“Ransomware Just Encrypts My Data—No One Steals It” and Other Ransomware Myths

February 3, 2020

Adrian McWethy, Network Infrastructure Consultant, Sophicity

This article is posted with permission from Sophicity’s CitySmart blog and shares non-technical, municipal-relevant insights about critical technology issues, focusing on how technology reduces costs, helps better serve citizens, and lessens cybersecurity risks. Sophicity is solely responsible for the article’s content.

As ransomware ravages organizations daily, the struggle often centers on containing the damage. It’s bad enough that ransomware encrypts files, rendering them useless unless a municipality restores its data from a backup or pays the ransom. Sadly, the damage of ransomware goes so much deeper.

For example, a common misconception is that ransomware only encrypts data. The thinking goes, “I simply pay the ransom and get my data unencrypted” or “I just restore my data through a backup, and everything is fine.”

Wrong.

Let’s take the recent case of Pensacola, Florida. Falling victim to the Maze ransomware virus, the City of Pensacola experienced the usual ransomware playbook: the virus encrypted files and cybercriminals demanded a $1 million ransom. Yet, another significant event happened. According to Bleeping Computer, “The actors behind the Maze Ransomware have released 2GB of files that were allegedly stolen from the City of Pensacola during their ransomware attack. […] In a discussion with BleepingComputer, the Maze actors stated that they released the stolen data to prove to the media that they steal more than just a few files during a ransomware attack.”

How would your municipality react to the threat of ransomware differently if you knew that everything encrypted—all confidential, sensitive, and personally identifiable information—would end up accessible to anyone on the internet? That means all information about personnel, police investigations, and property taxes. Would this make you plan for a possible ransomware attack differently?

If so, we want to review a few more myths and misconceptions about ransomware viruses that may affect your security strategy.

1. Cybercriminals use ransomware viruses to connect to your data and systems through the internet.
A ransomware virus runs as a program and connects the cybercriminals to your systems through the internet. This isn’t just a random software program isolated on your computer that only encrypts your files. The virus is a gateway—like a virtual tunnel—that opens up your data and systems to cybercriminals.

2. As your data is held hostage, cybercriminals also have access to it.
Once someone has unauthorized access to your data, they are inside the tent and can do much more than simply encrypt your data. It’s the difference between someone locking you out of your house but never entering it versus someone locking you out of your house with the added fact that they’re inside with access to all your possessions. And even worse, in cyberspace it’s as if this person still has access to everything in your house after they let you back inside!

Yes, your data is encrypted and held hostage through ransomware. But you also don't know what cybercriminals are doing with your data. What would stop them from uploading your data and selling it on the dark web? The City of Pensacola example shows that cybercriminals can literally steal all your data and publish it in a public forum where everyone can access it.

3. If I pay the ransom, I’ll get my data back.
So, you’re trusting the kindness of criminals? Certainly, even criminals have an incentive to unencrypt your data—otherwise no one would pay ransoms. But if we look at the data, criminals do not always give back access to your data after you pay a ransom. Bottom line: Paying the ransom isn’t a sure bet. For more details, read our post “Why You Should Never Pay a Ransomware Ransom.”

4. With data backups, I’m fine.
Data backup alone will not protect you against ransomware, as various problems may arise including:
  • Ransomware encrypting the data on your backup servers, rendering your backups useless.
  • Disrupted operations as backups take weeks or months to restore data after an attack.
  • Failure to comply with laws and regulations from poor security policies—leading to legal and financial penalties.
  • Cybercriminals stealing your data—and possibly sharing it with the world.
We encourage you to read two of our posts:

5. We’ve got antivirus software, so we’re fine.
It’s true that the majority of known and/or amateurish viruses are usually caught and prevented by most best-of-breed antivirus software. However, many ransomware viruses get past antivirus software through the following means:
  • Sophisticated ransomware: The most potent forms of ransomware are built by nation states and organized cybercriminal rings—and ransomware evolves quickly with new variants. Many forms of ransomware can get by even best-of-breed antivirus software.
  • Relying on people to click links and attachments: A person clicking on a malicious link or attachment may bypass an antivirus software’s warnings—which is why so many ransomware attacks begin with a person clicking on something bad.
  • Holes in your security: At the server or network level, a cybercriminal can gain access to your network and upload ransomware, bypassing antivirus software and even the need for an employee to click something. If your servers, network, and other access points are misconfigured, secured poorly, and lack oversight, then you open yourself up to ransomware.
It’s good that more municipalities are aware of ransomware, especially after so many towns and cities have been attacked. However, it’s critical that you educate yourself about the deeper impacts of ransomware and challenge any assumptions you’ve picked up along the way about how ransomware operates. We hope this post clarifies a few myths and misconceptions, spurring you to better secure your municipality.
