Ransomware: honey, someone is at the door
In 2021, a ransomware attack hit the U.S. hard. The Colonial Pipeline was targeted. As a major fuel pipeline, it stretches over 5,500 miles. It transports 2.5 million barrels of fuel daily, from Texas to the East Coast. On May 7, DarkSide, a cybercriminal group, struck. Operations halted.
Who is DarkSide? DarkSide, a notorious hacking group, crept onto the scene in August 2020. Skilled and ruthless, they targeted large organizations with ransoms soaring from $200,000 to a staggering $2 million or more. Employing a double-edged sword of data encryption and exposure threats, they cornered victims into submission. As a testament to their chilling efficacy, nearly half of those ensnared between late 2020 and early 2021 reluctantly surrendered to their demands.
CNN headline read: "Colonial Pipeline cyberattack: Panic buying intensifies." Fox News reported: "Gas shortages worsen as fuel prices spike."
Chaos ensued. Lines formed at gas stations. Prices soared. President Biden declared a state of emergency.
The White House monitored the crisis. It had economic and national security implications. Biden held Russia partly accountable. He urged Putin to act against cybercriminals in Russia. Biden said, "We're taking steps to...disrupt their ability to operate." He announced plans to strengthen cybersecurity.
Colonial Pipeline paid $4.4 million in cryptocurrency. They hoped for a swift system restoration. Later, the FBI recovered part of the ransom. They tracked the hackers' digital wallet.
Biden on the ransom payment: "The private sector has a responsibility to harden its cyber defenses." He further added, "I cannot dictate that the private companies declare cyber attacks." The attack was a wake-up call. The U.S. needed stronger cybersecurity. International cooperation was crucial.
Why are we so mad about malware?
Because it is literally killing businesses.
An encounter with malicious software (or malware) is the unfortunate norm when running a modern, digital enterprise. Today, malware takes various forms, but among the most notorious is ransomware, an intrusion method that yields devastating results.
Your IT teams have no doubt written extensive reports on creating ransomware response plans. It’s not a standard virus or simple spamming. Ransomware is a multi-level penetration game of whack-a-mole that can cost a business millions, tens of millions, or even hundreds of millions in both the short and long term.
In 2020, IBM’s Incident Response reported 1 in 4 cyber attacks were ransomware related. Ransomware attacks are increasingly common because they take minimal risk and provide maximum payouts. Malicious third parties weave compelling phishing campaigns or utilize effective intrusion methods, identify precious troves of private info, and lock it behind their paywall. Companies pay that ransom to stay in business.
An economy of destruction
Ransomware works because it forces its targets into a corner. There is no clean removal of ransomware; it’s not a simple anti-virus scan away from disappearing. Oftentimes the malicious software lurks in the shadows, ready to rise up again from another vector or server once the victim organization has finished paying for the first attack. Again, the only solution is a flexible defense.
The FBI’s official stance is to refuse payment to hackers so as not to encourage them. Not every business and network can abide by these terms. From schools to health organizations to smaller companies, the obligation to protect user data takes precedence. Ransomware criminals have bolstered their efforts to force a payout by threatening to publish stolen credentials and personal information: home addresses, phone numbers, and email addresses. These attacks hit numerous industries and leave thousands of dollars of financial damage in their wake.
Your IT teams put together risk portfolios for these reasons. Ransomware hurts on multiple levels: financial damages, harming consumer trust, and tarnishing the brand.
Viral allies
Exacerbating the problem, ransomware wasn’t the only virus proliferating. COVID-19’s burst and infection rate forced a habit change, businesses included. As such, said organizations rapidly adopted remote working solutions, but in doing so, exposed their networks and infrastructure.
Ransomware attacks and remote-working solutions went hand in hand (and still do), with attackers happy to exploit the pandemic. We’ve discussed at length before how remote solutions increase the attack surface; combined with ransomware, the problem greatly worsens. As ransomware relies on social engineering to achieve successful infections, at-home workers were subject to the numerous schemes implemented by attackers.
The ransomware chain of infection is a devious and slithering threat, affecting nodes and wreaking havoc as it encrypts information.
Remote workers sometimes lack the same understanding of viral threats as their IT specialist counterparts. Mixed with distance-based cybersecurity management, 2020 saw one of the highest ransomware attack rates in recent years. In the third quarter of 2020, there was a 40 percent increase in ransomware attacks related to COVID-19. Cybersecurity Ventures, an IT security firm, also observed an increase in attacks and predicts a ransomware strike will occur every 11 seconds in 2021. Furthermore, they estimate the cost of said attacks in 2021 will reach around $20 billion.
Different strains, different targets
One primary ingredient capping off the lethality of ransomware is its erratic implementation. Ransomware comes in a variety of strains from different software packs. Attackers have demonstrated that they hunt down major enterprises, small companies, social accounts, university networks, and even healthcare networks.
It cannot and should not be assumed ransomware won’t target a vector of data because it's “immoral” or “too complex.” Ransomware attacks range from simple service suites to organizational efforts, and there are readily available suites to purchase on the Dark Web.
The uninvited guest
Any competent IT consultant can construct a battle plan for ransomware vulnerabilities, but how do you ultimately prevent them and what’s the ideal response?
There’s no single answer for that. As with any cyber threat, a business cannot and should not operate under the fallacy that its cyber teams can prevent all attacks, disasters, and intrusions. Even the best experts know this, because it takes only one point of intrusion to upend network security. So how does ransomware arrive at your doorstep?
Your first thought should be about remote working solutions and the security infrastructure in place. Your second thought should relate to social engineering and spear phishing. Your third should be regarding what policies your organization has in place regarding these potential vectors. You must start thinking of ransomware as an eventuality. Even Randstad, owner of Monster.com, receives ransomware strikes.
The problems caused by a ransomware attack
If you believe the end result of a ransomware strike is a matter of simple data recovery and damage payout, you’re not grasping the entire scope of what ransomware can harm.
If you feel the heat, that’s because money burns fast during a ransomware infection. The infection results in downtime, which can take 7-14 days to recover from in the best of scenarios. Meanwhile, data is ransacked, demands made, and sometimes malicious parties publish information anyway. As we mentioned before, the hack damages the targeted company’s brand (a reason why firms often underreport their compromised credentials after an attack).
It gets worse. While not universally adopted, paying a ransom could potentially violate cybersecurity regulations, which adds to the turmoil and cost of an already strained network. How is it, then, the hypothetical law works against you in that scenario?
Every situation is unique, and in various cases networks are given no choice, or they desire to protect their user data above all else. But even then, is it that simple? Imagine a list of affected individuals developed by your IT teams. Do you have an “acceptable loss” threshold? What if 10,000 users were affected? What if the hackers accessed the emails of 50,000 users? Where do you draw the line?
Some organizations, like healthcare networks, have little choice in the matter. The same goes for education networks. However, a business entity must make its decision based on its bottom line. If you pay the demanded ransom, then the user and network data may be “safe.” While you reestablish control of your network, you assume in this scenario that the attackers won’t publish the stolen data. Whether or not to pay the ransom is a gamble, and your organization must ask whether it can afford to take it.
A future tested by gambles, bluffs, and introspection
Make no mistake, ransomware is here to stay. Aggression combined with complexity looks to exploit pandemics and disasters, leaving organizations in a bind. The nature of dealing with ransomware presents challenges and creates a litmus test for your business.

As we move forward, the battle against ransomware will require a combination of strategic planning, risk management, and technological innovation. It will require organizations to be proactive in their approach to cybersecurity, rather than reactive, and to invest in the latest technologies and best practices for protecting their data and networks. At the same time, it will require deep introspection and an honest assessment of your organization's risk posture, vulnerabilities, and contingency plans.

The truth is that ransomware attacks will continue to evolve and become more sophisticated, and it's up to every organization to be prepared for the worst. In this future tested by gambles and bluffs, organizations that take a proactive and strategic approach to cybersecurity will be better equipped to weather the storm. They will be able to detect threats early, respond quickly and decisively, and minimize the impact of any potential ransomware attack. Ransomware is a serious threat, and it's not going away anytime soon. But with the right mindset, tools, and expertise, organizations can rise to the challenge and protect themselves against this growing menace. The litmus test for your business is answering the question: “How well prepared are we for when the ransomware attack comes?”
Takeaways
It’s coming. Get ready for it. Here’s the short list of what you can do.
- Stay on top of infrastructure updates
This is the main one. Do this first, and make it the top security priority: update all firewalls, servers, computers, and antivirus software, early and often. Then run special events to engage employees more deeply in compliance.
- Deploy password policies
The cheapest, most basic, and yet most effective step: make every password expire every few months, and enforce complexity and length requirements.
- Data backups and data security
One of the most effective ways to protect against ransomware is to maintain regular backups of important data. This ensures that if data is locked by ransomware, it can be restored from backup without paying the ransom. If you have a full, nightly backup across the entire organization, you are usually going to be okay.
- Train employees
Educate employees about the risks of ransomware and how to recognize phishing and social engineering attempts. Regular training and awareness campaigns can help employees identify suspicious emails or links, reducing the likelihood of a successful attack.
- Implement more advanced security controls
Use the security controls available for your firewalls, antivirus software, intrusion detection and prevention systems, and access controls to prevent and detect ransomware attacks.
- Incident response plan: create one
Develop an incident response plan that outlines the steps to take in the event of a ransomware attack. This plan should include communication procedures, steps for containing the attack, and recovery procedures.
- Do not pay the ransom*
*Unless you have to. Paying ransoms does stoke the malicious fire. In any case, law enforcement should be informed.
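To make the "detect ransomware attacks" item concrete, here is an added example (written for this edit, not code from the original article or from any vendor it mentions) of the kind of detection logic an intrusion detection system or SIEM rule can run over file-activity logs. Ransomware that encrypts files typically renames many distinct files to a new extension within seconds, so the rule below tracks per-host renames in a sliding window and raises an alert when one host changes the extension of many files to the same new extension. The log format, host names, file paths and thresholds (60-second window, 5 files, 80 percent share) are all constructed assumptions for illustration; a real deployment would tune them against its own baseline.

```python
"""Heuristic detection of ransomware-style mass file renames.

Added example; the event format, hosts, paths and thresholds are constructed
for illustration and are not taken from the article.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from os.path import splitext
from typing import List, NamedTuple

WINDOW = timedelta(seconds=60)  # sliding window per host (assumed tuning value)
MIN_FILES = 5                   # distinct files renamed inside WINDOW to alert
MIN_SHARE = 0.8                 # share of those renames landing on one extension

# Constructed sample log: "<timestamp> <host> <action> <old_path> <new_path>".
# ws-acct-01 shows the encryption pattern; ws-dev-02 is normal developer activity.
SAMPLE_EVENTS = """\
2021-05-07T06:00:01 ws-acct-01 RENAME /share/finance/q1.xlsx /share/finance/q1.xlsx.locked
2021-05-07T06:00:02 ws-acct-01 RENAME /share/finance/q2.xlsx /share/finance/q2.xlsx.locked
2021-05-07T06:00:02 ws-dev-02 RENAME /home/dev/build.tmp /home/dev/build.log
2021-05-07T06:00:03 ws-acct-01 RENAME /share/finance/payroll.docx /share/finance/payroll.docx.locked
2021-05-07T06:00:04 ws-acct-01 WRITE - /share/finance/README_TO_RESTORE.txt
2021-05-07T06:00:05 ws-acct-01 RENAME /share/finance/vendors.csv /share/finance/vendors.csv.locked
2021-05-07T06:00:07 ws-acct-01 RENAME /share/hr/contracts.pdf /share/hr/contracts.pdf.locked
2021-05-07T06:00:09 ws-acct-01 RENAME /share/hr/reviews.docx /share/hr/reviews.docx.locked
2021-05-07T06:05:30 ws-dev-02 RENAME /home/dev/notes.tmp /home/dev/notes.md
"""


class Event(NamedTuple):
    ts: datetime
    host: str
    action: str
    old: str
    new: str


class Alert(NamedTuple):
    host: str
    extension: str   # the new extension most renames converge on
    files: int       # distinct files renamed inside the window
    first_seen: datetime
    last_seen: datetime


def parse_event(line: str) -> Event:
    """Parse one whitespace-separated log line into an Event."""
    ts, host, action, old, new = line.split(maxsplit=4)
    return Event(datetime.fromisoformat(ts), host, action, old, new)


def detect_mass_rename(text: str, window: timedelta = WINDOW,
                       min_files: int = MIN_FILES,
                       min_share: float = MIN_SHARE) -> List[Alert]:
    """Return one Alert per host whose renames look like mass encryption.

    Only RENAME events that change the file extension are considered; an
    alert for a host is refreshed as more qualifying renames arrive, so the
    returned Alert reflects the full burst seen inside the window.
    """
    recent = defaultdict(deque)  # host -> deque of (ts, old_path, new_ext)
    alerts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.action != "RENAME":
            continue
        old_ext, new_ext = splitext(ev.old)[1], splitext(ev.new)[1]
        if old_ext == new_ext:
            continue  # renames that keep the extension are ordinary file moves
        q = recent[ev.host]
        q.append((ev.ts, ev.old, new_ext))
        while q and ev.ts - q[0][0] > window:
            q.popleft()  # drop entries older than the window
        distinct_files = {path for _, path, _ in q}
        if len(distinct_files) < min_files:
            continue
        top_ext, top_count = Counter(ext for _, _, ext in q).most_common(1)[0]
        if top_count / len(q) >= min_share:
            alerts[ev.host] = Alert(ev.host, top_ext, len(distinct_files),
                                    q[0][0], ev.ts)
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_EVENTS):
        print(f"ALERT {alert.host}: {alert.files} files renamed to "
              f"'{alert.extension}' between {alert.first_seen} and {alert.last_seen}")
```

Run as written, the script reports one alert for ws-acct-01 (six files moved to the `.locked` extension within eight seconds) and stays silent for ws-dev-02, whose two extension changes are several minutes apart. The value of a rule like this is speed: it can trigger host isolation while most of a file share is still untouched, which is exactly the containment step the incident response plan above should spell out.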