Posted by Jim Craner on July 15, 2019

As a kid, one of my favorite stories was O. Henry's "The Ransom of Red Chief," about a ransom plot gone awry: the kidnappers are so overwhelmed by the young "victim's" mischievous antics that they end up paying the child's parents to take him back.  And readers of a certain age might associate ransom with a comedy of errors, perhaps John Goodman's character throwing a satchel of dirty laundry during a fake ransom drop gone awry in "The Great Lebowski."

But the latest victims of ransoms aren't characters in a farce -- instead, government agency servers and data are being virtually "kidnapped" by criminals and locked away until a ransom is paid, sometimes by insurance agencies but often by the taxpayers themselves.

This phenomenon -- known as "ransomware" -- isn't new by Internet standards, but the rise in the number of these attacks over the past few years has made it more visible to the public.

How Does a Ransomware Attack Work?

A typical ransomware attack might occur like this:

  • A user opens a malicious link or app that infects their computer with the ransomware.
  • The ransomware encrypts the user's data so that the user can't access it; in many cases, the computer can't be used at all.
  • The infected computer displays a message like "Your data has been encrypted. Send us $1000 via untraceable Bitcoin in 3 days or your data will be permanently deleted."
  • If the victim sends the money, the attacker sends back a decryption key to restore the victim's data.  Otherwise, the victim's data is deleted.

Obviously this is problematic even for a single user -- but more sophisticated ransomware attacks can spread over a corporate or government network and take out virtually all of an organization's data.

Read more: this Ars Technica article provides in-depth descriptions of two ransomware attacks - one on a large city and one on a small city - and compares their responses and the impact on operations.

How Bad is the Ransomware Problem?

The problem is bad - and getting worse!  A quick search for "ransomware" in the Google News search service while researching this article returned more results than I was willing to scroll through.  It's hard to find specific numbers, since many government and corporate victims quietly pay the ransom without informing anyone, and vendors can't provide comprehensive data.  But high-profile attacks on large governments, such as the city government of Baltimore, are making the news more often.  In just two weeks last month, two cities in Florida were each attacked, paying a combined ransom of over one million dollars to get their data back.

The 2017 attack on the St. Louis (Missouri) Public Library is one of the more high-profile incidents affecting a public library: over 700 public access and circulation computers were locked.  Because the library had a solid disaster recovery and operational continuity plan, they were able to restore circulation at every branch within two days, and all systems were operational a week after the incident began.  

Read more: Article about SLPL ransomware attack and recovery

How Can We Prevent Ransomware Attacks?

Like any security threat, there is no 100%-effective silver bullet to protect against ransomware attacks.  However, there are several steps you can take to significantly lower your risk and increase your ability to respond if attacked.  Because every library faces different technology, policy, and personnel constraints, some of these options won't be suitable for your particular situation.

  • Basic data and Internet security precautions can help prevent attacks, especially spear phishing or automated attacks.  Intensive email and network scanning, educating users about clicking links and opening attachments, and other traditional practices can significantly reduce your risk.  Keep your servers and client computers up to date and fully patched.
  • Outsource the risk to a cloud provider when possible: attackers can't take over your Exchange server if you've outsourced email hosting to Google or Microsoft.  This is obviously more of a "big picture" consideration when weighing cloud vs. local deployment decisions, and cloud infrastructures have their own set of challenges, of course.
  • Offline backups are critical: since so much data has been moved from the data center to the cloud, many organizations' offline backup strategies are lacking, if they have one at all.  But electronic attacks are the number one reason to implement offline backups, so that you are not just distributing your backups across a live network where they can be targeted by ransomware.
  • Backups are just one part of a full disaster recovery and operational continuity plan -- the data doesn't help without a plan to restore services and operations quickly.
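One practical piece of the "offline backups" step above is verifying a fresh backup before it is rotated onto offline media, so that you never overwrite a good copy with a set of files that were already encrypted in place.  The script below is an added example written for this post, not code from the original article or from any library's own systems.  It builds a SHA-256 manifest of a known-good backup tree, compares a new copy against it, and flags any changed file that should be plain text (CSV, TXT, JSON, and so on) but now has near-random content, which is how an encrypted file looks.  The sample catalog files, the manifest, and the corrupted file are all constructed inside the script.

```python
"""Backup integrity check: verify a fresh backup against a known-good manifest
before rotating it to offline media.  Added example, not part of the original post."""
import hashlib
import json
import math
import random
import tempfile
from pathlib import Path

# File types that should look like plain text; near-random content in one of
# these is the classic sign of a file that was encrypted in place.
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".html", ".xml", ".json"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; English text sits around 4-5, ciphertext near 8


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def check_backup(root: Path, known_good: dict) -> dict:
    """Compare a new backup tree with the manifest of the last verified copy.

    Returns lists of missing, added and changed paths, plus the subset of
    changed text-type files whose content now looks like ciphertext."""
    current = build_manifest(root)
    report = {
        "missing": sorted(set(known_good) - set(current)),
        "added": sorted(set(current) - set(known_good)),
        "changed": sorted(p for p in known_good
                          if p in current and current[p] != known_good[p]),
        "high_entropy": [],
    }
    for rel in report["changed"]:
        path = root / rel
        if path.suffix.lower() in TEXT_EXTENSIONS:
            if shannon_entropy(path.read_bytes()) > ENTROPY_THRESHOLD:
                report["high_entropy"].append(rel)
    return report


def demo() -> dict:
    """Constructed sample: a tiny catalog, a known-good manifest, then one
    file overwritten with pseudo-random bytes to mimic in-place encryption."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "catalog.csv").write_text("id,title\n1,Moby Dick\n2,Walden\n" * 50)
        (root / "patrons.json").write_text(json.dumps({"count": 2, "updated": "2019-07-15"}))
        (root / "notes.txt").write_text("Branch hours unchanged this week.\n")
        known_good = build_manifest(root)
        # Constructed corruption: deterministic pseudo-random bytes replace the CSV.
        rng = random.Random(1)
        (root / "catalog.csv").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
        return check_backup(root, known_good)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice you would store the manifest of the last verified backup alongside that backup, run check_backup against each new copy, and refuse to rotate the new copy offline (or at least page someone) whenever the high_entropy list is non-empty or the number of changed files jumps far above its usual daily count.  The entropy test is a heuristic: compressed formats such as ZIP or JPEG are naturally high-entropy, which is why the check is limited to extensions that should contain plain text.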

Responding to Ransomware Attacks

If you've been attacked, the first step is obviously to call law enforcement.  In the United States, libraries will want to contact their local law enforcement agency and the FBI, which investigates computer crime and extortion.  

Do you pay up?  The FBI says no: paying blackmailers is no guarantee your data will be restored, and it encourages further extortion and cybercrime efforts.   Those are big-picture concerns, though, and many officials have decided to pay the ransom and regain access to their systems.  That may change, however: the United States Council of Mayors resolved last month that none of their governments will pay cyber ransoms from now on.

Even if you pay the ransom and the data is restored, a lot of work will remain.  There is no guarantee that the data wasn't tampered with, replicated, shared, etc.  Whatever vulnerability allowed the original infection, whether human error or a software vulnerability, will still need to be fixed.  The extra work and time required by staff, the loss of service during the incident, and other headaches should push the importance of prevention and mitigation up your priority list.

Read more: American Libraries article about libraries facing ransomware attacks and the results

Read more: PLO article about ransomware in libraries