There are many reasons to hope that 2021 will be an improvement over 2020. One trend, though, that is likely to continue to grow worse in the new year is ransomware.
What is ransomware?
Ransomware refers to any malicious code that takes control of a computer system, software application, or data, and forces the owner to pay a ransom in order to remove the malicious code and regain control of the system, application, or data. Over the past several years, ransomware has grown in sophistication and reach, affecting both large and small organizations, and becoming a lucrative tool for bad actors from international criminal syndicates to rogue nations.
Who was targeted in 2020?
Here’s a small sample of organizations hacked by ransomware in 2020:
- Carnival Corporation
- Kenneth Cole
- Electronic Warfare Associates
- NRC Health
- Magellan Health
- Universal Health Systems
- Greater Baltimore Medical Center
- Tampa Bay Times
- The University of California San Francisco
- The NYC Department of Education
- Baltimore County Public Schools
- Clark County School District, Nevada
- Fairfax County School District
- City of Torrance, California
- City of Jupiter, Florida
- Hall County, Georgia
- Jackson County, Oregon
Who’s at risk for ransomware attacks in 2021?
Ransomware attacks are a threat to organizations across every industry, from for-profit B2Bs and consumer-facing B2Cs to nonprofits. The threat is growing because the targeted organizations, in most cases, are paying hundreds of thousands of dollars, and in some cases millions, to the criminal gangs that targeted them. This increasing flow of cash, often facilitated through cryptocurrencies and wire transfers, has made ransomware one of the most profitable forms of hacking.
In countries such as India, Russia, and North Korea, multi-story buildings house hundreds of hackers working together to build massive networks of compromised systems. These “botnets” comprise all kinds of systems, from web servers to desktop and mobile devices to IoT (internet of things) devices, such as printers and refrigerators. The ransomware gangs use these botnets to scan internet-attached systems, including content management system (CMS) and customer relationship management (CRM) software, looking for any known vulnerabilities and exploiting them to take control. They also leverage phishing schemes, viruses, and social engineering to bypass security protocols. Organizations with outdated software, poor security practices and training, and inadequate or inexperienced IT and security staff are particularly at risk.
How are non-profits affected?
Nonprofits need to recognize that ransomware is a real and immediate threat. There are thousands of small to medium-sized nonprofits that have been directly hacked, and thousands more that have been exposed due to a hack at a partner or vendor organization. One of the organizations included in the list above is Blackbaud, a provider of CRM software for thousands of non-profit organizations. Blackbaud was hit by a ransomware attack in the spring of 2020, but only began telling its customers in July. Initially the company claimed that only a limited amount of data was compromised, and said that they paid the ransom only after receiving guarantees that no copies of the data would be retained by the hackers.
Of course, criminals being criminals, the hackers did not destroy the copies, and compromised data began appearing on the dark web shortly after. To make matters worse, Blackbaud revealed in later disclosures that much more information was stolen than they previously admitted, including passwords and bank and payment information, much of it unencrypted. Blackbaud now faces dozens of class-action lawsuits over the breach.
If your organization is a Blackbaud customer, you likely already know about the breach (although perhaps not the full extent, due to Blackbaud’s lack of transparency), and have had to notify your own users. If you aren’t a Blackbaud customer, just wait. It is very likely that one or more large CRM providers will be hacked in the next 12 months. In such cases, if the partner or vendor is storing your data, your organization likely has legal obligations to notify your users, and may share liability.
What should non-profits do?
1) Ensure all of your software is up-to-date with no open vulnerabilities. This includes applying all updates, especially security-related updates to your website. Whoever is maintaining your website should be keeping track of any security notices issued by your software vendors, and applying updates and patches as soon as possible. The window between when a vulnerability is announced and when exploits appear in the wild is often a matter of hours, so there is no “safe” amount of time to wait before updating or patching.
2) Do not collect or store any unnecessary data on your users. Limit registration and form fields to essential information, rather than “nice to have” data, and avoid collecting any sensitive information, such as social security numbers, unless absolutely necessary.
3) Never store sensitive data in plain text, and store a salted hash rather than the full value wherever the value only needs to be verified, not read back. Use the most robust encryption schemes available, and ensure that every salt is randomly generated and of the maximum length and entropy the scheme allows.
4) Limit the timeframe for storage of user data, especially on public systems such as websites, to no more than six months. In the event of a breach, having a limited window of data will reduce the number of affected users, and the extent of the compromised data.
5) Limit the amount of user data that you share with partners, either explicitly or through shared cookies, tags, etc. Your organization can be exposed to liability and disclosure obligations in the event of a partner breach, just as with a breach of your own systems.
6) Review and understand your obligations under the law for user privacy and disclosures of breaches. Doing so before any breach will allow you to limit your organization’s exposure, and be prepared to act quickly in the event that a breach occurs.
7) Keep all your desktop and mobile applications up-to-date, as hackers can often gain access to critical systems by installing viruses and keyloggers via less critical software, such as desktop publishing software.
8) Maintain best security practices across your organization, enforcing strong passwords, multi-factor authentication (MFA), and reasonable timeouts/expirations of logins. Also train your staff to avoid sharing and emailing passwords, and to avoid responding to phishing emails and spoofed communications.
9) In the event of a breach, DO NOT PAY! While paying the ransom may appear to be a quick fix, the reality is that the hack will be revealed eventually, and your actions scrutinized. Under state and federal law, you will likely need to disclose the breach to your users as soon as you become aware of it. Failing to do so may incur additional liabilities. Further, criminals cannot be trusted to act honorably to destroy copies of your data, and in nearly all cases, hacked data has later turned up for sale on the dark web. Paying the ransom places a bullseye on your organization for subsequent hacks, once hackers know that your organization can and will pay. Many organizations that have paid ransoms have been hacked again quickly, and in some cases, it was determined that the original hack was never removed. Lastly, paying a ransom is illegal in most circumstances, and opens up your organization, and possibly you personally, to prosecution and criminal penalties: https://www.reuters.com/article/us-treasury-cyber/companies-may-be-punished-for-paying-ransoms-to-sanctioned-hackers-u-s-treasury-idUSKBN26M77U
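As an added illustration of items 3 and 4 above (example code written for this post, not CviaD's own tooling), the following Python stores a password as a salted PBKDF2 hash with a fresh random salt per record, verifies it in constant time, and flags stored records that have outlived a six-month retention window. The algorithm, iteration count, record format and sample data are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed parameters, not from the article: PBKDF2-HMAC-SHA256 with a
# 16-byte random salt and 600,000 iterations (a current OWASP figure).
SALT_BYTES = 16
ITERATIONS = 600_000
# Item 4's six-month retention window for user data held on public systems.
RETENTION = timedelta(days=183)


def hash_secret(secret: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    Suitable for values the user supplies and you only need to verify
    (passwords). A low-entropy identifier hashed this way can still be
    brute-forced, so such fields should simply not be collected (item 2).
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)  # fresh per record
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iters, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", secret.encode(), base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


def expired_record_ids(records, now: datetime):
    """IDs of records whose collected_at timestamp is past the retention window."""
    return [r["id"] for r in records if now - r["collected_at"] > RETENTION]


def sample_expired():
    # Constructed sample records, not real users: one recent, one 200 days old.
    now = datetime(2021, 1, 15, tzinfo=timezone.utc)
    users = [{"id": 1, "collected_at": now - timedelta(days=30)},
             {"id": 2, "collected_at": now - timedelta(days=200)}]
    return expired_record_ids(users, now)


if __name__ == "__main__":
    rec = hash_secret("correct horse battery staple")
    print(verify_secret("correct horse battery staple", rec))  # True
    print(sample_expired())  # [2]
```

Records returned by `sample_expired()` are the ones a scheduled purge job would delete; the stored hash record carries its own salt and iteration count so the parameters can be raised later without breaking existing entries.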
How can CviaD help?
At CviaD we’ve been educating our clients about cyber threats, and helping them secure their digital presence for over two decades. We welcome a chance to use our deep experience and up-to-date knowledge of technology platforms, security, and privacy to conduct a thorough audit of your organization’s website and online systems, help you secure those systems, and assist in training your staff and users. From CMS such as WordPress and Drupal, to CRM systems and custom apps, our mission is to help our clients understand the evolving technology landscape, and to make the right decisions to protect their interests and the interests of their customers and stakeholders. Contact us today to learn more about how CviaD can help your organization guard against ransomware attacks.
For more information: