Ransomware viruses have been striking hospitals and schools at an epidemic level
By Seung Lee
The first wave of emotions, victims say, is a combination of panic and powerlessness. They click and reclick on files on their desktops—agendas for the Christian camp, payroll data for hundreds of teachers or medical information for veterans—to no avail. Someone, or something, has converted the files to foreign MP3 files or an encrypted RSA format. And next to these unopenable files the victims get a ransom note in a text file or HTML file: “Help_Decrypt_Your_Files.”
“All your files are protected by a strong encryption with RSA-4096 [military-grade encryption],” reads one note shared with Newsweek by a victim. “So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW!, and restore your data the easy way. If you have really valuable data, you better not waste your time.”
In February, Hollywood Presbyterian Medical Center in Los Angeles made national news after it was the victim of ransomware, a virus that blocks owners from accessing their files. For weeks, the hospital had to shuttle its patients to nearby facilities. But hackers aren’t going after only big targets. In the past few months, school districts in South Carolina and Minnesota, hospitals in Kentucky and Georgia, and a church in Oregon were paralyzed for days, and many experts believe there are far more ransomware attacks that have gone unreported.
Institutions have resorted to using handwritten forms as they try to retrieve data. In many cases, the victims cough up hundreds or thousands of dollars in untraceable, open-source cryptocurrency to get back their own information. Some cybersecurity experts call the attacks an epidemic. The United States and Canadian governments issued a rare joint alert in March warning businesses about ransomware. In 2015, affected Americans paid around $325 million due to ransomware attacks; in 2016, cybersecurity analysts estimate, it will be much higher.
“Ransomware is dangerous because anyone can [use] it and target anyone,” says James Scott, a senior fellow at the Institute of Critical Infrastructure Technology. “There are two types of organizations now: those who have been breached and those who have been breached but [don’t] know it yet.”
While the culprits come from all over the world, ransomware attacks are mainly coordinated by highly organized mercenary hackers based in Russia and other Eastern European countries, prompting some to hark back to Cold War–era concerns. “This is World War III,” says Clint Crigger, a cybersecurity manager for SVA Consulting, though he insists he is not an alarmist.
Firewalls and antivirus programs do a bad job of detecting ransomware, but they aren’t the cause of the epidemic. Instead, the cause is carelessness in clicking on infected emails. Two-thirds of ransomware cases stem from phishing emails, according to cybersecurity research company Lavasoft. Rookie hackers, known as script kiddies, can easily scrape together a fake email from a senior hospital doctor or school superintendent laced with ransomware viruses. A common method is mass-collecting email addresses from the company’s domain name, identifying the top executives of the company using LinkedIn or Facebook, creating a fake email address under one of those executives’ names and sending a ransomware-laced email to a lower-level employee with a subject line reading “Invoice” or something else that looks as if it demands attention. One ransomware attack at a Georgia Veterans Affairs hospital began with an employee clicking on a fake USPS email, paralyzing the hospital for three days.
David Eppelsheimer, pastor of the Community of Christ Church in Hillsboro, Oregon, speaks from experience. He found all his PowerPoint files converted to the MP3 format on February 18, and he got a curt ransom note asking for 1.3 bitcoins—about $500 to $800. “I felt helpless, and it felt surreal,” he says. After two days frantically trying to obtain bitcoins in shady-looking online markets, Eppelsheimer paid the hackers $570 of his own to obtain the encryption key to open the files.
Several cybersecurity experts tell Newsweek that paying ransom should be considered only in the worst-case scenarios, when one has no backups or lines of defense in place. “If you pay the ransom, what you are saying is, you have been caught with your pants around your ankles,” Crigger says.
Charles Hucks feels he had no choice. As executive director of technology at the Horry County School District in South Carolina, he was a victim of ransomware. For a few weeks starting on February 8, his county’s networks were frozen, bringing the daily routines of 42,000 students and thousands more staff and teachers to a halt. Despite having ready backups and a full-time information technology staff working 20 hours daily to get the data back, Hucks and the school district still had to pay 22 bitcoins ($8,500) to the hackers for the key.
Experts say institutions and people aren’t helpless against ransomware. The best thing to do is to back up data frequently, on a cloud storage platform or external hard drive. Scott also advocates training employees about “cyberhygiene,” comparing not clicking on malvertisements to washing one’s hands before working in a restaurant or hospital. “Loose clicks sinks ships,” Crigger says.
If a company or server is breached, the recommended procedure is to cut off all servers from public access and then have IT staff comb every folder and network for infections. Scott says institutions need to be vigilant about ransomware viruses acting as diversions for an attack elsewhere, perhaps downloading a company’s personal data.
Institutions like small hospitals are easy targets, but Scott worries that even more critical and outdated systems that control dams or nuclear silos built during the Cold War can be similarly hacked. The scale of the danger hit Scott during a recent visit to a small town in Virginia’s Shenandoah Valley. “I was thinking, I can go to a public computer right now and take down a local hospital in a day.”
For victims like Eppelsheimer, it can be hard to deal with a faceless attack that can seem very personal. “My theology is…love my neighbor even if he steals from me,” Eppelsheimer says. “But I was angry at the moment. It felt like a faceless, nameless evil from the other side of the world descended on me and my church.”