By Lynn Goodendorf
Evolving and expanding since 1989, ransomware attacks are not new. However, by 2013 ransomware attacks became more frequent and aimed at individual consumers. Cybercriminals used scams to get payments for non-existent software fixes. Then, the attacks shifted and we saw a new trend as ransomware focused on businesses. Attacks impacted entire servers rather than individual devices and ransom demand messages were left on compromised machines.
The cost estimates for ransomware are not trivial. In addition to ransom payments (on average $83,000 and reported as high as $600,000 in 2019), other cost impacts may include downtime, specialized consulting resources, and device replacement. While many organizations do not pay the ransom, many significant ransom payments have been reported.
In the past year, we have seen varied attack techniques such as phishing email campaigns and stolen remote desktop protocol credentials. While no one is immune, we are also not helpless and can defeat these attacks.
Some organizations rationalize that it is more expedient to pay the ransom. However, the underlying basis for that decision often occurs when an organization is unprepared and unable to recover from an attack.
The rationale for a policy to not pay ransom is based on the following:
1. When the ransom is paid, no guarantee exists that criminals will return your data. These are criminals! The notion of honor among thieves is wishful thinking in the cybercriminal world. There is no recourse available if you pay the ransom and the criminals do not return your data or provide decryption keys.
2. Ransomware is typically an opportunistic strategy using tactics such as botnet distribution or email phishing sites. As a result, attackers may not be aware of an organization’s identity until a response is made to a ransom demand. Once the criminals know who they successfully hit, they may ask for a much higher ransom or make increasing demands while never returning the data or providing decryption keys. After all, their motivation is to make as much money as possible.
3. If criminals provide decryption keys, the technical complexity of implementing decryption across an enterprise infrastructure may be difficult and expensive to accomplish.
4. Ransomware payments fund and encourage the further development of new and more sophisticated attacks. Even worse, ransom payments may fund terrorism, human trafficking, and other serious threats as described in a Department of Homeland Security public-private document: “Counterterrorism Futures, A Whole of Society Approach.”
The key to a successful policy of not paying ransom requires a high level of confidence that defensive and preventive measures are in place. These risk control measures also apply to other aspects of data protection and as key risk controls for other types of cyberattacks such as those that lead to the data loss of personally identifiable information (PII) (including payment card data, social security numbers, medical insurance details, etc.).
Creating frequent and consistent backup processes for all critical data is the best way to prepare for recovery from a ransomware attack. Plus, data backups are needed for other scenarios such as data corruption or physical damage to computing infrastructure. Best practices include:
1. Using remote storage. Ransomware incidents have occurred where backup data was also stolen because an organization stored it on the same or a connected network.
2. Frequently conducting backups. The effectiveness of recovery will heavily depend on how much time elapses between when data is stolen and the time of restoring data.
3. Testing and practicing. IT operations staff needs to practice data restore procedures to become proficient. Well-written procedures ensure that no one must act on memory when under pressure, and they serve as an aid in training new team members.
Application whitelisting in a high enforcement mode is a powerful preventive measure and should be implemented on all critical servers and endpoints. This defense tool is effective not only against ransomware but also against all malware. The conceptual logic of whitelisting involves controlling what is authorized rather than trying to detect what is malicious. We have seen traditional signature detection techniques (such as antivirus) overwhelmed, with limited effectiveness. Application whitelisting in a high enforcement (rather than monitoring) mode will block any unknown, unauthorized software executables. Some whitelisting products have the capability to block fileless attacks as well.
Some organizations have relied on advanced detection capability and rapid response while taking the position that application whitelisting is not a priority. As an example, the City of Lake City, Florida did an exceptional job of detecting and responding to a ransomware attack. They disconnected their network within 10 minutes of detection. Unfortunately, the ransomware had already spread and infected almost their entire network. Application whitelisting would have blocked the ransomware so that it would never have executed. Sadly, the city agreed to pay the equivalent of $460,000 in bitcoins in June 2019.
Another plus for application whitelisting is that unnecessary legitimate utilities (such as Windows PsExec) can be delisted to prevent Living off the Land (LotL) attacks exploited by advanced persistent threat attackers. These LotL attacks are anticipated in new ransomware attacks. General guidance about application whitelisting is available in US NIST SP 800-167.
Multi-factor authentication (MFA) is a necessity for everyone with IT administrative rights and privileges along with those authorized to use remote desktop protocols. Ideally, MFA should also be deployed for all email users because of increased business email compromise (BEC), another avenue of attack for ransomware and various fraud schemes.
The need for MFA stems from weak and commonly used passwords. Despite security awareness training and education, a persistent mindset exists in individuals who think they are not at risk and do not want to make the extra effort to implement stronger password best practices. Password manager solutions can help ensure strong passwords and prevent the use of the same password across multiple systems. But the hard truth is that automated programs can crack all passwords—it’s just a question of how much time and resources an attacker wants to spend.
The above steps are part of a sound information security program based on best practices, established standards, and compliance requirements. Don’t become the next victim. We can stop ransomware.
Lynn Goodendorf is a retired CISO and Chief Privacy Officer with over 20 years of experience in data protection leadership.