Ransomware attacks are not the result of an isolated security incident but the consequence of a series of IT missteps. Moreover, they often expose poor decision-making that points to deeper management issues that must be fixed.
But how big of a problem is ransomware? Two recent reports suggest it’s significant. Verizon’s 2019 Data Breach Investigations Report (DBIR) states that ransomware plays an increasingly important role in many attacks. It is often used in conjunction with other malware methods: according to the DBIR, ransomware was part of 70 percent of total malware infections for the second straight year. Recent research from Malwarebytes also shows an increase in frequency.
Ransomware attacks have evolved. Initially, most demands were for relatively little money. Today’s ransoms are more targeted and higher because attackers carefully case victims and find their weak spots.
While ransomware attacks receive a lot of coverage, the focus is often on the wrong things, including:
A study detailed in a Recorded Future blog shows some do, and Forrester has been “tracking a notable increase in ransom payouts,” although it doesn’t provide specifics. “Organizations should never have to think if paying the ransom is a better way out than restoring data compromised by ransomware,” says Rick Vanover, senior director of product strategy at Veeam Software, meaning that ultimately, it doesn’t really matter whether the ransom is paid. The ransom is always less than the cost of restoring the data, especially when an enterprise isn’t as well-prepared as it could be. Ironically, last year Veeam itself was hit with a cyberattack (although not ransom-based) that leaked millions of email addresses.
The cost of attacks on government agencies is usually easier to calculate, because agencies must post the procurement and other fees paid to resolve their problems and restore service. Still, it is difficult to arrive at hard numbers, because in many cases the organizations use the recovery to replace outdated systems that should have been scrapped long ago. Baltimore estimated its recovery will cost at least $18 million. The numbers are somewhat misleading, as they account for all sorts of lost revenue, delays, and estimates of financial impact. Certainly, the $18 million figure is more than the city’s entire annual IT budget. Baltimore may ask for federal disaster aid from FEMA, according to one report. That would be the first time any city has tried that approach.
This is a common question as customers and taxpayers are trying to access their lost data post-attack.
Usually, there is little to no follow-up on what led to the attacks when everything is back in service.
Instead of asking the tired questions listed above, it’s time for a new trope and a different focus. As a Malwarebytes blog post points out, ransomware is “going to take advantage of weak infrastructure, configuration issues, and ignorant users to break into a network.”
To better understand where to find these weak spots, consider these bad decisions that lead to potential risk:
The usual cause is a single employee clicking on a phishing email. The attacker gains a foothold from which to move through and exploit the enterprise, and this is often why many organizations don’t know how long an attacker has been inside their network before discovery. Understanding this root cause is critical to examining an organization’s defensive posture and how thorough its incident response could have been in preventing an attack. These questions get to the heart of the overall quality of an organization’s IT security efforts. Victims of many ransomware attacks had sloppy security practices, including open network ports all over the place, few or no multifactor authentication logins in place to protect access for critical users, and open Server Message Block (SMB) network and FTP shares. Rendition Infosec documents these issues in a post about how Atlanta could have done better.
Frequent management changes are a related problem. Baltimore has had a series of CIOs come and go, which hobbled its decision-making. Two of the CIOs recently resigned over fraud and ethics allegations. Consistent management is key to preventing future attacks.
An organization must carefully vet its backup and recovery procedures and examine what data is and isn’t protected. Many ransomware victims never truly tested their recovery processes until it was too late. IT must analyze its own workflows and ensure that they are still relevant and accurate, too. Organizations must understand the weak spots in disaster recovery (DR) plans. That means spending time and deploying personnel to ensure that regular DR planning and drills happen, and that hiccups from these drills are analyzed and eliminated before an actual disaster occurs—ransomware or otherwise. Drills must be scheduled regularly to be effective, especially as network configurations, server orchestration, and other elements change when new systems and applications are brought online. Part of DR planning should be installing email protection tools and performing regular security awareness training so that users can better recognize phishing lures. Phishing is a problem particularly for municipal and other government agencies, often due to a lack of overall IT resources.
Email systems for many ransom victims were knocked out. In Baltimore’s case, IT staff tried to obtain a series of private Gmail accounts, but Google quickly shut them down because the city should have created business accounts instead. In short, it should have understood Google’s policies in advance and planned to obtain accounts ahead of time.
It’s critical to segment your network and enforce least-privilege access policies so that no single user can access everything. One organization (that will remain unnamed) sets up every user with admin rights to its entire network, creating a ticking time bomb. In another example, which wasn’t ransomware, a heating contractor for a large retailer had access to the retailer’s point-of-sale and financial networks because there was a single network segment for everyone. Malwarebytes offers additional suggestions on how to protect your assets.
The Forrester report has a ransomware incident flowchart. It starts with pre-incident planning and offers suggestions on various responses, including assembling your team (perhaps including ransomware security specialists), pre-purchasing bitcoin in case you choose to pay the ransom, and validating and recovering from backups. That is a good starting place.
We have a long way to go before we eradicate ransomware. The better your overall IT governance is, the lower the chance you will be ransomware’s next victim.