Ransomware: Prepare and Don’t Panic
On this episode, Darren dives into ransomware with Stephanie Sabatini, Sr. Director, Professional Services, Hitachi Systems Security.
Although a ransomware attack begins for most organizations with a ransom request of some sort, the full story has typically been brewing for many months.
The ransom demand happens after the attackers have encrypted information from compromised systems and locked down whatever they could, or they have stolen sensitive information and now threaten to release it publicly. In either of those cases, they request a sum of money to stop the release or to reinstate the information.
The amount of money can be targeted because the attackers know how much the company can afford, and they will ask for a massive amount. Less targeted attacks will ask for a random amount and hope they get a hit. More and more, however, the attacks are sophisticated, and the attackers have done their homework. They may have gained significant traction, moving laterally through the environment and compromised multiple domains. They know it will cost the organization a tremendous amount to reinstate their services, so they can ask for more.
But before the attackers demand the ransom, they have been inside the system for some time, on average just under 300 days, until they fully execute their plan. They try to get as far as they can within the network to make it as impactful as possible. For example, they will blow away the backup exec so that they cripple the organization, leaving corrupted, unusable backup data. They will also spend time compromising credentials for privilege escalation to move laterally throughout the network and ferret out any vulnerability.
Each attack is different, so it’s difficult to name the most common vulnerability. The attackers find any inroad they can, whether it’s a weakness in vulnerability management or in people, for example through phishing attacks or social engineering tactics. They will make phone calls and impersonate executives, or use executive-type names to glean information and data from employees online.
Many in the industry will say it’s not a matter of if, but when, you will be attacked. Stephanie, however, does not believe this is the case because with due diligence, locking down appropriately, and taking the necessary steps, you won’t be targeted.
Due diligence is what security experts have been preaching for decades: do vulnerability management and patch management, change passwords, and apply least privilege wherever possible. Train your people. Admins should not be browsing the internet or posting on forums with their administrative accounts, for example. It’s all about understanding what the attack surfaces are and managing them.
What should you do if you are the victim of a ransomware attack? Stephanie says that what people should do and what they actually do are two different things. The first knee-jerk reaction of IT ops is often to reboot, patch, or change the environment in significant ways. This only alerts the attackers that their time is up. For the forensic investigation, it’s extremely important to go easy on those environments: make as few keystrokes as possible, and definitely don’t reboot.
Some companies will panic and perform a denial of service on themselves, going into full lockdown mode and shutting everything down. Rather than panicking, they should rely on their incident response policies and recognize that the issue can be worked through, even though it’s not going to be pleasant.
Obviously, every company should have these incident response policies that can be enacted quickly to manage communications internally and with the media and keep business going if possible. Security professionals can help set up these response plans and can come in and help during an attack.
The first step in preserving the information is to observe the questionable activity going on in the network. Ransomware attacks don’t begin with encrypting or stealing information; there is a lot of attacker activity beforehand. It’s important to identify where the attackers are coming from, where they originated, and where they have been. To do that, security professionals need evidence and information, and it needs to be properly preserved. A good start is getting the right people in the right place to manage what’s going on.
Next is to properly manage the environment. Unfortunately, once there is ransomware or any kind of breach or incident, the organization is highly vulnerable. One hundred percent of the time, when environments have undergone successful ransomware attacks, publicized or not, they are targeted by the same group or a different group. It’s like a wounded animal with the vultures circling. Attackers know you are wounded and vulnerable. There is another attack coming.
Most often, when security professionals are doing their investigation, they find other indicators of attack and compromise in different parts of the network. They must determine whether it is part of the same attack or a different attack. This investigation is a critical part of recovery from malware because even when you think you have an attack cleaned up and the business is now running again properly, there is still the potential for these other attacks.
A typical attack costs an average of four and a half million dollars to clean up, and that doesn’t include the ransom. The amount can be much larger and is proportional to the size of the organization.
It is impossible to be certain how many organizations pay the ransom. Many of the ransoms come with threats not to contact law enforcement or disclose the attack. For this reason, the available statistics about how many organizations pay are varied.
Some organizations’ decision-makers respond by saying that they will not pay under any circumstance, even if it costs more to rebuild, thereby destroying their ability to negotiate. This is an emotional decision that can cloud judgment. At the end of the day, if the objective is to continue to do business and make money, paying a low ransom of maybe ten or twenty thousand dollars is going to be cheaper than the forensics and the rest of the process. On the other hand, there are documented cases where the ransom was paid and the data was not fully restored. In addition, the organization has no assurance that its environment is secure afterward. There is no guarantee when you pay a ransom; you are asking criminals to act in good faith.
Many governments around the world have made it illegal to pay a ransom because the attackers are considered terrorists, and you aren’t allowed to negotiate with terrorists. Another wrinkle is that the attackers will sometimes refuse to deal with professional negotiators. They will often name someone at the organization as the only person with whom they will negotiate, hoping that person will make emotional decisions.
The threats are communicated in a variety of ways: email, phone, and even on a desktop background.
The best strategy to avoid or mitigate an attack is to not wait until your organization is in that situation. Rather, engage in due diligence. Do assessments at least annually to find the gaps in security. The threats and attacks are constantly changing and becoming more sophisticated, so your organization’s security must keep up. Continually monitor and patch. Do vulnerability management, change passwords regularly, and remind and educate users about the threats. These are not new strategies. Security professionals have been recommending these steps for decades; organizations are just failing to do them properly and to evolve.
It’s also smart to call in the experts to guide the process of incident response plans and exercises. Everyone at the organization should know what to do and who to call in an attack scenario to avoid further damage.
If your organization is attacked, hopefully the impact will be minimal, or at least contained and manageable if there has been preparation. Whatever time, energy, and money a company invests in preventative measures is a small fraction of the cost of an attack.