Ransomware at the Library: Time to Boost Your Cybersecurity

by Karen Pundsack on November 9, 2018

Karen Pundsack is Executive Director at Great River Regional Library, a six-county regional public library system in central Minnesota. Contact Karen at karen.pundsack@gmail.com. Karen is currently reading Eleanor Oliphant is Completely Fine by Gail Honeyman.

---

Your computer has been locked! Computer blocked! Your personal files are encrypted! Oops your personal files are encrypted! These are the nightmare ransomware messages libraries, hospitals, and communities are seeing across the country. Whole municipalities and major state departments are seeing attacks. Mecklenburg County in Charlotte (NC), the city of Atlanta, and the Colorado Department of Transportation are recent victims. Public libraries in Spartanburg County (SC), St. Louis (MO), and Brownsburg (IN) have also fallen prey.

It is not a matter of if, but when, your computers or library will see an attempt. Ransomware is a type of malware that encrypts all the files on a server or computer. It can spread through a network in a very short time once executed. The encrypted files are then unable to be opened without the encryption key. The attacker demands payment to unlock the files.

Ransomware can find its way into a network through email or website access. Email phishing is a common way for it to spread. This attack method is on the rise. Impersonation attacks are also on the increase. “Spear phishing” is a particularly dangerous targeted type of email attack. Attackers create a credible-looking spoof email and mimic the address. These attacks can sometimes request wire transfers or access to sensitive information. Driveby downloads from a compromised website are another possible vector. These can sometimes appear as a pop-up window, similar to a system error. Advertisements with embedded malware or hidden JavaScript within a page can download infections just by accessing the page.

At Spartanburg County Public Libraries (SCPL), ransomware gained access to the system through email. The malware infected servers and caused the loss of public computers, wireless services, the ability to borrow materials, holds notifications, as well as loss of some digital services across the entire eleven-library system. Library staff resorted to checking out materials manually for several days. SCPL had experienced a smaller ransomware attack, had systems in place, and still fell prey to the more aggressive strain. “We had a solution in place, but it failed. It was sobering. We said ‘never again’ after the first time,” SCPL Librarian Todd Stephens said.¹

“The attack was a variant of the SamSam ransomware. It hit us January 29, 2018. The variant had been coded and released in late December. It went right through our antivirus. We did hourly updates,” said SCPL Coordinator of Systems Chris McSwain.²

SamSam attackers are targeting government agencies, especially those that appear to have intricate, difficult-to-restore systems. One of their strategies is to offer a ransom demand in line with the institution’s perceived ability to pay. Budgets for government entities are usually publicly available and easy to uncover. Some victims have opted to pay due lack of a current back-up or the time it would take to restore systems. Many versions of ransomware exist, some more aggressive than Samsam.³

In 2017, St. Louis Public Library (SLPL) experienced an attack. “Our protection systems and software were sophisticated and up-to-date, yet we were successfully breached,” Executive Director Walter McGuire said in a public letter. A voicemail server was traced as the point of entry. It was used as a link to other equipment on the system. “Library networks are very different from private or most government networks: our mission is to provide open and free access to information for all. Thousands of St. Louisans depend on our computers and networks every day to access a world of vital information and services. Balancing that demand for open access against the need for protection takes a great deal of staff work and expense,” said McGuire.⁴

Neither SLPL nor SCPL paid the ransom. SCPL was able to recover systems from existing backups. Both libraries worked with the Federal Bureau of Investigation (FBI) to report the situation. The FBI does not support paying a ransom to an attacker. There are no guarantees that the data will be unlocked or that a decryption key will be provided. It also gives attackers incentive to continue this activity.⁵

“The St. Louis Public Library never paid any ransom. Staff brought the demand to me within moments of discovering it, and we were on the phone with the FBI moments later. Although I understand that the decision to pay can be complex for many institutions and companies, SLPL never considered it,” said McGuire.⁶

SCPL opted not to pay the ransom demand: 3.6 to 3.8 bitcoins, an estimated $36,000. “We reported the attack to the FBI. We wanted to get our information straight—what the plan would be and dictating how to respond. People who write this code are a step ahead. It is aggressive and fast,” said Stephens. “We learned afterward that we were being attacked as early as the 26th. Over 30,000 hits were seen on our system.”⁷Increased traffic on the network started on a Friday and went unnoticed by the state officials who oversee it.

How to Prevent Attacks

The human factor is the greatest risk to computer security. Educating yourself and library staff members on how to prevent these attacks is one of the best ways to stop ransomware. The steps that follow will help keep you and your library secure in the virtual world.

Don’t Click

You get an email that looks like a Google Doc from a colleague. You click to open it, and next thing you know, everyone on your contact list is receiving phishing emails from your address. “Just because it comes in an email, you don’t need to click. It’s one that thing that could take care of a lot of problems,” advised Stephens.⁸

Resist the urge to click. Closely check the sending email address. Make sure it comes from someone you expect to be receiving email from. Clicking links within an email is also risky. Links can redirect to websites with executable files. It’s possible the person sending you the email may have been hacked themselves, so even if you know and trust the sender, you should remain wary and on guard. Disabling links in your email application will help prevent errant clicking also.

Train Everyone

People are the weakest link in your cybersecurity defense. Anyone who uses your library computers is a possible entry point for attack. Training staff and volunteers who use library systems is a key way to keep your systems secure. The most advanced antivirus software is no match for the user who is tricked into clicking something they shouldn’t.

Teach your staff not to click an attachment automatically and to watch for file extensions that might contain executable files (such as .exe or .zip). Microsoft’s Ten Immutable Laws of Security is a great resource to use. It provides the whys behind computer security and provides strategies to protect your systems. Two of the most relevant are “Law #1: If a bad guy can persuade you to run his program on your computer, it’s not solely your computer anymore,” and “Law #4: If you allow a bad guy to run active content in your website, it’s not your website anymore.”⁹

After the January 2018 attack, SCPL contracted with a vendor to conduct compliance audits. Staff members receive test fake emails to measure behavior. If someone clicks something they shouldn’t, they receive additional training on email security. They also added a section on cyberattacks to their emergency procedures, alongside instructions for what to do in case of a fire or tornado.

Don’t Download

Operate under “the principle of least privilege.” Set up systems so users can only access the programs and functions they need to do their work. Create an administrative account and implement software restrictions to keep programs from installing automatically. Administrative system access should be limited to the least number of people possible.¹⁰

Avoid installing free software. Make sure you know and trust the site if you do need to download. Third party applications, like Dropbox and Google Docs, also allow a vector into your system. Avoid file-sharing sites to minimize the ways attackers can access your computer systems. Usability can also be vulnerability in the cybersecurity world.

Keep Your Software Up to Date

Vendors release updates on a regular basis, providing security patches for known vulnerabilities. Be sure your systems are receiving these updates.

Set your antivirus solutions to automatically update and scan regularly. The FBI also recommends ensuring patches for software, web browsers, and plug-ins like Adobe Flash and Java are applied. Keep in mind, even with good software and backups, you’re still vulnerable. SCPL had top-of-the-line antivirus software. Because the ransomware variant was new, there was no defense.

Back up Your Systems and Files

A ransomware attack can bring all activity to a grinding halt. Patrons depend on technology access in our libraries. Even access to books depends on online catalogs and integrated library systems for checkout. Recovering from an attack means cleaning each device and recovering all the data. Having up-to-date backups makes this process go faster. An outdated backup is a greater liability. Due to an outdated system backup, the Brownsburg (IN) Public Library (BPL) chose to pay the ransom in order to restore their services.¹¹

The FBI also recommends verifying integrity and securing backups. Make sure the backup is not connected to the network. Cloud storage is one option but be aware some ransomware has locked cloud-based backups when they were set to run continuously.¹² Consult with cybersecurity specialists to learn what options could work best for you.

Limit Use of USB Drives

At SCPL, the ransomware hit so quickly, it jumped to flash drives connected to the network. Flash drives from both patrons and staff computers also can be an entry point for attack. “We asked staff to send in all flash drives and scanned them all. We now give each staff member their own flash drive,” said McSwain.¹³ Staff only use these drives for work purposes.

Patron USB access is a risk area. Make sure public computing stations are locked down without network access to other systems. Don’t plug an unfamiliar USB into your computer. It could contain malware.

If You Get Infected

Report to Law Enforcement

If your library is attacked, the FBI asks that you contact them at the local office or to the Internet Crime Complaint Center at www.ic3.gov. Reporting helps the FBI keep a comprehensive view of the threat and impact. They can also provide guidance on how to minimize the risk for attack. When receiving a report, the FBI will ask for details, some of which may appear on the ransom page or in the encrypted file extension. Information they will ask for include the date of infection, the ransomware variant, how the infection occurred, the ransom amount, the bitcoin wallet address, any amount paid, and overall losses from the infection. They will also ask for a victim impact statement.

Crisis Recovery

Response will depend on the scope of impact. In St. Louis, some systems were unaffected. However, voicemail was impacted, limiting communication. At SCPL, the ILS and email system were directly hit, also limiting their ability to communicate. Their financial and payroll services were hosted offsite, so were not impacted. Had these systems been compromised, challenges would have extended beyond providing service and communication.

SLPL restored access to the physical collection and reservable computers within a day of the attack. “For most patrons, the library was functioning normally a day or two after the attack,” said McGuire.¹⁴Printing for patrons was one of the last public services restored.

SCPL worked from their disaster recovery plan to respond. It took the first twenty-four hours to assess the damage. All twenty-three servers had been hit. Recovery included reimaging all 625 workstations across the system. In retrospect, Stephens wishes they had realized more quickly which systems remained available to patrons. All of their third-party services, like Hoopla and Overdrive, were unaffected. Once they realized this, they did promote this to the public. Staff also reached out to a local community college to extend computer access to patrons during the outage. Wireless service was disabled to prevent outside access to the network during the recovery. Patrons could borrow up to ten items during the recovery, down from the normal fifty-item limit.

Having the email system compromised made it difficult to communicate to staff members throughout the recovery. A text message emergency system was used to relay messages to staff across the 811 square miles of Spartanburg County. They used social media to get messages out to the public. They were careful of the accuracy of the messages being sent, so communication was a bit slow at first. It was a tough balance between keeping staff up to date and keeping sensitive information out of the public eye.

Recovering from an attack takes a lot of time and resources but it is possible. It’s the mission of public libraries that kept leaders in both St. Louis and Spartanburg moving forward during the ransomware chaos. SCPL has mostly recovered their services from a January 2018 attack. “I was reading Beartown at the time, and it had a quote, ‘Sometimes life doesn’t let you choose your battles. Just the company you keep.’ I choose to work in a library and serve patrons. It was what I kept in mind,” said Stephens.¹⁵

McGuire echoed these sentiments in his public letter. “Libraries embody the belief that our communities improve themselves by providing open access to the vital world of information and learning . . . Increasingly those resources are digital and accessed online. This attack attempted to hold information ransom. That frightens and angers all libraries and librarians, and it should anger you.”¹⁶

The world of cybersecurity grows more complex each day. Public libraries are vulnerable. We offer technology access to the public and are complex government agencies, making us ripe targets. Staying informed about the risks is a step everyone should take to build a wall of defense. We owe it to our patrons.

References

1. Todd Stephens, interview with the author, May 11, 2018.
2. Chris McSwain, interview with the author, May 11, 2018.
3. Lily Hay Newman, “The Ransomware That Hobbled Atlanta Will Strike Again,” Wired (Mar. 30, 2018), accessed June 11, 2018.
4. Walter McGuire, “An Update on the Ransomware Attack,” letter from SLPL executive director, Jan. 30, 2017, accessed June 11, 2018.
5. “Ransomware Victims Urged to Report Infections to Federal Law Enforcement,” Internet Crime Complaint Center (IC3), “About Us,” accessed June 11, 2018.
6. McGuire, ibid.
7. Stephens, ibid.
8. Stephens, ibid.
9. Roger Halbheer, “Ten Immutable Laws of Security (Version 2.0),” Microsoft TechNet, June 16, 2011, accessed Aug. 10, 2018.
10. “Ransomware Victims Urged to Report Infections to Federal Law Enforcement.”
11. Greg Landgraf, “When Ransomware Attacks: How Three Libraries Handled Cyberextortion,” American Libraries (June 01, 2018), accessed June 11, 2018.
12. “Ransomware Victims Urged to Report Infections to Federal Law Enforcement.”
13. McSwain, ibid.
14. McGuire, ibid.
15. Stephens, ibid.
16. McGuire, ibid.

---

Tags: cyber attacks, cybersecurity, ransomware