Columbus Day 2016: What We're Discovering About Ransomware
Columbus Day celebrates discovery and exploration. In 2016, businesses across the country are discovering something they didn't want to find: ransomware is now a mainstream threat, not just something that happens to other people.
This year has seen ransomware explode. Hospitals, schools, police departments, and small businesses are getting hit daily. The attacks are getting more sophisticated, the ransom demands are getting higher, and the attackers are getting bolder.
Let's talk about what we're discovering about this threat as we head into the final quarter of 2016.
Discovery 1: Ransomware Is Big Business
Ransomware isn't amateur hour anymore. The people behind these attacks are running professional operations with customer service departments, payment portals, and guaranteed decryption.
Some ransomware operations offer:
- 24/7 support chat to help victims pay ransom
- Payment plans for victims who can't afford the full amount
- Technical support for victims having trouble with Bitcoin
- Guaranteed decryption or money back (yes, really)
This professionalization makes ransomware more effective. Victims who might have been too confused to pay ransom now get walked through the process step by step.
Discovery 2: Healthcare Is a Prime Target
2016 has seen a massive surge in ransomware attacks against healthcare providers. Hospitals, medical practices, clinics, all getting hit.
Why healthcare? Three reasons:
First, healthcare can't afford downtime. When patient records are encrypted and the EHR system is down, care gets disrupted. That pressure makes healthcare providers more likely to pay quickly.
Second, healthcare IT security is often weak. Many medical facilities are running outdated systems with poor security because upgrading clinical systems is complicated and expensive.
Third, healthcare data is valuable even beyond the ransom. Medical records sell for premium prices on the black market, so attackers sometimes steal data before encrypting it, creating double leverage.
Discovery 3: Backups Aren't Always Enough
The standard advice for ransomware has been "have good backups and you won't need to pay ransom." That's still true, but 2016 has shown us that backups alone aren't sufficient.
We're seeing attacks where:
- Ransomware sits dormant for weeks before activating, getting backed up along with legitimate files
- Attackers specifically target and delete backup files before encrypting production data
- Network-attached backup drives get encrypted along with everything else
- Restoring from backup takes so long that paying ransom is faster
Good backups are still essential, but they need to be isolated from your network (offline, or at least not writable with the credentials a workstation uses), kept long enough that a copy predating the infection still exists, tested regularly with an actual restore, and fast enough to restore from that paying is not the quicker option.
Discovery 4: Ransom Amounts Are Rising
Early ransomware attacks demanded a few hundred dollars. In 2016, we're seeing demands in the thousands or tens of thousands.
Attackers are getting smarter about pricing. They research their targets and set ransoms based on what they think the victim can afford. A solo dental practice might see a $2,000 demand. A multi-location medical group might see $50,000.
The higher amounts make the economics work better for attackers while still being low enough that victims often pay rather than dealing with recovery costs and downtime.
Discovery 5: Prevention Is Still Possible
Despite how scary all this sounds, most ransomware is preventable. The majority of successful attacks exploit basic security gaps:
- Phishing emails that trick users into opening malicious attachments
- Unpatched software vulnerabilities
- Weak passwords on remote access systems
- Lack of email filtering
- No staff security training
Addressing these basics significantly reduces your risk. You don't need expensive security tools or a dedicated IT security team. You need consistent execution of fundamentals.
What Small Businesses Should Do
Now, Today
- Verify your backups are actually working (test a restore)
- Make sure backups are isolated from your network
- Patch all software, especially Windows and Office
- Remind staff about not opening unexpected attachments
This Month
- Implement email filtering to block obvious phishing attempts
- Require strong passwords and enable multi-factor authentication
- Review who has remote access and limit it to only necessary people
- Create a simple incident response plan
By End of Year
- Conduct formal security awareness training for all staff
- Audit your backup and recovery process end to end
- Review cyber insurance coverage
- Replace or upgrade old systems that can't be properly secured
If You Get Hit
Despite best efforts, ransomware might still get through. If it happens:
- Disconnect infected computers from the network immediately
- Don't shut down infected computers yet (they might be needed for forensics)
- Call your IT support and cyber insurance carrier right away
- Don't pay ransom immediately; explore other options first
- Document everything for insurance and potential law enforcement reporting
Many ransomware incidents can be recovered from without paying, provided you have intact backups that predate the infection and you respond quickly. Plan on rebuilding affected machines rather than just cleaning them, since the original entry point is usually still there.
The Exploration Continues
Columbus Day is about discovery and exploration, but also about learning from what you find. In 2016, we're discovering that ransomware is a serious threat that requires serious attention.
The good news is that the defenses are known and accessible. Small businesses can protect themselves without massive security budgets. It just requires commitment to doing the basics consistently.
If you're not sure where your practice stands on ransomware preparedness, we can help. A quick security assessment will identify your biggest risks and give you a roadmap for addressing them.
We've been keeping Arizona businesses secure since 1991. We've seen the ransomware threat evolve from curiosity to crisis, and we know how to help practices protect themselves. Let's make sure 2016's discoveries lead to better security in 2017.