It’s not going away, and it’s getting smarter all the time.
“Ransomware is the weaponization of encryption,” says James Scott, Senior Fellow at the Washington, D.C.-based Institute for Critical Infrastructure Technology. Encryption is an enormously important feature of protecting the computerized information that belongs to your dealership, your clients, and your potential clients, but unfortunately, in the hands of malicious actors, it can be used against you.
Just like a kidnapping in malicious software form, ransomware has the distinction of demanding payment in order for its creators and distributors to back off and release the information to which it’s blocking your access. If you don’t pay, the threat is that the information will remain inaccessible or be published.
In spite of potential vulnerabilities, Scott says encryption remains key to your cybersecurity. In the case of credit applications and the like, it should come in the form of field encryption, i.e., every field on every form should be encrypted. All your data and your servers should also be encrypted, as should any place where you store that data.
Low-hanging fruit
Ransomware isn’t going away, partly because it’s so easy to perpetrate. Those who have the skill set to write code are too high-level to bother with the distribution of ransomware (the risks of getting caught far outweigh the potential rewards), Scott says, so they rely on eager “script kiddies” they find in forums on the dark web.
The script kiddies are would-be black hats (those code-writing hackers who steal data and sell it, or who are “hacktivists” who want to bring down networks just because) who lack the skills—“Parasitic underbelly dwellers,” says Scott—but have the connections to make sure the malignant software finds its way to your inbox.
Because the code is becoming more sophisticated, it’s no longer necessary for each individual to click on the wrong attachment or open the wrong email; ransomware now behaves like a self-replicating worm that can spread on its own once one user lets it in.
Not going away
“It’s here to stay and we’re going to see more sophisticated variants,” Scott says. This spring’s WannaCry ransomware attack, which brought down systems as far afield as Russia and included the UK’s National Health Service’s computers, has changed the game.
So, how bad can it get? Scott says the real threat of ransomware is that it can be used to distract your IT department while something else even more sinister is going on, like the sussing out of your entire treasure trove of customer data.
Such data has value on the dark web, as it facilitates ID theft. “When a bad actor has a complete record—date of birth, SIN, etc.—they can go to a hacker and say, ‘Hey, I have Jennifer Jones’ complete record. Here’s my pic, make a full ID set.’ That can extend to passports, driver’s licences, birth certificates, credit cards. And there are different levels of that sort of fraud.
“If you have just an image, maybe it doesn’t pass muster with the cops when the person gets pulled over, but it’s different if they tap into federal databases and start actually switching things around, taking over identities.”
Your HR records can be vulnerable too. Scott says he has seen individual pieces of information for critical infrastructure executives on sale for $1,000 to $2,000 apiece.
Dangers beyond the desktop
It’s not just your desktop computers that are vulnerable, either. “When you’re on a network and they find a vulnerable device, they can open a backdoor for use whenever they like,” Scott says. “And that goes for your partners and contractors too. If you’re trying to get at a big retail store, say to get into the POS terminals so you can use the information gained every time a payment card is swiped, you might do that through the HVAC contractor who has access to the system.”
Fortunately, you and your team aren’t helpless. There are some relatively simple steps you can take to protect your encrypted data.
• Download patches for any applications, industry-specific software and operating systems you use as soon as they’re released. The WannaCry attack took advantage of vulnerabilities in outdated copies of Windows.
• Invest in a threat-sharing platform that shares information between companies, or between dealerships in an auto group. Or, purchase services that will monitor your networks for you. Some ransomware is set up to go off like a time bomb in the future; a threat-sharing platform can help find it before it detonates.
• Be smart about username and password creation. “If Bob Jones was born 5/10/75, there are too many times when ‘bobjones’ and ‘51075’ are used, and it makes it really easy to get into his stuff,” Scott says. “Once someone is into your social media profiles, they have everything.” Use upper and lowercase letters, numbers and punctuation marks, and stay away from anything obvious.
• You should know this one already, but remember (and remind your staff) to never follow unknown links or open attachments from unknown contacts.
• Hover your cursor over a link prior to clicking to make sure the URL matches the hyperlink.
• Install ad-blockers and do-not-track browser extensions (such as AdBlock and DoNotTrack).
• Back up your systems regularly and create restore points, preferably on multiple media. Copy important data files onto external devices or cloud storage.