Let's Talk Ransomware

While it’s not surprising that a quick Google search brings up quite a few jokes on the topic, ransomware is definitely not funny and you’re surely not laughing if you’ve ever been impacted by ransomware.

Where did the hacker go? I don’t know, he just ransomware.

Ransomware attacks gained national attention in 2021 due to highly publicized attacks such as the Colonial Pipeline Ransomware Attack. The attackers have shown that they are willing to target critical infrastructure, hospitals, and any organization that they believe has the ability to pay large ransoms. Ransomware isn’t going anywhere anytime soon. According to the 2021 Verizon Data Breach Investigations Report, “ransomware was present in 10% of the breaches identified which is about double the 2020 number.

What is Ransomware?

In short - ransomware is a form of malware that infects your computer, encrypts your files, and often provides a ransom note stating that you must pay the ransom in order to get the key to unlock your data.

Best case scenario, your organization has sufficient backups and ransomware is reduced to an inconvenient annoyance. More often, we see smaller organizations lack adequate preparation and the impact is devastating. It’s important to note that ransomware attacks don’t seem to discriminate; organizations of all types and sizes have been impacted.

Ransomware is Evolving

There used to be a ‘simple solution’ to ransomware: Have good data backups, a well-defined Disaster Recovery Plan (DR) and Business Continuity Plan (BCP) with acceptable Recovery Point & Time Objectives (RPO and RTO respectively). Now I know what you’re thinking, “You call that simple?!” Yes, it’s simple, not easy (or cheap) but simple, linear, logical, and navigable with a pragmatic approach. In most cases, cost and resource availability, keep many organizations from having such resiliency to ransomware, which is why it continues to be so effective, despite having such a clear answer. But unfortunately, even that plan might not work going forward.

New variants of ransomware are engaging in data exfiltration before encrypting your files and that data is then used to extract additional extortion dollars from the organization. This has been shown to increase the efficacy of the attack because it turns an otherwise [recoverable] availability impact* into a complex data breach—which, almost always, carries more severe consequences.

Impact of Ransomware

In the Security Industry – fear sells, but we don’t like to participate in fearmongering. That said, ransomware is a serious problem that warrants careful thought and preparation. The impact of unavailable data and systems varies by organization, but may include:

  • Revenue Loss due to downtime of revenue generating systems that may include but may not be limited to e-commerce sites

  • Reduced Employee Productivity cause by downtime of impacted systems

  • Compliance Issues could result on multiple fronts, from the lack of availability of data required for compliance, inability to meet contractual requirements, and also HIPAA compliance issues as the Department of Health and Human Services (HHS) considers data that’s been encrypted to be a breach

  • Reputation Risk that may result from either not being able to service your customers or worse - being in the news

How does it Work

Ransomware often gets into the environment through phishing where the attacker includes ransomware as an email attachments or provides a link to malicious websites where the ransomware is hosted (and then downloaded and executed). In other cases, bad actors gain access via password guessing attacks on Internet-accessible services or login portals and then once they obtain a foothold into the environment, they deploy their ransomware.

Once the ransomware is deployed, it attempts to spread everywhere it can—network file shares, other computers on the network, even backup files when possible. In more sophisticated cases, ransomware will spread as far as it can and lay dormant for months and then detonate at a particular date and time so that restoring to a recent back-up will not eradicate the malware from the environment.

Paying the Ransom

Should you pay the ransom? Most of us have a philosophical and ethical issue with paying criminals not to commit crimes (or paying them to undo them). The government may impose fines on organizations who elect to pay the ransom (as indicated by the US Treasury Department). As security professionals, we’d prefer to see organizations not pay the ransom. If organizations stop paying altogether, these attacks are no longer lucrative and there is less incentive for these criminal organizations to continue targeting businesses with ransomware. Easy for us to say, right? Unfortunately, the decision to pay or not isn’t a philosophical or ethical decision, it can be necessary to keep from going out of business.

If your organization is faced with paying the ransom or going out of business – what would you do?
Pretty easy question to answer, despite what the government and security professionals say.

Yes, when organizations pay, criminals are likely to return data. Their end goal, in most cases, is to get paid. If organizations think that paying won’t work, they will stop paying, which isn’t good for the criminal’s business. In reality, people pay because it generally gets their data back and organizations are usually able to recover their files after paying the ransom. However, at the end of the day, you are dealing with criminals and you need to approach the situation with eyes wide open. In other words, paying the ransom does not guarantee that you will be able to recover your files.

Bottom line, avoiding ransomware and having to make decisions on whether or not to pay a ransom should be the ultimate goal. Prevention is the best approach. Ensuring the ability to recover if infected is a must!

What Should You Do

As mentioned above, prevention is the critical first step to protecting your personal data. Some prevention is basic security hygiene such as:

  • Email filters and spam detection / prevention

  • Reduce Internet-accessible services and login portals and apply multi-factor authentication wherever possible

  • Web filtering to prevent employees from going to malicious websites

  • Anti-virus protection

  • Patch and vulnerability management

  • Security Awareness training and phishing exercises

Other things that make sense are

  • Examine Network File Shares (NFS) for sufficiently restrictive permissions

  • Network segmentation that restricts the ability of the ransomware to move laterally within the organization

  • Lock down workstations so that malicious software cannot be downloaded / installed

  • Whitelist applications to keep malware from running

On the recovery side,

  • Regularly backup files in a manner that would not allow the same form of malware to impact the primary and backup versions of your data / software

  • Keep incident and disaster plans up-to-date

  • Training and testing of backups, recovery plans, and incident response plans.

Lastly, independent testing of your approach, procedures, and security controls is always a good idea to test the effectiveness of what you have in place and to understand what you may be missing.

Questions, comments, concerns? Feel free to reach out. Let's chat.

Previous
Previous

Shopping Black Friday and Cyber Monday Safely

Next
Next

Phishing, Ransomware, Breaches: Protect Your Organization