When 16,000 gas stations lining the East Coast were cut off from the Colonial Pipeline last year and drained of fuel, millions of South Carolinians tuned in as the company teamed up with the FBI and delivered a $4.4 million bitcoin ransom to its hackers.
But few aside from the FBI and the victims realize that South Carolina businesses lost $21 million last year through ransom attacks and other cybersecurity breaches.
By this May alone, that number had almost doubled to $42 million, according to Susan Ferensic, special agent in charge of the FBI's Columbia Field Office.
“Not only is that an outrageous number,” she told SC Biz News, “but, I’m also concerned about the intangible loss of intellectual property. We know that actors from nation states and other countries want our intellectual property; it costs a lot of money to develop new technologies. And by stealing that information, it gives an unfair advantage to another country: that they didn’t have to develop, spend the time and money or have the intellectual property to make a new technology.”
And according to Washington, D.C.-based cybersecurity firm PurpleSec, 50% of attacks target small and medium-sized businesses.
“That’s something that we can’t put a monetary value on,” Ferensic said.
When asked which type of industry tends to be targeted the most, she said everyone can be a target, particularly businesses that don’t have current patches to their system due to lagged software updates or that have left default passwords in place. Larger businesses may be more apt to have the ability to invest in cybersecurity through a team that ensures that updates and system changes are put in place, she said, but for smaller businesses, that job rests on a multi-tasking management team.
“Criminals have become very savvy,” Ferensic said, adding that they employ software that combs the internet for networks with vulnerabilities before launching an attack. “That’s a few clicks of a button, right? It’s not hard work for them. It’s really easy money on their end and they’ve become very professionalized in giving support.”
Operators with pleasant voices and polite demeanors walk victims through the process of releasing their data or negotiating ransomware amounts.
But before companies get to that point, Ferensic suggests setting up network monitoring tools, obtaining a preventative network evaluation from the Department of Homeland Security and communicating cybersecurity standards to contractors and remote workers. She also suggested reaching out to the cyber supervisor at one of South Carolina’s eight satellite offices.
If a business owner or cybersecurity officer observes suspicious activity or suspects network intrusion, Ferensic prompts them to contact the Columbia field office or the FBI’s CyWatch program at firstname.lastname@example.org or 1-855-292-3937. If the threat escalates, she advises reporting losses from fraud and ransomware attacks to the FBI’s Internet Crime Complaint Center, which, in turn, partners with the agency’s Recovery Asset Team.
And time is of the essence. The team works with banks to prevent a ransom from being transferred to criminal accounts. Recovery is much harder to come by after that transfer.
“Once the money is transferred, typically after 48 to 72 hours ... it might be transferred between up to 100 banks internationally,” she said. “The cybercriminals know that the quicker they move that money around, the harder it is for us to track it, freeze it, even through our financial networks. So, the sooner that team has the information, we can put a freeze on that money and then use judicial process to have the money returned to the victim.”
Close to half of the ransom from last year’s Colonial Pipeline attack was returned by the U.S. Justice Department’s newly formed Ransomware and Digital Extortion Task Force the following month.
Ferensic acknowledges that in the past, involvement from the FBI and local law enforcement got a bad rap for hampering targeted businesses’ efforts to restart operations.
Now, she and her team want to rebuild that trust.
“We’re not telling companies that they can’t pay a ransom, because we understand businesses need to be up and running, because that’s foremost of importance for their business,” she said. “But we’re asking [them] to, on the back end, work with us so that we can go after those actors and make sure that we bring consequences to them. They’re not mutually exclusive. Working with us doesn’t mean that you can’t get your business up and running.”