Situated unobtrusively in a CFSC Currency Exchange on Milwaukee’s East Side is a Bitcoin ATM where users can buy and sell the cryptocurrency using cash.
In some instances, business owners have been known to use the DigitalMint ATM, 1407 E. Brady St., when they become the subjects of ransomware attacks, which often lock down all of a business’s important files and demand a ransom before access is restored. These criminals’ currency of choice is often a cryptocurrency like Bitcoin because of the relative anonymity of the transactions.
Dan Placek, senior systems engineer at Swick Technologies LLC in New Berlin, helps business customers prevent and address these types of attacks. He’s really good at it, because he used to be on the other side of the proverbial coin.
Placek was previously a black hat developer who helped create Darkode, a marketplace for hackers to buy and sell malware and other malicious online tools. He was busted by the FBI in 2010 and in 2015 was sentenced to two years of probation.
His experience with breaching security gave Placek a unique skillset that helps him fight the hackers now that he’s back on the up and up. At Swick, Placek is responsible for designing, engineering and implementing networking and server security solutions for business clients.
Ransomware attacks have become more common as the cryptocurrency market has taken off in recent years and criminals have been emboldened by their ability to get away with them, he said. And the more frequently companies pay ransoms, the larger the industry gets.
“On any given day, I guarantee you there’s at least one business here in Wisconsin that’s dealing with (a ransomware attack),” Placek said. “We have avoided paying (a ransom). I definitely have encountered people who have paid it, though.”
The key to not paying the ransom is being prepared for an attack.
“The No. 1 piece of advice that I could give, oddly enough, is not really around security so much, but about backups,” Placek said. “Usually the businesses that ransomware is most damaging to are ones that do not have working or current backups in place.”
Critical business data should be backed up at least once every 24 hours so if files are encrypted during a malware attack, most of the data can be recovered.
Chris Hippensteel, network system administrator for a 200-user network at information technology consulting firm New Resources Consulting in Milwaukee, said he recommends keeping some backups offline and some backups offsite for added security.
Backups are most important, but businesses should also check the other security boxes: installing antivirus software on all computers and at the network level, educating employees about potential malware entry points, and monitoring for suspicious activity, they said.
Placek said he frequently encounters businesses that have installed antivirus software but haven’t kept up with it.
“We regularly find businesses that their antivirus has expired or they’ve got a few computers that it wasn’t installed on,” he said, pointing out even broken or unused computers could be an access point to the network.
A next-generation firewall, or a DNS-layer filtering service such as Cisco’s OpenDNS, can be used to scan the business’s network traffic and alert leaders when a workstation tries to connect to a malicious server.
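The alerting the paragraph describes boils down to matching each outbound DNS lookup against a list of known-bad domains and reporting which workstation asked. The script below is an added illustration of that logic, not code from the article or from any product it names: the log format, the blocklist and the sample lines are all constructed, and the matching deliberately walks parent zones so that a subdomain of a listed domain is caught as well.

```python
"""Flag workstations whose DNS lookups hit a known-malicious domain list.

Added example (not code from the article or from any vendor product it
mentions). The resolver log format, the blocklist and the sample lines
below are all constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed blocklist: stand-ins for domains a threat feed has marked as
# malware command-and-control or payload hosts.
BLOCKLIST = {
    "bad-updates.example",
    "payload-cdn.example",
}

# Constructed resolver log format:
#   "<ISO time> client=<ip> query=<name> type=<rr>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<qname>\S+)\s+type=(?P<rtype>\S+)$"
)

# Constructed sample log, including one line that does not parse.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z client=10.0.5.21 query=www.example.org. type=A
2024-03-04T09:12:07Z client=10.0.5.33 query=cdn.bad-updates.example. type=A
2024-03-04T09:12:09Z client=10.0.5.33 query=cdn.bad-updates.example. type=AAAA
2024-03-04T09:13:44Z client=10.0.5.21 query=mail.example.org. type=MX
2024-03-04T09:14:02Z client=10.0.5.40 query=payload-cdn.example. type=A
not a log line at all
"""


def domain_is_blocked(qname, blocklist=BLOCKLIST):
    """True if qname or any parent zone (excluding the bare TLD) is listed.

    Checking parent zones catches cdn.bad-updates.example when only
    bad-updates.example is on the list; a plain set lookup would miss it.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def find_alerts(log_text, blocklist=BLOCKLIST):
    """Return (timestamp, client, qname) for every blocked lookup.

    Lines that do not match the expected format are skipped rather than
    allowed to abort the whole run.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        qname = m.group("qname")
        if domain_is_blocked(qname, blocklist):
            alerts.append((m.group("ts"), m.group("client"), qname.rstrip(".").lower()))
    return alerts


def clients_to_isolate(alerts):
    """Group alerts by client so responders can see which workstations to
    pull off the network first, which is the first step the article gives."""
    by_client = defaultdict(set)
    for _ts, client, qname in alerts:
        by_client[client].add(qname)
    return {client: sorted(names) for client, names in by_client.items()}


if __name__ == "__main__":
    hits = find_alerts(SAMPLE_LOG)
    for ts, client, qname in hits:
        print(f"ALERT {ts} {client} -> {qname}")
    print(clients_to_isolate(hits))
```

A real deployment would read the resolver's own log stream and refresh the blocklist from a threat feed; the point here is that the alert is keyed on the client address, because that is what tells the response team which machine to unplug.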
“One of the biggest things is to educate your employees about ransomware, how it attacks, letting them know about phishing emails, random websites they might be opening,” Hippensteel said.
At NRC, Hippensteel locks down which programs can write files to the temporary and data folders on each computer, limits which users have administrator and system access, and maintains and updates software and operating systems frequently.
“If you can prevent it, absolutely that’s what we look to do, but 100 percent prevention is pretty difficult to achieve,” Placek said.
“We run daily, weekly and monthly backups of our important data, and even then it can be hard,” Hippensteel said. “Your company might be hit by ransomware and ransomware could be installed on your server for three months before it even starts attacking any files.”
In the instance a company is attacked by ransomware, both Placek and Hippensteel strongly advised not paying the ransom.
“We’d certainly never recommend paying the ransom unless you truly have to,” Placek said. “This has become a multibillion-dollar ‘industry,’ ransomware and all the things related to it.”
The first thing to do is unplug the machine impacted by the ransomware attack to stop the spread of the virus across the company’s network.
“At that point, alert the team and management that there’s been an attack, that we’re working on it, that some data might not be accessed,” Hippensteel said.
Then the arduous process of restoring data and files can begin, which includes combing through files, sometimes tens of thousands of them, for any malicious files that may be hiding there.
“You’ve got to go through with a fine tooth comb and make sure you’ve found all the sources of infection and remove them,” Placek said.
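One way to make that comb-through tractable is to record a hash manifest when the backup is taken, then compare the restored tree against it: files whose content changed, files that vanished and files that were never in the backup each get their own list. The script below is an added example written for this article, not code from either firm quoted in it; the manifest convention and the constructed file tree are assumptions made here so the script runs offline.

```python
"""Check a restored file tree against a SHA-256 manifest taken at backup time.

Added example, not code from the article or from either firm quoted in it.
It assumes each backup is accompanied by a manifest of SHA-256 digests (a
convention chosen for this example) and builds a constructed file tree so
that it runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX separators) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def scan_restored_tree(root, manifest):
    """Compare a restored tree with the backup-time manifest.

    Returns a dict with three sorted lists:
      modified   - present in both but content differs (e.g. encrypted in place)
      missing    - in the manifest but absent from the tree
      unexpected - on disk but not in the manifest; the first place to look
                   for the malicious files the article warns may be hiding
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Build a constructed backup, then a tampered restore, and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "finance").mkdir(parents=True)
        (backup / "finance" / "ledger.xlsx").write_bytes(b"constructed ledger data")
        (backup / "notes.txt").write_bytes(b"constructed notes")
        manifest = build_manifest(backup)

        restored = Path(tmp) / "restored"
        (restored / "finance").mkdir(parents=True)
        # Constructed tampering: ledger altered in place, notes gone,
        # and one file that was never part of the backup.
        (restored / "finance" / "ledger.xlsx").write_bytes(b"!!ENCRYPTED!!")
        (restored / "finance" / "stray.bin").write_bytes(b"constructed stray file")
        return scan_restored_tree(restored, manifest)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The manifest has to be stored with the offline or offsite copy, not on the server being restored; a manifest that the attacker could rewrite tells you nothing.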