New Ransomware and Cyberextortion Schemes Hold Businesses Hostage

Greg Bangs

October 1, 2014

In early June, the Justice Department seized control of two of the most destructive viruses ever to plague American businesses. CryptoLocker, a highly effective form of malware, hijacked affected computers by encrypting their files, then threatened to withhold the private key necessary to release the files unless their owners paid a ransom in digital currency, which 41% of affected businesses did. By the end of 2013, more than 22,000 computers were infected with the malware, and the crooks behind it had netted more than $30 million.

Gameover Zeus, another sophisticated form of malware, was designed to steal bank log-in credentials. Hackers were able to gain access to confidential financial information and siphon some $100 million from U.S. banks into overseas accounts. If it did not find the information it was looking for, Gameover Zeus would then launch CryptoLocker.

Both schemes were disrupted—at least temporarily—but the criminal gang behind them, allegedly run by a Russian hacker, is still at large, and there is no reason to assume that American businesses will not be subject to these and similar cybercrimes in the future.

In fact, as soon as companies find a way to mitigate the risk of one type of cybercrime, criminals seem to come up with a new one. In a 2013 survey of U.S. businesses by Carnegie Mellon University and the U.S. Secret Service, 75% of respondents reported that they had been the victim of a cyberattack in the past year. While governments are stepping up efforts to combat computer crime, the bad guys appear to be winning for now.

The most insidious cybercrimes are remarkable for their ingenuity and craft, and tend to fall into one of two general categories. CryptoLocker is only one of many extortion schemes in which cybercriminals commandeer computers and computer networks and hold them hostage, using threats that are often aimed at a company's greatest vulnerability. Some ransomware simply locks the affected computers. Other types, including CryptoLocker, work by infiltrating corporate public-key encryption systems, in which parties in electronic communication each have two different "keys": a public key to encrypt information and a private key, known only to the recipient, to decrypt it.

In most cases, this is a highly useful security tool, since it bypasses the need for a password to decrypt communications. Unfortunately, hackers can use it to their advantage, usually by sending what appear to be legitimate emails containing attachments. When employees open those attachments, the files stored on the company's network are suddenly encrypted, with the decrypting key firmly in the hands of the hackers. The only way to regain network control is for companies to pay a ransom. The genius of the CryptoLocker scheme was the fact that most of the requested ransoms were small and relatively painless, often just a few thousand dollars.

Other types of cyberextortion target corporate or personal information, from proprietary trade secrets to employees' health data to customers' Social Security numbers, which hackers then threaten to make public online. A similar crime is the denial of service attack, in which hackers threaten to take down systems that allow a company to process its business, shutting down inventory control, for instance, or simply destroying data.

Some cybercrimes make money for hackers the old-fashioned way: by stealing it. A gang of computer criminals known as Pony, for example, created a botnet (a network composed of the compromised computers of thousands of innocent individuals) whose sole purpose was to rip off bitcoins and other forms of digital currency by stealing passwords from social media sites like Facebook, Twitter and LinkedIn. So far, they have only made about $250,000, though security experts concede that vastly more financial damage could lie ahead.

Staying Ahead of Hackers
As governments fight to win the war against cybercrime, the proper defenses can go a long way toward helping the corporate home front defend itself in battle. Although hackers and their schemes are becoming increasingly more sophisticated, some of the best methods of protection remain fairly basic and relatively easy to implement:

Design safety into your system. If you are designing your network from scratch, do not overlook security in your plans. That way, you can build in layers of security as you build up the system.

Improve interdepartmental communications. Given that so much malware finds its way into corporate networks through infected emails, an interdepartmental policy can go a long way toward protecting a company against cyberattacks. Before opening any attachment, no matter how innocuous it may appear, employees need to be directed to verify its legitimacy with the distributing department. If there is no record of it, it should be deleted immediately.

Back up, back up, back up. To protect data, it is essential to routinely back up files using a cold backup, a system that is not attached to your computer. While cold backups are not as convenient, largely because you cannot use them to save or retrieve data when your computer network is in use, they are far safer because they eliminate the risk of saving data to a system that may already be infected with malware. Cold backups can be performed using tape or disks or by routing data to a cloud host.
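A cold backup is only worth its inconvenience if you can confirm that what went offline was not already encrypted. The following is an added example, not code from the article or its author: it records a SHA-256 manifest when a backup set is taken and, on restore, flags files that are missing, altered or newly present, marking altered or new files whose byte entropy looks like ciphertext (the 7.5 bits-per-byte threshold and the file names are assumptions, and the sample data is constructed).

```python
import hashlib, math, os, tempfile
from collections import Counter
from pathlib import Path

def sha256_file(path):
    """Stream a file through SHA-256 so large backup sets are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def shannon_entropy(data):
    """Bits per byte: documents and spreadsheets sit well below 8, ciphertext close to it."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest, taken when the set is known clean."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(root, manifest, entropy_threshold=7.5):  # threshold is an assumption
    """Compare the backup set as it is now with the manifest recorded when it was taken."""
    root = Path(root)
    current = build_manifest(root)
    findings = {"missing": [r for r in manifest if r not in current],
                "modified": [r for r, d in manifest.items() if r in current and current[r] != d],
                "unexpected": [r for r in current if r not in manifest],
                "suspect_encrypted": []}
    # Any changed or new file whose bytes look random is treated as possible ciphertext.
    for rel in findings["modified"] + findings["unexpected"]:
        data = (root / rel).read_bytes()
        if len(data) >= 256 and shannon_entropy(data) > entropy_threshold:
            findings["suspect_encrypted"].append(rel)
    return findings

def demo():
    """Constructed scenario: snapshot a clean set, then overwrite one file with random bytes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "ledger.csv").write_text("date,amount\n2014-06-01,1200\n" * 50)
        (root / "memo.txt").write_text("Quarterly notes\n" * 40)
        manifest = build_manifest(root)
        (root / "ledger.csv").write_bytes(os.urandom(4096))  # stands in for encrypted content
        (root / "stray.txt").write_text("unexpected addition\n" * 10)
        return verify_backup(root, manifest)
```

In practice the manifest is stored apart from the backup media so that a compromised host cannot rewrite both.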

Go with your gut. The real secret behind the success of cyberextortion is the fear that, unless you do what the criminals direct you to do, you will lose your files, or worse. Some extortionists, for instance, will warn their victims that going offline or shutting down an infected computer network will result in an immediate loss of files. In many instances, this is not the case. Some companies have found that, by shutting down the infected computer or rolling back the internal clock, they could buy themselves time to bring in consultants and/or to decide if they wanted (or needed) to pay the ransom.

Insure against cybercrime. Some insurance companies offer kidnap, ransom and extortion policies that also protect against cyberextortion. In addition, many sell funds transfer fraud coverage, which is part of a crime insurance policy to protect against cybertheft.

Watch for analog threats. While some thefts occur strictly online, others are less high-tech but can be equally devastating. For instance, there have been a number of incidents in which employees have been taken in by a criminal claiming to be a bank manager calling about a supposed computer system failure that requires an account number, log-on ID and passwords to fix. Law enforcement agencies are also seeing an increase in fraudulent funds transfer by individuals who walk through office hallways dressed as UPS or other delivery people and troll for Post-its or scraps of paper containing account information they can use online to steal from corporate bank accounts.

Greg Bangs is a vice president and worldwide crime, kidnap/ransom and extortion, and workplace violence expense product manager for the Chubb Group of Insurance Companies.