“Ransomware Just Encrypts My Data—No One Steals It” and Other Ransomware Myths

As ransomware daily ravages organizations, the struggle often involves working to contain the damage. It’s bad enough that ransomware encrypts files, rendering them useless unless a municipality restores its data from a backup or pays the ransom. Sadly, the damage of ransomware goes so much deeper.

For example, a common misconception is that ransomware only encrypts data. The thinking goes, “I simply pay the ransom and get my data unencrypted” or “I just restore my data through a backup, and everything is fine.”

Wrong.

Let’s take the recent case of Pensacola, Florida. Falling victim to the Maze ransomware virus, the City of Pensacola experienced the usual ransomware playbook: the virus encrypted files and cybercriminals demanded a $1 million ransom. Yet, another significant event happened. According to Bleeping Computer, “The actors behind the Maze Ransomware have released 2GB of files that were allegedly stolen from the City of Pensacola during their ransomware attack. […] In a discussion with BleepingComputer, the Maze actors stated that they released the stolen data to prove to the media that they steal more than just a few files during a ransomware attack.”

How would your municipality react to the threat of ransomware differently if you knew that everything encrypted—all confidential, sensitive, and personally identifiable information—would end up accessible to anyone on the internet? That means all information about personnel, police investigations, and property taxes. Would this make you plan for a possible ransomware attack differently?

If so, we want to review a few more myths and misconceptions about ransomware viruses that may affect your security strategy.

1. Cybercriminals use ransomware viruses to connect to your data and systems through the internet.

A ransomware virus runs as a program and connects the cybercriminals to your systems through the internet. This isn’t just a random software program isolated on your computer that only encrypts your files. The virus is a gateway—like a virtual tunnel—that opens up your data and systems to cybercriminals.

2. As your data is held hostage, cybercriminals also have access to it.

Once someone has unauthorized access to your data, they are inside the tent and can do much more than simply encrypt your data. It’s the difference between someone locking you out of your house but never entering it versus someone locking you out of your house with the added fact that they’re inside with access to all your possessions. And even worse, in cyberspace it’s as if this person still has access to everything in your house after they let you back inside!

Yes, your data is encrypted and held hostage through ransomware. But you also don't know what cybercriminals are doing with your data. What would stop them from uploading your data and selling it on the dark web? The City of Pensacola example shows that cybercriminals can literally steal all your data and publish it in a public forum where everyone can access it.

3. If I pay the ransom, I’ll get my data back.

So, you’re trusting the kindness of criminals? Certainly, even criminals have an incentive to unencrypt your data—otherwise no one would pay ransoms. But if we look at the data, criminals do not always give back access to your data after you pay a ransom. Bottom line: Paying the ransom isn’t a sure bet.

4. With data backups, I’m fine.

Data backup alone will not protect you against ransomware, as various problems may arise including:

• Ransomware encrypting the data on your backup servers, rendering your backups useless.
• Disrupted operations as backups take weeks or months to restore data after an attack.
• Failure to comply with laws and regulations from poor security policies—leading to legal and financial penalties.
• Cybercriminals stealing your data—and possibly sharing it with the world.

We encourage you to read two of our posts:

• Data Backup: Not the Only Answer to Ransomware and Viruses
• How to Prevent a Virus from Infecting Your Backup Servers

5. We’ve got antivirus software, so we’re fine.

Antivirus software is no longer sufficient to protect you. Many ransomware viruses get past antivirus software through the following means:

• Sophisticated ransomware: The most potent forms of ransomware are built by nation states and organized cybercriminal rings—and ransomware evolves quickly with new variants. Ransomware often easily gets by antivirus software.
• Relying on people to click links and attachments: A person clicking on a malicious link or attachment makes antivirus nearly worthless—which is why so many ransomware attacks begin with a person clicking on something bad.
• Holes in your security: At the server or network level, a cybercriminal can gain access to your network and upload ransomware, bypassing antivirus software and even the need for an employee to click something. If your servers, network, and other access points are misconfigured, secured poorly, and lack oversight, then you open yourself up to ransomware.

Instead of antivirus, you need endpoint detection and response (EDR) software. It uses machine learning (a form of AI) to help spot both known and unknown threats that enter your system. Then, through a combination of automated tools and human oversight, EDR will prevent attacks from ever taking place, detect intruders, and respond quickly to threats.

It’s good that more municipalities are aware of ransomware, especially after so many towns and cities have been attacked. However, it’s critical that you educate yourself about the deeper impacts of ransomware and challenge any assumptions you’ve picked up along the way about how ransomware operates. We hope this post clarifies a few myths and misconceptions, spurring you to better secure your municipality.

Uncertain about your ability to survive a ransomware attack? Reach out to us today.

Original Date: 1/29/2020