Literally countless life or death situations were at stake.
A large medical provider recently was hit with a ransomware attack request for $3.5 million.
“They had to pay,” explains Ondrej Krehel, CEO of New York-based LIFARS, which managed the response. The medical company’s critical servers for its 300 locations were breached, and recovery from the backup would have taken three to four weeks.
Instead his crippled client opted to be up and running within a day, although obtaining the keys ended up costing $700,000, which the victim negotiated down to a sum the victim negotiated with the attackers. “If you’re crippled, what can you do?” Krehel asks rhetorically.
This attack underscores how vulnerable organizations remain if they don’t practice basic cyber hygiene, such as maintaining offline backups for fast business continuity in case of a paralyzing event, reinforcing endpoints, deploying privileged access containers, employee training to curb social engineering and spearphishing, hiring dedicated and talented cyber professionals to oversee monitoring, and deploying state-of-the-art tools that detect unusual network activity, not to mention cyber insurance, which in the aforementioned example covered the ransom payout.
SentinelOne reported that 55 percent of U.S. businesses suffered a ransomware attack in the past 12 months, and that 39 percent of security professionals feel helpless to defend themselves against ransomware attacks. Centrify reported an 89 increase in ransom demands over the past 12 months.
Large organizations are increasingly lately being targeted with ransomware breaches because attackers assume most will pay at the point of no return. Some businesses consider paying attackers as a cost of doing business. Meanwhile, ransom requesters make adjustments in their game, and get better at wreaking havoc on sitting ducks.
There’s a sense that more organizations are paying ransoms than being publicized since no law compels victims to report such an incident, notwithstanding data breach regulations. Who wants the embarrassment of the media reporting that they did not anticipate a ransom-based attack?
Like with most crisis management, the key to preparing for a ransomware attack is to root it out before the damage begins. And then if the attack happens anyway, quickly respond to mitigate the situation and ensure business continuity.
“What most people struggle with is having a good offline backup not connected to the Internet and maintaining that backup on a reasonable schedule,” says Chris Morales, head of security analytics for San Jose, Calif.-based Vectra AI. How does he define reasonable?
“Backing up daily is really hard to do; every two weeks is more realistic,” says Morales, noting that not everything needs to be backed up, just critical data. Losing two years could be catastrophic for any organization, he adds.
The need for continuous monitoring cannot be overstated because undetected “hackers tend to be inside the network for quite a while poking around looking for the critical servers,” Morales points out. He suggests a small company employ at least one or two dedicated staff members for monitoring, but a large-scale firm should have 10 to 20 people on that function.
In addition, monitoring tools are relatively inexpensive, “costing in the tens and twenties of dollars, not hundreds and thousands,” he adds.
Infocyte, of Austin, Tex., reported in July that dwell time for a ransomware attack like Ryuk average 43 days between infection of the initial trojan (often Trickbot or Emotet) and remediation once the victim was notified.
Vectra concluded the biggest threat from ransomware is malicious encryption of shared network files, so it behooves enterprises to focus on network segmentation, securing credentials of privileged users, and tight monitoring of remote control access. “If you’re proactive, you can find the attacker and remove it before the ransomware attack,” he says, adding that one Vectra client stopped four separate attacks that way.
According to a 2019 report from CyberEdge, 45 percent of organizations that were hit with ransomware paid the ransom (this number is up from 38.7 percent in 2018). Based on Recorded Future’s analysis, only 17.1 percent of state and local government entities that were hit definitely paid the ransom, and 70.4 percent of agencies confirmed that they did not pay the ransom.
Once facing Armageddon, an unhealthy number of organizations are woefully unprepared during those initial meetings,, our experts report.
“They have no plan, don’t know who to call if they’re attacked, and just hoped it didn’t happen to them,” Morales says, adding that doing a pre-attack consultation leads to the creation of a playbook containing such basic information as the phone number and contact for the local FBI office.
Mickey Bresman, CEO of New York-based Semperis, tells his clients: “The assumption is you’re going to be breached.” He advocates against paying because victims still might not get back all of the data and paying encourages the criminals, who might even be nation-states.
Organizations should periodically test that they have verified backups, Bresman advises, “so you know you can restore the environment with enough data to perform the recovery.” Also necessary is a “disaster recovery plan that is tested, verified and [one] that you trust, so when the actual crisis happens and everything is blown away, you need to know how to execute it.”
Speed of recovery is as important, according to Bresman, because “days or weeks become irrelevant. You need automation that provides the ability to bounce back critical infrastructure in 24 hours or less.” He adds that it’s relatively easy to test a plan in a lab environment, and that it should be done preferably every six months or less.
“You also need verification that the backups are actually up and running,” Bresman says, noting that organizations sometimes are under the impression that everything is operating as usual, but is in reality a configuration changed.
If you’re left with no option other than to pay, here’s the good news: the ransom is usually negotiable.
“Only one or two known attack teams won’t negotiate at all,” offers Allan Liska, threat intelligence analyst for Boston, Mass.-based Recorded Future’s Insikt Group. Bargaining typically ensues with a five-figure or above demand. Attackers also care about their reputations, which is why they almost always give back the data once the victim pays.
“If it gets out that they didn’t return the data, nobody (other future victims) will pay them,” he says.
Morales notes the underground market has become hip to the fact that not everyone is familiar with cryptocurrency. “One attacker requesting a ransomin bitcoins explained with instructions: ‘Here’s how to obtain bitcoins, how to use a wallet and send them,’” he adds.
A basic measure Liska suggests that all organizations can do to help guard against ransomware is creating a database of passwords known to have been used by attackers.
Torsten George, cybersecrity evangelist at Centrify, notes in most workplaces a browser can be the gateway to an infection, but the network can still be secured. “It’s better to give targeted access to system, just to areas that access is really needed, such as a specific server or database. Not the entire network, which can be done through a jump-box approach that restricts access,” he says. “Ransomware doesn’t always need elevated privileges, but if it is able to gain it, the attack will be much more damaging. If you put MFA (multifactor authentication) in place, the ransomware can’t spread because it doesn’t have access to the second sector.”
According to George, the biggest return on investment is implementing privileged access management.
“Privileged access abuse makes up 80 percent of today’s breaches,” he says. “So you’re really killing two birds with one stone.” Since most breaches involve a compromise of privileged users’ credentials, stronger verification is needed for access. George suggests organizations: Establish a secure admin environment; secure remote access; zone off access; minimize the attack surface; and limit privilege.
Even after going through a ransomware attack — whether or not the ransom was paid — organizations must figure out exactly how the intruder broke in and make sure it doesn’t happen again.
Government entities are particularly vulnerable because they use old technology and lack the staffing for routine patching, explains Chris Bates, SentinelOne vice president of security strategy.
“On top of that, they have critical infrastructure that has to function, police, fire, essential city services…they can’t afford downtime,” Bates says. Municipal budgets always have their budgets cut, and as a result they can’t afford prime cyber talent, which can get paid double or triple in the private sector. Occasionally, a special type of individual with security skills will take a public service job, but it’s usually on the state or federal level.
Besides government, “small businesses are also getting killed by ransomware,” points out Bates. Most businesses can’t afford being offline a week or three weeks, or operate at only 30 percent capacity, which explain why many succumb to ransomware.
Bates urges that organizations focus on defending their parameters, such as proactively guarding against malevolent email. “Ransomware attacks can be killed in real time,” he says. “Look for behavior before it encrypts and spreads laterally. Automated software is starting to do the work for you, and bridging a skills gap.”
Lavi Lazarovitz, head of the labs team at CyberArk, says he wasn’t surprised at all that 59 percent of respondents to his firm’s recent survey regarded ransomware or malware as their biggest threat and that only half of organizations believe they can stop cyberattacks.
“Many of them struggle to keep their data secure,” he says. Even though many organizations use signature-based security controls, such as behavior analysis and privileged access management, in the last two years attackers have managed to leverage efficiently known vulnerabilities and bypass security controls.
Cybersecurity’s greatest weakness remains humans who fall for social engineering and phishing schemes, he adds.
No doubt extremely sobering is the knowledge that even organizations that think they are prepared to ward off a ransomware attack may be still powerless. Infocyte reported in July that 22 percent of hundreds of customer networks examined within small and mid-market organizations encountered a ransomware attack that bypassed their preventive security controls.
In situations where a ransom had been paid, attackers are usually helpful with victims in data recovery situations. In fact, Liska knows of a recent ransomware attack on a small town’s police department, which paid a negotiated ransom sum of about $5,000. The decryption keys recovered everything except its officers’ bodycam footage, and the attackers helped to troubleshoot with its ironic victim.
“[The attackers] felt bad about it, but they didn’t give back any money,” Liska says. “There’s no honor among thieves.”