By Carola F. Berger, PhD, CT
This article originally appeared in the Spring 2021 edition of the Caduceus, the newsletter of ATA’s Medical Division, and has been reproduced here with permission.
What is Ransomware?
The US government agency CISA (Cybersecurity & Infrastructure Security Agency) defines ransomware as follows:
“Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.”
In other words, ransomware holds the infected computer hostage until a ransom is paid. The ransom is usually demanded in the form of more or less untraceable cryptocurrency. Ransomware attacks have been on the rise recently: more than 1500 businesses were affected by the attack on the IT provider Kaseya. These businesses were end-customers of managed service providers (MSPs) who used Kaseya’s technology infrastructure to in turn provide their IT services to the end-customers. The affected businesses ranged from a Swedish supermarket chain that had to completely close its small-town stores for a week to language service providers (LSPs).
There are two ways in which ransomware typically infects a computer system: either through a software vulnerability, in which case the infection can be of a larger scale, as in Kaseya’s case, or through a user action, such as clicking on the wrong website or opening the wrong email, which, without a strong antivirus/firewall combination, leads to the download of malicious code. This malicious code, also known as malware, then accesses the content of the storage drives of the infected computer and encrypts the drives, rendering the data completely inaccessible to the user. In the case of a cloud provider, the storage drives holding the cloud data are infected and rendered inaccessible.
In some cases, the malware sends the data to the malware author before rendering the data inaccessible. The malware author then has access to all sorts of confidential and personal data, in addition to holding the infected machine hostage. Thus, ransomware is a twofold threat, rendering the infected system useless and revealing confidential information to unauthorized parties.
Recently, the number of ransomware attacks has risen sharply, leading CISA to publish a guide on ransomware in September 2020, long before this July’s attack on Kaseya. Below I will list a few tips on what you can do yourself to combat this ransomware pandemic, although a disclaimer is in order: I am not an infosec expert, just an informed end-user of IT services. I strongly recommend visiting the CISA website for further and in-depth guidance.
Ransomware steals information and holds it hostage. By limiting the amount of information that’s stored in a system, you can also limit the damage. In other words, if you process and store information, limit the amount of stored information to what you actually need. For example, I recently completed the on-boarding paperwork as an independent contractor for an LSP. They asked for my date of birth. My date of birth is completely irrelevant, since I am an independent contractor, and even if I were an employee, it is illegal in most places to discriminate based on age. They are therefore processing and storing completely irrelevant sensitive personal information. So, if you store information, go through your files now and throw out everything you do not need. Keep the information you need, and if you’re not sure, store the information you are unsure about offline on an external drive that you remove from the active system.
Conversely, if you provide information, limit the amount of information that you give out for somebody else to process and store to what they actually need. For example, if you are an independent contractor and an LSP asks you for your tax identification number, give them an EIN (employer identification number, which despite its name is also available to freelancers) instead of your social security number. See for example the information on EINs here. Likewise, nobody needs to know (or is actually interested in) your childhood phone number or other overly personal details that you divulge in those viral shares on social media. These can be used to socially engineer answers to the backup (password-recovery) questions for logins.
Authentication and Authorization
The next question to tackle is access to stored information. People typically restrict access to computer systems with passwords, fingerprints, facial ID, PIN codes, or two- or more-factor authentication (2FA, MFA). 2FA and MFA combine two or more authentication methods, respectively, usually on more than one device. Ransomware can bypass these authentication methods. Sometimes this is because of a security flaw in the underlying software, as in the case of the aforementioned MSPs that were affected by the Kaseya attack.
Other times, hackers and malware gain access because the authentication methods aren’t strong enough. And this is where you, the reader, need to pay attention. If your password is “123456” or “password” or any other password that can be found on this list of the worst passwords on Wikipedia, please change that password immediately. The same goes for PIN codes such as 1234 or 1111; you get the idea. The FBI recommends using passphrases and/or 2FA/MFA. A passphrase is a combination of multiple words into a long string of at least 15 characters that doesn’t form a sentence. Also, do not reuse login credentials for multiple accounts! Since most people have dozens if not hundreds of accounts everywhere, I recommend a password manager (see, e.g., https://www.pcmag.com/picks/the-best-password-managers or https://www.wired.com/story/best-password-managers/). Avoid password managers that allow recovery of the master password.
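As an added illustration of the passphrase advice above (example code, not part of the original article), the following Python checks a candidate against the criteria listed there (not on a known-bad list, at least 15 characters, several separate words, not reused across accounts) and generates a passphrase from a word list. The word list and the bad-password sample are constructed for the example; a real word list has thousands of entries.

```python
import re
import secrets

# Constructed, deliberately tiny word list for illustration only.
WORDLIST = ["copper", "lantern", "orbit", "velvet", "granite", "meadow",
            "cactus", "harbor", "pixel", "walrus", "tundra", "violin"]

# Constructed sample of entries from a "worst passwords" list; the real
# list is far longer and should be loaded from a file.
KNOWN_BAD = {"123456", "password", "qwerty", "111111", "iloveyou", "abc123"}

MIN_LENGTH = 15   # the minimum length cited in the article
MIN_WORDS = 3     # "multiple words": require at least three separated tokens


def generate_passphrase(words=4, separator="-"):
    """Pick distinct words with the OS CSPRNG (secrets), never the
    non-cryptographic random module, for anything used as a credential."""
    rng = secrets.SystemRandom()
    return separator.join(rng.sample(WORDLIST, k=words))


def check_passphrase(candidate, already_used=()):
    """Return the list of article criteria the candidate violates.
    An empty list means the candidate passes every check."""
    problems = []
    if candidate.lower() in KNOWN_BAD:
        problems.append("appears on a known-bad password list")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Words must be separated by spaces or punctuation; run-together
    # words such as "correcthorsebattery" count as a single token here.
    if len(re.findall(r"[A-Za-z0-9]+", candidate)) < MIN_WORDS:
        problems.append(f"fewer than {MIN_WORDS} separated words")
    # Reuse check against credentials already in use elsewhere; a password
    # manager performs this comparison for you without exposing plaintext.
    if candidate in set(already_used):
        problems.append("already used for another account")
    return problems


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, "->", check_passphrase(phrase) or "ok")
    print("password ->", check_passphrase("password"))
```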
The next question to tackle is who has access to what, and more importantly, who needs access to what. It is likely that nobody needs access to all the data that an organization stores. Thus, it is better to compartmentalize things and store them in separate databases and separate locations. This of course takes more work to keep up to date than an all-in-one system that everybody has access to, but when ransomware or another disaster strikes, you’ll be glad you didn’t put all your data eggs into one system basket.
If you are a solopreneur working from home, you might not think access control is relevant, but if you’re sharing a computer with your kids, at least set up separate login accounts with possibly restricted access to your work data. Perhaps use a separate external hard drive that you can unplug and store in a secured place before the kiddos are unleashed and download questionable games and chat software onto the machine.
If you’re using the cloud to process and/or store data – do you really need to do everything in the cloud? A cloud account is, by definition, online 24/7, meaning hackers have literally all day, every day, to attack that account, in contrast to a system that you take offline after your workday is done. If you use cloud services, are your data encrypted? Is the encryption sufficiently secure? Never store any important and/or sensitive data in plain text! This may be obvious, but even Facebook ignored this obvious fact for years.
Do you have firewalls and antivirus software in place? You need both a firewall and an antivirus. A firewall inspects the communication packets that go in and out of your computer, sort of like a border guard. If it detects something potentially dangerous, it blocks that traffic. But your system can still get infected by a virus that sneaks in. An antivirus detects that virus when it’s already on your machine and hopefully prevents it from doing any harm. That’s why you need both.
Prevention and Restoration
To quote Benjamin Franklin, “an ounce of prevention is better than a pound of cure.” Today, this old adage still holds true more than ever. Look at your current system and setup and think about the worst-case scenario and make a plan. What would you do if your main computer system was unusable? What would you do if your external storage were inaccessible, be it because of ransomware or a simple hardware failure? Do you have a backup of your system and data? Is the backup accessible even if there is a complete Internet and/or power outage? What would happen if your data were broadcast into the dark corners of the web?
You don’t need to invent end-of-world nuclear war disaster scenarios. But for example, many years ago, my main computer suffered an overheating motherboard that proceeded to completely fry the hard disk and render all data completely unusable. This had the same effect as ransomware, namely, I couldn’t access any of my data. Of course, unlike with ransomware, no sensitive data were disclosed to unauthorized parties, but ever since then, I make a weekly backup of all my data and store that backup offline on an external hard disk in a fireproof safe. In my risk assessment I concluded that I can live with a week’s worth of lost data, assuming the fire isn’t so severe that the fireproof safe goes bust. However, I can’t live with a scenario where those data were divulged to unauthorized parties. Thus I opted for an offline fireproof, locked safe instead of cloud storage for my backups.
Now, if disaster strikes and you made a plan, you are prepared. You can quarantine an infected device immediately, meaning you take it offline, wipe all the data and format the hard disk (experts recommend several passes), and restore things from your backup. If cloud software or another online service is affected and recovery is not up to you, your aforementioned disaster planning should take that into account, too, so that you don’t end up like the Swedish grocery store chain that had to close all their stores for a week. Can you work, however haphazardly, offline in some analogous way?
Also, analyze how the attack/disaster could take place – in cybersecurity parlance this is called digital forensics. How did this happen? How did you find out? How can you prevent this from happening again? If you were affected by a cybersecurity incident, report it to law enforcement immediately, e.g. the FBI Internet Crime Complaint Center or the Federal Trade Commission.
What should you do if your personal data was compromised?
If your bank or credit card account was hacked or your financial information compromised, let your bank, credit card company, and the credit bureaus know. Place a credit freeze and fraud alert with the major credit bureaus, see the instructions by the FTC here. Hopefully, your social security number was not compromised because you used your EIN instead (see above). If your SSN was compromised, follow the instructions by the Social Security Agency here and here. If any other information was compromised, you can place a Google Alert to monitor the visible web for that information. Unfortunately, there is no monitoring service for the Dark Web, but sometimes some information trickles through into the visible portion of the web, which Google can see. Instructions on how to set up a Google Alert can be found here.
Summary and More Information
Hopefully most of the above seemed just like plain common sense to you, but I also hope that it helped to see it laid out this way. In this article, I loosely followed the NIST Cybersecurity Framework. The Washington Small Business Development Center developed a very readable cybersecurity workbook for small businesses based on this framework, which you can download here. I highly recommend going through this workbook, even if you are a one-person small business/freelancer. Remember Ben Franklin and his ounce of prevention!
CISA, the US Cybersecurity & Infrastructure Security Agency, has an entire sub-website on ransomware. This includes the Ransomware Guide I cited above and steps to take should your system be affected by ransomware.
And finally, if you have not watched it, I recommend my ATA webinar on Scams Targeting Language Professionals. The webinar is completely free to watch. In the present context, phishing scams are especially relevant, because that’s one of the paths for malware and thus ransomware infection. I have also written a few articles for The ATA Chronicle, which ATA collected along with a few other relevant resources on scams here. On Translorial.com, the online journal of the Northern California Translators Association, you can read my article on Phishing and Spoofing.
Stay safe in cyberspace!