SALT LAKE CITY — There's a simple task available to all computer users that can allow them to laugh in the face of even the most malicious ransomware attack.
Back up your data.
Those words, however, are likely of little comfort to the hundreds of thousands of victims in 150 countries impacted by the WannaCry ransomware attack.
The scam, which exploits a vulnerability in older Windows operating systems, locks up users' data files, then offers a "key" or code to unlock them for a ransom payment in hard-to-trace digital Bitcoins.
Several European news outlets have reported that while the attacks have been widespread since they started Friday, perpetrators have only earned about $30,000 to $40,000 so far.
Two factors seem to be contributing to the relatively low cash haul: low ransom requests of $300 to $600, and many victims refusing to pay — which is the advice proffered by most law enforcement agencies, including the FBI.
In a posting on cybercrime on the bureau's website, FBI Cyber Division Assistant Director James Trainor said agreeing to pay only serves to perpetuate the activity.
“Paying a ransom doesn’t guarantee an organization that it will get its data back. We’ve seen cases where organizations never got a decryption key after having paid the ransom," Trainor said. "Paying a ransom not only emboldens current cybercriminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity.
"And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
Thus far, the U.S. appears to have been much less impacted by the attacks than other countries.
As of Monday morning, cybersecurity officials with the Utah Department of Public Safety had not received any reports of Utah targets of the malware, though DPS Sgt. Jeff Plank, who works with the FBI Cyber Task Force, said it's not uncommon for victims, particularly businesses, to opt out of self-reporting such incidents.
"We've learned that, in the private sector, there tends to be concern that news of a cyberattack can be damaging to a brand," Plank said.
Despite the apparent lack of impacts by the WannaCry attacks to this point, ransomware targets in Utah are on the rise, he said, with cybercriminals collecting around $22,000 from 22 victims in the state last year. So far this year, 11 Utah victims have been extorted of $15,000.
Utah Valley University professor Robert Jorgensen, director of the school's cybersecurity program, said ransomware and other cyberattacks are likely going to be a continued part of the landscape for a world now intrinsically linked with, and lived on, digital networks.
Jorgensen also noted that this particular ransomware strategy, using stolen information about a Microsoft operating system vulnerability allegedly discovered by a U.S. intelligence agency, could lead to some deeper and necessary societal conversations about how to approach and address digital security issues.
"The goal of our intelligence community is to have a stockpile of tools to attack high-value targets," he said. "The goal of Microsoft and every other software developer is to create the most secure systems they can design.
"Unquestionably, it was criminals who unleashed this malware to make money. But do Microsoft and the National Security Agency share the blame? I think that's open for debate."
Jorgensen, who worked for 20 years as a private sector cybersecurity expert before joining UVU, said that debate is already being engaged by his students.
"I think the students' positions break down much like our society in terms of this issue," he said. "If you're hawkish, then you believe we should do anything and everything necessary to defend our nation.
"And then there are those who believe there are essential things that should not be given up in the name of security, even if that extends to inadvertently creating protections for the bad guys."
Microsoft President and Chief Legal Officer Brad Smith waded into the middle of the ethical dilemma in a blog post Sunday.
Smith wrote that his company was obligated to take responsibility for addressing vulnerabilities when they are made known, as Microsoft did in this case. But consumers bear a responsibility of their own to stay current with critical patches, he said, and the spread of the WannaCry attack was exacerbated by the volume of machines that had not had the patch installed — two months after it was issued.
Smith also noted that a fundamental rethinking of tactics in addressing cybersecurity issues is in order.
"The governments of the world should treat this attack as a wake-up call," he wrote. "They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world.
"We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits."
Jorgensen said it likely behooves all involved, regardless of their interpretation of who's responsible, to engage in a productive dialogue.
"The tide is turning toward the necessity of having this conversation," he said. "These kinds of threats are going to continue, and we need to address the question: How did we get here, and where are we going?"
* * *
How to prevent a ransomware attack
• Back up. Have a recovery system in place to protect data — ideally, one in the cloud and one physical, such as a portable hard drive or thumb drive.
• Use robust antivirus software.
• Update software. When your operating system or software programs release a new update, install it.
• Trust no one. Never open attachments in emails from someone you don't know.
• Enable the "show file extensions" option in the Windows settings on your computer. This will make it much easier to spot potentially malicious files. Stay away from file extensions such as .exe, .vbs and .scr.
• If you discover a rogue or unknown process on your computer, disconnect it immediately from the internet or other network connections — such as home Wi-Fi — to prevent further infection.