FBI officials are warning Arkansans about how ransomware can affect them both through businesses and direct attacks.
With the Colonial Pipeline ransomware attack earlier this year, the United States saw the first case of an attack that affected many people by targeting the supply chain for gasoline.
Jason Van Goor, assistant special agent in charge at the FBI's Little Rock field office, said last week that federal authorities have been looking for solutions and fighting against ransomware attacks for a long time.
"Ransomware's always been a big problem," Van Goor said in an interview Thursday at the Little Rock field office. "People are getting better at it, and it's getting easier to do. The biggest problem becomes when ransomware attackers target critical infrastructure."
Ransomware is a type of malware that will lock computer data behind a wall, with the perpetrators usually asking for some form of payment, a ransom, to unlock the systems.
Some perpetrators may threaten to delete critical data or release it to the public if the payment is not received within a certain period.
Federal authorities have seen growing numbers of individuals and businesses in the United States, including in Arkansas, affected by ransomware attacks.
According to FBI Internet Crime Complaint Center data, the losses from ransomware have dramatically increased yearly.
"IC3.gov is like the clearinghouse for the FBI for these types of cyberthreats," said Connor Hagan, spokesman for the FBI's Little Rock office. "They come out with a report yearly."
In 2020, the center received 2,474 complaints, with losses at an estimated $29.1 million, more than three times the amount lost in 2019.
In Arkansas, 21 victims lost $150,000, just over $7,000 each on average.
"In the past three years, we've seen the total reported losses to us triple each year," Hagan said. "It just keeps getting bigger and bigger and bigger."
The reason for the increase, according to Van Goor, is how easily a criminal can find a ransomware specialist to launch an attack.
"It used to be you had to know a lot about the dark web and a lot about computers to do this," Van Goor said. "There's something now called ransomware as a service. If you know where to find it on the dark web, you can pay somebody else, tell them your target and they can launch a ransomware attack for you for a set fee."
Several instances that have affected everyday Americans' lives have brought ransomware attacks to a new level as an issue.
"We've had a couple of instances recently where they're attacking the food chain and where they're attacking critical infrastructure," Van Goor said. "That doesn't just impact the business being attacked; that impacts society at a greater level."
Ransomware can target both businesses and individuals. Technically, those attacks operate the same way, but companies with critical infrastructure are going to be more vulnerable, according to Van Goor.
"Really on a technical side, nothing separates it," Van Goor said. "The difference is a critical infrastructure company will be much more willing to pay and to pay a lot of money. The FBI recommends that companies not pay ransoms because it encourages further ransomware activity, but, of course, businesses and industries have to make a business decision."
The cost of the system being locked down and causing a company to have major losses, coupled with the potential stock price losses or other consequences if people find out about the hack, may outweigh the benefit of not paying the ransom in a lot of cases.
"We understand at the end of the day, if you need your systems unlocked, it may be worth the risk of paying the ransom to get your systems unlocked particularly if it's impacting millions of Americans," Van Goor said.
According to Van Goor, any victims should contact authorities, who can share information privately without risking a leak to the public.
It is a risky decision for an individual to communicate with a cybercriminal who has already locked down systems. The individual might just pay the criminal a multimillion-dollar sum, but the key given to the victim may not unlock the system, Van Goor said.
"When you pay the ransom, there's no guarantee that you're actually going to get your systems unlocked," Van Goor said. "There are numerous cases where they just don't give you [a decryption] key even though you've paid the ransom. They just disappear, or they give you a decryption key and the decryption key doesn't work. So you're taking a risk when you pay the ransom."
According to the FBI Internet Crime Complaint Center, the primary ways ransomware gets into systems are either through email phishing, remote desktop protocol vulnerabilities or software vulnerabilities.
The simply way to fight against the first is to never click a link to an unexpected email, Van Goor said.
"We always say, 'Think before you link,'" Van Goor said. "If you get an email and you didn't expect it, but it has a link or has a download, don't click the link. Don't download the file unless you are 100% sure it is legitimate."
People networking into the office while working from home may also be adding to the problem through remote desktop vulnerabilities, according to Van Goor.
"We're seeing that a lot more because of what people use when they work from home," Van Goor said. "If you're working from home, networking into the office, and they're not using two-factor authentication, that's a vulnerability for the system."
Van Goor said the advice he would give businesses would be like advice he would give to any American, and that starts with a good "passphrase."
"No. 1 is you have to have a strong passphrase," Van Goor said. "We don't even use the term password anymore. It should be a phrase, multiple words strung together."
Van Goor said to never use the same phrase as a password for multiple devices, because if one login is discovered, then all log-ins could be compromised.
"It should be unique," Van Goor said. "You shouldn't use the same passphrase for your bank as you do for your email account."
Two-factor authentication, according to Van Goor, is also a good idea to require when logging into accounts online. This adds a layer of security by requiring a second set of credentials to log in, often from a phone or email address.
"Businesses and people need to use two-factor authentication or multi-factor authentication whenever possible," Van Goor said. "If it's available, use it. It's not that burdensome once you get it up and running, but it goes a very long way to prevent ransomware attacks."
Businesses should use a patch management company to keep systems updated, and individuals should always keep their devices updated to have the latest security updates as an additional defense, according to Van Goor.
Other good ideas, Van Goor said, include keeping an offline backup of data and becoming educated about how ransomware attacks happen.