Evolve Your IT Strategy to Defend Against Ransomware Attacks
Ransomware attacks are increasing in frequency and growing in impact, threatening to put your business at risk — or even cripple parts of our economy.
Here are some examples: In May 2021, an attack against Colonial Pipeline led to a fuel shortage at gas stations across the United States. In early 2020, an attack against SolarWinds’ Orion software allowed hackers to access the records of Fortune 500 companies and government agencies. The U.S. Departments of Homeland Security, State, Commerce and Treasury were all affected, with the attackers removing emails from their systems.
Think hacks like these don’t post a threat to your operation? Think again.
Experts estimate that more than 2,200 cyberattacks occur every day. That’s one cyberattack every 39 seconds. In 2020, 69 percent of American companies reported being affected by ransomware. We believe attacks will increase because they are increasingly lucrative: the average ransom payment increased by 171 percent from $115,123 in 2019 to $312,493 in 2020.
Hackers are also growing more sophisticated — so much so that insurance companies are now refusing to pay premiums for ransomware attacks. Sophisticated hackers have also demonstrated multiple paths to monetization, from auctioning off exfiltrated data to providing only partial recovery of the ransomed data estate after the victim pays the ransom (with only 8 percent of ransom payers receiving all their data, per Help Net Security).
To prevent a major business loss or breach of customer trust, stay ahead of hackers by educating yourself on the possible attack vectors and take steps towards protecting your business.
The Difference Between a Ransomware Attack and a General Cyberattack:
- Ransomware is a type of cyberattack where malware infects a computer or system, encrypts data, disables applications and attackers demand payment for victims in exchange for a decryption utility. Attackers often show victims a clock that counts down to when they will delete all affected data unless the victim pays the ransom. Before encrypting data and making their presence known, attackers also exfiltrate as much data as possible for auction.
- Cyberattacks have transitioned from a distributed denial of services (DDoS) attack, which were less monetizable as those attacks didn’t allow the attackers to gain access to their victim’s systems and data, to ransomware attacks that produce long-lasting effects by jeopardizing the ability of a business, hospital or government to provide essential services.
Worst of all, ransomware attacks can take months (and sometimes years) to detect. For example, experts say that the Cambridge Analytica attack resulted in a massive data leak of 533 million Facebook users and took over 200 days to detect — and was only noticed because Facebook’s engineering team correlated bad API usage to the data leak. And that’s a big tech company with access to many tech resources.
If you’re not FAANG (Facebook, Apple, Amazon, Netflix or Google), what do you do? How can you turn the dialogue from being reactive and defensive to proactive detection?
Design Your Enterprise Strategy to Tackle Ransomware
While there’s no foolproof way to prevent all ransomware attacks as a CIO or security leader of your company, refer to the “Prevent, Inspect, Detect and Recover” (PIDR) framework to create your organization’s ransomware plan and run a drill with all stakeholders to practice this framework at your organization.
1. Prevent and Inspect
An ounce of prevention is worth a pound of cure. To prevent vulnerabilities that could expose your organization to a ransomware attack, follow best practices such as requiring strong passwords, regular password rotation and multi-factor authentication (MFA). Enforce these policies programmatically, so you won’t be like SolarWinds, which secured one of its file servers with the password “solarwinds123,” then published that password in plaintext to the public 18 months before finally removing it.
Another best practice is patching. Make sure your software has the latest patches that include security and detection upgrades. For example, the 2017 WannaCry attack extorted a specific piece of the Server Message Block (SMB) protocol that allows Microsoft Windows servers to communicate. Microsoft caught this and issued a security patch to fix the gap a few months after the attack first surfaced, and as a result, most of the organizations impacted (like Britain's National Health Service) were the ones who did not apply the patch.
Of course, patching is easier said than done. Corporate IT first needs to test the patches for conflicts with existing applications and configurations, which could conflict with application development time. However, you must balance those considerations with the risks of delaying patches.
Anomaly detection is your best bet for ransomware detection. By being able to establish a healthy baseline of activity for your organization’s software applications, you’ll more quickly identify when something has gone wrong.
Existing technologies like antivirus software are able to detect different virus signatures and match them to known ransomware files. Heeding their alerts and taking action is important. For example, ask questions if a vendor does what SolarWinds did and "advised its customers on its website to disable virus scanning for Orion platform products so those products could run more efficiently."
Granted, the process of installing traditional antivirus software can be cumbersome: It requires you to install the client server on every network device. And even then, antivirus software may not catch all the possible ransomware attack permutations and zero-day exploits, leaving you and your organization open to new attack surfaces like browser plugins or using file-less attack methods.
But by choosing a solution that can be dynamic and adaptable to ransomware attacks (e.g., AWS GuardDuty and Amazon Detective), you can better protect your organization as attacks evolve and become more sophisticated. Rather than match signatures to files, monitor file change rate and entropy. Has a file that typically stays dormant (e.g., your board presentation from 2019) been edited and downloaded over 100 times in the past week? Then you probably want to programmatically flag that activity and alert your corporate IT security team.
Backups remain the first line of defense for ransomware recovery. Because even if you pay the ransom, experts say that organizations are usually only able to recover 65 percent of their entire data estate even after they pay the ransom. In the case of Colonial Pipeline, which paid the ransom, the decryption utility they received in return was so slow that they restored from backups anyway, making their ransom payment meaningless.
By taking regular, scheduled backups of your mission critical applications, you ensure you can recover them even if attackers encrypt them. Make sure that your backups are stored in an air-gapped environment, so that the attackers will not have the ability to also infect your backups via the network. For this purpose, offsite and offline backups are best, such as those stored on tape and hard drives. If you are using the cloud to store your backup, store them in other accounts and other regions, protect them using access control and encrypt them using a different key from the one you used to encrypt the primary application.
Finally, if your organization is fortunate enough not to have suffered a ransomware attack recently, it’s never too soon to test your recovery procedures and timeframes by staging a mock attack. Often staged on Friday evenings, these mock attacks will have your IT teams recover critical applications as quickly as possible, while other stakeholders such as a legal prepare communications for your insurer and law enforcement, and the public relations department prepares a statement to the media. Have a ransomware recovery expert observe and assess your team’s performance to maximize your learnings from this exercise.
By staying focused on recovery methods, you ensure that your organization can move past a ransomware attack as quickly as possible — without falling prey to the ransom.
Stay Current on Cybersecurity Trends
As the ransomware landscape evolves, the best strategy to stay up to date on your organization’s response strategy is to stay plugged into the community.
One example is ISACA (a community of over 145,000 audit, governance, and risk professionals in over 180 countries), which regularly publishes best practices for data governance and ransomware recovery. Another is to monitor BuiltIn.com, which reports on resources ranging from the top cybersecurity consulting firms to the COVID-19 Cyber Threat Coalition.
What do you think about my PITR data protection framework? How does it measure up against your current organization’s procedures? Let me know on LinkedIn!