Cyber Security

HIGHLIGHTS

Ransomware Was Booming Even Before Latest Mass Attack

How to Protect Yourself From Ransomware

Cyberattack Is Likely to Keep Spreading

U.S. Agencies Work to Thwart Cyberattacks

Editor’s News Picks: Breach Brand Damage, New FTC Resource, Insider Threat Personified, Phishing Trouble


Commentary & Analysis

Ransomware Was Booming Even Before Latest Mass Attack

By Kate Fazzini

The worldwide market for cyber extortion exploded this week with one of the biggest simultaneous hacking attacks in history. But the event was just the latest development in a global proliferation of ransomware that, while capturing the interest of the public and many governments in a big way for the first time, has worried businesses for years.

Ransomware became a $1 billion business in 2016, according to the Federal Bureau of Investigation. It will undoubtedly surpass that in 2017. Attempts to hold data for ransom using a variety of techniques rose 6,000% in the last year alone, according to a study by International Business Machines Corp.

For the attack that started Friday, as of the weekend, Europol had reported that 150,000 servers had been infected. Companies from a broad range of industries were targeted, with the highest profile affected including Britain’s National Health Service and FedEx Corp., both of which said their services were interrupted by locked files.

Businesses with valuable intellectual property and relatively limited security resources are increasingly in the crosshairs: law firms, consultancies, real estate organizations, construction firms, tech start-ups, accounting offices and smaller financial firms, like hedge funds and broker-dealers.

According to one study by cyber protection firm SentinelOne Inc., ransomware has affected 50% of U.S. organizations in the last year, with business and professional services firms targeted most, followed by construction and property companies, and technology and telecommunications firms.

Cyber extortion encompasses a range of criminal activities that involve stealing a company’s data and only releasing it when the company pays up. Most commonly, this scheme takes the form of ransomware, a type of malware that locks certain company information using encryption. The company must then pay for a decryption key, usually a small amount in the hundreds or thousands of dollars.

Other cyber extortion schemes include stealing valuable or embarrassing company data and threatening to make it public unless the business pays, a more complicated and more lucrative attack than with ransomware. Least often, companies find themselves on the receiving end of a threatened Distributed Denial of Service attack, with hackers demanding payment to call it off.

Professional Firms in the Crosshairs

Austin Berglas, senior managing director of cybersecurity firm K2 Intelligence, said he had observed a law firm that paid seven figures to release valuable data that had been stolen and ransomed. He said that while few firms would be willing to pay so much in a single extortion attempt, there have been numerous but uncredited reports of businesses paying six-figure sums for their data, a testament to the fact that companies are often keenly interested in keeping these transactions private.

There are a few simple rules for ensuring readiness for a ransomware incident, he said – most notably ensuring robust back-ups, and testing how recoverable they are, combined with conducting regular risk assessments with ransomware in mind.

And while there may be traditional tenets of disaster recovery that come into play with a ransomware incident, there is no standard company response, because so much depends on what is ransomed. Some information may be necessary for the continuity of business operations, in which case a company may feel payment is critical just to continue existing.

Other information may severely damage the company’s brand, such as revealing details about an unannounced merger. In still other cases, companies frequently don’t even know what is in the stolen data sets, and if that information might contain personal data or health-care information, a business must make a quick decision on whether to involve law enforcement or regulators.

Quick Evolution

The response equation is further complicated by the constantly evolving nature of cyber extortion, said Ziv Mador, vice president of security research at information security firm Trustwave Holdings Inc.

“First of all, criminals realized they could make money, and a lot of money, on ransomware,” he said. He estimates the average ransomware criminal makes a 15-fold return on investment through these schemes, “And as more make money, more will hear about it, and want to make money too.”

Rather than view the growth in targeted companies through an industry lens, Mr. Mador said it is important to remember that these “criminals capitalize on urgency, and when sensitive transactions are in play, companies have more of a tendency to be desperate for their information.”

Therefore companies should be on particular alert when they are in the midst of potential deals, or are providing legal or financial support for those deals. Companies that rely on their ability to be in constant operation should also closely assess their risk exposure to having data locked down and ransomed.

Avoiding the problem before it starts is important, because there is no apparent right answer when it comes to paying ransom demands.

For example, in February 2016, Hollywood Presbyterian hospital paid around $17,000 to hackers who had encrypted and ransomed hospital records, after more than a week of being unable to access its data and after being criticized for the slow response. That same month, also in California, the Orange County Transportation Authority refused to pay an $8,500 ransom to unlock data, and instead opted to fix the problem internally—at an ultimate cost of $660,000, according to the Authority.

Basic Security

Security experts said that while ransomware may present new risk calculations, readiness is a matter of using some tried and true techniques. As Friday’s global incident has illustrated, simple patching is a preventative measure that is both straightforward and still elusive to many businesses.

“I actually think ransomware is a relatively easy threat to combat,” said Michael Sutton, chief information security officer of cloud security company Zscaler. “It just reveals how weak security is in many enterprises.”

Older security products like anti-virus software aren’t particularly helpful against ransomware—criminals have become too good at changing the way they design and send the malware for anti-virus software to keep track. But other cybersecurity essentials matter, Mr. Sutton said, especially when it comes to backing up data.

“Not just backing it up, but testing the back-ups, so we know if anything happens, we can have quick access to that data,” he said.

Starting the Conversation

Executives should be able to start a conversation with security staff about ransomware by gathering some basic information. Mr. Mador recommended first gathering simple information about whether the enterprise is already targeted: “Have we been attacked in this way, and how vulnerable are we to ransomware attacks?”

Mr. Sutton suggested asking: “What are we doing now to combat against this? How can we prevent this from happening? And on the other side, if this does happen how can we react? Are we testing our back-ups? If this happens, and our back-ups aren’t available, will we pay? And under what circumstances?”

The calculation of how to deal with ransomware involves balancing the benefit of quickly getting back data, knowing the true value of that data and involving the enterprise in the dirty business of negotiating with criminals, he said. “Because at the end of the day, you know full well that you are dealing with a criminal, and you are making a choice in doing business with them.”

(Kate Fazzini writes about cybersecurity for WSJ Pro. She has held roles in cybersecurity at Promontory Financial Group and JPMorgan Chase, and is an adjunct professor of cybersecurity at the University of Maryland, teaching cybersecurity for business and government. Write to Kate at kate.fazzini@dowjones.com.)


More From Dow Jones

How to Protect Yourself From Ransomware

By Robert McMillan

A programmer shows a sample of a ransomware cyberattack on a laptop. RITCHIE B. TONGO/EUROPEAN PRESSPHOTO AGENCY

The past few days have alerted the wider world to the dangers of ransomware, and it has been an ugly awakening for victims including doctors at the U.K.’s National Health Service, employees at Russia’s Interior Ministry, and staffers at some FedEx Corp. offices.

Ransomware, which has been on the rise for the past few years, encrypts files on a computer so that they can’t be read and the device becomes essentially useless. It gets its name because the culprits post messages on victims’ computers demanding payment, generally in the digital currency bitcoin, to undo the encryption (a promise they don’t always fulfill).

The good news is that there are effective measures to protect against the software in Friday’s attack, generally called WannaCry, and other ransomware. Here is what security pros recommend:

Take a hard look at your computer’s operating system

Still running Windows XP because it is good enough to get your web browsing and emailing jobs done? Then the recent WannaCry headlines are warning sirens. The first thing to do is download the emergency Windows XP patch Microsoft Corp. made available here. That will protect you from the attack that WannaCry uses to spread.

But it is important to know that Microsoft is no longer providing regular software updates to Windows XP, which means there likely are many other unpatched flaws on your system that could cause problems later. The only way to address that is to upgrade your operating system (which could require buying new computers). If you are running Windows 10, you are protected from WannaCry.

Update, always

If you see those Windows Update messages on your PC, don’t put things off: Update your computer. Microsoft issued the software that protects against the WannaCry worm on March 14, which means some of those who have been infected merely needed to follow instructions and they would have been shielded.

While WannaCry spreads via a Windows bug, other forms of malicious software can spread through flaws in other software on your computer, such as Adobe Inc.’s Flash and Oracle Corp.’s Java. So the next time you see a prompt for a software update from those programs or others on your system, take the time to install it. It helps.

Back up your computer

If you have backup copies of your files, the ransomware threat rings hollow. And think beyond ransomware. Over time, your computer’s file system faces a growing chance of becoming corrupted and unreadable. If it happens, you will be grateful you backed up those business records, videos of baby’s first steps, and photos of your Hawaiian vacation. As my colleague, Geoffrey Fowler, has noted, there are some really great automatic backup options available these days that run about $50 to $60 a year.

Float over to the cloud

Those willing to take a bigger leap can move their files to cloud services like Google Drive, Amazon Drive, Microsoft OneDrive, or Apple iCloud. That shifts a lot of the burden of protecting against malicious software to big companies with greater expertise and resources. You can do this with existing PCs, or by buying special computers using Google’s Chrome operating system or Microsoft’s forthcoming Windows 10 S, which are designed with extra behind-the-scenes security precautions, and make it easier to seamlessly store files in the cloud.

Even with cloud-based files, you still have to be careful not to open any dubious attachments on your own computer.

Antivirus time

By now, all of the antivirus vendors have updated their products to detect WannaCry, along with countless other ransomware variants. Antivirus software provides no guarantee that you will avoid the very latest attacks, but it is a sensible step that security experts recommend. The good news is that there are decent antivirus programs available free, including Microsoft’s own Windows Defender.

Write to Robert McMillan at Robert.Mcmillan@wsj.com

Cyberattack Is Likely to Keep Spreading

By Nick Kostov, Jenny Gross and Stu Woo

Network cables are seen going into a server in an office building in Washington, D.C., on Saturday. ANDREW CABALLERO-REYNOLDS/AGENCE FRANCE-PRESSE/GETTY IMAGES

The cyberattack that spread around the globe over the weekend, hitting businesses, hospitals and government agencies in at least 150 countries, infected more computers as users returned to work early Monday.

Investigators launched a far-reaching hunt for the perpetrator, as institutions around the world worked to mitigate damage from the highest-profile computer-worm outbreak in nearly a decade. Europe’s police-coordination agency estimated at least 200,000 individual terminals had fallen victim to the attack, while Chinese authorities put the number as high as 1 million world-wide.

The fallout in the early hours of Monday morning appeared limited, with some government agencies in Asia reporting that operations had been affected as employees returned to work after the weekend.

“This is something we haven’t seen before,” Europol director Rob Wainwright told U.K. television channel ITV. “The global reach is unprecedented.”

Among the highest-profile corporate victims was French auto maker Renault SA, which was forced to shut down factories across Europe.

When workers arrived at a Renault plant in Sandouville, in northern France, on Saturday morning, TV screens that usually update staff on company productivity had a different message: A demand, in French, for $300 in ransom. The screens also showed two clocks counting down the time Renault had to deliver the payments before the factory’s files were deleted.

“Everyone was running around, saying we’ve been hacked,” said Mohamed Amri, a 41-year-old parts maker. “It spread like wildfire.”

The cyberattack involved ransomware dubbed WannaCry, designed to spread quickly after infecting computers. Files on affected computers were encrypted, and users were told to pay a ransom with bitcoin, an untraceable online currency, to unscramble them.

So far, the virus hasn’t been blamed for destroying hardware itself. Where users have backed up data, long-term damage likely can be limited. But some targets responding to the attack had to shut down entire systems to help combat or slow the virus.

The computers of dozens of hospitals and health-care facilities in the U.K. were affected, but officials said that—so far—there was no indication patients had been put in grave danger from the outages. They also said patient data hadn’t been stolen. German train operator Deutsche Bahn AG said its trains were running as usual despite the attack, though it was straining to get its computer systems back online. U.S. delivery company FedEx Corp. was also affected.

Japan’s Hitachi Ltd. said Monday that its email system had been hit. It said system failures had affected it in Japan and overseas, and that the issue hadn’t yet been resolved as of Monday morning.

The police force in Yancheng, a Chinese city 200 miles north of Shanghai, apologized on its official social-media account for being unable to provide certain services because of the virus. A swath of Chinese gasoline stations, run by China National Petroleum Corp., was closed because of the attack.

Russia’s central bank said domestic banks had been targeted, according to state news agency RIA. Sberbank, Russia’s largest lender, said Friday night its cyber infrastructure had been targeted but that it had fended off the attack, news wires reported. The country’s interior ministry said around 1,000 computers had been affected, but that the attack had been localized.

Britain’s National Cyber Security Center, a government agency, said Sunday that there hadn’t been any new attacks similar to Friday’s, but that existing infections from the malware could continue to spread within networks.

“This means that as a new working week begins it is likely, in the U.K. and elsewhere, that further cases of ransomware may come to light, possibly at a significant scale,” the agency said.

The virus was slowed down over the weekend by the identification and activation of a “kill switch” embedded in the virus’ code, computer experts said. But few believe it was halted completely, and one security expert had identified late Sunday at least one new strain, unaffected by the kill switch, though it was spreading slowly.

While the U.S. appears relatively unscathed compared with Europe and Asia, the Federal Bureau of Investigation, the National Security Agency and the Department of Homeland Security all were on the case. Tom Bossert, President Donald Trump’s homeland security and counterterrorism adviser, held emergency meetings with cabinet members Friday night and Saturday morning at the White House, an administration official said Sunday.

Government agencies have started a global manhunt for the perpetrator—a complex international probe that requires the same sort of cooperation and intelligence sharing common in large terrorist attacks.

Security experts have been able to track a small number of bitcoin transactions they said were likely ransom payments linked to the attack. It was impossible to say how many companies were paying, or whom they were paying. Unlike bank and other financial accounts, bitcoin accounts are theoretically untraceable to their owners.

The attack took advantage of security vulnerabilities in Microsoft Corp. software that was either too old to be supported by security patches or hadn’t been patched by users. Microsoft on Sunday said that the software tool used in the attack came from code stolen from the National Security Agency. The NSA has declined to comment on the matter.

None of the infected computers had installed a March 14 software patch by Microsoft that stopped the worm, either because they were running older versions of Microsoft Windows that no longer received software updates, or because companies had simply delayed installing the software.

An early sign of trouble at the Renault plant in Sandouville came when the assembly line’s alarm system stopped working early Saturday—right after the demand for ransom appeared on TV screens. Tanguy Deschamps, a 38-year-old who was working at the factory when the virus hit, said the alarms were failing to sound whenever workers tried to alert others to crooked or improperly welded parts.

Management told workers to unplug the machines.

At 1 a.m. French time, Malik Denon was making final alterations on cars that were almost finished when his boss came down to tell him Renault had been hacked. At first, Mr. Denon thought it was a joke, but his boss wasn’t laughing.

“He was panicked,” Mr. Denon said.

Séverin Beuche, a local IT expert, was called to the plant Saturday morning to help restart the site.

“I’ve never seen something of this size,” Mr. Beuche said. He and a crisis unit worked around the clock to rebuild servers that had been crippled.

The auto maker’s cybersecurity team pored over company computer systems before the factories were due to resume full production on Monday.

The assembly line remained dormant much of Saturday. Instead of making car parts, workers were asked to tidy up the factory. Union officials estimated that 100 cars weren’t produced at the plant as a result of the hack.

Robert McMillan in San Francisco, Liza Lin in Shanghai and Louise Radnofsky in Washington contributed to this article.

Write to Nick Kostov at Nick.Kostov@wsj.com, Jenny Gross at jenny.gross@wsj.com and Stu Woo at Stu.Woo@wsj.com

U.S. Agencies Work to Thwart Cyberattacks

By Louise Radnofsky and Shane Harris

A Trump administration official said Sunday that the Department of Homeland Security, Federal Bureau of Investigation, National Security Agency and other agencies were working “around the clock” to stop the spread of ransomware and find its perpetrators.

Hundreds of thousands of people across the globe have been hit by a cyberattack that began spreading Friday. In such situations, the Department of Homeland Security typically takes the lead on coordinating with the private sector, getting information from the federal government to companies and individuals to defend their computer systems.

DHS and the FBI usually issue pertinent warnings, sometimes together, sometimes separately. On May 12, DHS representatives issued a statement through the press office to “encourage all Americans to update your operating systems” along with other, familiar tips about backing up data and ignoring unfamiliar links and files in emails. The press officials said the agency was ready to lend technical support, including overseas, for “critical infrastructure entities.”

The United States Computer Emergency Readiness Team, a unit of DHS, published an alert about the WannaCry ransomware, citing open-source reports. US-CERT said that it discouraged people from paying the ransom, “as this does not guarantee access will be restored.”

Last year, the FBI warned that the number of ransomware victims was growing. The agency also says that it does not condone payments, though in the past, officials have said that they have advised victims to do so.

Intelligence agencies don’t operate domestically, but they do play a significant role in trying to understand the nature and source of malware in incidents like this. Suspects are typically overseas, which prolongs the process both of shutting attacks down and bringing perpetrators to justice.

Representatives for the CIA and the Office of the Director of National Intelligence declined to comment over the weekend.

Write to Louise Radnofsky at louise.radnofsky@wsj.com and Shane Harris at shane.harris@wsj.com


Editor's News Picks

Breach Brand Damage: Private companies that experienced a data breach saw their share price fall by an average of 5% afterward, according to new research to be published Monday from the Ponemon Institute and the identity management firm Centrify. Breaches also put a dent in consumer trust, leading 31% of users to discontinue their relationship with the affected company and contributing to a 7% churn rate. “Security personnel have a hard time quantifying the value of security so hopefully this raises boards’ security awareness,” Tom Kemp, chief executive at Centrify, told WSJ Pro.

New FTC Resource: The Federal Trade Commission has launched a new website, FTC.gov/SmallBusiness, meant to help small businesses stay ahead of the latest trends in cybercrime. The 28 million small businesses in the U.S. employ roughly 57 million Americans, and present a tempting target for hackers aiming to exploit a lack of cybersecurity awareness and spending for their own gain. The FTC also announced last week it returned more than $48,000 to people ensnared in a customer support scam.

Insider Threat Personified: A California court fined a former patrol officer at Tyan, a private security firm, over $318,000 after he was found guilty of breaking into the company’s computer system to pad his hours worked, steal customer data, deface the website and commit other crimes. A Tyan employee unraveled the crime spree after noticing the pay anomaly and following his gut. Read a full account at NakedSecurity.

Phishing Trouble: Attorneys specializing in information security law told Ars Technica that journalists at the news site Gizmodo may have broken the law by sending a “security test” to sources close to the Trump administration. Reporters sent phishing tests to Newt Gingrich, Peter Thiel, Federal Communications Commission chairman Ajit Pai and others in an attempt to see if any high-level officials were susceptible to the common attack. The test didn’t appear to find anything concrete, but now legal experts say the journalists may have opened themselves up to charges under the Computer Fraud and Abuse Act. The issue again highlights vague language in the law that could be interpreted to criminalize many innocuous web activities.
