its computers, along with many other users. By Monday, 200,000 computers in more than 150 countries were infected.

After the weekend, the feared second wave of infections didn’t materialize — with the major exception of China, where many computers run on pirated software.

United States businesses remained largely unaffected Monday.

Shaun Wiggins, CEO of Soteryx in Saratoga Springs, said the company hasn’t seen a lot of reports about WannaCry, and the time difference may have helped spare the United States. The attack was underway Friday in Europe long before the business day began in the U.S., so there was time to react here.

However, George Dew, president of cybersecurity at Soteryx, said no one should feel safe because of geography.

“We deal with this all over the place,” he said. “The internet takes away time and distance. For all intents and purposes, the locality is irrelevant.”

What keeps computers safe from ransomware and other computer malware, Dew said, is updated operating systems, updated anti-virus software, and — above all else — not clicking on email attachments and links. Period. Ever. Unless the source of the email is known, trusted and verified. 

“Any time there’s an unsolicited incoming communication, they have to assume it’s not a good thing,” Dew said. “You have to assume right away that it’s a threat.”

He goes so far as to recommend that information technology managers disable attachments on emails that come into their company’s computers. He also suggests people be careful with requests for information via phone calls and old-fashioned letters, though the latter are much less common now, due to the cost of stamps.

Dew also recommends that computer managers install software patches, even for past threats, even after the initial wave of attacks subsides.

“Stuff like this has a habit of coming around again,” he explained.

And WannaCry is far ahead of previous generations of ransomware such as CryptoLocker and CryptoWall, Dew said. “It’s engineered pretty well.”

One of the problems that makes WannaCry more virulent than other ransomware, explained Stamas at GreyCastle, is that it doesn’t spread via operator actions such as opening attachments and clicking links. It’s a worm that spreads itself through vulnerable spots in a computer’s software. 

In this case, it’s infecting Windows XP, an operating system that was very widely used after its introduction in the early 2000s, but which Microsoft eventually stopped updating and supporting, as it rolled out newer operating systems.

Because switching operating systems on a companywide basis can be costly and disruptive and can create incompatibility issues, not to mention inconvenience, some companies will run as long as possible with a legacy operating system, Stamas said. So XP still runs on many computers.

The WannaCry attack got a lot of people’s attention, he said. GreyCastle, which has clients in almost every state, had more than a hundred people signed up for a webinar it was presenting Monday afternoon.

“Our phones have been ringing off the hook all day.”

This is the latest iteration of the long-running effort to separate victims from their money, Stamas said. Electronic siphoning of funds and credit card data theft each had their moment.

“Now the flavor of the month, so to speak, is ransomware,” he said.

“We respond to a lot of ransomware calls. I’ve seen dollar amounts from $300 to $55,000.”

One of the most common and lucrative targets for ransomware is health care records, Stamas said. It’s potentially a matter of life and death if health care providers can’t access patient records, he said, so they’re more likely to pay. It’s also among the most valuable data to sell to identity thieves, sometimes commanding $20 per patient, because it can enable Medicaid fraud, tax fraud and even blackmail, not to mention further electronic crime.

“Think how believable of a phishing email I could send to you, armed with your health records,” Stamas said.

Asked if someone should pay the ransom demanded by hackers, Stamas said it’s never a good idea, for a variety of reasons, including that it might encourage further attacks.

Dew at Soteryx suggested people should pay the ransom, if it’s something like the $300 sought in the WannaCry attack, because the cost to a business of losing the data is likely to be far greater in lost income and productivity.

But both of the cybersecurity experts agreed that prevention is better than response, and that a ransom payment does not guarantee the hackers will unlock a computer.

“Just because you pay the ransom doesn’t mean you’re going to get the data back,” Dew said.

Fighting ransomware

Some tips for preventing ransomware attacks offered by Capital Region cybersecurity firms GreyCastle Security and Soteryx:

  • Keep your operating system and antivirus software up to date.
  • “Any business should have a disaster backup plan and a business continuity plan.” — George Dew, Soteryx.
  • Back up your data to an out-of-network location regularly and disconnect it from the network except when backing up.
  • Keep vulnerable ports closed.
  • “Have a healthy paranoia.” — Mike Stamas, GreyCastle.
  • Train employees not to click on links, which cause most infections, and remind them regularly.
  • Disable links in incoming email, because somebody will probably go ahead and click them anyway.
  • “It’s important that businesses prepare. A lot of companies wind up doing this as an afterthought.” — Shaun Wiggins, Soteryx.
