On January 19, 2017, a ransomware attack brought circulation and public access on over 700 computers at all of St. Louis' library branches to a grinding halt. According to St. Louis Public Library Executive Director Waller McGuire, the attack did not arrive through email phishing, the most common ransomware infection vector, but through a network break-in. As the FBI explains in a release entitled "Incidents of Ransomware on the Rise", in a typical ransomware e-mail phishing attack, victims see an e-mail addressed to them, open it, and may click on an attachment that appears legitimate but actually contains the malicious ransomware code. Or the e-mail might contain a legitimate-looking URL that, when clicked, directs the victim to a website that infects their computer with malicious software. Once the infection is present, the malware begins encrypting files and folders on local drives, any attached drives, backup drives, and potentially other computers on the same network as the victim computer. Users and organizations are generally not aware they have been infected until they can no longer access their data, or until they begin to see computer messages advising them of the attack and demanding a ransom payment in exchange for a decryption key. These messages include instructions on how to pay the ransom, usually in bitcoin because of the anonymity this virtual currency provides. Although the St. Louis library system suffered an atypical network break-in rather than a phishing attack, the result was the same: it found itself locked out of its systems, with the attackers demanding $35,000 to restore network operations.
To the dismay of the attackers, the library was ready for such an attack, and within two days its circulation system was restored and book checkouts were back in operation. The library system was able to get back online quickly for one simple reason: it had fully backed up its systems, and was therefore able to wipe its servers (ransomware included) and reinstall its network resources from the backup. The St. Louis library system is certainly not alone in suffering a ransomware attack, and it can count itself among a growing number of organizations that are able to recover from such an attack because they have a backup of their systems. According to a January 2017 study released by Ponemon Institute and Carbonite entitled "The Rise of Ransomware," more than half of small and midsized businesses have been victimized by ransomware, with 48 percent of those businesses electing to pay the ransom. Among the 52 percent of respondents who said they were attacked by ransomware but did not pay, having a full backup was by far the leading reason (42%). Other reasons included: company policy is not to pay ransoms (16%); no belief that the decryption key would be provided (15%); the compromised data was not critical to the business (14%); and law enforcement advised against paying (10%).
Of course, organizations may feel as though the easiest way to deal with a ransomware attack is to pay the ransom. However, the FBI has made clear that it does not support paying a ransom in response to a ransomware attack, because doing so does not guarantee that an organization will get its data back, and it emboldens criminals. The FBI's position is supported by real-world examples. Just last May, the Kansas Heart Hospital was hit by ransomware; after the hospital paid a ransom, the hackers did not return full access to the locked files and instead demanded a second ransom (which the hospital did not pay). When an organization such as the St. Louis library or the Kansas Heart Hospital suffers a ransomware attack, there are generally no good options. And although it is impossible to be 100% insulated from such an attack, the ability to limit its disruptiveness lies in planning and prevention. Prevention should combine awareness training for employees, a written incident response plan (with a copy kept offline), and sound technical safeguards. And, of course, a full and secure backup, kept where the malware cannot reach it: as noted above, ransomware encrypts the attached and backup drives it can see, so a backup that is always connected to the infected system may be encrypted along with everything else.