While there’s no silver bullet to preventing a ransomware incident, following security experts’ recommendations will greatly reduce your vulnerability.
Thousands of Americans experienced the trickle-down effect of a ransomware breach in early May following the Colonial Pipeline attack, which shut down the oil supplier’s operations and left many scrambling to find gas and waiting in huge lines when they did.
The attack originated from DarkSide, a Russian-linked criminal group, who threatened to leak the utility provider’s sensitive data unless the company paid a $4.4 million ransom.
In July, another Russian-linked cybercriminal organization, REvil, launched the single most prominent global ransomware attack on record. The breach infected thousands of victims in more than 17 countries and demanded $70 million in cryptocurrency to unscramble all the infected machines. Swedish supermarket chain Coop closed hundreds of stores after becoming part of the REvil ransomware attack that originated with its IT solution provider’s Kaseya VSA software. At least 200 other organizations were also part of the attack.
Earlier this month, international consulting firm Accenture became the latest target in a string of high-profile ransomware attacks when the LockBit group claimed to have breached the company’s servers and threatened to release its data.
These attacks represent just a few of the thousands that occur each year, many of which go unnoticed even though millions of dollars are cumulatively spent on ransoms.
In its most recent quarterly Threat Assessment Report, the Cisco Talos Incident Threat (CTIR) team observed various attacks, with ransomware being the most dominant threat. Per the report, ransomware accounted for almost half (46%) of all incidents and more than triple that of the next most common threat.
Actors targeted a broad range of verticals, including transportation, utilities, healthcare, government, telecoms, technology, machinery, chemical distribution, manufacturing, education, real estate and agriculture. Among all the verticals, healthcare was targeted the most for the third quarter in a row, with the government being the second most targeted.
Why Ransomware? Why Now?
Industry experts say the rise in attacks is due to a confluence of factors, including the increase in hard-to-trace cryptocurrency, the work-from-home trend and a political climate marked by tensions between the U.S. and Russia, where the majority of ransomware attacks derive.
Besides the abundance of low-hanging fruit, ransomware has proven to be highly profitable for cybercriminals. “Cybercrime is estimated to cost the global economy in the neighborhood of $6 trillion—that’s equivalent to some of the largest economies in the world,” says Dave Trader, Cybersecurity Practice Lead at Presidio. “Reports show in 2020, ransomware was the top attack type in North America and is a lucrative business that will continue to evolve and proliferate. Ransomware as a Service (RaaS) is now a business model for distributing ransomware variants to subscribers offering the same benefits associated with legitimate Software as a Service (SaaS) providers such as regular updates, technical support, access to communities, and documentation.”
Step One: Plan for the Possibility of an Attack
When end users consider ways to defend themselves against the latest cybersecurity threats, topics such as security, data backup and recovery and employee training often are cited. All these things are good and necessary, but they’re not the first thing companies should be thinking about. The first step entails creating a plan that details how your company would handle a security incident. Here are some of the pitfalls that happen if you skip this vital step:
Pitfall #1: Hitting the panic button and word-vomiting
“When there’s an incident, people within an organization often panic,” says Jennifer Beckage, managing director of Beckage, a law firm focused on technology, data security and privacy matters. “They may call their spouse, other family members or even a peer who may have experienced a similar incident. But, unfortunately, once the toothpaste is out of the tube, there’s no putting it back in. So, the first call should be to a lawyer who understands data security and privacy and who can help sort things out. The other benefit of engaging a lawyer in the tricky data security space is that all communications are privileged, meaning they’re confidential.”
The panicked calls Beckage describes above are often followed by assumptions of a worst-case scenario and the bandying about of terms like “cyberattack” and “breach,” when in fact, it may be an incident. “You have to be very careful what you say,” warns Beckage. “If you use a certain word, it may start a clock somewhere.”
Trader concurs and adds, “The clock starts ticking when you say certain words for GDPR (General Data Protection Regulation), for example, especially concerning when you have to report an incident.”
Pitfall #2: Jumping the gun to data recovery
When someone sees a threatening message on their screen telling them their data is locked and demanding money, their immediate thought is, “How can I make this go away and get my data back?” But, skipping to data recovery before consulting with an incident response expert can make things worse, warns Beckage. “We’ve seen situations where a company’s network was compromised, and they continued using their corporate email to communicate sensitive information while the threat actors were observing,” she says. “In one scenario, a stakeholder tried negotiating with the criminal, saying he could only afford a smaller ransom fee. The criminal responded, ‘I saw the email with your insurance policy limits. I know you have more money.’”
Pitfall #3: Giving in and paying the ransom
Another knee-jerk reaction to a ransomware attack—especially for companies that don’t back up their data—is to pay the fee in the hope that things can quickly get back to normal without anyone knowing. The problem with this strategy, says Beckage, is that it could put you in a bad situation with the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC). “OFAC issued an advisory last year that warns against paying threat actors on the U.S. sanctions list because it funds activities that impact U.S. national security interests. Those who do pay threat actors could face additional fines and penalties from the U.S. government unless certain risk mitigation steps are taken and evaluated.”
Pro Tip: Create an incident response plan—and practice it
To avoid adding unnecessary complexity, cost and stress to an already difficult situation, it’s imperative that companies create an incident response (IR) plan. The National Institute of Standards in Technology (NIST) has readily available resources that can help you build a plan. However, NIST also acknowledges there’s no one-size-fits-all approach. For example, some organizations may prefer a central IR plan where a central body such as a computer security IR team (CSIRT) handles the response. Other companies may require a distributed plan involving multiple response teams responsible for a location or affected systems. There’s even a coordinated option where a central team or body conveys response plans to the affected groups.
Once the IR plan is created, it’s essential to test the plan regularly, advises Presidio’s Trader. “The best way to prepare for a ransomware attack is to run practice drills to identify areas of improvement in the environment. We do this through table-top exercises (TTX), attack simulations and ransomware readiness assessments. Our team will systematically go through the components necessary to protect an environment and review current configurations to protect the client’s environment from these attacks.”
Must-Have Security Technologies for a Zero Trust Strategy
While there’s no single technology solution to defend against cyberthreats, a few specific security solutions can help significantly. The CTIR team recommends the following:
Use multifactor authentication—such as Cisco Duo, which will help prevent adversaries from accessing users’ accounts and spreading malware deeper into networks. CTIR frequently observes ransomware incidents that could have been prevented if MFA had been enabled on critical services.
Use email security—such as Cisco Secure Email (formerly Cisco Email Security) to block malicious emails sent by threat actors as part of any business email compromise (BEC) campaigns. You can try Secure Email for free here.
Prevent ransomware execution—with Cisco Secure Endpoint. Try Secure Endpoint for free here.
These security technologies are critical parts of a Zero Trust strategy, which encourages organizations not to trust any entity outside or inside their parameters. In addition, a zero-trust network adheres to the principle of least-privilege access: giving users only as much access as they need and minimizing their exposure to sensitive network resources. To learn more about Zero Trust, check out our on-demand webinar, “What Does Zero Trust Actually Mean?” featuring input from three cybersecurity experts with over 60 years of collective experience.
Backup and Disaster Recovery’s Role in Beating Ransomware
Backup and disaster recovery (BDR) solutions can be an invaluable resource in the event your mission-critical data files get locked up—if you practice good BDR hygiene. This entails adopting Veeam’s 3-2-1-1-0 rule for backing up data:
- 3 different copies of data
- 2 different forms of media
- 1 off-site copy
- 1 copy that’s offline, air-gapped or immutable
- 0 errors after backup testing and recoverability verification
The last bullet point on the list, testing, is where many BDR strategies fail. This step used to be a massive pain with image-based backups and bare-metal restores. You had to build another server using identical hardware components and drivers before starting the time-consuming restore process. In the modern era of virtual machines (VMs), you can reduce the 8-hour recovery window to less than 15 minutes with a good solution.
Companies need to take a comprehensive and holistic approach to ransomware. “There isn’t one silver bullet for ransomware, but when we combine our defenses and sync them in harmony, that unison provides a best practice platform that can combat these attacks,” says Trader. “In the event you discover you’ve been attacked, our Incident Response Team is ready to rapidly engage and assist with triage, stabilization and recovery efforts. Our experts know how to mitigate, remediate and encapsulate forensic evidence working alongside cyber insurance and legal teams. Attacks like this can be disruptive, and our teams respond with a sense of urgency to get you back up and running more securely.”