Hackers Shake Down Sierra College for Ransom

If you’ve been paying attention to the news, you know that malevolent hackers nearly took out the American oil and meatpacking industries in the last few months. Colonial Pipeline, which supplies close to half of the gas on the East Coast, and JBS, the biggest supplier of beef in the world, were attacked. But what you might not have known is that organizations in the 530 area code were similarly compromised. Last month, Sierra College was hacked, as was the government of Yuba County last February. In these cases, as in the cases of Colonial Pipeline and JBS, hackers used ransomware. This software infiltrates its targets’ computer systems, encrypts important information, and holds it hostage, while sending a demand for ransom. This year’s two devastating local assaults have put Nevada County on the defensive.

In Yuba County, everything from employee payroll to customer utility payments was affected. Employees were locked out of large parts of their system. At Sierra College, the attack happened during finals week. Students were unable to access any online services, such as virtual classes, registration, and the student dashboard, Canvas. Both Yuba County and Sierra College declined to comment on the ransom amount demanded by the hackers. In a public statement, Yuba County said they did not pay the ransom. Sierra College declined to state whether it had or not. Both of these incidents currently remain under federal investigation.

Since the onset of the pandemic, there has been a 500 percent national increase in ransomware attacks, with an average ransom payout of $200,000. These attacks are increasingly focused on vital infrastructure and small government: systems that the public cannot afford to lose. Ransomware attacks cost government organizations $19 billion in 2020. In January of last year, Oregon’s Tillamook County paid a $300,000 ransom to regain control of its systems. The next month, San Miguel County in New Mexico paid a $250,000 ransom. The cost of refusing to pay is often higher than the cost of ransom, putting small county officials in a nightmarish position, and giving attackers extraordinary leverage.

In Tillamook County, the attackers encrypted multiple data backups. The county received estimates from data security companies that it would cost between one and two million dollars over the course of a year to retrieve the data. All the while, it would be nearly impossible for employees to complete key tasks. Technology research company Gartner estimates that every minute of system downtime costs companies $5,600 because of problems such as customers not being able to pay their bills, and employees not being able to do their jobs.

Thankfully, for Yuba County and Sierra College, secured backups prevented total catastrophe. Both the county and the college have stated that core functionality has returned while the investigation continues. They are currently working alongside third-party cybersecurity firms and government officials to minimize the risk of a future attack.

Still, one error is all it takes. 

“Minimizing the risks of backups encrypted by ransomware requires strict procedures,” says Paradise, CA-based former information systems consultant Cory Emmett. He recommends having backups on isolated servers and rotating the underlying hard drives frequently. “If an attack happens and there is a hole in your system, you’re pretty much screwed. Pay now, or pay more later.”

It gets worse. Even when a ransom is paid, there is no guarantee that the hackers will hand you the decryption codes. Global cybersecurity company Kaspersky released a report earlier this year showing that over half of global ransomware victims paid the ransom, and yet 17 percent of the victims didn’t get their data back. The FBI’s official position is that you should not pay a ransom. Instead, you should contact a local field office and hope for the best.

Aware of the threat, Nevada County has bolstered its information systems defenses. 

“We’ve been working very hard over the last few years to be prepared for these types of attacks,” says Steve Monaghan, the County’s Chief Information Officer. “The biggest issue is the human error factor, so that’s primarily what we’ve been focusing on.”

What Monaghan is referring to is the fact that most ransomware enters through employee email. It typically takes the form of a tantalizing advertisement for something you can’t help but click on, such as a pair of great looking knock-off Frye’s Boots or an astrological quiz that will reveal with which sign you have the best sexual chemistry. According to digital media research firm Techwire, the Yuba County attack was initiated through someone working in the Building Department downloading a suspicious file that brought the ransomware into the network. From there, it quickly infiltrated the County’s entire system. 

Nevada County officials are trying to prepare for a similar breach. Employees must participate in fifteen modules of training over the course of several days, which cover everything from detecting suspect emails to what should be done if they download something they shouldn’t have. If you open a suspect email, you have to sit through the training all over again.

“We send out about four fake emails a month,” says Monaghan. “If an employee opens one, they have to attend another training. They are designed specifically to trick you.”

Nevada County is also using the newest machine learning technology and point protection software to detect and snuff out threats.

“We’ve established a pattern of behavior based on all the interactions between people in our network,” says Monaghan. “If someone in our network is communicating with Eastern Europe, that is a big red flag.”

Despite these precautions, no system is entirely safe from ransomware. The escalation of attacks over the last year points to a problem we’ll be battling for the foreseeable future. 
