On this episode, Eric is joined by ransomware thought leader, Niam Yaraghi. Niam is an assistant professor of Operations and Information Management at the University of Connecticut’s School of Business and a non-resident fellow in the Brookings Institution’s Center for Technology Innovation. The two discuss the origination of ransomware, how companies can protect themselves and make predictions on the future state of ransomware attacks. Be sure to keep up with Niam by following him on Twitter @NiamYaraghi.
Like this episode? Be sure to leave a ⭐️⭐️⭐️⭐️⭐️ review and share the pod with your friends!
Eric: Hello, everyone. My name is Eric Timmons and welcome to another episode of MSP ignition podcast brought to you by Axcient where it’s not about the backup, it’s about the recovery. Axcient protect everything. Be sure to subscribe to us on iTunes and give us a review. While you’re there you can also follow us on Twitter, Facebook, LinkedIn, and pretty much everything social media.
Today I’ve got the pleasure of having Niam Yaraghi on the show. He’s an assistant professor of operations and Information Management at the UConn School of Business. Has a non-resident fellow at the Brookings Institute. His research is focused on the economics of health information technologies. He has a Masters of Science from the Royal Institute of Technology in Sweden and has received his Ph.D. in Management Science assistance from SUNY Buffalo. Niam, welcome.
Niam: Thanks for having me. It’s a pleasure to be here.
Eric: Quite a background there, I’ll let you talk a little bit more about that. I’m jealous. I’m just a sales manager so I don’t really have the impressive accolades that you have. Can you walk us through some of the research you’re doing and some of your expertise?
Niam: Absolutely. My research, as you said, is primarily focused on health information technology. When it comes to health information technology, I think an integral part is privacy and security. You cannot talk about health IT without mentioning the security and especially recently, the wave of ransomware attacks on healthcare organizations. So [inaudible 00:01:54] become one of my major interests lately.
Eric: Awesome. I think that’s a perfect segue into really the main theme of the show today and is to talk about ransomware as a whole, and some different examples of late, where it maybe first started, where the future is, and everything in between, especially for our audience to remind themselves service providers ransomware is something they deal with on a daily basis. If you wouldn’t mind, maybe get us started.
I know you’ve done a lot of research, specifically, within ransomware. Obviously, specifically on the healthcare side of things, but maybe giving us a crash course overview of the origination of ransomware. How it took off and got to where it’s at today.
Niam: Absolutely. Although ransomware has become very popular very recently, it is not that young, it actually originated 30 years ago in a field, not surprisingly named healthcare. 30 years ago an AIDS researcher called Joseph Pop innovated the ransomware attacks by basically creating a malware on floppy disks and mailing it to 20,000 other researchers in the field.
What happened was that once those researchers inserted those floppy disks into their computers, after nine EF turn on of their computer, the screen locked, and then there was a demand of few hundred bucks in order to have their computer file released. If for me personally, it’s really interesting that ransomware attacks started in the healthcare industry and continue to be very prominent in this field as well.
Eric: That’s very interesting. I didn’t think we’re going to have a floppy disk named Rob on the show today. It’s crazy that it goes back that far. Then maybe, that’s the history of it. Where do you see it more today? What are the most common use cases or end results of ransomware attacks today?
Niam: I think it is more common than they think. Not only it is becoming more common, I think the amount of the ransom that hackers are demanding has been an upward trend in mid-2000, it was reported that the median of the ransom requested was about $300 per attack, but now it is about $500. Interestingly, about 20% of the ransomware attacks demand more than $10,000 in ransom.
Again, I really hate to go back to the healthcare examples but there is no way to avoid them. One of the most prominent recent examples in ransomware attacks was on Hollywood Presbyterian Medical Center, in which it was reported that the hackers initially demanded $3.4 million in ransom. However, the hospital system was so lucky because they could resolve the problem by only paying them $17,000.
Although we tend to hear about these large victims and famous examples, there are so many ransomware attacks happening on a day to day basis, that will never make it to the news. In fact, in 2017, according to SonicWall, there were an estimated of 184 million ransomware attacks in one year. That is almost more than half of the total US population. Imagine between you and your friend, one of you could be a victim of a ransomware attack, although these numbers are globally, but I just wanted to give you a scale of how ubiquitous they are.
One more area of concern is that that number was an 11% year over year increase. It is on an upward trend and we should really take it seriously and think deeply about what we should do in order to protect our organizations from such attacks.
Eric: Now, I definitely want to talk about that exactly, because there’s a lot of small businesses that are probably more likely affected by this and maybe big companies or even city governments. You had the example of Baltimore, the city of Baltimore getting hit with a ransomware attack, the target was an example of a few years ago. Before we get into that, you mentioned these numbers were for a small person, they’re only asking me to say $300 to $500, or maybe into thousands.
Do you know on average, how many people are actually paying that just because they don’t have the protection in place to stop that attack in the first place? Even when they do pay that, other files are still being locked out, or they’re paying and getting ripped off, essentially.
Niam: I think the numbers there are very difficult to find because it’s very difficult to report it, there is no authority to have a central database to track and document these attacks. However, the relevant statistic that I read a couple of days back was that of those people who agreed to pay ransom, only one in four, were lucky enough to have their files unlocked, meaning that even after you pay these hackers, there’s 25% chance that you still would not get your computers unlocked. That is again, another area for concern for small businesses.
Eric: I think that, especially for our audience in MSPs, a big portion of their clients are those small and medium-sized businesses. I don’t know if you have rough numbers, but what would you say, most that ransomware attacks today, are they towards that small business? I know they don’t get as much attention in the news because if they’re for $500 to $1,000, it’s not a big deal. When a huge company, enterprise company gets hit for a million-plus, that’s what gets the attention. Do you see more of a shift towards the attack of small businesses?
Niam: Yes, because those small businesses are the perfect target for these hackers, they can demand a small amount, and rest assured that many of these small businesses do not have the resources to solve the problem. The only other option that they have, and the quickest option that they have, unfortunately, is to pay the ransom. Logically, I would say that the number of attacks on small businesses will definitely be on the rise, and they will constitute the major chunk of the whole ransomware attack business if you can call it a business or illegitimate business.
Eric: You’ve been doing– you’ve been having a lot of research into this specifically, I know healthcare is a main topic of research for you. Do you have any examples of some big scenarios where different companies have been hit with ransomware? I know we have some general statistics, any specifics on what those attacks look like, and if they got their data back?
Niam: One example was the first example that I gave you on the Presbyterian Hospital. Then there are some other prominent examples of the ransomware attacks. One of the most famous one is, for example, WannaCry which interestingly started in Europe. However, it used the leaked malware from the NSA. It was very important because it spread very, very quickly. There was over 250,000 instances of the bug across 116 countries. It was so prominent because it affected so many different organizations including the National Health Services in the UK.
The other example is SamSam. Again, originated from a group of hackers in Iran. It resulted in over $30 million in losses according to the US Department of Justice. Another very example one for me personally is the Simple Locker which attacked Android-based cell phones. It is very interesting because usually when we start talking about ransomware attacks, the first thing that comes to the mind of the audience is the attacks that lockdown computer systems at workplaces and computer networks.
However, there are variations that attack people’s personal phones and that could create major problems in today’s business because nowadays it is very difficult to basically separate our cell phones that we use for personal use from the computers that we use for our work. Most of us have our email, of work email in our phones and use our phones to do a lot of our daily jobs in our phones, so locking it down could definitely lead to losses for businesses as well.
Eric: When you say losses, are they mostly just the cost of downtime or they couldn’t operate their company profit or is it just losses because they’ve paid a ransom?
Niam: I think it’s both and most importantly is the first part. Again, if you think about a couple of thousand dollars that you have to potentially pay to unlock your computer, that’s the direct cost. However, the hassle of going through that communication and the downtime that you will experience I think is the most significant part that is basically not calculated or documented anywhere.
In the hospital systems we have instances where the hospital had to go back to the paper records for sometimes days because they could not unlock their computers and it could have even resulted in patient harm or even the death of the patients because imagine you’re treating a patient in critical condition and you need to know what are the allergies of that particular patient to decide between two alternative drugs and all that information is recorded into your electronic medical record system.
When that happens I think you’re not only going to have the downtimes and the difficulties that come with your computers being locked down, but God forbid if something happens, I can imagine that those patients could potentially go and sue the hospital for negligence in protecting their computer systems that had resulted in harm and injury to the patients. You can think about similar scenarios in other instances when say ransomware attack results in locking down the systems of say a travel agency which cannot book their travels or the hotels or plane tickets for its customers and then that leads to some of them potentially losing their reservations and not being able to catch the planes that they wanted.
I think that there is another less discussed side of the costs associated with ransomware attacks that are loss of the reputation among the customers, customer dissatisfaction and then potentially lawsuits that may come along with those downtimes.
Eric: Yes, I think that’s the part that a lot of small businesses may not fully understand. It’s not just, “Oh, I’ve got to pay this thousand dollar ransom.” It’s, “Hey, I was actually wasn’t able to operate my business for 16 hours, whatever, 20 hours, et cetera.” How much in wages or lost profits did I have by not being able to work for those day, two or week, whatever timeline it may be, but it sounds like especially in a world where we’re getting away from all the pen and paper and everything is in a digital library or in the cloud, being able to have something to protect you from ransomware is critical because just like you said and especially in healthcare we could talk about child and patient livelihoods on the line here.
What are some different things, obviously, this ransomware isn’t going away. What are things that end customers and even MSPs specifically can use to essentially thwart these attacks?
Niam: Yes, let me discuss that before I mention something that I think is really, really important when we talk about the effects of the ransomware on small businesses. When it comes to a large corporation, the ransom that is being demanded for them something in the neighborhood of say, $50,000 is actually a drop in a bucket. For a multimillion corporation, that is nothing. More importantly, they have significant resources in terms of backup and having dedicated IT personnel and stuff like that to basically mitigate their losses.
However, when you’re talking about the small business, say only $5,000 in ransom means that you will not be able to go on the vacation that you had planned, or your kid will not be able to go to that private school next year because now there is $5,000 loss. That is completely unexpected, you were not planning for that, there is nowhere in your budget that you had planned for it.
When these ransomware attacks happen for large corporations, it’s like a big airplane crashing, 300 people may lose their lives in that tragedy and that will be the headlines in every news outlet, everyone will be talking about it. However, at the same time in the United States, I was checking the statistics, 102 people lose their lives in traffic accidents. That is like 74 crashes of A380s. Those are by the way the largest passenger airplanes in the world crashing in a year.
Nobody talks about that and those are the small businesses, those are the silent victims that unfortunately are losing profits. Some of them may even go into bankruptcy because of these ransomware attacks that are not newsworthy, that are not juicy enough for news organizations to talk about and nobody pays attention to them. I think small businesses should really take it seriously because the cost associated with that as we discussed, the direct ransomware cost, the downtime business cost and the costs in customer dissatisfaction are so significant that I think it has become a vital part of any business management to think strategically about protecting themselves against ransomware.
Now, to your question about what are the things that these companies can do in order to prevent themselves? I think when you think about the ransomware attacks and how they operate and most of them are initiated through some type of phishing attack. The scammers and hackers are going to send you an email with an attachment hoping that you will open that attachment.
Now, many of your audience may say that, “Oh, we’re going to set filters that are going to basically remove such malicious emails from even getting into our clients’ inboxes.” However going forward, I think these phishing emails are becoming much more sophisticated than before. Imagine your accountant receives an email with the subject of a question or an inquiry about my bill, nicely worded talking about a question in the bill that they received and there is an attachment.
I bet that accountant will open that attachment and as soon as that happen, then you’re done. This example just shows how difficult it has become very recently to basically combat these phishing attempts. The other thing that will basically make it even more difficult is the emergence of ransomware as a service programs, which is very interesting. Rather than taking the time to target an organization and attack that organization themselves, the hackers are now selling their ransomware software to people who are willing to take the time to basically do a sophisticated and spearheaded phishing attack on an organization.
If I know an organization well enough, and if I know English well enough to be able to write a nicely worded email. Due to the simplicity of access to such services and such algorithms, it would be fairly easy for me to target your organization and send like five emails that are really, really relevant and are really unlikely to be caught by these automatic email filtering systems. One of your employees will eventually open it.
Going back to what I said at the beginning because computers are now a very important part of our lives. It is impossible to separate computers and how we interact with them in our professional and personal lives. Networks are becoming larger and larger and more integrated every day. Back in 2000s, somebody could argue that, “Oh, my work computers are on a separate network and they are not even connected, so people from outside wouldn’t be able to send malicious software to my computers.”
However nowadays, not only they are connected but also they are connected to all of your employee’s cell phones. Not only they are connected to all of your employees’ cell phones, your employees are going to use their cell phones at work and also use work computers for personal things. It’s very likely that one of your employees will go on Facebook and open a message in Facebook that contains ransomware attack, ransomware software.
What I want to say is that it has become fairly easy to target an organization for a ransomware attack. The very first way to combat that is basically to have a privacy and security program that includes routine trainings for employees to, first of all, understand what these phishing attacks look like and educate them. Most importantly, remind them not to open suspicious attachments. That would ensure or that would reduce the possibility of getting attacked at the first place.
The other thing is that you will get attacked. Even if you have the most sophisticated privacy and security training program in your organization. What to do after that is done. I think the first option is to pay the ransom. Well, as we discussed, there is no guarantee that even after you paying the ransom, you’re going to have your files back. Even if you did, that will be an open invitation to hackers to attack you again because they say, “Oh, this guy’s going to pay. Why not attack him again and why not ask him for money again.”
When that happen, I think the best strategy is to avoid paying those ransoms but only if you have complete and proper backup of your files. Again, that is something that sounds easy but will become very, very expensive and time-consuming, unless you have dedicated IT staff or people who can provide that service to you. However, I think that is the best-case scenario. You have the backup of your file somewhere safe.
In case somebody locks them down, you do not need to ask them to release it because you have another version of the files that you can use. The other strategy that you have to undertake is to have structure than regular updates of your existing software and computer that you’re using. Many times you’ll hear in the news that this ransomware exploited at security vulnerability in older versions of some popular software such as Windows and could attack people, despite the fact that Microsoft had already created a patch for that, but because of the ignorance of the companies and their negligence, they did not update their software and so they fell victims to such attacks.
Again, the other thing that goes with the first option that I said which was having privacy training and security training in your organization, is to have a sensible security policy that is a very thorough explanation of the authorizations and accesses to your computer. Who can access your computer? Will you grant a contractor to have access to your network and if your employees are using work laptops or personal computers outside of their offices, how will they be able to connect to your network?
Those are the things that I think are really important. They sound easy, but they’re actually difficult to implement. I think they require diligence and require dedicated staff members in terms of IT personnel or third parties who can do that for you.
Eric: All amazing points. I definitely know I’m way, way more smart after hearing a lot of these different scenarios. Definitely ransomware as a service, I did not know that was something that existed and that they’ve also adopted a channel sales that they’re like a lot of vendors in our space. I do have a couple more questions before we wrap here. I think you did an amazing job of outlining there ransomware attacks are getting more complex and complex and sophisticated.
You need some front lines of defense in order to stop these from getting in in the first place, but then also have a robust backup policy on the backend where– Guess what, eventually something is going to happen. Something’s going to get past your first layers of security and having a backup in place to protect yourself. Where do you see the future state of ransomware attacks?
I know you elaborated on they’re selling their software to other people and if they know English well they’re crafting these intelligent emails with catchy tag lines and things like that, but where do you see kind of the future state of ransomware?
Niam: I think it will get much more exciting and interesting. [laughs]
Eric: Good at that. [laughs]
Niam: It depends on how you look at it. It will be increasing. There are a bunch of reasons for that. As I said, the very first one is the prevalence of computer networks and connected networks that will make it more vulnerable to such attacks. I think it has become a nightmare for CIOs to ensure the security of their networks because of the mere number of the devices that are connected to the same network.
I’m pretty sure that all of your audience members have heard this. I said that your network is as strong as your weakest point. There’s going to be a much higher likelihood of having a weak point when you have more number of devices and people connected. We’re talking about Internet of Things and especially in the healthcare domain, one problem that we are observing is that many of these device manufacturers do not take the security of devices serious enough.
Once a hospital starts using those devices, then they will become a nightmare for the organization and especially in the regulatory framework that we have, unfortunately, those device manufacturers are not held accountable enough for the security of their devices. It is a big problem for larger organizations to ensure the security of their network because now they have many more endpoints.
The other thing that we did not discuss here is the popularity of Bitcoin and other cryptocurrencies. One of the reasons that we see a rise in the number of ransomware is that it has become much, much easier to get paid. Back in the days when Bitcoin was not popular, was not even a thing, you had to think of some way to get paid, and most of the time, it was not possible to remain completely anonymous, so if law enforcement was after you they could find you.
The early examples of ransomware attacks were using PayPal accounts or even gift cards. Now it has become pretty much impossible to track the hackers because they use bitcoins or other types of cryptocurrency, and as bitcoins become more popular, and pretty much everybody who’s not living under a rock knows about them, and their, I think the only important feature which is anonymity, people will be more tempted to gain a few bucks through ransomware attack, especially because you no longer need to be a nerdy computer programmer with sophisticated math skills to run and to write an encryption code.
You can go buy off the shelf encryption code, and also even if you’re not willing to do the rest of the job yourself, as I said, you can go buy a ransomware as a service program, and actually, they do, they share 40% of the profits with the owners of the code. They say, “Hey, I know this guy, whom I know is really dependent on his computer networks, he has just made a little bit of profit, and I think I can extract some money out of them, but I have a very limited computer skills and programming skills, so what do I do?”
I go on the internet and find one of these services and say, “Hey, I’m going to get $10,000 from this guy, and you take $4,000, I’ll keep $6,000.” Is a really good business for a person who really wants to do you harm. So because of those reasons we’re expecting to see a rise in the number of the ransomware attacks going forward. Finally, ransomware is as strong as its encryption algorithm.
The more difficult it is to crack that code, the more valuable that ransomware will become, and as we go forward, these encryption algorithms become more and more sophisticated, meaning that it will become much more difficult to crack them, therefore, victims will be more willing to pay the ransom because otherwise, they cannot unlock their computers. All these reasons combined, I think, shows a future that will see a much higher number of ransomware, and I think there would be much more attention in this area.
That’s why I said it need to be much more exciting because it’s a chasing game. They come up with a new method, and then the security community will come up with the solution to that, and then there is the next thing, and then the security community comes with the next patch. So there’s going to be a lot of development in that field very soon.
Eric: These are all fantastic points, especially the point you made about cryptocurrency and the ease of use of making that payment. I know, back in the day, I got burned a couple of times by the Prince of Nigeria, so it’s definitely easier for me to make those donations now, but I do have one final wrap up point here and question for you, and I think you’ve done an amazing job of illustrating the small business perspective and how ransomware is so relevant to them but doesn’t get a lot of the attention in the news.
I think the car to- as morbid as it was, the car to airplane crash analogy, really highlights of like, “Hey, you don’t see these day to day attacks, but they’re there, and they’re actually larger than hitting a big corporation.” What can we do to educate the small-medium size business about this? Since it’s not headline news, what can we do to make sure they’re aware, and they’re taking the proper precautions, whether that’s within their own internal IT department or using someone like a managed service provider to outsource their IT needs?
Niam: I think the first step is already taken by the media. Although you do not hear about the attacks in small businesses, you hear about the attacks on large businesses, so people have an idea of what ransomware attack is. Now, what remains for you to do is to go to the person and say, “Hey, did you hear about that big attack on that large insurance company? You know that could also happen to you, and here are the numbers, and here are some of the examples of the ransomware attacks on small businesses just like you.”
I think that is where as an industry and community of you’re lacking, I really wish that there was some sort of database that showed the attacks on small businesses, what happened and what was the experience of the victims, so that people could share those experiences with each other, that will not only put similar people in organizations and businesses on alert to prevent such attacks but will also help them to solve those attacks, because most of the time there is a single wave of one single type of attack.
So as soon as one person finds a solution, if they share it with others, then the rest of the community can immunize themselves against it, but that does not exist, or at least as far as I know, it does not exist. That is one thing that could happen. As thought leaders in this field, I think one really helpful step that you can take is to try to somehow distribute the news and experiences of small victims of these ransomwares with other members.
Rather, it is the security community or in general, the industry and the clients that you’re working with or your potential clients so that they know that, “Oh, there was this business in another state, but they were doing exactly what I am doing, and their size seems to be the exact size and the size, the number of the clients they have is exactly the same so it could be me.”
You could be the next victim of ransomware attacks, those that have already experienced it were not some kind of different human or it’s not that they deserved it, or you’re better than them, or you’re different from them. No, they are folks just like you and me, and they didn’t take care of it, and they had to go through this horrible experience, so what can I do in order to prevent myself? I think that is going to be very valuable.
Eric: Yes, and it’s essentially almost like selling insurance, “It may not happen to me now, but am I protected when something does happen when there is a flood, when there’s a fire and I need some type of insurance for my house.” I always relate it back to that example. To your point that you just made there. One more question is, in terms of getting these statistics and research and case studies out there, do you have a particular resource, guide or publication that you go to find this information?
I think when you’re able to provide the different statistics, and the cost and different examples of, “Hey, an eight employee business just like yours got hit with an attack like this, is there a good source of information for people to go to find these numbers?”
Niam: Yes, unfortunately, as I said, no, I’m used to getting this information from here and there scattered all over the internet. Let me just, there is one other example I really want to talk about following and combined with last point, and this is a personal experience. I as a male I was always under the assumption that heart attacks happen on for older folks, not the people at my age, it’s not really cautious about my cholesterol levels, and I saw a close friend of mine, who was in the same age, unfortunately, experience a heart attack, and that was a wake-up call for me.
From that moment forward, I saw, “Hey, he is just like me. The same age, the same type of weight. It’s not that he’s obese and I’m not, you just look the same.” He had to go through this horrible experience, so what can I do to just mitigate the chances of a heart attack for myself? That was when I went to the doctor and took my cholesterol much more seriously. You see similar efforts in the healthcare domain.
For example, there has been a lot of media campaigns to increase the awareness of women that heart attack is not a male-only disease. It actually has many female victims, so you’d better take that seriously and talk with your doctor to see what you can do in order to prevent it. I think a few years back, if you had asked women, many of them would have thought that, “Oh, heart attacks is for males,” because most of the people that they saw had heart attacks were males, not females, but with campaigns like that, I think now they know that they’re also at risk.
Some similar effort I think is really wanted within our community to let other people know that, “Hey, ransomware attacks are not only for Target or for Athena or for large organizations and government agencies. It happens much more than you think and you are also much likely to be a victim of it unless you take precautions against it.”
Eric: Niam, this has all been extremely fascinating and interesting to me. I know I’ve learned a lot just in this brief conversation we’ve had and I’m sure we can talk about this for days, especially going over the different use cases and examples. I think for our audience specifically, that’s what’s very helpful for them. I think a common challenge is presenting why you should buy these different layers of security and reselling that to their end customer.
Also realized I may be in the wrong line of work here seeing how much money people can make from ransomware as a service. That’s a pretty fascinating stuff, but I’m very appreciative of the time that you’ve given us today. Unfortunately we have to break now, but very excited to see your future research and different things that you publish. We would love to have you back on the show at a later time with some more examples. As you said, this gets more and more exciting.
Niam: Thank you very much. I really enjoyed our discussion.
Eric: Awesome. Likewise. All right, we’re going to wrap here, remember to subscribe to us on iTunes, give us a review while you’re there. Also follow us on Twitter, Facebook, LinkedIn, and like I said, all other social media stuff if I’m missing something. Special shout out to Justin Harp who is one of our sales development reps over here. He actually created the music to our intro and outro, so Justin, I’ll let your music play us away. Thank you, everybody.[music]
[00:43:56] [END OF AUDIO]