Last year, ransomware ravaged Florida. City after city paid huge ransoms to get their files and applications back after their networks were compromised by way of an employee clicking on an innocent-looking email that carried the infection.
Ransoms were big, as I noted last year in an article about the escalation in the amounts of the payoffs.
When this type of hacking first arrived on the scene, most ransoms were around $1,000; then, the stakes grew higher — with amounts of $10,000 or more.
Soon, the money started really going up, with six-figure asks. Eventually, the first $1 million+ ransom arrived.
Well … last week was something new.
A company allegedly got infected with ransomware, its systems were shut down for days, and the hackers asked for a $10,000,000 ransom to hand over the decryption keys.
The company under attack was an American tech firm called Garmin, which makes a huge assortment of fitness, marine, aviation and outdoor products. A Google search will quickly show you they are an industry powerhouse.
(This fact will be important in a minute, keep reading.)
Before we go further, how about a refresher course?
A ransomware attack usually comes via email. It is most often socially engineered to go to someone specific in a company and with a message that would appear relevant to their job function. So, the hacker finds someone in HR on a company website and whips up a nice email saying to click the attached PDF grid to see a list of resumes they have available.
However, the PDF (or link) contains malicious code; once clicked, it spreads throughout the organization. In worst-case scenarios, all PCs and servers on-premises are infected, locking all files and applications.
Often there is a clock ticking down and an amount the victim must pay (the ransom) to get the codes from the hacker to unlock everything.
Fast forward to this new attack on Garmin. What made it unique was there were no amounts listed for ransom — only a message to email the hackers to find out the amount they want.
The bottom line is, if they send targeted attacks to 100 (or 1,000) organizations, the hackers can just sit back and wait to see who is vulnerable.
Why would they do this? Assuredly, it’s because they want to see who they got on the hook.
They look at the email address a victim emails them from; if it is a large corporation, they price the ransom accordingly. So, the cupcake shop around the corner of your office would get the $1,000 ask versus Garmin with $10,000,000. Wow. Talk about upping the stakes.
A good rule of thumb when emailing hackers: Don’t use your real name and use a Gmail address so they cannot look you up to put a price tag on you.
Or how about this? Don’t email the hackers, don’t poke the “ransom-bear,” if you will. Their goal is to monetize the situation. An even better rule of thumb is to rely on your enterprise-level backup methodologies and don’t deal with hackers in the first place. That just encourages them to hack more people and stay in business.
If you don’t have robust backup procedures in place, now is the time to learn from Garmin and get it done. Make the investment.
Same with enterprise-level cybersecurity solutions: roll them all out. Cybersecurity training? Yes, do that too. The same goes for a cyber-insurance policy.
I love what Stacy Arruda, Executive Director for the Florida Information Sharing and Analysis Organization (she is former FBI, too) had to say about cybersecurity in general.
I have found myself giving people similar advice: if you are following best practices, that is the best you can do.
As Arruda says in this TampaBay.com piece:
“There is no silver bullet (against ransomware). If there was a silver bullet, I think it’s riding around in a yacht somewhere. But I think good cyber hygiene lessens the likelihood of governments, companies, businesses being affected. It’s important for employees to understand your training; that maybe they shouldn’t be doing these things. Individuals aren’t trained to know that it’s not such a good idea to put all of your life on the internet. Bad guys do a lot of their homework on LinkedIn.”
Hackers keep changing the game, creating more challenges for all Floridians, particularly in the coming months and especially regarding the election.
Everyone in your organization must be part of the defensive strategy for cybersecurity (at least until that silver bullet gets back from yachting).
Be safe out there — and do not click on the pizza coupon, IRS alerts, Wells Fargo account verification page, etc. If you have questions about a company, call them directly to avoid disaster.
Blake Dowling is CEO of Aegis Business Technologies and can be reached at [email protected].