Ransomware Extortion in the Americas
First of all, I apologize for not publishing this in several languages, especially in Spanish, since one of the most affected regions is LatAm. However, writing this on the weekend in my free time does not allow me that luxury. If you do not read English well and need it in Spanish, let me know and I will translate it when I have time, or have one of my Latin American executives help you.
Of the 50 municipal attacks in the USA from January to July, only three cities chose to pay the ransom. Many others are instead fighting it out, with mixed levels of success. Baltimore, which was attacked in May, refused to pay a $76,000 ransom; it has to date spent more than $5 million recovering the data lost in the attack, and it will be reconstructing internal and customer data profiles for another year. So why did they not pay the hackers, and was it the wrong decision?
Less than a third of the cities that reported paying were able to recover their data. Most of the time, the type of virus used also blocks all new incoming data while the system is impaired. Why pay a crook for screwing you? You shouldn't! Instead, you should prepare with proper cyber security before you turn on your first server. Unfortunately, cities and private companies have a few things in common...
- Arrogance
- Ignorance
- Denial
- Procrastination
Wednesday, last week, a mayor whom I have known since we were in elementary school called to ask if I had time to meet him at Starbucks for coffee. Since we were long-time friends, I told him that a year ago I had closed my local office and now work remotely with my offices in Latin America, India and Israel, and that he should come to my home to talk. Why, he asked? I said, because I live in Huntsville, Alabama, near one of the most security-sensitive sites in America, NASA and the Redstone Arsenal. Every hotel lobby and coffee shop is under surveillance, if not by the government, then by industrial spies collecting information on competitors. He laughed and said, good idea!
At home I made us two double espressos and we began chatting about old times and family before entering the discussion which began…
Woody, we were hacked, ransomware, last week. Our IT guy said not to pay, that he could penetrate it and fix it. However, we lost 4 days of incoming data in the process, and our backup was from Sunday, so we literally lost 9 days of data on 130,000 customer and platform records. We will survive, but it will be 3 months before we reconstruct 90% of the records and up to 12 months for complete reconciliation of all accounts, at a cost of $90,000 in third-party assistance and probably $200k in direct losses, since we cannot err in respect to the customers' ascertains. How did it happen and what should we do?
I told him, we are good friends, but you know that with my history and successes in IT, telecom and security in general, I usually get big bucks for this sort of advice. But OK, I said, let us discuss what you did wrong. First of all, I know your IT chief. He is really intelligent and experienced, but not in cyber security, and he has been with you for over 10 years. I never see him at any expos or IT/cyber security meetings in our state, nor anywhere else for that matter. Over the last 10 years you have made several upgrades to your platform, but mostly these were added for customer service and access. You made a budget based on his recommendations, right? Yes, we did. Did it include homologation or research into how the new equipment and software interact with the existing platform in regard to vulnerabilities? He said, I have no idea. I said, since you do not know, then it did not. You see, buying add-on equipment and software, which in itself may be great and at the lowest price, without taking into consideration the vulnerabilities of the updated platform and network was your first weakness. Not hiring a third party to audit and evaluate the current platform after each update was the second. The third was assuming that your internal IT advice was still sound and valid in this day and age.
This story is not rare. It is typical in most businesses and government entities. Assuming that anti-hacking software or an antivirus on your laptop protects you from hackers who spend mountains of time and money to penetrate your network is a false dream. Think logically! If you have a multi-faceted platform, how can a simple off-the-shelf solution protect you? How can a single patch prevent damage? How can an unsecured backup solution be guaranteed? Most major extortions have insider associations. What type of Network Access Control platform do you have? Are your cyber security processes as up-to-date as your platform?
The fact is, most small businesses and nearly all government entities do not have the funds to employ people to do proper cyber security prevention, and if they do, they do not spend money to keep them up-to-date on current hacking strategies. I am not a tech or engineer, but I started my telecom businesses in 1994 with the advent of VoIP, so I learned alongside my techs and engineers. While I was sitting with the mayor, I said, let me see your smartphone. Within 10 minutes, I had circumvented his platform using the saved login and password data lodged in his Google account. I told him, this is your bank wire key, right? With this I can authorize a wire to be sent anywhere in the world? He said yes, but there would have to be an invoice to and from the treasurer's secretary. OK, and if I use your email to send the request and approve it, what happens? He said, damn, you are right! Yes, if I hack or clone your smartphone, I can control much of the city's functions.
People, this is not rocket science. It is common sense decision making. If you are diligent and ask for the advice of competent third parties, you can prevent damage from hacking and ransomware, and even from data mining, which to me is more dangerous. It is not as expensive as you think to secure your business or government facility. In fact, with complex systems, most consultants like myself will work with you on a payment plan so it is affordable. For example, for a small business of 20 employees and annual income of $10,000,000, a contract with a cyber security company may cost $25k upfront and $5k a year; however, if attacked, the ransom will likely be above $75k, and there is a 33% probability that you will never restore the lost data or even have a platform to operate afterwards. Yes, sometimes there are so many errors and so much lost OS data that your best solution is to re-format, start fresh and restore whatever you backed up on the last date. Also, there is no magic software that will protect anyone's system 100% 24/7. If you are the first to be attacked by a new virus, the antivirus may not recognize it, because it has never been seen on anyone, reported, and addressed in an update; that takes days, sometimes weeks. Backups also become more difficult with external servers and with a high-speed network extending to outside access via CPE and linked devices. Some data will always be missed.
And for my followers and readers, I did not write this for technical critique. No. I wrote this purely for business and government administrators who do not have the full technical background that you may have, so that it is understandable from the standpoint of the manager or responsible person at the top who takes the heat when there is a problem. If you write me for advice or a solution, I am happy to oblige when I have free time, so it may take up to a week if you are not a customer. Thank you and good luck in this fast-changing world of technology we live in today.