Ransomware has long been thought of as an economic nuisance but the recent proliferation of well-publicized cyberattacks has revealed ransomware to be a serious national security threat. Still largely hidden from public view and the headlines, however, are the attacks on small businesses, including many in the sheet metal fabricating and HVAC industries. 

A ransomware attack on Colonial Pipeline led to gas shortages and resulted in a 75-bitcoin ransom payment, about $4.5 million. An attack on JBS SA, the world’s largest meat processor, was resolved with a ransomware payment close to $11 million.

Ransomware attacks are neither new nor limited to large, multinational businesses. While ransomware has become a multibillion-dollar threat, the average payment demanded was only $310,000 in 2020, with many payments in the $25,000 to $30,000 range. 

In 2016, the Indiana Business Journal reported that the Sheet Metal Workers Union was the victim of a ransomware attack. Although the union had antivirus protections in place, an unprotected laptop in a satellite office was infected, allowing the ransomware to spread to the union’s central office.

What can an HVAC or sheet metal contractor or business owner do to reduce the risk of becoming a ransomware victim?

What is ransomware?

Ransomware is a type of malicious software, or malware, that prevents a business from accessing its computer files, systems, or networks and demands payment of a ransom for their return. Ransomware can unknowingly be downloaded onto a computer by opening an email attachment, clicking an ad, following a link, or even visiting a website that's embedded with malware.

Once the code is loaded onto a computer, it will lock access to the computer itself or to data and files stored there. More menacing versions can encrypt files and folders on local drives, attached drives and even networked computers. Obviously, ransomware attacks can cause costly disruptions to operations and the loss of critical information and data.

In many situations, the sheet metal or HVAC operation is unaware its computers have been infected. It is usually discovered only when data can no longer be accessed or a computer message pops up alerting users to the attack and demanding ransom payments.

Paying the piper, or not

Top U.S. law enforcement officials discourage meeting ransomware demands. The FBI is reportedly doubling down on its guidance to affected businesses, and its message remains: don’t pay the cybercriminals. Every ransomware victim faces the question: pay the ransom, thereby funding these cybercriminal organizations and in essence helping them proliferate and grow increasingly sophisticated? Or is paying the ransom for the promise of restored computer systems and unlocked data the more logical choice?

Ethics and morality aside, while ransom payments vary, paying the ransom does not guarantee that users will get the decryption key or unlocking code needed to regain access to the infected computer system or files being held hostage. Although the government warns that payments fund criminal gangs and could encourage even more attacks, failing to pay a ransomware demand can have devastating consequences for any business. Fortunately, successful or not, the government offers a little-noticed incentive for those who do pay: a tax deduction.

Taxes and insurance to the rescue

That’s right, a business that pays ransomware may be entitled to claim a tax deduction on its federal tax returns. Naturally, there are limits to the deduction. If the loss is covered by insurance, even the increasingly popular cyber insurance, the operation can’t claim a deduction for payments made or reimbursed by an insurer. As for whether traditional insurance policies provide coverage for losses due to cyberattacks and cybersecurity breaches, the answer is, at least temporarily, yes. A federal court in Maryland recently ruled that an insurance company must cover the costs of software, data, computers and servers that were lost or damaged by ransomware under the property insurance coverage of one business owner’s insurance policy.

Since ransomware attacks are becoming easier for cybercriminals to execute, it makes sense for every sheet metal and HVAC contractor to fortify its operation’s digital assets and make sure it has business interruption coverage in the event of an attack. But business interruption insurance can only help the business regain some of the financial loss resulting from a security breach. To protect against these unique risks, a number of businesses are beginning to add cyber or cyber liability coverage to their business insurance policies. Cyber insurance offers broad coverages to help protect against an operation’s various technology-related risks.

So-called “data breach insurance” helps a business respond to breaches and usually offers sufficient protection for most small businesses. Cyber liability insurance, on the other hand, is typically used by larger businesses and offers more coverage to help prepare for, respond to and recover from cyberattacks. It should be noted that most cyber-related policies require permission from the insurer before any ransom amounts are paid. The same requirement also applies to extortion-related expenses. And, while most cyber-related insurance policies reimburse ransom payments and related expenses, they don’t pay these costs upfront. 

Payment mechanics

Although paying the ransom in a ransomware attack is not recommended, all too often it is necessary. Surprisingly, small-scale ransomware attackers will demand that payment be wired through Western Union or paid through a specialized text message. In fact, some demand payment in the form of gift cards such as Amazon or iTunes gift cards. But, far and away, most ransomware payments involve cryptocurrencies.

Ransomware attacks usually call for sending cryptocurrency in order to unlock data, with amounts that range from a few hundred dollars to, in an increasing number of cases, millions of dollars. Bitcoin is the most popular currency demanded by ransomware attackers, but other cryptocurrencies such as Ethereum, Zcash and Monero are also frequently demanded. Although traditional financial institutions have their hands tied when it comes to ransomware payments under the money-laundering and know-your-customer regulations, the operation’s bank should be the first step in any ransomware attack to determine if they can transfer funds to a cryptocurrency exchange and if there are any limits. The attacked sheet metal or HVAC operation then sets up an account with one of the many cryptocurrency exchanges – where U.S. dollars are exchanged for digital currency. Funds held in custodial accounts are usually FDIC-insured for up to $250,000.

The cost of ransomware

Since payment of a ransom does not guarantee the operation’s computers or data will be unchanged after their release, expenditures to restore, replace or reconstruct programs, software and data must be planned for. Those extortion-related expenses, including the cost of hiring a professional for advice on responding to these threats and ensuring they don’t happen again, deserve attention. Increasingly, the sheet metal fabrication business is the “carrier,” rather than the target, of ransomware and other cyber-related attacks. A recent survey by the accounting and consulting firm Deloitte found that commercial real estate owners and property managers believe exposure from third-party vendors is their biggest cybersecurity threat. In fact, HVAC systems may be exposing businesses to a different kind of cybersecurity threat. In 2014, a cyberattack (not a ransomware attack) on the retailer Target was successful because the attackers first broke into the retailer’s network through Fazio Mechanical Services, a Sharpsburg, PA HVAC and refrigeration systems firm. More recently, security researchers found a vulnerability in a building controller used for managing various systems, including HVAC.

Avoid the inevitable 

Ransomware attackers, indeed all malware distributors, have grown increasingly savvy, requiring extreme caution about what is downloaded or clicked on. Obviously, the best way to avoid being exposed to ransomware, or any type of malware, requires caution whenever the sheet metal or HVAC operation’s computers are used, by everyone.

However, even simple steps a small business can take, such as basic cybersecurity practices including keeping operating systems, software and applications up to date and patched, or making sure that antivirus and anti-malware solutions automatically update and run regular scans, can significantly raise its defensive posture.

Last year’s attack on the U.S.-based software provider Kaseya was estimated to have affected up to 2,000 organizations around the world. Obviously, an attack on a third party such as Kaseya doesn’t require paying a ransom, although it does disrupt operations. It also illustrates that preparedness only goes so far in protecting against these increasingly sophisticated attacks.

The end game

The rise of ransomware attacks over the last few years has created an extremely profitable criminal enterprise. Targeted businesses, organizations and even governments often feel paying the ransom is the most cost-effective way to get their data back.  

Hearings held by the Senate Judiciary Committee revealed that it is small businesses that are bearing the brunt of ransomware attacks. According to the committee’s chair, Dick Durbin (D-IL), small businesses make up over half the victims, while the committee’s ranking minority member, Chuck Grassley (R-IA), put the number at three out of every four.

It is virtually impossible to completely eliminate the risk of a ransomware attack. However, if payment is the best option, tax deductions and insurance often offset a portion of those ransom-related payments and expenses.