
Episode 23 – Ransomware attacks: How secure are we?


Ransomware attacks are up 300 percent this year compared to 2020. Anyone who uses an electronic device, whether it’s a simple cellular phone or the computers that run small or large businesses, is at risk for a ransomware attack. But how does a society defend itself against an unseen enemy and an impending cyberattack? Tulane cybersecurity expert Randy Magiera discusses how hacking occurs, what to do following a ransomware attack and how to avoid becoming a victim.

Transcript

Speakers
Roger Dunaway, Assistant Director, Tulane University Public Relations
Dr. Randy Magiera, Adjunct professor of Information Technology and Information Security, Tulane School of Professional Advancement


Roger Dunaway  
Hello, and welcome to On Good Authority, the podcast by Tulane University, where we bring you leading experts to talk about issues of the day and ideas that shape the world. I'm your host, Roger Dunaway. Cybersecurity has become a mainstream news topic worldwide thanks to a number of high-profile cyber-attacks. According to the FBI, over 2,400 US entities were victims of ransomware attacks, and roughly $350 million in ransom was paid to malicious cyber actors in 2020. Now who exactly is at risk for ransomware attacks? Simply put, it comes down to anyone who uses an electronic device, whether it's a cell phone or a computer. So how does an individual or an entire nation defend itself against an unseen enemy and an impending cyber-attack? Today, I'm sitting down with Randy Magiera, a cybersecurity expert and adjunct professor in the Tulane School of Professional Advancement. Randy, welcome to On Good Authority.

Magiera  
Thank you for having me.

Dunaway  
Randy, why are cyberattacks becoming so common?

Magiera  
I think with the advancement of technology, as more people get connected to the internet, unfortunately, there are more bad people that are willing to do something like this. I think the most common factor, though, is the financial aspect of it. Especially with ransomware, the majority of cyber-attacks are done with a financial motive. Criminal actors, malicious actors, whatever you want to call them, they want to make money. With the uptick of ransomware that's been happening for several years, you know, these criminal actors, whether they're part of a gang or just an individual person, they're seeing more and more companies paying these ransoms. They're incentivized to do more.

Dunaway  
Ransomware attacks are the most common type of cyber-attack. Randy, can you provide our listeners with background information about how exactly a ransomware attack works?

Magiera  
Absolutely. So, ransomware has been around for quite some time. It slowly became more popular, and really around 2013 it spiked, if you will. Basically, what a ransomware attack is, is when an individual launches a program script, and in essence, it locks up your PC and encrypts all your files. You get a screen pop-up that says, “We have encrypted all your files. If you would like your access to your data back, you know, please pay this ransom.” And it varies in how much they want.

Dunaway
What are hackers looking for during a ransomware attack?

Magiera  
So primarily hackers, malicious actors, whatever you want to call them, they're looking for people to run their program. So, one of the most common methods for ransomware to infect the victim is called social engineering. The idea behind social engineering is this hacker or malicious actor gets you to do something for the attacker’s benefit. A good example of this that’s not related to ransomware is those phone calls. I'm sure most of the people listening to this have gotten at least one phone call from someone claiming to be from Microsoft saying, “Hey, your system's infected, you know, please work with me so we can un-infect your system.” Those are scam calls. They're using social engineering techniques to try and get you to install a program or allow them access to your computer, and have you, ultimately, purchase a bogus antivirus subscription or whatever the scam is. So social engineering is the technique, and more often than not, they don't necessarily target an organization. More often with ransomware, when they're sending out emails, they're just hitting as many people as they can and seeing who takes the proverbial bait. Now with these more advanced groups, which we can talk about later, you know, they'd be a little more targeted. But most ransomware attacks are just simply people spraying emails out to everyone, and whoever gets hit is who gets hit.

Dunaway  
Can you talk about the severity of taking the bait and clicking on a ransomware link?

Magiera  
The severity, it really varies on the victim’s situation. If it's someone that's at home, like you and me, we're on our home PC, we would lose our system, right? That's the idea behind ransomware. They click the bait, they run the program, your system gets locked up. If you don't have backups of your files, then you're in a really bad situation because you have to pay the ransom for the ransomware. Then, you'll get access to your files. And even in scenarios like that, it is not always the case. There have been many instances where someone has paid the ransom and they didn’t get that decryption key to allow them to unlock their system. When we look at it from a business perspective, it is pretty different because if you click on ransomware at your business and they don't have the appropriate controls in place, not only is your system infected, but theoretically it's possible that the ransomware can spread on your network and infect other systems. One of the interesting things about ransomware, especially its evolution over the years, these groups, especially the organized gangs, have evolved. They actually hire out hackers to further look and see what information that they can get. So, if you infect a business PC, they're actually going to use that infected PC to do what's called a pivot, where they work off that PC and look at other PCs in the network and download your sensitive company data, exfiltrate that data. When the ransomware comes, not only are they saying, “hey, not only will we give you your systems back, but if you don't pay us, we are actually going to release all this sensitive data to the public internet for anyone to see.”

Dunaway  
Why is Bitcoin so popular with criminals?

Magiera  
Bitcoin is very popular with criminals when it comes to ransoms because it is very difficult to trace. In fact, there have been very few documented instances where the authorities, you know, the FBI, the US government, other governments, have actually been able to trace a Bitcoin to its owner, which is what's also known as a wallet. Most recently, one of the very few successful attempts they did was with the Colonial Pipeline attack, where the Colonial Pipeline company paid the ransom, but the FBI watched as the bitcoins transferred from wallet to wallet to wallet, you know, these bogus wallets. They were actually able to seize some of the bitcoins and get some of the money back towards the Colonial Pipeline company. But overall, it's relatively known that Bitcoin is a great way to do anonymous payments.

Dunaway  
Randy, when businesses do pay the ransoms, does everything fall back into place for them?

Magiera  
So when a business pays the ransom, assuming that they technically do have the ability to get their files back, there are a lot of issues with doing that. One thing we saw with the Colonial Pipeline is a great example. They paid the ransom, they got the decryption keys. So, they started decrypting their data, but it was, quite frankly, so slow that they relied on their backups to get systems restored faster. If you’re a time-sensitive organization, like Colonial Pipeline, then it's not like you just get this key and everything's unlocked and back to normal. It takes time. Furthermore, in certain industries, especially the healthcare industry with HIPAA, they consider data that was encrypted by a ransomware attack as a breach because you don't know how that data has been manipulated. It's called the integrity of the data. The data integrity may have been modified. While it's encrypted, you don't know what these malicious actors did. In some cases, they're not even allowed to use that data anymore, and you have to report it to whatever government agency that's overseeing your particular organization.

Dunaway  
Now, after a ransom is paid, how does an organization know they have received their complete data?

Magiera  
Usually, your IT department would be able to tell you if there are any assets that are still missing. They're going to be the ones, or the consultants, whoever you're working with, that work with you to get everything unlocked. There's that aspect. With regard to being hit again, some organizations make it a part of the deal when they pay the ransom. “Hey, we will pay this ransom, but you cannot target us again.” So theoretically, that works. But if you're telling one criminal organization that, “Hey, don't hit us again,” there's nothing stopping these other criminal organizations from hitting you again. First and foremost, you're dealing with criminals. There's literally nothing holding them to their word. Ideally, I like to think that when an organization is hit with this, you know, there will be lessons learned after everything's done. They'll realize, “Hey, you know, we need to address the gap, if you will, that allowed this ransomware to successfully get in and proliferate within our system.”

Dunaway  
Do you think paying up that ransom encourages cyber criminals?

Magiera  
Absolutely it does. A majority of cyber criminals are motivated by money. You know, they want to make money. When they see more organizations paying the ransom, it's just going to further embolden them to continue to attack organizations.

Dunaway  
Should organizations pay that ransom?

Magiera  
The government says no. Personally, I say no, you know, you're only encouraging criminal actors to continue doing ransomware attacks when you pay. But the problem is that’s kind of ideological. When the government tells you not to pay this attack, or not to pay this ransomware and your business is literally down like we saw with the Colonial Pipeline, you really have to think it through. It's not just as simple as saying, “hey, yeah, we're never going to pay.” Unfortunately, you have to think of how it's going to impact your business and make the decision that makes the most sense with a balance of the implications to your business and the ethics, if you will, of paying a ransom. So unfortunately, it's a pretty gray area. As much as we really shouldn't pay, I understand why some organizations do pay the ransom.

Dunaway  
Let's shift gears. Are cyber criminals more likely to target large industry or small businesses?

Magiera  
We don't actually see as many successful tests against big industry. Typically, big industries, big organizations, I should say, they have so many resources, they can put in that high-end security awareness training to make sure people know not to click what they should not click. They can put in that next-generation antivirus, which protects their endpoints, their devices, from getting infected. They have the appropriate network segregation, so if one device does get infected, you know, if an accountant's PC gets infected, it's not going to be able to spread to the rest of the network and hit their critical servers. They have the resources to put in these controls. Smaller businesses, and most commonly what I've seen in local governments, they don't have an extensive budget for this kind of stuff. They don't have an infosec team or information security team of 30, 50 people and an IT team of, you know, 100 people. They typically have a handful of IT people, in general, who are charged with taking care of everything, and are given limited budgets to do it. So that's why we see those types of attacks being more successful against local governments, smaller organizations.

Dunaway  
Randy, in your experience, do you believe that the recent attacks will force companies to make cybersecurity more of a priority?

Magiera  
I love to think that they're doing it. More than likely they are, but I can't say for sure. And at the end of the day, it's up to management, it’s up to the board of directors to weigh the risk of cybersecurity versus other business objectives, as well. So, they may say, “Hey, you know, ransomware is important, but this other thing is way more important. So we need to fund this other thing over ransomware mitigation, over additional cybersecurity.”

Dunaway  
Let's go on the offensive. Some lawmakers are urging the Biden Administration to use military cyber capabilities against these criminal hackers overseas. Randy, how would using the military work against criminal hackers, and is this really pragmatic?

Magiera  
I really don't think it's pragmatic. Hacking back, as it's called, has been discussed for a long time. The US military may have some very talented people, but not all organizations do. At the end of the day, you can only do so much hacking back. At the end of the day, if you target someone in Russia, for example, especially someone that may be a state-sponsored entity that's given state resources, yeah, sure, maybe you can trace them. Maybe you can take over some of their systems, but there's really nothing stopping them from, quite frankly, getting another system and continuing their attacks. It's not like it's a physical attack where you're physically disabling someone. When you disable someone from a cybersecurity perspective, you can literally go out to your local store most of the time, get another PC, and continue your attacks.

Dunaway  
The Russia-linked REvil ransomware syndicate recently disappeared from the internet. Now, for our listeners, this cyber gang was blamed for attacks on hundreds of businesses worldwide. Who do you think was directly or even indirectly behind the disappearance?

Magiera  
It's really all speculation at this point. Chances are that they realized that there's becoming too much heat. They are getting too much heat on them, so they decided to take themselves offline. That's entirely possible. We look at the group that's called DarkSide. They're the ones responsible for the Colonial Pipeline attack, and they were relatively unknown until they hit the Colonial Pipeline. Then all of a sudden, people started paying attention to them, and they started getting nervous to the point where they released a statement, a public statement saying, “Listen, you know, we're not political actors. We're not trying to attack the United States. We just simply want to make money. This is why we’re here.” And basically, they put a target on their own backs by attacking the Colonial Pipeline. I don't think they realized what they did. So when it comes to REvil, it's really hard to say if they did it themselves to, you know, try and take some heat off of them because their profile is being raised, or if someone, you know, possibly the Russian government, took them offline. Possibly the US military took them offline. It's impossible to say. It's all speculation at this point.

Dunaway  
The US government recently launched a new website to combat the threat of ransomware called stopransomware.gov. Randy, is this a good first step by the government to assist the general public when it comes to ransomware attacks?

Magiera  
I like to think so. Absolutely. One of the most effective controls with cybersecurity is awareness, so making more people aware of ransomware. We like to think, “Hey, you know, with everything in the news, people are definitely aware of ransomware by now.” But it's not always the case. So, making them aware of ransomware is a great idea, giving them overviews of how ransomware works, some effective controls, preventing ransomware from hitting you, whether it's your personal device or at a business. It's always great information. It's an excellent first step, absolutely.

Dunaway  
What is the best proactive approach any individual or business can take to make sure they do not become a victim of a cyber-attack?

Magiera  
The most effective control I always teach people is security awareness training. It seems kind of simple, it seems kind of silly, but the biggest weakness in an organization is an untrained employee or end user. The greatest defense an organization can have is a properly trained employee or end user. You know, that infection has to start somewhere. And as previously stated, it's almost always social engineering. You're tricking people to click those malicious links, what have you. You can throw all the controls in the world. So you can, you know, get that anti-virus on your endpoint and your desktops, laptops, what have you. You can have your network segregation. You can subscribe to all this latest threat intelligence. You can put in all these controls, but the most effective control an organization can do is make sure that their employees are properly trained with regard to security awareness.

Dunaway  
With all these major attacks going on, how pleasing was it to see that the President has implemented a new cybersecurity team?

Magiera  
It's great to see government action. It's nice to see that they put cybersecurity higher on their priority list. And they're working hard to work with businesses and consumers to help them better understand what's going on. They're working hard on threat intelligence sharing. It's great to see them, you know, taking a more proactive role in this. I think it's really going to help a lot of organizations out.

Dunaway  
Is there anything else we should all know about cybersecurity and ransomware?

Magiera  
The one thing I always recommend when we're talking about ransomware, in particular, is always make sure, especially as a consumer, you have a good backup of your files. This doesn't apply just to ransomware itself, you know, just to provide mitigation against a hardware failure. It's less of an issue now, with the expanded use of Google Drive, Microsoft OneDrive, you know, all these cloud storage services. The one thing I tell people is take advantage of them. Don't just leave stuff on your desktop. Unfortunately, your desktop can and will fail at some point. And in the event of a ransomware attack, everything on your desktop, on your computer itself, will be considered gone. So the one thing I tell people: make sure you have great backups. Always be suspicious of what you click on. You know, as I said before, a few times, email is the most common way to spread ransomware. And so people get concerned about, hey, you know, they don't want to offend someone or what have you. So, you know, it never hurts, if someone you know sends you something odd, to pick up the phone and call them and just make sure that what they sent you was legit. Don't just take their word for it. If someone that you don't know sends you something, then just ignore it. Just delete it. Don't worry about hurting someone's feelings. One thing social engineers know is how to manipulate people. And they will try and take advantage of the fact that inherently people are good people and they want to help others.

Dunaway  
Randy, thanks so much for joining us today.

Magiera  
Absolutely. Thank you for having me.

Dunaway  
Thank you for listening to the latest edition of On Good Authority. For information on future episodes, please visit our website, tulane.edu/ongoodauthority. If you like our show, please subscribe using your favorite podcast app.

Host: Roger Dunaway
Editor: Daniel O’Connell
Producers: Daniel O’Connell and Audrey Watford
Production team: Marianna Boyd, Keith Brannon, Will Burdette, Faith Dawson, Roger Dunaway, Libby Eckhardt, Aryanna Gamble, Daniel O’Connell, Mike Strecker and Audrey Watford