If the idea of a ransomware attack doesn’t keep you up at night, it should

Ransomware is like New York City, says Shawn Richardson, principal of Cyber Services at Rea & Associates.

Ransomware is a type of malware that threatens to publish the victim’s data or blocks access to company data until a ransom is paid. The two main types either encrypt information so the data are unreadable or lock the victim out so the data cannot be accessed.

Locker ransomware locks the computer, server or device, and Crypto ransomware prevents access to files or sensitive data through encryption. Believe it or not, ransomware dates back to the late 1980s with the AIDS Trojan. It’s been evolving since. Just like how New York’s downtown buildings have constantly changed over the past 25 years, ransomware gets bigger, better and more modern as bad actors build upon past forms.

“It’s gotten sophisticated,” Richardson says. “The ransomware is injecting itself inside of applications such as email through phishing. Often, all it takes is clicking on an email to execute some malicious code. Then, it attaches to local information stores like customer databases or accounts payable.” 

The cybercriminal promises to restore the data if the victim pays a ransom — but there is no guarantee you’ll get your data back, even if you pay. In some instances, attackers ask for a little bit of money first to generate trust and then extort more funds.

Smart Business spoke with Richardson about the ransomware threat, which may loom larger than you think.

What are examples of ransomware attacks?

The most prevalent types of ransomware are CryptoWall, Locky and WannaCry. But as they get used, people take the code, make copies and improve it with higher levels of encryption. There are variants that are uncrackable, and federal authorities don’t have the ability to reverse engineer the modified versions of ransomware. 

In one case, ransomware was dropped into a company’s Microsoft Office 365. It locked down the user database. Then it elevated the account permissions to allow the attackers to exfiltrate information and sent emails to the organization’s bank. Fortunately, the federal authorities caught on to what was happening before funds were transferred.

In another instance, a services company with fewer than 50 employees was attacked. The ransomware hit the backups first, which were not properly segmented off from the existing networks, and then locked its customer database and service contracts. The business never recovered the data and ultimately had to go back to a backup that was incomplete and nearly a year old.

Do businesses need to actually be attacked to feel the effects of ransomware?

No. A business can run the risk and hope nothing will happen, but it may grow large enough that its contractual obligations with third parties require a cybersecurity framework, audit, software, etc. Otherwise, the company won’t get that business.

Which companies face the greatest threat?

Small and mid-sized businesses are the most at risk today, as the lowest-hanging fruit within the threat landscape. Surveys have found an estimated 80 percent of small and mid-sized businesses have been victimized by ransomware within the last 18 months, and only 20 percent of them reported it.

These companies typically don’t have an IT company with expertise in security mechanisms and controls managing their infrastructure. Owners of small and mid-sized businesses often don’t put the resources into a cybersecurity strategy because they don’t recognize the need — although this is starting to change as they’re targeted.

Within the small and mid-sized business sector, the most targeted are health care, which includes small doctors’ offices, and government organizations like schools.

Where do you recommend businesses start with risk mitigation?

You should put in security controls and a framework to protect your company. Bring in a trusted adviser to talk about the risks within the operation and how to protect important data. Consider putting in a customized cybersecurity strategy that makes sense — John’s Auto Body will have a very different approach than Bob’s Dental, which must follow certain regulations. 

It all starts with a business conversation and it’s critical to have that conversation before the bad actors get ahold of your information.

Insights Accounting is brought to you by Rea & Associates