Held for Ransom

Ransomware attacks are on the rise, and several libraries have been hit by opportunistic criminals.

According to the 2021 midyear Global Threat Landscape Report by FortiGuard Labs, a division of the multinational cybersecurity corporation Fortinet, ransomware attacks increased nearly 1,100 percent between June 2020 and June 2021. Separately, in the company’s 2021 survey of 455 businesses worldwide, two-thirds of respondents (67 percent) said that they had been targeted by a ransomware attack at some point in the past.

Ransomware is a form of malware that encrypts files on a computer or an entire network of computers. In many cases, the attackers do not attempt to steal data. Instead, the encryption renders the affected files and systems unusable, and the attacker demands a ransom—often thousands or even hundreds of thousands of dollars to be paid to a difficult-to-trace cryptocurrency account—to provide a key necessary to decrypt the files.

Two factors are driving the growth of these attacks, according to Fortinet’s survey report. “First, tools like Ransomware-as-a-Service and selling the names of companies that have already been compromised have commoditized the process.... Novice criminals, acting as a sort of franchisee for a cyber-criminal organization, can now successfully target organizations with little or no technical skills.... The second is that the enormous paydays that ransomware delivers have been broadly discussed in the news.”

“I hate to say this, but everyone actually needs to be concerned about this,” says library technology consultant Carson Block. “The ransomware industry, I’ll call it, is essentially organized crime with a profit motive.... They don’t care who they hit, or what they’re taking down, as long as they can make money.”

Libraries would seem to be an unlikely target for cybercriminals looking for a payout. As Block puts it, “We don’t have money to begin with, and the money we have, we can’t get to very quickly.” Also, while the majority of ransomware attacks to date have not involved data theft, this is always a point of concern after any network breach. But libraries store much less personal information on their customers than many other organizations. “We do the right things,” Block says. “We don’t collect too much data on purpose. It’s part of our culture, and in many states there are legal statutes to protect privacy and confidentiality. Most folks I know of have decided that the best way to do that is to not collect [personal] information that they don’t need to run the library.”

But many ransomware attacks are indiscriminate and opportunistic. Last fall, the U.S. Government Accountability Office released a report noting that throughout the country, K–12 schools—which are also not likely to have quick access to large sums of money—have “increasingly reported ransomware and other types of cyberattacks.”

 

RECENT ATTACKS

A ransomware attack shut down the Toledo Lucas County Public Library’s (TLCPL) network on the morning of October 31, 2021. Executive Director Jason Kucsma explained how disruptive an attack can be, noting that it took about two weeks to fully recover functionality to all systems. “That includes hand-checking items out,” he says. “We couldn’t check items back into the ILS.”

The two-week disruption was despite a rapid, coordinated response to the attack. The library’s IT department confirmed the attack in the morning, and by the end of the day TLCPL executives had engaged a team of attorneys and contracted cybersecurity incident response and forensic analysis company Tetra Defense to help restore the network and investigate the source of the attack, explains Mike Graybeal, director of operations and deputy fiscal officer for TLCPL.

And “fortunately—or unfortunately—the pandemic forced us in March 2020 to build a continuity of operations plan, which we did not have in place before,” Kucsma says. “That really gave us marching orders about what roles and responsibilities each person had in the event of a disaster like this.”

Shifted workflows due to the pandemic also somewhat mitigated disruption during a ransomware attack at the Central Piedmont Community College (CPCC), NC, library in February 2021. “The cyberattack occurred when we were still doing limited in-person operations and services,” says CPCC Director Jennifer Arnold. “So, in the immediate aftermath, we just pivoted to going back to fully online [with third-party services that had not been impacted, such as chat] and fully working from home. We closed the libraries physically until we could get essential services back. We felt that students would be more frustrated about the limited things they could do without computer access.”

According to news reports, other libraries that have been victims of ransomware attacks during the past couple of years include Contra Costa County Library, CA, in 2020; Daviess County Public Library, KY, in 2019; Kokomo-Howard County Public Library, IN, in 2020; and Volusia County Public Library, FL, in 2020. Numerous other systems have been indirectly impacted by attacks on city governments, local schools, and other civic institutions.

 

BEST PRACTICES

The Federal Bureau of Investigation’s (FBI) 2021 “Ransomware: What It Is and What to Do About It” fact sheet lists three of the most common ways that attackers are currently infiltrating systems:

  • Email phishing campaigns: The criminal sends an email with a malicious file or link, deploying malware when clicked by a recipient. In some cases, they may first compromise the email account of someone within the organization, so the files or links appear to be from a trusted internal source.
  • Remote Desktop Protocol (RDP) vulnerabilities: Users might be familiar with this feature if they’ve ever had tech support take over their computer remotely to install a software license or fix a problem. If a criminal obtains a user or administrator’s credentials or exploits an unpatched vulnerability, they can use RDP access to deploy a range of malware, including ransomware.
  • Other software vulnerabilities: Criminals can exploit security weaknesses in widely used software programs to gain control of a victim’s system and deploy ransomware.

To minimize ransomware risks, the FBI recommends the following best practices:

  • Regularly back up your organization’s data, system images, and configurations, test the backups, and make sure the backups are not connected to the network.
  • Have staff use multi-factor authentication to log into their work email and other work accounts.
  • Update and patch your systems whenever updates are issued.
  • Keep all security solutions up to date.
  • Create an incident response plan and test it.

The FBI discourages organizations from paying ransomware attackers to unencrypt their files, contending that doing so encourages criminals to target additional victims. Also, the agency points out that there is no guarantee that the attacker will actually unlock an organization’s system after they are paid. And unless the vulnerability that enabled the attack is fixed, there is no guarantee that the attacker won’t strike an organization again—even if the ransom is paid.

 

CONSIDERING INSURANCE

Cyber insurance, whether purchased separately or added to an organization’s existing policy, offers an additional way to mitigate the damage from ransomware and other types of cyberattacks. For example, TLCPL’s insurer connected the library with Tetra Defense, and the firm’s assistance in the immediate aftermath of the attack, as well as the forensic investigation that continued after TLCPL’s systems were restored, was paid for as part of a claim.

“One thing that we did learn after the fact was that if you don’t have a cyber insurance policy in place and you have an incident like this, the likelihood of you getting someone in this role—on the fly, in 24 hours—is probably slim to none,” Graybeal says. And, as cyberattacks of all types are becoming more common, “it seems like all of these kinds of things are being peeled out of general liability policies,” he adds.

According to a recent study by New York–based small business consulting group AdvisorSmith that used quote estimates and rate filings from over 43 insurance companies nationwide, the average cost of a cyber insurance policy with a liability limit of $250,000 is $739 per year. A post about the study also notes that those that don’t store sensitive information about customers “usually have the lowest cyber insurance premiums.”

 

PLAN IN PLACE

Small libraries may lack the funds to pay for additional insurance, and may not have extensive IT experience on staff. But organizations of any size or budget can prepare by making regular backups of important data and having a plan in place in case a library’s computers and technology systems are down for a week or more.

“Frequent offline backups—in other words, backing up data and not letting [the backup storage] be plugged into any connection to the network or internet where it could be accessed remotely—that is still a good strategy for not losing data,” Block says. “That doesn’t necessarily protect other areas of an operation, but unique data has a priority.... That’s followed by looking through the scenario. What would happen if our computers were not working…what is our plan for public services?”

Having ways to contact staff other than work email, such as having alternative contact information stored either in print or off the library’s main network, is also important, and is generally a good practice for any emergency planning scenario. CPCC has a Webex account, and was able to use the platform’s instant messaging features to reach all staff who had not logged off prior to the attack, Arnold says. “Some people were in the habit of logging off at the end of their work day, and if they had done that, they did not have access,” she says. “We had about 13 staff members in that boat…but I had their cell phone numbers, and just created a group text. All of the information I was sending out in Webex, I copied and pasted to send to that group to keep them connected.”

Arnold also suggests having a single point person communicate with staff during such a disruptive event. “Someone who is trusted, who is a good communicator, so that information is coming from one voice,” she says. “I think when staff get communication from different people who have different communication styles, that information can seem confusing and often overwhelming.”

Outreach to patrons is also important, and in the event of an attack, libraries should have an outreach plan that is not dependent on email lists or their websites. Terri Carroll, TLCPL director of communications, innovation, and strategy, notes that “our website was disabled as part of this, and of course that is one of the main ways we [normally] communicate with the community, so we used our social media channels to let people know that our systems were not available temporarily.” Kucsma adds that with the help of their legal team, the library was as transparent as possible with the public during the days immediately following the attack and the beginning of the investigation.

“We have such great community goodwill,” says Carroll. “They knew we were doing everything we could to get back online, and they were sympathetic.”

Having a printed or offline list of direct contact information for key vendor reps can also be very useful if a library’s network goes down. “We belong to a statewide consortium, and we were still able to access [those resources] with our usernames and passwords. But the databases we buy ourselves, we reached out to our account reps and said, ‘Can you help us with access during this time period?’” because the attack had taken down the library’s proxy authentication, Arnold says. “That’s harder to do when you’re calling a generic customer service line.”

And having “redundant copies of very critical bits of information tied to continuity of operations” stored in multiple accessible locations, including locations not tied to the library’s main network, is crucial, Graybeal says, citing insurance policies as an example.

“I think, also, having a close relationship with whoever your financial institutions are, and to know in advance what are their expectations should you find yourself in this situation” is important, Kucsma says. The attack on TLCPL happened just before payroll. “Fortunately, we have good relationships with the banks that we work with, and we were able to reach out to them directly and say, ‘We need to do payroll, here’s the situation, what do you need from us to make this work?’”

 

GOVERNMENT RESOURCES

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) offers numerous resources at cisa.gov/stopransomware, including a recently published guide, created in partnership with the nonprofit Multi-State Information Sharing and Analysis Center (MS-ISAC), that includes ransomware prevention best practices and a comprehensive ransomware response checklist. The site also includes a page with regularly updated ransomware alerts from CISA, the FBI, and the U.S. Department of the Treasury; training resources; links to CISA’s free Cyber Security Evaluation Tool (CSET) software and its Ransomware Readiness Assessment, which help guide users through a step-by-step process to evaluate their organization’s cybersecurity practices; links to more than a dozen webinars from CISA and other government agencies; and links to CISA’s free testing services designed “to help organizations assess, identify, and reduce their exposure to threats, including ransomware.”

The FBI encourages all victims of ransomware attacks to contact their local field office at fbi.gov/contact-us/field-offices, file a complaint with their Internet Crime Complaint Center (IC3) at ransomware.ic3.gov, report it to CISA at cisa.gov/uscert/report, and/or report it to the agency’s National Cyber Investigative Joint Task Force via the 24/7 support line at 855-292-3937 or CyWatch@fbi.gov. According to the agency, reporting attacks provides FBI investigators with critical information needed to track and apprehend the groups or individuals behind these attacks and new variants, and potentially prevent future attacks.

In addition, several states—including North Dakota, West Virginia, Washington, and North Carolina—now have state laws requiring public agencies to report cyberattacks (in addition to the security breach notification laws in all 50 states). Last year, Indiana also passed a law requiring government-funded entities to report cyberattacks to the state office of technology; the bill was authored by state Rep. Mike Karickhoff after his local library, the Kokomo-Howard County Public Library, was temporarily shut down by a ransomware attack in September 2020.

“This was not a red or blue thing,” Karickhoff told Stateline, a publication of The Pew Charitable Trusts, following the unanimous passage of his bill. “Everyone understood that this could do great harm quickly, and it’s nobody’s fault if they’re taking security measures and they still fall short.”

Matt Enis

menis@mediasourceinc.com

@MatthewEnis

Matt Enis (matthewenis.com) is Senior Editor, Technology for Library Journal.
