February 23, 2021

Ransomware: A Pain in the Derrière

Ransomware: A Pain in the Derrière Cybersecurity & Digital Forensics

Ransomware attacks are ubiquitous in today’s business environment. The National Law Review1 projects ransomware attacks to occur every 11 seconds in 2021. Who could have predicted one of the most significant risks to organizations in business today would be clicking a mouse? Unfortunately, that is our current operating reality.

In just one recent example, Pan-Asian retail chain operator Dairy Farm Group was being held hostage by ransomware attackers demanding a $30 million ransom, according to a report by Bleeping Computer2.

What is ransomware?

Ransomware is a type of cyber-attack that requires relatively low sophistication and low financial investment by attackers to deploy. Often, the ransomware attacks are accomplished using open source tools that are low- or no-cost and offer a substantial return on investment.

Usually, attacks involve a threat actor sending a phishing link or attachment via email. While other attack vectors are possible, this is the most common. It is far easier to persuade an end user to click on a link than to bypass strong technical security controls.

Once the end user clicks on the link or opens the malicious attachment, malware (bad software) is executed on the host machine (the end user’s computer) and encrypts the files. Encryption is a strong algorithm that jumbles data, rendering it unusable until the encryption key (password) is employed to decrypt the data, making it readable and usable again.

While the malware executes on the computer, a message is displayed on the screen, informing the user that their files are being encrypted. There is usually a ransom demand along with instructions on how to pay the ransom in bitcoin cryptocurrency in order for the encrypted files to be released.

It is also common for the malware to “pivot” in an attempt to traverse the network to infect other connected computers as well, causing further damage.

Who is at risk?

Unfortunately, all organizations are at risk of ransomware attacks. It is a dangerous fallacy that smaller organizations are safe from cyber-attacks because they do not have as much data or anything worth protecting. From an attacker’s perspective, it is much easier to compromise a smaller organization that may not have the budget to implement a proper security program. And, as mentioned above, virtually all that is required for an attack to be successful is for someone to accidentally click on a malicious link or to innocently open an email attachment.

All businesses have data worth protecting, whether it is intellectual property, employee or customer information, financial records, trade secrets, vendor data, or more. Data has become the life-blood of all businesses. The loss of confidentiality, integrity and/or availability of data can cause significant and sometimes irreparable harm to organizations.

How can we defend against it?

As with all risks, there are precautions that can and should be taken to strengthen an organization’s security posture and defend again ransomware.

Security awareness training is the biggest opportunity to help organizations withstand a ransomware attack, along with developing a culture of security. When employees are aware and know what to look for, organizations are more resilient to attack. Consistent education and positive reinforcement for phishing awareness is paramount. Employees need to know how to identify suspicious emails, links, and attachments, oddities in website behavior, spam text messages, and phone calls.

There are technical controls that can be implemented as well, to help prevent harmful activity, such as enhanced email spam filters, technical scans of links and attachments before they are delivered, and banner alerts that indicate the potential for malicious activity in the email message.

Back-up all data! The organization should have a complete, documented and tested back-up plan for all data. If an incident does occur, there will be a good copy of the data that can be restored in order to continue operations.

What do we do if we have an incident?

As with any threat, there are steps the business can take to reduce the impact of ransomware attacks. The time to prepare these steps is before an incident occurs. The organization should have incident response playbooks that have been tested regularly, which indicate the steps the organization should take and the resources it should have available in case of an incident. A few key immediate actions are:

  1. Stay calm.
  2. Try to contain the attack as much as possible. Disconnect the network cable/turn-off Wi-Fi connections on devices, switches, and routers to prevent the spread. In most cases, it is best not to power-off the device to preserve forensic evidence.
  3. Advise internal stakeholders and leadership of the incident. It is critical to communicate to leadership and activate stakeholders as efficiently as possible.
  4. Contact professionals. Alert the organization’s legal, incident response, PR, and other appropriate specialists to implement the necessary forensic and remediation activity. Ideally, these partners would be identified and retained in advance.

Unsure where or how to start with any of this? Ask Marcum Technology. We can help with gap analysis, roadmaps, back-up solutions, incident response, forensics, security education, or any other security and privacy-related topics your organization may need. Contact us directly at 800.331.6546 or by email at hello@marcumtechnology.com.

Sources

  1. The National Law Review
  2. Bleeping Computer