Ransomware: What dealers need to know


John Osinga

The massive WannaCry ransomware attack highlighted just how deep the tentacles of cyber criminals can reach. The virus, launched in mid-May in over 150 countries, infected hundreds of thousands of systems by locking files and demanding money be paid for encryption codes.

While Canada appears to have been relatively unaffected by the malware, it attacked everything from Spain’s telecommunications to Germany’s rail system. One of the most notable victims was Great Britain’s National Health Service as roughly 70,000 computers were locked causing disruptions at hospitals across the country.

To get a handle on things and explain what this all means to dealers, Canadian AutoWorld spoke with its resident computer security expert, John Osinga, to find out the details and what every dealership should be doing to protect itself.

Canadian AutoWorld: The WannaCry ransomware attack made headlines around the world. What was it and what happened?
John Osinga: It was a massive and coordinated attack on computers and systems across the world. While we have seen ransomware attacks in the past, this was one of the largest to date.

What also made WannaCry unique was a new capability we haven’t seen on ransomware previously. This virus reportedly had what’s called worm capability, meaning once it was on a computer connected to a network, it could tunnel through the system. That means not only did it infect the local computer, but it could spread across networks to other PCs.

What is ransomware?
Much like the name suggests, it is a type of computer virus that will either scramble the file names or append them with a new name and encrypt it. In other words, it locks the entire file structure of the computer so a user cannot use it without a release key. The release key is usually a very long, complicated password.
A message will usually appear on the screen informing the user their files have been locked and that they have to pay a ransom in bitcoin to get the release key. The message will have instructions on where to go to pay the ransom, but there is no guarantee you will get the release key if you pay. It can be 50/50.

There are many thousands of variants of ransomware and they are coming out with new stuff all the time. Some new versions will analyze if it is on a local PC or a server. If it is on a server, it can figure out how many users are on that system and will automatically calculate what the ransom should be based on how much damage it can do. The intelligence is built right into the software.

How does bitcoin fit into this and where do you get it?
Bitcoin is a cryptocurrency and digital payment system. It is available in machines that look like ATMs in more and more cities around the world. There are also brokers who will trade cash for bitcoin. It can be set up like a PayPal account where users can integrate their own bank account with bitcoin.

Hackers want to be paid in bitcoin because of anonymity. When sent to the Dark Web, the black market of the Internet, it is virtually untraceable. It is sent to virtual wallets and because of the encryption and the routing that it takes across the Dark Web, even the most sophisticated tools cannot trace it.

What if you don’t pay the ransom?
There are some unlock keys available on the Internet for some ransomware variants that are provided by the different antivirus companies that may unlock specific infections.
Generally, you will have to reformat everything, get rid of all your old files and restore the computer and the system from the backups. It is key to have backups of files and make sure it is isolated and protected in some way or physically not connected to the main system. If the backup is plugged in with no protection, those files will be encrypted, too.

Pay the ransom or not, time is usually of the essence. In most cases, there is a countdown timer on the locked screen explaining how they have a predetermined number of hours to pay the ransom. The price will go up at certain intervals and, if a victim doesn’t pay within the allotted time, the hackers might wipe the system entirely.

We have heard a few dealerships in Canada have already fallen victim to ransomware attacks in recent years. What damage is done in these cases?
It is not talked about a lot, but there are dealerships in Canada that have been hacked with ransomware. It’s happened on a local PC and on an entire network. You lose all access to your files and it has a dramatic impact when trying to service customers. A lot of dealers have had tunnel vision about their operations for a long time. They focus on sales and service because those have always been their main profit centres. These dealers may have looked at network security and digital security as a hassle. If WannaCry and similar attacks that we don’t hear about prove anything, it’s that security has to be an integral part of their operations – from rank-and-file straight through to upper management.

We regularly write about the increased use of tablets in car dealerships. Are tablets susceptible to ransomware?
Yes, anything that runs a Windows-based system can be infected. And don’t think because you’re on iOS that you are safe. Even though the majority of viruses are Windows-based, there are some that target Apple systems as well.

Coming up the ranks is a new ransomware targeting phone systems, too. Cellphones are now being infected with ransomware and owners have to pay to unlock their own phone.

What can Canadian dealers do to prevent or limit this type of attack?
The best place to start is to train your staff and management group. Knowledge is the key to helping you understand risks of the technological society we live in. You have to be aware about the people and what they are doing that might bring harm to your systems. It’s not just about selling cars. Educated staff members are a major level of protection.

The best advice really starts with the basics: don’t open emails from unknown senders, don’t open attachments in emails from unknown senders and don’t go to websites you shouldn’t. It is also important to have several layers of security and support the IT team and their goals.

Have antivirus at the entry point to the dealership that scans everything that comes into your store.

Dealers should also have in place an alternative secondary protective antivirus provided on every desktop that provides layered protection and redundancy.

Make sure that your computers are up to date with all software patches from the vendor (Microsoft, Apple), as these security updates will help protect your systems. The ultimate protection is in having recent secure backups of all the critical data files on your various systems. If there is a disaster, files can be restored quickly and reliably. The question is not if you will be infected but rather of when and how well you are able to weather the turmoil caused by the fallout of having a ransomware virus attack in your business.