International cybercrime is rising dramatically, driven by sophisticated operatives holed up in places such as Russia and North Korea who use advanced technology and even psychological tricks to penetrate computer systems, and then steal, lock up or even disseminate private data of all kinds.
Criminals are targeting businesses large and small, along with municipalities and colleges, with tools such as ransomware, in which an institution’s computers are entered and locked until a ransom is paid, and phishing, in which an innocuous-looking incoming email, for instance, can release an invasive virus into a computer system.
Discussion at the Cybersecurity Summit co-hosted virtually on Oct. 7 by Providence Business News and Tech Collective verged on the ominous tone of a John le Carré novel as a Boston-based FBI analyst and Rhode Island experts described the range and growth of cybercrime, spurred on by the COVID-19 pandemic.
Tom Doyle, a cyber analyst in the Boston office of the FBI and the summit’s keynote speaker, referred to an Oct. 1 advisory from the U.S. Department of the Treasury that indicates the department may look to sanction Americans who pay ransom or facilitate ransom payments to nations and individuals designated by the federal government as special threats.
Panelists urged listeners to protect their computer systems early, a project that has become more fraught as workers scatter to their home offices during quarantine, thereby exposing the entire business’s cyber footprint to weak protections and careless practices at home.
Buying cyber insurance is on the way to becoming a normal cost of business, said panelists in one of three breakout sessions that followed the keynote speech. In the wake of a cybercrime, insurance companies’ cyber panels handle a myriad of urgent tasks: detection, forensics, legal matters, public relations, and notification of customers and law enforcement.
Doyle, whose FBI office also covers Rhode Island, said cyberattacks increased by 94% in the Boston area and 81% in Rhode Island in the first half of 2020 compared with the same period in 2019.
Doyle said ransomware attacks increased by 250% in the Boston area in the fiscal year ending September 2020.
After Doyle’s talk, three breakout panels tackled aspects of the cybersecurity challenge. The first panel examined a recent cyberattack and discussed best practices for businesses to reduce damage and recover. Panelists were Jeffrey Ziplow, a partner at Blum, Shapiro & Co. P.C.; Cindy Lepore, vice president of Marsh & McLennan Agency LLC; and Linn F. Freedman, chair of the data privacy and cybersecurity team at Robinson & Cole LLP.
Another breakout session took a closer look at Tech Collective’s “Rhode to Resilience” security program for small businesses. Panelists were Eric M. Shorr, president of Secure Future Tech Solutions, and Douglas Tondreau, from the Digital Forensics Center at the University of Rhode Island.
A third session examined technical methods for controlling the spread of ransomware. On that panel were David Sun, digital forensics and security partner at blumshapiro, and O’Shea Bowens, founder and CEO of Null Hat Security LLC.
Kim Casci Palangio, assistant vice president of victim services for the Cybercrime Support Network, gave the closing remarks.
Doyle said the Northeast is a target of high interest to cybercriminals because of its wealth of research and medical facilities. Some cybercriminals are state actors, but most are individuals operating on the model of organized crime. He and others said the crime of ransomware has evolved into a “double extortion” in the past year or so because bad actors infiltrate systems, lock up data by encrypting it, and, in a newer twist, also threaten to publish the data on the internet if the victim fails to pay the ransom.
“They are getting entire network penetration, with a great impact on victims,” Doyle said. “They are going on to systems, capturing passwords, capturing data, then getting ready to do more damage later.” He said he knows of victims who have paid more than $1 million and up to $2 million to retrieve their data.
Asked if businesses should pay ransom, Doyle said the official position of the government is “no,” but he added, “It’s a business decision.”
Doyle introduced an advisory published Oct. 1 by the U.S. Department of the Treasury titled “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.” The advisory denounced the practice of paying ransom, saying this “may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims.”
The advisory said Americans may not pay ransom to certain parties designated as threats by the government. “Under the authority of the International Emergency Economic Powers Act or the Trading with the Enemy Act, U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities … on OFAC’s [Office of Foreign Assets Control] Specially Designated Nationals and Blocked Persons List.”
Doyle was succinct: “If you are paying ransom to sanctioned companies, you may be in trouble.”
Panelist Linn F. Freedman later concurred, “We may be subject to fines and penalties … for paying foreign adversaries a ransom.” She added, “We are going to see a whole different scenario about paying ransom in the future.”
The Treasury advisory encouraged cybercrime victims to reach out quickly to law enforcement.
Doyle also encouraged victims to contact the Boston FBI office, which estimates that it receives information about only 25% of cyberattacks in the region. “It takes years to figure this out. Reach out to us; we are making progress; we are making arrests,” he said.
Offering reassurance, Doyle added, “We don’t want your data. We want to look for indicators [of crimes]. If you are a victim, we treat you like a victim.”
Without giving names, Doyle alluded to some cybercrime cases he has worked on, but one breakout panel discussed a well-publicized break-in this year at Blackbaud Inc., a global provider of financial and fundraising technology to nonprofits.
Freedman reviewed the incident, in which hackers entered the Blackbaud system and stole a subset of the company’s data. The company discovered the breach in May and began to notify customers in July. Freedman said the hackers “probably threatened to leak the data into the internet.” Blackbaud paid the ransom. Freedman said she “would not be surprised” if the amount were in the seven figures.
Among the many difficult cleanup problems for Blackbaud was to notify customers whose data may have been exposed.
Asked if cyber insurance could help with costs of a major hack, Freedman said, “In many instances, insurance will cover payment of ransom. Insurance is key here. Some companies don’t have insurance, so all of this would be out of pocket.”
Lepore, of Marsh & McLennan, called cyber insurance “relatively affordable,” but also noted that losses to organizations not covered by insurance include brand deterioration and decreased revenue.
She described many of the aspects and difficulties of reporting and managing a cyber breach. “Organizations need to be prepared,” Lepore said. “Even if a partner has a cyber event, it will ripple through the organization.”
Freedman added, “The statistics of small business coming out of a ransomware incident are very bleak.”
Statistics from the Boston FBI office and the U.S. Treasury Department show that the pandemic and quarantine have turbocharged cybercrimes.
“It has been bubbling up,” said Ziplow, from blumshapiro. “The FBI saw the same number of attacks in the first five months of 2020 as in all of 2019.” He said two major effects of the pandemic are fueling the trend.
First, the federal stimulus money paid out to individuals and businesses in spring 2020 sent a lot of cash washing through the economy, and cybercriminals ramped up to grab some of it.
Also, Ziplow said, having people working from their homes “has increased the attack surface. In the past, we just had to protect the office and its perimeter. Now we have an increased number of offices,” that is, employees working remotely.
Home protections mean locking computers and changing passwords, including the passwords for routers.
As always, computer users need to arm themselves against sneaky phishing maneuvers, in which criminals pose as a legitimate contact, such as a person from a company’s own information technology department. Opening the email can release a virus into the system.
Emails from cybercriminals “look and smell just like an email from a co-worker or a CEO,” Ziplow said.
Lepore added, “People are getting a lot of text messages with links. It is easy to be going through text messages quickly and to click on a link.”
Said Ziplow: “Stop, think, then click.”