The virus that reportedly infected the Palm Beach County Supervisor of Elections office in 2016 could have meant elections officials shelling out thousands of dollars to get their data unlocked had they not had backups ready to go.
As it was, elections officials say they lost only a few days’ worth of data. But in the swiftly evolving world of cybersecurity, had the attack occurred in 2020 instead of 2016, even that may not have been enough.
Back in 2016, computer security firm Avast called Zepto, the virus that reportedly hit the elections office, a “new player in the ransomware scene,” an evolution of an “infamous” but older ransomware program called Locky.
“Beware the latest arrival on the ransomware scene: Zepto,” wrote computer security specialist Paul Ducklin on the security firm Saphos’ blog, Naked Security. “It’s very similar to the well-known Locky malware, and the consequences of an attack are the same: your files end up scrambled, at which point the crooks offer to sell you the decryption key.”
The basic con game works like this: Someone gets into your computer system, usually through a phishing attempt. In other words, they send an email that looks like it’s from someone you trust. The email has a link that seems as if it goes to a trusted site that asks you to put in your user name and password. But in reality, you’ve just given away your information to criminals.
With any luck for the hackers, the username and password they get gives them access to files not only on one computer but throughout a company’s computer system. Then the crooks upload Zepto, and all of your Word .doc files, your .jpegs, those awesome .gifs you’ve been collecting, not to mention your employer’s sensitive employee and customer data … it’s all locked up, unable to be opened. The files can be unlocked, of course — as long as you pay up, usually by forking over a digital currency like bitcoin after making contact with the thieves through an encrypted email service like protonmail.
“Up until recently, they would encrypt your Word docs, your jpegs, those kind of things. But they wouldn’t encrypt your system,” said Jeff Birnbach, managing director of Sylint, a cybersecurity firm based in Sarasota. The hackers would leave the system operable, Birnbach explained, because they needed to allow people to use their computers in order to receive payment. But as long as people kept regular backups, they would lose only a few days or weeks of data, as the elections office did.
“But then they started getting more sophisticated,” Birnbach said. “They started not only encrypting files, but also deleting your backups. Now, what we’ve seen in just the last few months, not only do they take out your backups and encrypt your data, but they also exfiltrate [extract] your data.”
Even if you have a backup that’s disconnected from the Internet, which you can use to get your data back, the hackers still have all of your data as well. If they can’t get paid to decrypt the files, they’ll blackmail the target into paying — or else they’ll take their copy of the data that they’ve stolen and make it available to the highest bidder.
Ransomware is a booming industry. In the year the Palm Beach County elections office was attacked, ransomware use increased 400 percent and likely became a $1 billion industry, according to security firms and federal investigators.
Last year, cities around South Florida were hit with ransomware. Stuart became a target in April 2019 and relied on backups to get by. Key Biscayne went through the same thing in June. The city of Riviera Beach saw its computer system locked up in late May 2019 by ransomware and eventually agreed to pay 65 bitcoin to regain control — about $600,000.
In order for Zepto or one of the newer, nastier versions of ransomware to get into a computer system, the keys to the kingdom first have to be handed over. And that usually means a successful phishing attempt.
“Most of the problems come from human error — someone clicks the wrong thing, gets phished or what have you,” said Brian Franklin, co-founder of Campaign Defense, a firm that advises political candidates and elected officials on data protection. “It’s important to explore the policies that relate to how people are trained and what they do. Hopefully, they’ve implemented the training procedures to reduce the likelihood of this happening again, but it’s happening to both government and civilian institutions across the country every day.”
It’s unclear how criminals were able to infect the Palm Beach County elections office in 2016. Even if everyone is trained on the issue, Birnbach said he’s seen instances in which people will willingly give away login information.
“We’ve seen ransomware as a service, where you can partner with people on the dark web [anonymous and untraceable websites] who will run ransomware and split the take with you,” he said. “The best thing you can do still is make an encrypted backup of all your data and unplug it from your network.”
By Dan Sweeney