If 2020 was the Year of the Rat, 2021 may go down in history as the Year of the Ransomware Attack. The rate and ease with which this nasty strain of malware has been wreaking havoc on the world economy is mind-boggling.
Topping the charts was an unprecedented $50 million haul that crooks demanded from Taiwanese PC manufacturer, Acer, on March 18. Only days later, on March 21, insurance giant CNA Financial got hit with a $40 million ransom, which it seems they paid.1 The interruptions to CNA’s systems lasted well into June.
The list of victims goes on: school systems, hospitals and healthcare systems, oil pipelines (you might as well add the entire East Coast to this list), and the DMV. Grifters got so cocky in 2021 that they even threatened backup storage vendor ExaGrid — the very folks who protect us against ransomware attacks — for a cool $7 million. (ExaGrid ended up paying $2.6 million.)
So there’s no doubt, ransomware is shaping up to be the decade’s perfect cybersecurity storm, and businesses and governments are clearly the main targets. But if you think you can’t fall into the clutches of these sleazy data bandits, think again.
There are viruses that hijack your operating system and put your laptop to work for an army of bitcoin-mining zombies when it should be sleeping (botware). There are viruses that steal your sensitive details (spyware) or shower you with phishy ads (adware).
Ransomware worms itself onto devices, usually via a bad link or attachment, and then spreads like wildfire – encrypting and locking files, folders, and hard drives. The only way you can “free” your personal data is by paying the crooks responsible a “ransom.”
Just like movie villains, ransomware hackers usually give you a zero hour when, if their demands aren’t met, they’ll delete your data forever. Some of them might even threaten to sell your sensitive details on the dark web if you don’t pay up, which actually happened in the massive Buffalo Public Schools ransomware attack in March 2021.
And don’t be surprised if they don’t return what they stole even after you pay the ransom. They’re criminals after all. Which is what makes dealing with ransomware hackers so tricky.
Just remember how you felt the last time your mobile phone locked you out because you’d botched your pin four times. Imagine how you’d feel if it wasn’t Android locking you out, but a teenage thief halfway around the world who had a $5,000 favor to ask.
As the name suggests, ransomware is uncomfortably personal, and it can be a real financial burden for individuals who don’t have the money on hand to make it go away.
For companies and government organizations, the damage is always worse. In fact, it was serious enough to hobble global shipping giant FedEx and shut down Colonial Pipeline for days. Smaller businesses that cross a ransomware hacker’s path often don’t stand a chance.
And if you think it’s only a matter of time before we find a “vaccine” for this virus, the stats say otherwise. Ransomware attacks have mushroomed by a sickly 350 percent since 2018,2 and us cybersecurity experts aren’t expecting the situation to get rosier any time soon.
It’s almost unthinkable, outside of a DC comic book, that criminals would target hospitals, and yet, over the past year or so, it’s become more or less standard.
It started with the monstrous Universal Health Services ransomware attack in September 2020, when ICUs at UHS’ 400 hospitals were flooded with critically ill COVID-19 patients, and staff, resources, and hopes were already stretched thin. Ransomware hackers struck and in the blink of an eye, patient records were gone and medical applications were inoperable. UHS reported $67 million in damages.
Fast forward to March 14, 2021, when criminals hit Ireland’s Health Service Executive. Like with CNA Financial, it took weeks for the HSE to finally get its online registration system back up and running again. It isn’t clear how much sensitive data the hack compromised.
And cyberattacks aren’t just getting darker. Cyberthugs are getting more patient, more organized, and more professional.3 There are online support networks now where thugs-in-training can shop for stolen credentials (to break into your devices) and apprentice in the “ransomware arts.”
With the extra expertise and resources on their side, hackers have gotten more skilled at what they do. The stakes have risen, too. Instead of striking randomly and often for penny ante hauls, grifters have developed a taste for bigger, fatter victims, identifying network vulnerabilities, then sitting back and watching until an organization’s defenses are down — like a hospital flooded with life-or-death cases — before going for the jugular.
While the data says that ransomware specialists have moved onto higher stakes,4 households aren’t immune. In fact, the vast majority of ransomware attacks (90 percent) still involve sums under $5,000.
To make matters worse: while a company like UHS can survive a $67 million hit and fall back on a hefty insurance policy to cover their losses, even a $5,000 ransom is more than many American households can afford to pay.
Given the stakes, it makes sense to take precautions immediately to throw ransomware hackers off your scent, instead of paying the bill when they strike.
The good news is that most of the time, despite the very personal nature of individual ransomware attacks, you aren’t a personal target. Crooks throw a wide net and wait for someone to bite. (Remember, with most malware, one sloppy click is all it takes.)
And because many ransomware attacks aren’t tailor-made, you have a good shot at avoiding them, as long as you follow basic digital hygiene best practices.
The companies that make our devices are on the front line against hackers. One way they stay one step ahead of the next serious bug is by fortifying their software and operating systems constantly, and then passing on those security enhancements to us in the form of updates.
So don’t get lazy with your updates. The most basic defense against ransomware is just keeping your device security up to date.
If you’re like me, and you actually like to take a look at any updates before you install them (rather than having your devices install them automatically), that’s fine, too. Just don’t let them pile up. Remember, those updates are timely.
Even if your devices are armed with the latest security patches, you still need to back up your files. For maximum protection, consider these two precautions below.
Bad actors deliver the vast majority of their malware via email, and now SMS. In the case of ransomware, 91 percent of attacks happen via phishing emails.5
Sounds easy to avoid? It isn’t always, even if you’re armed with the facts. These days, criminals will go to incredible lengths to get inside your devices. Like inviting you to a Google doc via a push notification that sends you to a malicious website instead, or pretending to be the USPS.
What can you do to avoid falling victim to a sophisticated ransomware phishing attack?
Many cybersecurity experts would actually place a VPN at the top of any ransomware defense list. If this is new vocabulary in your home security lexicon, a VPN creates a secure connection between your devices and the open web. And, again, if “secure connection” is making you wonder what you’ve had up to now, it’s likely a lot less secure than you thought. Here’s why.
Unprotected, your home or company network is an open book for cyberjackers, who can literally swoop in and swipe up your DNS requests (the urls you enter into your browser) and lure you to fake websites crawling with malware.
If you’re on the go — and connect to the web at cafés and airports — the risk is significantly worse. In fact, if you regularly connect to untrusted networks and haven’t been hacked already, it’s only because you got lucky.
While most ransomware hackers do their dirty work via corrupt emails, notifications, and websites, sneaking in through a network’s backdoor is always an option. A quality VPN seals off those backdoors, and does a lot more than just that to protect you.
VPNs Have Built-in Malware Protection
All top-tier VPNs come with advanced malware detection that will warn you before you visit a bad site. Some come with ad blockers and content filters. These are major advantages in the fight against cybercrime. Just be warned that if it’s a question of avoiding bad emails — the preferred MO of most ransomware thugs — it’s on you to shore up your defenses.
Combining an Identity Monitoring Service With Your VPN
Usually, a VPN would go hand-in-hand with a quality identity theft protection service. However, while ID monitoring definitely would have helped a lot of folks (over 40 million, in fact) who just lost their Social Security numbers in the latest massive T-Mobile data breach, with ransomware you’ll know what hit you fast. In fact, you’ll get a personal note from the thief the minute you boot up, just like in the movies.
Ransomware is literally gobbling up huge tracts of the world economy. But it’s wrong to assume it’s a business problem just because it hits businesses most heavily and maliciously. When FedEx gets cleaned out to the tune of $300 million, those losses will eventually come out of consumers’ pockets. When a hospital is brought to its knees by malware in a time of crisis, our loved ones may die.
At a household level, as with any other type of crime, if a hacker really wants to make your life miserable, chances are they’ll succeed. In the case of ransomware scams, it will likely be because you got complacent and clicked on a bad email.
Which might just be a blessing in disguise. While ransomware trends say we’re in for a lot more bad weather as a society before the storm clears, anyone can get smarter about their digital hygiene. If you do, chances are you’ll stay one step ahead of the crooks angling to take control of your personal data.
Mehrota, Kartikay and Turton, William. (2021, May 20). CNA Financial Paid $40 Million in Ransom After March Cyberattack. Bloomberg.
PurpleSec. (2021). 2021 Cyber Security Statistics: The Ultimate List Of Stats, Data & Trends.
Newman, Lily Hay. (2020, Dec 29). Ransomware Is Headed Down a Dire Path. Wired.
EMSISOFT. (2020, Feb 11). Report: The cost of ransomware in 2020. A country-by-country analysis.
Federal Trade Commission. (2021). How To Recognize and Avoid Phishing Scams.