About seven or eight years ago, I was sitting at my desk one morning when I received an urgent text from my then-boss.
She was holding a meeting, according to the text, and needed me to purchase $1,000 in electronic gift cards as a giveaway to the attendees as soon as possible.
Needless to say, this text didn’t pass the sniff test. For one thing, it didn’t sound at all like something my boss would request. For another, I wasn’t aware she had a meeting that morning. Then I checked the phone number it came from — it wasn’t hers, though the text had spoofed her name.
Soon thereafter, I started hearing from co-workers who received the same spurious text claiming to come from our organization’s executive director. To our credit, none of us were fooled, but not long after, I heard about another organization that did get scammed by this con.
Whether at work or in our personal lives, we are constantly barraged with relentless attempts to dupe us into handing over credit card or bank account numbers or sensitive login information. In the worst cases, bad actors can hold critical systems or data captive for increasingly large ransoms. Last year, the Southeastern U.S. saw the real impact of these cyber assaults in the form of long gas lines, panic buying and fuel shortages following the May 2021 ransomware attack on the Colonial Pipeline.
Criminal syndicates and hostile nation-states sponsor sophisticated cybercrime operations encompassing everything from ransomware hacker networks to scam telemarketing centers, corporate espionage and cyberattacks aimed at critical systems and infrastructure. Many of these attacks originate from China and Russia, as well as Turkey and even Brazil, often with government support.
In this issue’s cover story, “Cyberwar zone,” freelance writer Emily Freehling reports that the average ransom payment to cybercrooks has rocketed to a staggering $541,010. Plus, President Joe Biden and federal officials are warning businesses that Russian President Vladimir Putin is likely to retaliate against U.S. sanctions on Russia and support for Ukraine by launching cyberattacks on U.S. interests.
If you’ve been whistling past the graveyard, thinking that your business will escape the notice of the bad guys, maybe it’s time to take out a life insurance policy in the form of a cybersecurity review. Freehling’s article offers some expert suggestions for where to begin with hardening your company’s security measures.
Also in the May issue, we have an exclusive interview with 92-year-old media mogul, televangelist and Regent University founder Pat Robertson about his legacy and Regent’s impact and influence in producing hundreds of conservative leaders across politics, government, law and academia.
But before you read on, I just want to offer a friendly alert that our editorial staff and freelancers will be contacting many of your businesses over the next month or two to collect information about your top executives for our annual Virginia 500 issue, which compiles the state’s most powerful leaders in business, government and education.
Earlier this year, Kwabena Konadu received a call from one of the small businesses he advises on IT and cybersecurity.
The company’s chief financial officer had received an email from a purported ethical hacker — cyberspeak for “good guy” — who had found the official’s username and password for accessing company data on the dark web, says Konadu, who has a side business as a cybersecurity consultant in addition to his duties as chair of Northern Virginia Community College (NOVA)’s cybersecurity and cloud computing program.
Konadu traced his client’s breach to a phishing campaign. The executive had received an email that looked like a legitimate request from a bank. Clicking a link in the email prompted a request for a Microsoft 365 login.
“Unfortunately, the CFO clicked on the link and supplied their username and password,” Konadu says. “The same password was being used to log into company financial systems, email and critical resources.”
Konadu has been spending time with the company’s executive team going through the compromised account to determine what sensitive information might have been accessed. So far, he says, the company appears to have gotten through the incident with minimal damage, but Konadu sees the incident as a cautionary tale.
From weak passwords to vulnerable backups to logins that can still be accessed by former employees, many businesses are crawling with access points waiting to be exploited by cybercriminals.
Ransomware — a form of malware that locks down a computer system until a sum of money is paid — has increased in recent years, according to industry and law enforcement experts.
The FBI’s Internet Crime Complaint Center received nearly 850,000 complaints of U.S. cybercrimes in 2021 — a 7% increase from 2020 — resulting in more than $6.9 billion in losses to victims.
But many cybercrimes go unreported, and private sector numbers paint a far worse picture. Cybersecurity firm SonicWall reports that its researchers recorded 623.3 million ransomware attacks worldwide in 2021 — a 105% increase from 2020.
Cybersecurity Ventures, publisher of Cybercrime Magazine, last year projected that cybercrime would cost victims $265 billion by 2031. This steep growth rate — the firm pegged 2015 losses at $325 million — is fueled by increasingly sophisticated methods used by cybercrime operators, many of which mirror the legitimate business world. Just as software as a service is a highly successful legitimate business model, “ransomware as a service” (RaaS) is helping even small-time bad actors scale up their operations.
Palo Alto Networks credited RaaS with helping to fuel a 78% increase in the average ransom payment to cyberextortionists in 2021 — $541,010. The cybersecurity firm’s study found that nearly 60% of victims reported taking more than one month to recover from an attack.
Closer to home, the Virginia Information Technologies Agency (VITA), the state government’s IT arm, reported that state agencies experienced more than 66 million attempted cyberattacks in 2020, with VITA blocking more than 50,000 pieces of malware.
The Virginia legislature’s Division of Legislative Automated Systems was hit by a ransomware attack in December 2021, cutting lawmakers off from critical bill-filing and management functions just one month before the start of the 2022 General Assembly session. That same month, the state Department of Behavioral Health and Developmental Services experienced a ransomware attack that shut down its payroll system.
Figures for 2021 are still being compiled, says VITA spokesperson Stephanie Benson, but “in general, threats have continued to increase in volume and complexity over time.”
Public awareness of the threat is growing, especially after the high-profile May 2021 Colonial Pipeline ransomware attack made a tangible impact on people’s daily lives, causing fuel shortages in 17 states from Texas to New York.
Cybersecurity experts say that for every headline-grabbing attack, there are hundreds of breaches of smaller organizations that can cause considerable damages and headaches for the businesses and their workers, customers and suppliers.
The names and Social Security numbers of some of Fairfax County Public Schools’ employees and students were released on the dark web in 2020 after a ransomware attack on the school system. The school system offered credit monitoring and identity restoration services to staffers as part of its response to an attack that hit amid pandemic-driven virtual learning.
Richmond-based OrthoVirginia — an orthopedic medical practice with 32 locations around the state — reported a cyberattack last year that disrupted its phone and communications systems. Staff found workarounds such as using social media to maintain contact with patients. The practice said it was not aware of any patient or employee information being compromised.
Health care organizations have been a popular target for cybercriminals. The Wall Street Journal reported in March that a criminal group with connections to Russian intelligence agencies planned a coordinated attack to cripple U.S. hospital emergency rooms at the height of the pandemic in 2020.
For a cybercriminal, targets are everywhere, and no individual or business should consider themselves too small to be impacted, says Babur Kohy, who teaches cybersecurity courses at NOVA and runs cyber research organization CyTalks.
“Everyone is compromised, whether we know it or not,” says Kohy. “Detection is the new prevention.”
Russian threat escalates
Following Russia’s invasion of Ukraine in late February, the Biden administration and federal agencies urged businesses, individuals and critical infrastructure operators to take immediate steps to lock down their networks, as intelligence agencies have seen evidence that the Russian government has been exploring options for retaliatory cyberattacks against the U.S. and NATO member nations.
“The more Putin’s back is against the wall, the greater the severity of the tactics he may employ,” President Joe Biden said during a March 21 appearance at the Business Roundtable’s CEO Quarterly Meeting in Washington, D.C. “One of the tools he’s most likely to use … is cyberattacks. … The magnitude of Russia’s cyber capacity is fairly consequential, and it’s coming.”
In April, the FBI, the NSA, the Department of Energy and the Cybersecurity and Infrastructure Security Agency released a joint federal advisory warning companies about the existence of a new malware suite designed to attack industrial control systems that run electric and water utilities, oil refineries and factories. Federal officials said the toolkit was developed by a state-sponsored hacker group but would not state which nation was behind it. Cybersecurity experts said the toolkit is most likely Russian and apparently was intended to target liquefied natural gas production facilities.
Regardless of industry or whether they’re located in Northern Virginia or hours away from the Beltway, Virginia companies are heeding the federal warnings.
“The technology available to hostile actors has evolved, and the reality of nation-states leveraging it to conduct devastating asymmetric warfare is more clear than ever,” says Adam Lee, vice president and chief security officer for Richmond-based Fortune 500 utility Dominion Energy Inc. “Critical infrastructure in Ukraine was impacted by major cyberattacks in 2015 and 2016, and government sources tell us similar attacks are underway in the current Russia-Ukraine conflict. Dominion Energy partners with federal and state agencies to share information, improve our cyber defenses and ensure attacks like the ones in Ukraine won’t happen here.”
Now is a time for all businesses to be extra vigilant, says Virginia Tech cybersecurity professor Luiz DaSilva, director of the Commonwealth Cyber Initiative, an organization coordinating higher education cybersecurity research efforts in Virginia.
“We already are seeing supply-chain disruptions and increased gas prices. Cyber-criminals could take advantage of this very delicate time that we are going through right now to launch major cyberattacks,” DaSilva says.
Companies that operate in industries most affected by the sanctions the U.S. and other countries have placed on Russia are perhaps the most obvious potential targets of attacks, says Luke McNamara, a principal analyst with Mandiant, a Reston-based cybersecurity firm that entered into an agreement in March to be purchased by Google for $5.4 billion.
“Certainly, energy and financial services but media and entertainment and transportation are also sectors that, because of historical patterns of targeting and where these sanctions are landing, would be a little more at risk,” he says.
But McNamara says the fact that so many businesses from different parts of the economy are depending on the same major companies for software and cloud-based services means there may be no such thing as an unlikely victim.
For instance, the 2020 SolarWinds attack impacted more than 18,000 customers of the IT management software company after Russian state-sponsored hackers installed malicious code in a widely issued software update. Victims ranged from the U.S. departments of Defense and Homeland Security to technology giants such as Microsoft Corp., Intel Corp. and Cisco Systems Inc. to hospitals, local governments and schools.
“It’s very important for organizations to think about, even if you are a smaller organization, where do you fit within the ecosystem?” McNamara says. “If there are certain sectors that may be more at risk right now, how does that risk translate to you and your specific business?”
An interconnected world
Thinking about cybersecurity beyond the walls of your own business is an important mindset, says Bobby Turnage Jr., an attorney who leads the cybersecurity and technology team at Richmond-based Sands Anderson PC. Businesses also need to consider the security of vendors that have access to their systems or data, he says.
“Depending on your circumstances, you might have to provide notification to impacted individuals” in the event of a data breach, he says. “You also might have to — or decide to — provide identity theft and credit monitoring services” due to the compromise.
Requirements to notify authorities of a cyberattack are receiving increased attention from regulators.
In recent months, the U.S. Securities and Exchange Commission has proposed tighter cybersecurity reporting rules for public companies and investment advisers and funds.
Federal budget legislation signed by President Biden in March includes a new requirement for critical infrastructure operators to report cyber incidents to the Department of Homeland Security within 72 hours, and to report ransom payments within 24 hours. The directive covers public and private owners of utilities, health care facilities, critical manufacturing, communications and many other industries.
“We don’t want to hold the company [that reports an attack] accountable. We do want to go after the malware actors,” U.S. Sen. Mark Warner, D-Virginia, told an audience at the Center for Strategic and International Studies in March as he spoke about the new legislation. “This is a giant, giant step forward.”
Only about 30% of cyberattacks on the private sector are currently being reported to the government, Warner said. More information sharing can allow the government to better communicate potential threats to infrastructure owners.
This kind of communication is ongoing, says Lee of Dominion Energy.
“The FBI, Department of Homeland Security, Department of Energy, and even the TSA for our natural gas business, have worked with us to help us understand the threats we face and to provide us with the latest threat intelligence — even to highly classified levels — to stay ahead of sophisticated attackers,” he says.
In Virginia, he says, the Youngkin administration has promoted constant communication between Dominion and the Virginia National Guard, state agencies and members of the governor’s team to better protect the electric grid.
Employees on the front lines
NOVA’s Kohy says it’s helpful to remember that cybercrime is ultimately a human enterprise.
“Technology is used as an enabler,” he says.
Most breaches rely on an employee clicking a link, sharing a password, keeping sensitive information in a vulnerable place, or failing to set up safety nets such as multifactor authentication.
And cybercriminals are getting progressively better at exploiting these weaknesses, says Sharon Nelson, president of Fairfax-based cybersecurity firm Sensei Enterprises Inc.
“This moves at the speed of light,” she says. “You wake up and there is something new out there every single day that you haven’t seen before.”
Nelson and Sensei Vice President John Simek say criminals are increasingly using social engineering to gain victims’ trust and get them to turn over sensitive information. For example, a bad actor may do research to discover who a company’s IT services provider is, then call that person and claim they’re with that company and need login credentials.
In addition to email, criminals may use texting or other means of communications to try to breach systems. While automated filters are important and can help, they don’t block everything. That means frequent employee training on how to recognize malicious actors is an essential piece of any cybersecurity plan, says Chris Moschella, risk advisory services senior manager with Keiter, a Richmond-based accounting firm that performs IT audits and cybersecurity services.
“Employees need to really change their thinking and need to think of themselves as part of the security apparatus within a business, and not just a consumer of the security apparatus,” he says.
Simple actions are important
But there’s even more low-hanging fruit that those who work in the field say businesses of all sizes should think about when assessing their security.
Simek says he’s yet to work with a company that doesn’t have old administrative accounts left active after former employees have left the company. A 2022 survey by software provider Beyond Identity found that 83% of employees admitted to maintaining access to accounts from a previous employer.
As employees work in an increasingly hybrid world, accessing company networks from home, work and locations such as coffee shops, cybersecurity experts emphasize that multifactor authentication — a process requiring an individual to receive a unique code via text or email to access an account — is a must, despite the inconvenience of extra sign-in steps.
“It’s not just for businesses but for everybody, even in your personal and daily life,” Simek says. “Multifactor authentication will stop the vast majority of compromises, even if they get your password.”
Backups can be an important defense against ransomware, but Moschella points out that many businesses fail to secure them. “The thing people miss is that ransomware does spread to backups,” he says. “It’s good to have a recent backup that is not persistently connected to the network.”
While the list of potential vulnerabilities facing a company can seem overwhelming, Turnage encourages businesses to start by looking at the security threats and vulnerabilities that are applicable to them, and to then prioritize security adjustments in light of available resources and associated risks.
Making data security a priority from the board and executive levels down should be a necessity for all businesses going forward, Turnage and other experts say.
“The cyberthreats that we face are not going away,” says Mandiant’s McNamara. “It really is a marathon.”
Best cyber practices
In a national survey of 600 business leaders released in March by New Jersey-based Provident Bank, just 50.17% of respondents said their businesses were fully prepared for cyberattacks, and 50.64% said that cyberattacks are something they worry about daily. Here are some suggestions to fortify your workplace against cybercrimes:
Make sure your business is installing software updates on a regular basis, as the vulnerabilities these updates fix are a popular door for criminals to get into a system.
Require strong passwords (15 characters or more, with a mix of numbers, letters and symbols) and multifactor authentication on all company accounts.
The Internet of Things (IoT) and operational technology, including everything from connected HVAC systems to security systems and smart locks, are increasingly being exploited by cybercriminals. A common weakness is failure to reset the factory password on connected devices.
Keep multiple backups of your data, and make sure at least one of those backups is disconnected from your network at any given time. Test your backups regularly to be sure you’ll be able to restore your data.
Take the time to create an incident response plan for cyberbreaches. The faster your team can start responding, the more likely you’ll be able to contain the damage.
Consider using geo-blocking as a way to limit the range of countries that can communicate with your corporate network. This can prevent employees from downloading harmful attachments based on overseas servers.
The federal Cybersecurity and Infrastructure Security Agency (CISA) provides many free resources for businesses, including evaluation tools and best practices that can help businesses start to understand their cybersecurity needs. Find them at cisa.gov/uscert/resources/business.
Herndon-based online education provider K12 Inc. announced Tuesday that the company was the victim of a ransomware attack that may have compromised its corporate back office systems.
“We do believe that the attacker accessed certain parts of our corporate back office systems, including some student and employee information on those systems, but it will take further time to determine the scope of the information accessed,” according to a company statement.
The company has cyber insurance and has worked with its insurance provider to make a payment to the ransomware attacker to ensure information will not be released, according to a statement.
The attack did not directly impact the nearly 165,000 students in kindergarten through 12th grades enrolled in K12’s online programs, according to a company statement. Based on the company’s investigation, the attack also did not affect its learning management system and its client schools (charter and district online schools) are still open, operating and secure, according to K12.
“Stride considers the security and integrity of our systems and network among our top priorities, particularly considering the large shift this year to remote learning and work due to COVID-19,” according to a company statement. “While no company can ever eliminate the risk of a cyberattack, we are working extensively with an industry-leading third-party forensics firm to ensure that we are taking all appropriate steps to prevent any incident like this from happening again.”
The company has assembled an advisory team for the incident including:
Catherine Hanaway, former U.S. attorney for the Eastern District of Missouri
William Lockyer, former California state attorney general
John Byron “J.B.” Van Hollen, former Wisconsin state attorney general and former U.S. attorney for the Western District of Wisconsin
The team will help K12 with its response to the incident, including state and federal law compliance.
Arlington-based threat intelligence company GroupSense on Tuesday launched a new service to help companies dealing with ransomware attacks.
The ransomware negotiation service will allow GroupSense to help during the negotiation process with hackers. During ransomware attacks, rogue software can block access to programs and data until a payment is made to hackers.
“Enterprises need to take a more sophisticated approach to ransomware – most victims wind up suffering far more damage than is necessary, whether by overpaying threat actors, incurring brand damage and compliance violations from online data dumps or spending extended periods of time with no access to their critical data,” GroupSense co-founder and CEO Kurtis Minder said in a statement.
Services will include threat evaluation, threat actor engagement, ransomware negotiation and post-transaction services. GroupSense will evaluate attacks for legitimacy, verify the claims of the threat actor, negotiate ransomware demands and monitor the threat actor to prevent repeat attacks, among other offerings.
“Many companies turn to their cybersecurity partners for help, but very few of those organizations have experienced ransomware negotiators and strategists who know the history of various threat actors and can effectively negotiate with them,” Minder said in a statement. “Fewer still can provide comprehensive plans for mitigating the potential business damage caused by these attacks, which can include losing data, compliance violations, sabotaging customer relationships and degrading corporate reputation.”
Founded in 2014, GroupSense provides services including dark web monitoring, ransomware negotiation, threat investigations, social media monitoring, intel as a service and third party risk to enterprise, government and law enforcement agency customers.