Almost all organizations depend on computer systems to fulfill their services and to manage their day-to-day operations. Libraries fit into a complex technology ecosystem made up of applications and services provided by many vendors in addition to their locally implemented networks and systems. Each of these many components must be deployed with all reasonable measures to defend against security threats and intrusions by malicious entities.
The volume, intensity, and sophistication of potential attacks continually increases. Any lapse in security defenses can lead to serious ramifications. Even the largest tech companies that devote enormous resources to computer security are not immune to breaches that disrupt services or involve the capture of sensitive data.
One of the most insidious forms of computer attack takes the form of ransomware. This issue of Library Systems Newsletter covers the attack that recently disrupted the services of Baker & Taylor, the dominant provider of books and other materials to libraries. This attack was costly not only for Baker & Taylor, but it also impeded thousands of libraries from placing orders for needed materials for more than two weeks.
Libraries themselves have also been targets of ransomware attacks. Some of these incidents are outlined in this issue, in a resource that will be updated as earlier attacks come to light or new ones occur.
What is a ransomware attack?
Ransomware is an attack on the computer systems of an organization or an individual that uses malware to disable applications by encrypting essential files. These files include both the program files needed to operate services and their associated data. The files are encrypted so that the private key needed to decrypt them is held only by the attacker. As soon as the files are encrypted, the related systems fail. Given the strength of modern cryptography, the files cannot be decrypted without access to that private key.
A ransom is demanded in exchange for the key needed to decrypt the files. In recent years attackers have required that the ransom be paid in Bitcoin or another cryptocurrency, usually routed through layers of anonymization, which makes it difficult to identify the person or organization receiving the funds. If the ransom demand is paid, the attackers provide the digital key needed to decrypt the affected files and systems.
Acquiescing to a ransom demand can lead to a faster recovery in some cases, though considerable work must still be performed to ensure that all remnants of the malware are eradicated. Paying also carries the risk that the attacker never provides the key needed to decrypt the files, or that other complications impede a successful restoration. Most security experts caution against paying ransom demands, since doing so may encourage further attacks.
If the organization refuses to pay the ransom, systems and data must be recovered through a lengthy restoration process from whatever backup files are available. Restoration can be lengthy and complex, since software must be reinstalled and the associated data stores reloaded. Organizations with comprehensive disaster recovery plans may be able to recover within a few days. Recovery must also include multiple layers of safeguards to ensure that the recovered files are free from malware or other security concerns. In some cases the ransomware also encrypts the backup files themselves, further complicating recovery.
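As an added illustration, not part of the newsletter, the following Python sketch shows one safeguard implied by the paragraph above: keeping an offline manifest of backup-file hashes and flagging any backup file that has changed and now has a near-random byte distribution, as encrypted content does. The file names, sample contents and the entropy threshold are constructed assumptions, not values from any real library system.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

def sha256_of(path):
    """Hash a file in chunks so large backup archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def shannon_entropy(data):
    """Bits per byte: about 8.0 for encrypted or compressed data, far lower for text or CSV."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(backup_dir):
    """Record the SHA-256 of each backup file; keep this manifest offline, apart from the backups."""
    return {name: sha256_of(os.path.join(backup_dir, name))
            for name in sorted(os.listdir(backup_dir))}

def verify_backup(backup_dir, manifest, entropy_threshold=7.5):
    """Map each manifest entry to 'ok', 'missing', 'modified' or 'modified-high-entropy'."""
    report = {}
    for name, expected in manifest.items():
        path = os.path.join(backup_dir, name)
        if not os.path.exists(path):
            report[name] = "missing"
        elif sha256_of(path) == expected:
            report[name] = "ok"
        else:
            with open(path, "rb") as f:
                sample = f.read(1 << 20)  # the first MiB is enough for the heuristic
            high = shannon_entropy(sample) >= entropy_threshold  # threshold is an assumed value
            report[name] = "modified-high-entropy" if high else "modified"
    return report

def demo():
    """Constructed scenario: two backup files, one later overwritten with random bytes as encryption would."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("catalog.csv", "patrons.csv"):
            with open(os.path.join(d, name), "w") as f:
                f.write("isbn,title\n" * 500)
        manifest = build_manifest(d)
        with open(os.path.join(d, "patrons.csv"), "wb") as f:
            f.write(os.urandom(4096))  # stands in for ransomware-encrypted content
        return verify_backup(d, manifest)
```

Running `demo()` reports `catalog.csv` as `ok` and `patrons.csv` as `modified-high-entropy`; a manifest stored with the backups themselves would offer no such check, since the same malware could overwrite it.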
Ransomware attacks exploit any vulnerability in the organization's network and computing environment. These vulnerabilities include individuals who open an email message carrying a malware payload, as well as any network-exposed component or application with unpatched security flaws. Once activated, the malware can spread quickly through the organization's network and attack critical systems.
When a ransomware attack affects major systems, the organization may engage a security firm that specializes in cybersecurity and systems recovery. These experts can analyze the incident to determine the fastest path to recovery and to address the security weaknesses that allowed the attack to succeed.