AEMP Focus on Technology: Ransomware and Your Fleet

Taking internet-connected computers and equipment hostage has become big business. Here's what you need to know — and do.

Is your fleet vulnerable to ransomware or hacking? The short answer is yes.

Construction companies and fleet managers have embraced, and become proficient with, the Internet of Things (IoT) devices that help them manage their business. Unfortunately, internet criminals are just as proficient, and they have noticed our industry.

In light of well-publicized ransomware and hacking events, we asked an expert whether the software and telematics we use in the construction industry are vulnerable to these threats.

Again, the short answer is yes.

Kevin Epstein, vice president of Proofpoint’s Threat Operations Center, said a new ransomware worm is released every two or three days, trolling the internet in search of an unprotected digital device. In fact, according to, ransomware attacks increased 748 percent in 2016.

Why? It's big money. Cyber criminals made more than $1 billion from ransomware attacks in 2016. Some corporations, with their computer systems held hostage, reportedly paid thousands of dollars to get their data back. Small and medium-sized companies are often targeted because they frequently have poor cyber security. Those companies may mistakenly believe they are too small to be a profitable target, but the kidnappers work the percentages: sending out an attack is cheap and easy, and if attackers hit enough companies, those small $300 ransoms add up to big money.

The ransomware industry has its own economy. Some attackers write and run their own campaigns, but ransomware is also subcontracted out. Proven, successful strains are offered on the dark web, where affiliates run the purchased code in exchange for handing the developer a share of the ransoms paid. The crime has evolved into "ransomware as a service": instead of charging a fee for the code, the developer gives would-be attackers a no-cost point of entry and is happy to take a 50 percent cut of each ransom paid.

Epstein responded to our question regarding risks for internet-connected systems in the construction industry. "Yes, connections to third-party systems unfortunately can expose the network to compromises like the ones seen in the WannaCry ransomware attacks. Organizations need to ensure that their network/firewall policies don’t expose their vulnerable services. Security teams can also install an IDS rule set that is tuned to stop the spreader behavior of malware, and detect command-and-control activity."
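The "spreader behavior" Epstein mentions can be picked out of ordinary firewall or flow logs without any special appliance. The script below is an added example written for this article, not Proofpoint's ruleset or any product's code. It assumes a log with one connection per line (timestamp, source, destination, destination port, protocol), which is constructed inline, and flags any host that opens TCP/445 (SMB, the port WannaCry used to reach other machines) connections to ten or more distinct peers within one minute. The threshold and window are assumptions to tune for your own network.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed flow records in the form 'timestamp src dst dport proto'.
    These are made up for the example, not captured traffic."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    # Worm-like host: 15 distinct peers on TCP/445 inside 30 seconds.
    for i in range(15):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} 10.0.1.20 10.0.1.{21 + i} 445 tcp")
    # Ordinary workstation: two file servers on 445, then a web request.
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} 10.0.1.50 10.0.2.10 445 tcp")
    lines.append(f"{(base + timedelta(seconds=9)).isoformat()} 10.0.1.50 10.0.2.11 445 tcp")
    lines.append(f"{(base + timedelta(seconds=12)).isoformat()} 10.0.1.50 203.0.113.7 443 tcp")
    # Backup server: reaches 12 hosts on 445, but only one every ten minutes.
    for i in range(12):
        ts = (base + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{ts} 10.0.1.60 10.0.1.{100 + i} 445 tcp")
    return lines


def parse_line(line):
    """Split one record into (timestamp, src, dst, dport, proto)."""
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto


def find_spreaders(lines, port=445, threshold=10, window=timedelta(seconds=60)):
    """Return {src: peer_count} for every source that connected to at least
    `threshold` distinct destinations on `port` within any single `window`."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, proto = parse_line(line)
        if dport == port and proto == "tcp":
            events[src].append((ts, dst))

    hits = {}
    for src, evs in events.items():
        evs.sort()  # chronological order
        best = 0
        # Slide a window starting at each event and count distinct peers in it.
        for i, (t0, _) in enumerate(evs):
            peers = {dst for ts, dst in evs[i:] if ts - t0 <= window}
            best = max(best, len(peers))
        if best >= threshold:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, n in find_spreaders(build_sample_log()).items():
        print(f"ALERT possible SMB spreader: {src} reached {n} hosts on 445 within 60s")
```

A file server or backup host will legitimately reach many machines on 445, which is why the sample data includes a slow-moving backup server: the time window, not just the peer count, is what separates a worm from normal administration. Tune the threshold or exempt known servers before turning logic like this into a blocking rule; the same fan-out check maps directly onto an IDS threshold rule.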

It is important to understand that ransomware is not limited to Windows-based computers. Apple devices are vulnerable, as are smartphones, tablets, smart TVs … any internet-connected device is a potential hostage victim. Experts fear attackers will expand into holding connected cars, homes, and even medical devices hostage. Ransomware does not need a web browser to run, so devices that only carry diagnostic systems, data collection, or messaging protocols can still be attacked. Often the attacker deliberately leaves a device's browser working so the victim can pay the ransom via the web.

How to protect your company's data and devices?

Most importantly, Epstein says, any time a device asks to install a system update, say yes. Patches close the holes that worms such as WannaCry use to spread; a device that is never updated stays exposed to every publicly known flaw.

Unplug backup drives. It is not enough to simply stop the backup job or shut down the backup software: if the drive is still connected, or a network backup share is still mapped, when ransomware runs on your system, the backup data will be encrypted along with everything else. Keep at least one backup copy disconnected or otherwise unreachable from the network, and test that you can actually restore from it.

You have already established a No-Click policy for all of your employees' devices, right? If a link appears in an email from a familiar institution, such as a bank or other trusted organization, and you did not initiate the conversation with that company, do not click the link. It can be a trap. Instead, type the company's web address yourself or use a saved bookmark, log in, and look for the message there. If you have a relationship with that company, you'll find any genuine message in your account profile.
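Part of that No-Click advice can be automated at the mail gateway or in a mail client plug-in. The following is an added example, not code from the article or from Proofpoint: it parses an HTML email body (a constructed phishing-style message embedded inline), pulls out every link, and flags any link whose destination is not one of the domains you actually do business with, or whose visible text shows a different address than the real destination. The trusted-domain list, the example domains, and the two-label rule for comparing domains are assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style message body, not a real email. The attacker's
# link shows the bank's real address as visible text but points elsewhere.
SAMPLE_HTML = """
<p>Dear customer, unusual activity was detected on your account.</p>
<p>Please verify now:
<a href="http://examplebank-secure.com/login">https://www.examplebank.com/login</a></p>
<p>Questions? See our <a href="https://www.examplebank.com/help">Help</a> page.</p>
"""

# Domains the recipient actually does business with (assumed list).
TRUSTED_DOMAINS = {"examplebank.com"}

# Visible link text that looks like a URL or bare host name.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(host):
    """Last two labels of a host name. Assumption for the example: no
    multi-part public suffixes such as co.uk; real code would consult the
    public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def suspicious_links(html, trusted_domains):
    """Return [(href, visible_text, reasons)] for links a user should not click."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, tel: and friends are out of scope here
        host = parsed.hostname or ""
        reasons = []
        if base_domain(host) not in trusted_domains:
            reasons.append("destination is not a domain we do business with")
        if URL_LIKE.match(text):
            shown = text if "://" in text else "http://" + text
            shown_host = urlparse(shown).hostname or ""
            if base_domain(shown_host) != base_domain(host):
                reasons.append("visible text shows a different address than the real destination")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_HTML, TRUSTED_DOMAINS):
        print(f"DO NOT CLICK: '{text}' -> {href}: {'; '.join(reasons)}")
```

The second check is the one that catches the classic trick: the text a user reads says one thing, the `href` the browser follows says another. An allowlist alone would miss a lookalike domain the company had once legitimately used, and the mismatch check alone would miss a plain "Click here" pointing at an attacker's host, so the two heuristics complement each other.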

Mobile apps can also infect your system. Proofpoint's research found authorized Android app stores hosting more than 12,000 malicious mobile apps, capable of stealing information, creating backdoors, and more, accounting for more than 2 billion downloads. Beyond outright data-stealing apps, some apps encourage careless employee behavior that leaks sensitive company information to unknown parties; social media apps are an example. Configure company-owned phones to block app installs outside an approved list, and enforce a strict policy on how data moves between employee-owned devices and your enterprise systems.

Install an email security gateway that combines deep analysis, content inspection, and robust URL intelligence, and make sure its coverage extends to corporate VPNs and mobile devices.

Get ahead of malware threats with security tools that automatically "sandbox" suspect URLs and attachments, opening them in an isolated environment before a user does. This matters especially for file-sharing services such as Google Drive, Adobe, and Dropbox, whose links look legitimate and make a convenient disguise for a malicious download.

Do not allow devices that have been "jailbroken" (or "rooted", on Android) on your network. Jailbreaking alters the device's operating system to remove the manufacturer's restrictions, giving the user access to files and services the vendor locked down. The same change strips away security controls that the operating system and your management tools depend on, so malware on such a device has far more reach.

Strengthen your existing security with a custom ruleset. For example, Proofpoint offers a ruleset for detecting and blocking advanced threats with the network security appliances you already have, such as next-generation firewalls (NGFW) and network intrusion detection/prevention systems (IDS/IPS). It is updated daily and covers network behaviors, malware command and control, DoS attacks, botnets, informational events, exploits, vulnerabilities, SCADA network protocols, and exploit kit activity.