WASHINGTON—With ransomware attacks on the rise, schools, hospitals and commercial businesses are learning the hard way that they need to take extra precautions to protect their files.
They are at high risk because their records are critically important, and IT administrators are willing to pay high ransoms rather than risk the loss of their data.
In February, Horry County Schools in South Carolina experienced a district-wide ransomware attack. After a third school reported an intrusion, the district was forced to shut down more than 600 servers to help stop the attack.
By then, though, a digital ransom note had popped up on every infected computer. The ransom: 1.5 bitcoin per computer, or $580 apiece – and $8,500 for all computers across the network.
The school was given a week to pay, and quickly did, according to Charles Hucks, the executive director of the technology team at Horry County Schools. He said the district concluded that it would be far more expensive to lose even temporary access to all of its encrypted information, including emails, educational content and key administrative records.
All of the data was ultimately recovered. But during the week-long ransom period, students were unable to access their schoolwork, and administrators couldn’t access their network and cloud-based storage.
Afterward, the school district undertook a comprehensive review of its security protocols and procedures to reduce the likelihood of another attack.
“Needless to say, the event and recovery were a learning experience for all involved,” Hucks said at a May 18 Congressional subcommittee hearing held to hear from ransomware experts – and victims.
Lawmakers on the Judiciary Subcommittee on Crime and Terrorism were told that an increasing number of hackers are going after these kinds of soft targets to extract money or other forms of ransom from their victims.
“I think it is going to get a lot worse for three reasons,” said Sen. Sheldon Whitehouse, R-RI, at the hearing. “One, more people are figuring out how to do it. Two, the infrastructure for doing this is getting more accessible and easier, and three, that means there’s more money in it.”
Medical centers also have suffered a rash of ransomware attacks, with more than a dozen hospitals hit in 2016, according to Whitehouse.
In these cases, more than hospital records are at risk. Doctors and nurses are not able to access patient records, and lab results can’t be processed. Whitehouse recounted the story of a patient who, as a result of the ransomware attack, was kept on a powerful antibiotic for eight hours after it should’ve been stopped.
MedStar Health, a hospital system in the Baltimore and Washington, D.C. areas, recently experienced a ransomware attack on 10 of its hospitals and 250 outpatient clinics. The hospitals’ daily processes were slowed down, and the hospitals even had to turn patients away.
Attacks on businesses are also on the rise because, as with hospitals and schools, the stakes are higher.
Besides losing data, businesses risk losing operational capability, including processing payments and other customer services.
Overall, the threat of ransomware continues to rise. Since January 2015, the FBI has seen a 270 percent increase in identified victims and losses. There have been reports of 17,642 victims and $2.3 billion in losses between October 2013 and February 2016, according to FBI statistics.
Ransomware is also being used against a broader set of targets, lawmakers were told at the hearing.
Last year, ransomware was used to attack not only Windows-based PCs but also Mac and Linux systems and even smartphones, the report said.
Even at home, individuals are at risk of losing personal files, photographs, and key financial, school and legal records.
At the hearing, Hucks told lawmakers that all types of businesses – public and private – need to do more to protect themselves.
“The main thing is to keep your operating system patched and everything up to date. Never open attachments from emails and a questionable source. Just beware,” Hucks said in an interview after the hearing. “If you get an email from someone or even if it’s from someone you expect, but it’s not an email you expect, you probably should open it.”