No longer is it just a matter of time until an Upper Valley institution, business or town gets hit with a ransomware attack. It’s already happened. Cybersecurity experts say it will keep happening, and anyone who depends on a computer network to run their business, school or town — in other words, everyone — should be prepared.
“Yes, they’ve happened. Can I talk about them? No. But they happen,” said Ray Coffin, founder of All-Access Infotech, a Fairlee information technology consultant who builds and manages IT systems for small and medium businesses in the Upper Valley. “It’s at the forefront of every conversation we’re having.”
Unless you’ve been living off the grid (and some do in the Upper Valley) and are blissfully unaware, barely a day passes when a business — if not an entire industry — is held hostage by a ransomware attack. It’s a thriving extortion racket: One study estimates that a total of $406 million in ransom money was paid out to perps in 2020, up 337% from 2019.
The M.O. is familiar: A shadowy group — many are said to emanate from inside countries like Russia, Iran and North Korea that are hostile to the U.S. — seizes control of a target’s computer networks and demands money be paid before supplying the “key” that unlocks the seized network.
Prominent recent ransomware examples include the attack on the Colonial Pipeline, which carries gas to the East Coast and was shut down until the operator paid $4.4 million. Another attack on JBS, which processes 20% of the country’s meat supply, led to a payment of $11 million to bring its plants back online.
When I thought about which businesses in the Upper Valley might be smart about mitigating the risk of a ransomware attack, Hypertherm was the first to come to mind.
The Hanover-based, employee-owned company is a world-class manufacturer of plasma and waterjet cutting technology.
Hypertherm sells a hefty percentage of its products in the international market and relies upon a global supply chain for materials, thereby raising its risk profile because bad actors could have numerous entry points into its networks.
And, I learned, Hypertherm was an early ransomware victim.
“Back in 2010, we were hit three times in less than a year, and it took down production for a half a day,” said Robert Kay, IT chief at Hypertherm. “We did not pay any ransom and were able to use our backups to restore operations, but it became clear this was a problem we had to address.”
The ransomware attack, Kay said, “kicked off an action plan” that reviewed everything from the company’s IT infrastructure to employee interactions with company systems that elevate risk. Kay declined to name specific measures, but one of the actions it has taken is to bring on a security expert with advanced training who has been qualified to join in FBI briefings on cybersecurity threats.
The in-house cyber specialist is also a “certified ethical hacker,” a certification that allows them to be trained in the latest hacking techniques and skills in order to penetrate the company’s computer operations, discover vulnerabilities and fix them.
“We get attacked often,” Kay said. But so far, thanks to the seriousness with which Hypertherm has responded to the threat, “we haven’t been impacted.”
The company also carries ransomware insurance, he said.
In a scenario perhaps most relevant for the Upper Valley, the computer system of Leonardtown, a small town in rural Maryland, was shut down after it was exposed to a ransomware attack through the vendor that operated the town’s IT system, which in turn relied on software of a targeted company.
Although the town itself was not directly attacked, the incident destroyed the data files the town used to meet its payroll and send out quarterly utility bills to its 3,000 residents.
Lebanon City Manager Shaun Mulholland said that kind of situation is one of the reasons he prioritized switching IT firms and beefing up the city’s internal IT department shortly after he took over in Lebanon in 2018.
After an assessment of the city’s IT infrastructure found “significant weaknesses,” they had to “totally revamp the whole system,” said Mulholland, a former police chief in Allenstown, N.H.
The city spent $750,000 to upgrade IT security, including a new computer system that operates the city’s water and sewer plants.
“There were a lot of things people could hack into,” he said.
And although Mulholland said Lebanon has not been the target of a ransomware attack, the city is “regularly” inundated with so-called “phishing” attacks that attempt to trick city employees into revealing their passwords in order to hack into email and other accounts.
Now that Lebanon’s cybersecurity has been improved — “nobody is 100% secure,” Mulholland acknowledged — the next step will be for a cybersecurity firm to conduct “tests” with city employees, checking how on guard city workers are about protecting passwords and information that could result in a bad actor hacking into the city’s computer networks, Mulholland said.
Mulholland explained that the testing is meant to ensure city employees are following protection protocols and to coach them if they make mistakes, not to discipline anyone over errors.
“Nobody’s going to get into trouble,” he said.
Most small, mom-and-pop businesses do not have Lebanon’s budget to plug holes in their computer systems, but there are still things they can do to minimize the risk of a ransomware attack, according to IT consultant Coffin.
“Make sure all your data is backed up on a cloud provider and cloud storage,” Coffin said, explaining that if a business finds it is locked out of its data files it can easily pivot to the backup files and will not be compelled to pay the attacker for the “key” to get the data back. The only data the business would lose is the data since the last backup procedure.
Of course, a business has to pay a cloud storage provider like Amazon or Microsoft. Ranging anywhere from less than a hundred dollars per month to $1,000 per month depending on the amount of data to be stored, that cost can be a large expense for a small company, such as a farm stand or handcrafts maker with an online sales platform.
But skimping on paying for protection may only lead to bearing a steeper cost later.
“It should be looked at like rent, one of those expenses in the budget line,” Coffin said.
Contact John Lippman at email@example.com.