On the morning of February 27, Scott Heiferman opened his email to find an extortion demand. The email said that a competitor had organized a cyber attack that was about to bring down the website of Meetup.com, the Boston-based social networking company where Heiferman is co-founder and CEO.
“I can stop the attack for $300 USD,” the ransom note said. “Let me know if you are interested in my offer.”
Heiferman didn’t pay, and the attack was launched. Meetup’s site was down off and on for the next several days, which Heiferman said was the first significant outage in the company’s 12-year history.
Although it sounds more like a rough draft for a movie script, experiences like Heiferman’s do happen in the real world. And cyber attacks are becoming more frequent and sophisticated. A recent study by security firm McAfee forecast rapid growth this year in attacks on mobile platforms. Reports of malware targeting Android users increased 33 percent in the second half of last year, the company reported.
By the end of this year, McAfee warned, attacks channeled through social platforms would be “ubiquitous.” Small businesses that lack the size to fund internal security departments or demand improved security from cloud and other IT providers were especially vulnerable, the security firm noted. And online businesses, because they had more to lose from data and service interruptions, were more likely to suffer as well.
The nature of the attacks varies widely. According to industry experts, two that are growing in frequency and potency are denial of service or DoS attacks like the one that afflicted Meetup, and ransomware viruses that block a user’s access to data. Denial of service attacks employ a gang of robot PCs to flood a website with malicious traffic and cause it to crash. Cryptolocker, a form of ransomware that has hit many users in recent months, encrypts data on a hard drive and offers the key in exchange for a Bitcoin virtual currency payment.
One consistent feature is that attacks today are more virulent. “It’s different technology,” says Robert Siciliano, a McAfee online security expert. “It’s more organized, it’s more efficient, it’s more automated, it’s more stealthy.” Most attackers are overseas and, rather than being amateur hackers, are for-profit entities focused on making money from cyber threats.
Addressing the Threats
No one knows how many targeted organizations respond by paying, but some definitely do. For instance, the police department in Swansea, Massachusetts, reportedly paid $750 to Cryptolocker attackers for the key to decrypt departmental data. George Arruda, chief of the 31-officer department, acknowledged the department paid “a fee” in the October 2013 incident but declined to provide details.
Others, like Heiferman, refuse to pay. The Meetup CEO said in a blog post that he didn’t want to negotiate with criminals and felt that going along with it would encourage attacks on other firms. He said he believed the initial demand of $300 was a prelude to demands for much more if the initial request had been paid. And he expressed confidence that his company could defeat the attack without paying.
He's right on all counts, according to the experts. Attackers usually start with demands of just a few hundred dollars to find out who's willing to pay anything, then ratchet up their demands into the thousands very quickly. Paying encourages repeat attacks, with the website of any company that pays being more likely than others to receive another assault. And, experts say, most or even all attacks can be defeated.
If you're threatened with a DoS attack, the first response is to stall. “Play along,” Charles Tendell, CEO of Denver-based Azorian Cyber Security, advises. Tell the extortionist you need time to prepare the payment. Meanwhile, gather up any emails and transcribe any conversations between you and the hacker, and prepare to defend your company.
The evidence isn't for presentation to police—law enforcement probably can't help, Tendell says, because local police lack the technical sophistication. And federal agencies like the FBI cyber crime unit won’t get involved unless the loss is more than $5,000, Tendell explains. Both law enforcement agencies are hamstrung by the fact that most cyber criminals are based overseas, where they're hard to trace and harder to prosecute.
Calling in the Cavalry
Your website hosting provider is a better first call. The hosting company can begin collecting traffic logs that can be used to help defend against the attack. Most hosts will also have DoS defenses they can activate or, if those should prove inadequate, can help connect you to a provider of advanced DoS mitigation such as Cloudflare. Using such techniques as redirecting Web traffic from an over-matched in-house server to a crowd of distributed data centers, DoS mitigation can get a website back up in hours and render future attacks useles, Tendell says.
If you’re struck by a virus such as Cryptolocker, predicted outcomes vary. Siciliano says there often isn’t a workaround. “Once the virus gets in there and attacks your information," he says, "it’s pretty much game over.”
Tendell says surviving a virus attack depends on the specifics of the ransomware used and the victim’s system. For some but not all attacks, he says, a qualified forensic cybersecurity expert or company can unlock the data.
In any case, paying a ransom will likely only lead to escalating demands or to simply being ignored as the hacker takes the money and runs without providing a key, Tendell says. “Depending on the data that you’ve lost, you might be SOL,” Tendell says.
Dealing With the Fallout
Survivors of ransom attacks often face additional problems. Meetup, for instance, had paying customers who were worried about the loss of personal data, griping about their inability to schedule meetings and fretting over undelivered email. Heiferman reassured them that their data was safe, gave a credit to affected organizers and worked to accelerate the delivery of held-up mail.
After all is said and done, however, don’t expect closure. A DoS-afflicted website will likely be down for hours, if not days, and page updates, emails and other data may be lost for good. Ransomers are rarely prosecuted. The only thing you’re likely to gain is experience.
Business owners who want to avoid these experiences should practice standard data security: Run backups scrupulously, and employ antivirus, anti-spyware, anti-phishing and firewall software. Train everyone in the company in smart surfing behavior. “You have to be conscious of where you’re going and what you’re clicking on,” Siciliano stresses.
And never think it can’t happen to you. Small businesses, online businesses and businesses that employ mobile devices or apps are all more vulnerable than others, and the threat is growing and becoming more dangerous. While security systems will evolve, so will attackers, who are only getting braver. Ransomware has existed for at least a decade, notes Siciliano, who adds, “This is will be around for quite some time.”
Read more articles on technology.