The last two years have seen a significant increase in ransomware attacks. The ones we hear about typically target large corporations or critical infrastructure companies that often have a large impact on daily life and raise the ire of the federal government. And yet, the ransomware attacks that impact small and medium businesses, municipalities, and small healthcare operations are not making the front page. Why? Small businesses alone make up nearly half of the U.S. economy. Worse, we cannot measure the economic impact to date, as many of these attacks go unreported. Payments are made via cryptocurrency and are anonymous. Collectively, the economic importance of U.S.-based small and medium businesses is meaningful to the stability of the economy and U.S. national security. National security? Yes, most of the ransomware attacks are emanating from Russia and Russian-influenced Eastern European countries. The capital that leaves our country via the blockchain is put to use there. Small and medium businesses *are* the critical infrastructure of the U.S. economy.
Since the start of the pandemic, my team at GroupSense and I quickly became known for our ability to assist in ransomware cases, often negotiating with the “threat actors,” as we call them, to reduce the amount paid and ensure mutual resolution. The initial engagements were often brought to us via insurance companies offering cyber coverage, or law firms that specialize in breach response and notification. In those early days, we did not advertise the ransomware response and negotiation services on the GroupSense website since we had a steady influx of victims from the insurance and law channels. A few months into these cases, and under pressure from marketing and from one of the cyber breach firms, we decided to put the response service offering on our site. Prior to doing so, the victims that we serviced were larger, well-known brands and large enterprises. These companies had, for example, cyber insurers and breach specialist law firms on retainer. Shortly after posting our services on the website, a whole new profile of victims began showing up at our proverbial door. These victims were, frankly, everyone else. The small print shop, the 20-person architecture firm, the concrete contractor, even a microbrewery, were being hit and they needed help. We took on as many of these cases as we could manage, even forgoing our fees if the victim couldn’t afford to pay.
This shift in victims impacted me profoundly. When working with a larger enterprise, the incident was no less urgent, emotional, or meaningful to the victims. The stage was different, though, and the risks more easily mitigated. A boardroom stocked with executives, financial professionals, legal counsel, and technical contributors working together, albeit often poorly, with significant resources to bring to bear was the norm for the large cases. The small businesses were different. This was Carol, who built this business herself over 20 years. Carol was about to have to lay off her 17 employees and shut the business down. On top of that, Carol had been struggling before the attack because of the pandemic. It was heartbreaking to witness, and we did everything we could to help Carol and her peers.
To help combat this problem, last year I started volunteering to speak to associations, incubators, and chambers of commerce around the country to instruct small businesses on how to protect themselves from cyber-attacks with an emphasis on ransomware. While the feedback from both the sponsor organizations and the attendees was very positive, I often heard “…but this won’t happen to me, right?” “…the bad guys aren’t going to target my little shop.” The fact is, it is likely they will target your shop; they are opportunistic. The attackers are looking for easy targets, and the U.S. small business landscape is ripe for the picking. Our cyber discipline and hygiene are lacking in the key areas that are often exploited by the threat actors. During my instruction, I really focus on the “why.” Why make these small technical adjustments? My anecdotes from real-world experiences press home the reality that this may happen. The impact is real, and people lose their jobs, and some companies shut down altogether. If the “stick” of “this will hurt you” isn’t enough, how about patriotism? If small businesses make up nearly half of our economy and our economy is critical to national security, then isn’t this an attack on the United States of America? Aren’t these attacks chipping away at one of the fundamental components of our country’s stability?
It is widely known that Russia and the nation states over which it has influence are aware of these attacks. It has been proven, even in the ransomware software itself (in which one can see a check of whether the primary keyboard language is Russian or Ukrainian before executing), that there is an unofficial amnesty afforded to these attackers. While not proven, many among the cyber intelligence community believe that there is a quid pro quo for this amnesty. It is common practice for the threat actors to steal as much data from their victims’ networks as they can before they execute the file-locking of the ransomware software. They do this to use the private data as extortion leverage, increasing the speed and likelihood of a ransom payment. The quid pro quo is that the Russian state gets a copy.
Below is a short list of ways to protect yourself. Even if you only do the first three, it will have a significant impact toward reducing your risk of a successful attack.
- Use complex passwords
- Use unique passwords for every site (this is more easily accomplished using a password manager program)
- Use Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA) everywhere possible
- Do not use your corporate email address on personal or hobby sites
- Update your software immediately when updates are offered by the software vendor (this includes your mobile phone)
- Stop. Clicking. On email links. Stop, think, and inspect any links or attachments sent to you.
Let’s prioritize cybersecurity. It is our duty to make these small, relatively simple changes in our cyber habits, to protect ourselves and to protect the United States.