Ransomware & the Public Library

written by Jessica Rodrigues as an assignment in June 2020 for LS 590 at the University of Alabama

Let's start with a short story...

Around February or early March of 2020, I signed up for a free library account with Edelweiss. I decided it didn’t really offer anything I needed that I wasn’t already receiving from other vendors, so I never used the account.

A couple of weeks later, I received an email at work from Edelweiss thanking me for my membership and telling me that my March invoice was attached. I panicked a little. Did I accidentally sign up for a free trial that ended? Did a coworker click on something and authorize a charge?

I looked more closely at the email. It looked legitimate. The sender was the address I received all my Edelweiss correspondence from and there were no typos or other oddities, other than the fact that the attached invoice was a .docx file. (The vendors I do business with that send electronic invoices use a .pdf or a .xlsx file type.) When I tried to open it in Microsoft Word, a little yellow band showed across the top warning me that I had downloaded something from the Internet and I needed to click another button to fully access it.

This is not the email, but it looked very similar. Image source: GreyHatHacker.net

By then, I noticed it was time for me to leave for the day, so I decided to deal with it the next day.

A short while later, I got another email from Edelweiss that said DO NOT OPEN THAT EMAIL, DO NOT DOWNLOAD THE INVOICE, and DO NOT CLICK TO EDIT IT IN WORD, because doing so would install ransomware. Someone had hacked the Edelweiss Constant Contact email lists and sent out a phishing email. If I had clicked to allow access to that supposed invoice, I would have opened up the library server to a ransomware attack.

Thank you, five o'clock, for stopping me from running that script.

Ours wouldn’t have been the first library to be attacked by ransomware.

A growing number of public libraries have recently been targets of ransomware attacks.

This is especially concerning for libraries because it puts private data at risk and can be a significant financial burden.

What is ransomware?

The United States Cybersecurity and Infrastructure Security Agency (CISA) defines ransomware as

a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website. ... there is no guarantee that individuals will recover their files if they pay the ransom.

Who are the victims?

So many public libraries have been victims of malware that it is difficult to keep track of just how many. Through my research I was unable to find a comprehensive list. However, even a simple Google search or search of a librarian group Facebook page will turn up hit after hit of libraries having to either pay a large sum of money for the encryption key or going back to outdated server backups.

While there have been several places targeted, we're going to look briefly at two cases from the last year: the Onondaga County Public Library System in Syracuse, New York (July 2019) and the Volusia County Public Library in Daytona Beach, Florida (January 2020). Both were hit by a particularly nasty attack by Ryuk ransomware, which is generally believed to be of North Korean origin but is currently used by a Russian crew.

Both libraries have been hesitant to say how the breach occurred or how much money was spent on resolving it. It is difficult to find information about recent cases, as there are active FBI investigations.

What happened?

At Onondaga and Volusia Libraries, patrons and staff were initially unable to use phones, computers, WiFi, the catalog, and any e-resources. Each attack was discovered at the beginning of the business day, and forensics suggest that the attack began overnight.

Volusia County was able to quickly restore fifty computers for use in day-to-day business and handling circulation, but the rest of the 600 computers remained inaccessible for over two weeks.

Onondaga Libraries did not have computer access for over three weeks.

What is the motive?

Greed. While this is a cybercrime, it is not cyberterrorism, and there's no reason to believe it is being done for ideological or strategic reasons. Scammers do this because it pays handsomely.

There is no evidence that scammers have ever sold or used the data they held hostage, but it is always a possibility, and is especially worrisome considering patron privacy concerns.

Heimdal Security has a list of some significant recent ransomware payouts, including Riviera Beach City, Florida, which paid about $600,000. (This was a small town and not a library, but was the victim of the same kind of attack.)

Cyber insurance against this kind of attack exists, so an insured institution may only have to pay its deductible.

What technology is used?

Ransomware victims are often hesitant to admit what behavior caused the security breach. It is believed that many of these attacks are the result of user error, such as disabling firewalls or antivirus features in order to boost system performance, or clicking on a phishing email. Many affected libraries had up-to-date antivirus protection, suggesting the attacks may be the result of phishing scams.

image credit: MyAlignEdit

MyAlignEdit.com offers an excellent explanation of ways to suss out phishing scams. However, bear in mind that hackers may also gain access to legitimate email addresses and send mail from them, making it look like a normal email. Be suspicious of receiving an attachment from senders who do not usually attach files, or receiving odd requests from known senders.

(I once received an email from a scientist at the Museum of Science and Industry in Chicago with whom I had met a few times in passing at continuing education events. The email included an attachment and said she wanted my collaboration on a research project, and to download the file and familiarize myself with it. Why would she reach out to me for assistance on a project outside of my field? It was indeed a phishing scam perpetrated by someone who gained access to her email password.)
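The two warning signs above (an attachment from a sender who never sends them, and an attachment type a vendor has never used) can be checked against a per-sender baseline before anything is opened or "enabled". This is an added example, not code from the original post; the message history and addresses are constructed.

```python
"""Sender-baseline attachment check, an added example (not from the original post).
Builds a per-sender baseline of attachment types from constructed message history
and returns the reasons a new message deserves a second look before it is opened."""
import os
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed history: (sender, attachment filenames) for past messages.
HISTORY: List[Tuple[str, List[str]]] = [
    ("invoices@vendor.example", ["feb_invoice.pdf"]),
    ("invoices@vendor.example", ["feb_detail.xlsx"]),
    ("colleague@museum.example", []),   # a contact who has never attached anything
    ("colleague@museum.example", []),
]

# Office document formats; opening one shows the "enable editing/content" bar the post mentions.
OFFICE_DOCS = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm"}

def _ext(name: str) -> str:
    return os.path.splitext(name)[1].lower()

def build_baseline(history: List[Tuple[str, List[str]]]) -> Dict[str, Set[str]]:
    """Map each known sender to the set of attachment extensions seen from them (empty if none)."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for sender, files in history:
        baseline[sender].update(_ext(f) for f in files)   # touching the key records the sender
    return dict(baseline)

def assess(sender: str, attachments: List[str], baseline: Dict[str, Set[str]]) -> List[str]:
    """Return the reasons this message is anomalous; an empty list means it fits the baseline."""
    reasons: List[str] = []
    exts = {_ext(a) for a in attachments}
    if not exts:
        return reasons                      # nothing to open, nothing to flag here
    seen = baseline.get(sender)
    if seen is None:
        reasons.append("unknown sender with attachment")
    elif not seen:
        reasons.append("sender has never sent an attachment before")
    else:
        for ext in sorted(exts - seen):
            reasons.append(f"attachment type {ext} never seen from this sender")
    for ext in sorted(exts & OFFICE_DOCS):
        reasons.append(f"{ext} is an Office document; do not click to enable editing or content")
    return reasons
```

The .docx "invoice" from the post's story would be flagged twice: as a type the vendor has never used, and as an Office document that should not be switched out of protected view.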

Ransomware can also find its way into a system through preexisting malware.

Libraries are particularly vulnerable to email phishing scams because it is not only trained staff that uses library computers -- the public uses them, too. It is difficult to determine where the breach occurred because it could have been a staff member tricked into opening a dangerous attachment or it could have been a patron clicking on a suspicious link. There are several access points.

Ryuk ransomware begins by disabling antivirus processes, then spreads through the system and encrypts all files except those needed to maintain system stability. Affected files have their file type changed to a .ryk extension. It will also try to disable any backups that are stored on the server.
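Because the post describes a distinctive on-disk signature (files renamed to .ryk, a note left beside them), a file share can be checked for it. The following is an added example, not code from the original post or from any vendor; the sample share is constructed in a temporary directory and the alert threshold is an assumption.

```python
"""Ryuk-style encryption indicator scan, an added example (not from the original post).
Walks a file share, counts files renamed to the .ryk extension the post describes,
and lists .txt files sitting beside them as candidate ransom notes."""
import os
import tempfile
from dataclasses import dataclass, field
from typing import List

RANSOM_EXT = ".ryk"    # extension the post says Ryuk gives affected files
ALERT_RATIO = 0.10     # assumed: alert once 10% of files on the share carry it

@dataclass
class ScanResult:
    total_files: int = 0
    encrypted_files: int = 0
    candidate_notes: List[str] = field(default_factory=list)

    @property
    def ratio(self) -> float:
        return self.encrypted_files / self.total_files if self.total_files else 0.0

    @property
    def alert(self) -> bool:
        return self.ratio >= ALERT_RATIO

def scan_share(root: str) -> ScanResult:
    """Count .ryk files under root; note .txt files in any directory that has them."""
    result = ScanResult()
    for dirpath, _, names in os.walk(root):
        hits = [n for n in names if n.lower().endswith(RANSOM_EXT)]
        result.total_files += len(names)
        result.encrypted_files += len(hits)
        if hits:   # a text file is only interesting next to encrypted files
            result.candidate_notes += sorted(
                os.path.join(dirpath, n) for n in names if n.lower().endswith(".txt"))
    return result

def build_sample_tree(root: str, encrypted: bool) -> str:
    """Constructed sample: a small circulation share, optionally in its post-attack state."""
    docs = os.path.join(root, "circulation")
    os.makedirs(docs, exist_ok=True)
    for name in ["holds.xlsx", "schedule.docx", "policy.pdf", "stats.csv"]:
        with open(os.path.join(docs, name + (RANSOM_EXT if encrypted else "")), "w") as f:
            f.write("placeholder")
    if encrypted:
        with open(os.path.join(docs, "README.txt"), "w") as f:
            f.write("constructed note: contact <placeholder address>")
    return root

def demo(encrypted: bool) -> ScanResult:
    """Build the sample share in a temp dir, scan it, and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_share(build_sample_tree(tmp, encrypted))
```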

Recovering the encrypted data requires a decryption key, which must be bought with Bitcoin. The encryption is specific to each victim, so even if a former victim were to publicly post the key they paid the ransom for, it wouldn't work for anyone else.

No publicly available tool can decrypt Ryuk files without paying the ransom. According to a 2019 interview with Brett Callow, a New Zealand-based threat analyst, some other forms of ransomware contain flaws that make it possible to restore the system without paying, but Ryuk has no such flaws.

A text file is often left behind with instructions and an email address through which the victim can negotiate for the decryption key. While no library has released the text of its demand letter, here is a Ryuk ransom note published by Malwarebytes.

image source: Malwarebytes

What was the local response?

The attack at the Onondaga Libraries was covered by local news media, especially because it coincided with another attack on the Syracuse City School District. (Syracuse is part of the Onondaga system.) The school district wound up paying $50,000 (the cost of their insurance deductible) to reinstate access, but the library reportedly never received a ransom note. Little information has been released concerning the library's case, as it is part of an active FBI investigation, but officials stressed that no patron data appeared to have been accessed.

Volusia County was very quiet about the attack and released very little public information other than announcing to patrons what was accessible and what was not.

Both libraries, while remaining rather tight-lipped, repeatedly stressed to patrons that at no point was their private data at risk and that the libraries did not even store sensitive patron data.

What is the wider response?

Ransomware isn't just hitting libraries. Small municipalities are easy victims because they generally have a small IT staff and a solid insurance policy whose insurer may be willing to pay a ransom.

The most recent large appropriations bill in Congress included language creating DHS Cyber Hunt and Incident Response Teams to assist organizations that find themselves the victims of these kinds of attacks. While the specifics of what these teams may look like and what they may do have yet to be released, my reading of the bill suggests library systems could qualify, which would have been helpful for the St. Louis Public Library system when it was hit back in 2017. Originally drafted as a standalone bill and passed in the Senate, it had bipartisan support and can be expected to keep that support despite the current hyperpartisan climate.

Prevention, moving forward, and what does this all mean?

The US-CERT website has a simple list of ways to avoid falling victim to ransomware. In sum:

  • Allow computer users only the bare minimum of permissions required to fulfill their job functions. (i.e., the entire circulation staff does not need the admin login.) This limits the damage that can be done by limiting the number of people who can accidentally cause it.

  • Allow only approved programs on the network. (Anyone who has worked in a public library with children knows that they can download Roblox regardless of what protections you install on the computer. This is tricky when it comes to public access computers, predatory software, and unsophisticated users.)

  • Use strong email filters to block phishing spam and to scan emails for malware.

  • Additionally, create frequent backups of the system and store them offline, so that your institution has the option of restoring from backup in the event of a ransomware attack.

Libraries have an additional duty of care to safeguard patron data. Store only the minimum amount of patron data required, and avoid saving credit card information, driver's license numbers, or social security numbers. (Honestly, there is no reason for a library to store any of these in any medium, and if your library does keep this information, I strongly advise against it.)

It would be unreasonable to try and conduct major library business offline, but consider storing patron information as paper files in a locked drawer somewhere. It is much harder to take a file cabinet hostage from overseas, and in the event of a hostile data takeover, that is one less thing to worry about.

Ultimately, libraries are easy targets by their very nature as a place of access. A system locked down too tightly is difficult for patrons to navigate and for staff to use, and any computer system is only as strong as its weakest link. Users with a very basic understanding of computer security use public access terminals every day and potentially open up the library to attack.

Libraries should be vigilant, maintaining good security practices, seeking out ways to educate staff and patrons about internet safety, and developing contingency plans with IT professionals for what to do in the event of an attack. They should also not be surprised to find themselves targeted.