You are using your computer, checking email, visiting websites, doing everyday tasks when all of a sudden, something goes wrong. Really wrong. Not “control, alt, delete” kind of wrong. More like “here’s my credit card, save my data” kind of wrong.
And that’s what the people behind ransomware are hoping.
In a world where everything from your watch to you car to your medical devices could be attacked by accessing your phone or computer, where precious pictures of your family are more likely to live than in a photo album, people can feel like they are the ones taken hostage if someone takes control of their electronics.
Penn State understands what it is like to be targeted. The university announced two separate attacks in 2015 — one on the College of Engineering and one on the College of Liberal Arts.
Donald Welch is the university’s chief information security officer. He’s the guy whose job it is to try to plug all the cracks where hackers might try to wriggle into the Penn State system. The problem? There are thousands and thousands of people who have legitimate access to the system — students, faculty, employees and more. Just like every large organization, like a company or a governmental department, that means a lot of people who can make good or bad choices about security.
Whether you are affiliated with Penn State or not, Welch said you can be the real gatekeeper of your system.
“If you do smart things, it helps a lot,” he said.
And that’s true. Common sense might be the best antiviral program.
“There are a few main things to do,” Welch said.
The first one? Never trust a link or an attachment that you aren’t expecting. That is because phishing — using a fake email to bait you into giving information — or spearphishing — using a fake email that has just enough real info about you to seem genuine — are favorite ways to slither into a system.
“They are primarily motivated by being able to steal money from individuals and families,” Welch said.
That might mean getting enough info to file your tax return and steal the cash. It might mean tricking you into giving your credit card numbers. Or, like with ransomware, it might mean getting you to pony up the money to unlock your device.
The attacks on a company or other organization isn’t really different.
“With a larger organization, they are looking for a bigger payoff for the amount of effort they put in,” he said. “Obviously we have a lot more money than most families. They take a series of steps, but it’s really the same steps. It’s a drive-by attack, in some way that they get that malicious code on one laptop and move from system to system until they get into a position where they can do some kind of damage. But the first steps are usually the spearphishing.”
So don’t fall for it. Question things. If you get an email from your bank, don’t click the link. Go to the bank’s website directly, or call your branch. Hover over a link with your cursor without clicking on it and look in the bottom left of your screen where the URL for it will show up. If it doesn’t make sense, don’t trust it. If your friend sends you a link that doesn’t seem right, call and make sure there wasn’t a hack on the account.
“Be suspicious,” Welch said.
And not just about the mail you get. Be cagey with the links you see online, too. If a sale seems too good to be true, don’t click on the ad. The same for a truly unbelievable celebrity story that is tempting you to click. It could be unbelievable for a reason, and the reason might be more than fake news. And then there are the things you download on purpose like apps or games.
“If you’re going to have this paranoid point of view, which is what I think you need right now in cyberspace, you have to think ‘how are they paying for what they’re doing?’ ” Welch said.
But what if it’s ransomware? What if you have already been caught? Should you play along to get your data unlocked?
“(The U.S. Government) does not encourage paying a ransom to criminal actors,” the Department of Justice website says. “However, after systems have been compromised, whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees, and customers. Victims will want to evaluate the technical feasibility, timeliness, and cost of restarting systems from backup.”
Paying isn’t a guarantee the computer gets unlocked.
“Just anecdotally, talking with peers, it appears less than half who pay get it back,” Welch said.
It also leaves the door open for the hackers to come back for more ransom in the future.
“The best thing is to have an offline backup,” Welch said. “You can buy a USB hard drive to plug in once a week and backup. If you do get hit with ransomware, you can restore your system. It’s not fun, but it has a higher probability of success and is cheaper.”