Hackers Usurp Entire Business Network Infrastructures Using RansomWare to Extort Huge Sums from Unwary Business Owners

Ransomware is a term that few have heard of, but those who have will regret ever having had reason to learn what it means. It has been an alarmingly frequent trend of late for hackers to break into the networks of small business owners, who often have neither the means nor the technical expertise to understand how to protect their Internet infrastructure. Often the Internet connection and server-side software are the lifeline that keeps a business profitable, and in many cases without that stream of revenue a business would have to shutter its doors entirely.

In recent months the frequency of these attacks has increased substantially, so let me explain the core theory behind the RansomWare surge so that you’ll have a deeper understanding of how it works, and why it is so often an effective extortion technique, akin to the mob days when Vito used to get paid ‘protection money’ to ‘protect’ the neighborhood from himself.

First, the hacker will scan small business websites for easily detectable security holes that have not been patched, which is incredibly easy, as most small businesses wouldn’t know the first thing about installing security patches on Linux servers (I can hear the “was that English” comments already), and rarely have dedicated Information Technology personnel at all, or, if they do, ones sophisticated enough to take the necessary precautions (though they do exist, elusively, in the aether). This is critically important, because without up-to-date security patches, hackers can use very simple and widely available security utilities to break in and take over a business’s computer network entirely. I don’t mean they can simply read what’s on the network; I mean that the hackers can lock down every computer attached to the network, rendering them entirely useless to anyone but the intruder. The only ways to “safely” unlock them without risking the loss of all your invaluable data are: 1) to succumb to the terrorist’s demands, transfer $XXX dollars into an untraceable cryptocurrency account and hope they actually unlock your data (cryptocurrency is another tale for another time, but suffice it to say it’s like gold mined using computers that’s traded for real-world cash in order to anonymize transactions), or 2) to report the event to the FBI and hope that they’ll be more successful salvaging your data than they were at decrypting a simple iPhone 5s, which had outdated encryption algorithms and still took them a full year or more to access (which did not involve breaking the encryption, FYI). It’s difficult to imagine the FBI successfully decrypting a 2048-bit or higher PGP encryption cipher scrambled with an unknown algorithm, possibly multiple times, and likely containing an integrated password lock which will destroy the data after 10 or so failed attempts to guess it (à la Apple’s iPhone security technique).

Second, now that the hacker(s) have control of your system, they will immediately download all of your databases and other proprietary information that would essentially ruin your business if it were leaked. That’s the honey that lures the businessperson into the trap. “If you don’t give us cash, your business will be ruined because we’ll leak all of your customers’ sensitive data, including all of your trade secrets.” Or something equally ominous.

Third, the hackers will then encrypt all of your network-attached system drives, making them virtually inaccessible without an extremely high degree of computer expertise, and even then it’s often impossible without the full weight of the federal government, vis-à-vis the battle between Apple and the FBI over whether Apple should be forced to unlock their (previously) unbreakable encryption. The case was ultimately moot because the FBI found another hacker to pay to do the job, but the analogy holds. A screen pops up on your computer systems telling you that you have X days to deposit $XXX,000 in bitcoin into account XXXXXXXXXXX, and that failure to do so will result in the destruction of your entire computer infrastructure.
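One thing a defender can do about the encryption step described above is watch a file share for the trace it leaves: many files whose contents jump from text-like to ciphertext-like entropy within a short window, plus a newly dropped note. The Python below is an added example written for this page, not code from the author or any product; the share paths, the note-name fragments, the entropy threshold and the “before” and “after” snapshots are all assumed or constructed inside the script.

```python
import math
import random
from collections import Counter
from dataclasses import dataclass, field

ENTROPY_THRESHOLD = 7.0  # bits per byte; text sits near 4-5, ciphertext near 8 (assumed cutoff)
NOTE_MARKERS = ("decrypt", "recover", "readme")  # assumed fragments of typical note filenames

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

@dataclass
class Alert:
    newly_high_entropy: list = field(default_factory=list)  # files that went text -> ciphertext-like
    note_candidates: list = field(default_factory=list)     # new files named like a dropped note

    @property
    def likely_encryption(self) -> bool:
        # Heuristic: a burst of entropy jumps together with a newly dropped note
        return len(self.newly_high_entropy) >= 3 and bool(self.note_candidates)

def compare_snapshots(before: dict, after: dict) -> Alert:
    """Compare two path -> content snapshots of the same share taken minutes apart."""
    alert = Alert()
    for path, content in after.items():
        if path in before:
            if (shannon_entropy(before[path]) < ENTROPY_THRESHOLD
                    and shannon_entropy(content) >= ENTROPY_THRESHOLD):
                alert.newly_high_entropy.append(path)
        elif any(m in path.rsplit("/", 1)[-1].lower() for m in NOTE_MARKERS):
            alert.note_candidates.append(path)
    return alert

def demo_snapshots():
    """Constructed sample data: five CSV exports, then the same paths overwritten with random bytes."""
    rng = random.Random(7)
    text = b"Customer: Jane Doe, card ending 4242, renewal 2016-03-01\n" * 40
    before = {f"/srv/share/customers_{i}.csv": text for i in range(5)}
    after = {p: bytes(rng.getrandbits(8) for _ in range(len(text))) for p in before}
    after["/srv/share/HOW_TO_DECRYPT.txt"] = b"constructed placeholder for a dropped note"
    return before, after

if __name__ == "__main__":
    result = compare_snapshots(*demo_snapshots())
    print("likely encryption:", result.likely_encryption, result.newly_high_entropy)
```

In a real deployment the snapshots would come from periodic walks of the share, and the entropy jump also fires on legitimate compression or archiving, so treat the result as an alert to triage rather than proof.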

This is an extremely powerful technique, and the result is often that people will pay the sometimes fairly reasonable cost rather than risk losing their hard-earned customer databases, as well as their reputation in the marketplace as a safe and secure place to do business. The hackers operate in a similar fashion to the Somali pirates that regularly seize big tanker vessels at sea, kidnap the captain, and immediately ransom him back to his employer for $50,000. It’s such a paltry amount of money to the company in the grand scheme of the business that they often just pay it without asking any questions; it’s the cost of doing business, and all that. Paying the ransom also has the added bonus of avoiding the public relations nightmare that would ensue if a captain died on their watch who could have been saved for a mere $50,000.

Businesses often conclude that paying is simply the easiest route to take, and then they harden network security after the crisis is resolved. This isn’t a bad strategy for an after-the-fact situation, because the cost of fighting or trying to resolve the situation using other high-tech methods could prove disastrous. If the data were lost entirely or, worse, leaked publicly, the breach of the public’s trust in the business to protect their confidential information could cause irreparable harm to the business.

Reputation is an invaluable tool to a business of any size and is critical to continued success in almost any industry, but it is of particular importance for small business owners. Entrepreneurs often rely entirely on their customers’ faith in the quality of their products and services and in the sound business judgment of their employees as the bedrock on which the business is grounded. Establishing this degree of trust can take many years, and the first several years may actually result in losses while that reputation is nurtured. Just ask Target how much it hurt both financially (approximately $150 million) and in lost trust when a data breach resulted in millions of account holders’ credit information being stolen. This was the largest data breach at the time in 2014 and led to a massive class action lawsuit with an unprecedented damage award for a case of its type; of course, the average customer only received a gift card for a paltry amount and a free credit monitoring service, but the litigation expenses were astounding. To this day, Target still makes headlines related to their handling (or mishandling) of the data breach and what lessons we should learn moving forward. One of the “lessons” is always “don’t shop at Target” or wherever the latest breach occurred, but to be honest, I think the largest lesson learned was “buy cybersecurity insurance.” While that will help mitigate losses in the event of a breach, it is not sufficient to adequately address data privacy and cybersecurity within a company.

This leaves the question, “How can an entrepreneurial business person protect his or her vested interest in having adequate security for Internet-based transactions, particularly given the importance of that revenue?”

The first recommended course of action is to consult with an attorney who specializes in technology, data privacy and cybersecurity law, but who also possesses a substantial technology background beyond the law. For example, I worked as a network engineer and system administrator for twenty years prior to deciding I wanted to become an attorney, and from the very beginning I understood that my focus area would be to serve this particular niche, where there is an innate difficulty in bridging the communication gap between dissimilarly motivated groups of individuals within a company.

Possessing dual training in both telecommunications technology and law will enable your chosen attorney to effectively and efficiently communicate complex solutions between the engineers who design the systems and the executives who defend the company from the constant threats of litigation and liability in all areas of law, not only cybersecurity attacks or personal data breaches. It is critical to understand that the two fields of technology and business do not naturally produce elegant solutions to such complex problems. Balancing regulatory compliance for Internet business that often crosses multiple national boundaries in a single transaction is fraught with potential liabilities, and it takes someone who understands the intricacies to guide clients through the global regulatory minefield.

Technology always has limitations imposed by the cost of implementation and by the skills of the available talent who must maintain the network after the security upgrades are installed. Even when dealing with executives, the attorney must be able to analyze those technical limitations in order to craft an elegant solution that satisfies the demands of the executives ultimately responsible for protecting personally identifiable information, as well as to prepare company policies best suited to mitigate a breach when one does occur. This degree of ingenuity in a single attorney is rare, and hiring multiple attorneys who collectively have the required talents is much less efficient, because the same loss in translation exists between attorneys who speak different vernaculars.

It’s extremely frustrating for owners and executives in charge of defending the business interests of a company to be unable to communicate freely with their engineers because of the different worlds from which they come. Executives are held to strict budgetary requirements and deadlines, and are also pressured by changing regulatory structures. Engineers, on the other hand, are restrained by existing technology and the resources the company has available to develop new solutions to its security problems. Having an attorney who is competent in the languages of both engineers and executives is essential to the smooth implementation of privacy policies and cybersecurity solutions that efficiently satisfy the company’s needs for security, while simultaneously assuaging concerns at the executive level, where worries about liability, litigation and regulatory compliance are at the top of the order.

Also ensure that the coursework the attorney undertook during law school actually included educational materials on information privacy, data security and/or cybersecurity (and possibly national security, which is also helpful). My final major recommendation is to hire an attorney who can guide you through the regulatory and litigation minefields, shield you from future harm by ensuring your compliance with the requisite standards, and analyze your current infrastructure through the lens of a well-paid and highly motivated hacker. If you see one way you think he could get in, there are ten others you missed. It takes a keen and well-trained eye to find the issues that will arise, and to develop a policy and implementation plan that works on all levels, from engineering to executive and everyone in between.

© 2016 — All Rights Reserved
Jason G. Norman
Senior Managing Editor
Federal Communications Law Journal, Vol. 68
The George Washington University Law School
Washington, DC

Other Publications (full issue available at the link below):

Jason G. Norman, Taking the Sting Out of the Stingray: The Dangers of Cell-Site Simulator Use and the Role of the Federal Communications Commission in Protecting Privacy & Security, 68 Fed. Comm. L.J. 139 (2016), http://www.fclj.org/volumes/volume-68/issue-1/