By Ruth Simon • WSJ • 4/15/15
Mark Stefanick, president of a small Houston-based firm, Advantage Benefits Solutions, was shocked when one of his consultants suddenly found his work computer locked. Within hours, rogue computer code had spread from the consultant’s computer to the server and backup system at the firm. The code encrypted the claims information and financial data.
A ransom note popped up on the infected computer: Pay $400 within 72 hours to unlock the data.
Mr. Stefanick’s first thought was to ignore the ransom demand and regain access to the files on his own. But then his firm’s IT provider said it would take “thousands and thousands of hours of running software” to try to break the code on the encryption.
“They set the ransom so low that, as violated as I feel and as much as I wanted to fight, at the end of the day I realized I can pay and get back to work,” he said.
To recover Advantage’s data, Natalie Stefanick, marketing manager for her father’s company, drove to a nearby Walgreens, pulled a MoneyGram gift card off a rack and asked the cashier to load $400. Within 30 minutes, a program that decrypted the data began to run.
In the end, no data was stolen and there were “no confidentiality breaches,” according to Mr. Stefanick. It was about 72 hours before the company was fully back and running and about two weeks before everything was put back where it belonged, he added.
About 30% of ransomware victims pay to regain their data, estimates Tom Kellermann, chief cybersecurity officer for Trend Micro Inc., an Irving, Texas, cybersecurity firm.
Intel Security, a unit of Intel Corp., said it reviewed more than 250,000 new ransomware samples in the fourth quarter of 2014, up 155% from the previous quarter. And the Internet Crime Complaint Center, a partnership between the FBI and the nonprofit National White Collar Crime Center, said businesses and individuals submitted 2,275 ransomware complaints from June 1, 2014, to March 31 of this year, with reported losses totaling more than $1.1 million. Ransomware can target more than 230 different types of computer files, up from 70 in 2013, according to Bromium Inc., a Cupertino, Calif., information-security firm.
Michael W. Cocanower, owner of itSynergy, an IT consulting firm in Arizona that works with many small businesses, says he has seen a resurgence of ransomware in the past three to six months. He tells clients that the first step is to disconnect the infected computer from their network immediately. The infected computer must also be scrubbed and other computers need to be checked as well.
One of Mr. Cocanower’s customers, CoValence Inc., a Chandler, Ariz., maker of private-label skin-care products with roughly 100 employees, has been hit with four ransomware attacks in the past six months. A backup system prevented the loss of data, but the attacks “caused a lot of anxiety,” says John Dennison, the company’s IT manager.
After the last attack, CoValence upgraded its Internet security protections. It also now regularly reminds employees to be on the lookout for fraudulent email.
Small businesses can be particularly vulnerable because they often have less sophisticated computer defenses. Some 80% of small and medium-size businesses don’t use data protection and less than half use email security, according to Intel Security. Overall, 23% of recipients open phishing messages used to transmit ransomware and other malware, according to a data-breach report released Wednesday by Verizon Enterprise Solutions, a unit of Verizon Communications Inc. An estimated 11% click on the attachments, according to Verizon.
Cybercriminals will exploit vulnerabilities in new technology as they figure out how to make money from such activities, a group of security experts tell the WSJ.
Cybercriminals have made it possible for fraudsters with few, if any, coding skills to launch attacks that lock up computer systems at small businesses, among other targets. Some groups of cybercriminals sell “exploit kits,” invisible Web applications that deliver ransomware and other malware. Other criminals peddle payloads, the malware used to lock up files, or obfuscation services that make malware more difficult to detect.
Cybercriminals may rent out exploit kits for $150 a week or $500 a month, or license them out. A cybercriminal can earn roughly $84,000 a month on a $5,900 investment in an exploit kit and other tools, estimates Ziv Mador, vice president of security research at Trustwave Holdings Inc.
To boost response rates, cybercriminals sometimes offer a “freemium” service, decrypting one or a few randomly selected files at no charge, he adds. Many schemes double the price of decryption after a couple of days to create a sense of urgency.
Bitcoin is a preferred method of payment, partly because the use of bitcoin makes payments difficult to track.
As with many computer viruses, ransomware often begins with a fraudulent email.
Kevin Simpson, co-founder of RSFLA Inc., a Santa Monica-based commercial real-estate firm, was waiting for documents from a client last year, when he clicked on an email with an attachment that appeared to come from Federal Express. Within hours, a virus encrypted RSFLA’s data, shared folders used by the company and its clients, and a year’s worth of Mr. Simpson’s photographs. He says he refused to give in to the $500 ransom, a decision made easier because most of the locked-up files were backed up in the cloud or archived.
“To get all those photos, it would have been worth it, but it was on principle that I decided not to pay,” he says. RSFLA was offline for two days and spent at least 10 hours recovering its data, he adds.