As an information security professional with DLD Lawyers, cybersecurity threats often keep me up at night. One of those threats, ransomware, has been receiving a large amount of press lately for claiming public victims in Georgia and our own corporate home state of Florida.
Ransomware is a kind of malicious software, or malware, that turns an abstractly good thing – encryption – to nefarious purposes. It surreptitiously encrypts data on the computer it infects, that is, makes it unreadable without a decryption key. The perpetrators are purportedly the only parties in possession of that key, and they are more than happy to hand it over to their victims, for a price, of course.
In just the past few weeks, the cities of Riviera Beach and Florida City announced they would be paying $600,000 and $460,000, respectively, in bitcoin in response to a ransomware attack. In just the last few days, another Florida area, Key Biscayne, fell victim alongside the state of Georgia and its court systems. Although there is little reason to believe these attacks were perpetrated by the same malefactors, there is clear reason to believe ransomware attacks are still on the rise.
How did it happen?
As is frequently the case, the ransomware attacks described above originated with simple email phishing scams. It is generally difficult and time-consuming to penetrate an organization’s internet-facing defenses, such as firewalls and intrusion prevention systems. Email in a sense bypasses those defenses and makes for a potentially more lucrative attack vector by virtue of its efficacy.
Security company ProofPoint publishes a State of the Phish report each year using tens of millions of data records from its Security Education Platform. According to its 2019 report, on average nearly 1 in 10 end users across all industries clicked hyperlinks in ProofPoint’s phishing simulations. Nearly half of those who clicked submitted all requested information.
All it takes is a single user double-clicking a single email attachment to infect many or all computers on an organization’s network. That is because the kinds of ransomware one reads about in the news contain a payload that targets specific, often well-known vulnerabilities they exploit to propagate the infection to interconnected computers.
Once a ransomware infection has taken hold, the only real options are: restore from a backup, pay the ransom, or continue forward without the affected systems or data.
Should you pay the ransom?
The simple answer to the question of whether or not to pay a ransom in response to a ransomware attack is: no. While paying the ransom is typically a less costly recovery option, only about 1 in 5 victims are able to recover their data after paying, according to multiple sources, including Kaspersky. Further, payers are branded as easy prey, ripe for future targeting.
While no may be the simple answer, it is perhaps not the easiest answer. The option to restore is only an option if the victim’s backup and recovery system was not affected by the ransomware infection. In a situation where the backup and recovery system is affected, the available recovery options dwindle to two: pay or lose the affected data.
In situations where restoration is an option, the cost to recover data, including downtime of operations and lost opportunities, may be, and in many cases is, greater than the ransom. To add insult to injury, some portion of data will inevitably be lost in restoration.
Best practices in ransomware prevention, detection and response.
“My data is backed up, so I don’t need to worry.” This useless mantra detracts from a very real, even existential threat to an organization. Organizations need a culture of security that extends to their vendors to bolster their overall security posture. Below are a few things to consider with your security team to mitigate the risk and impact of a ransomware attack.
- Have we performed a risk assessment and business impact analysis to ascertain our exposure to and the possible effects caused by the threat?
- Do we have written policies and procedures in place that are reviewed regularly and clearly spell out how to prepare for, prevent, detect, respond to and follow up on security incidents?
- How are we training and testing our employees to make them more resilient to social engineering attacks like email phishing?
- Do we have a routine in place to ensure we always have the latest virus signatures in our antivirus software and our computer systems are maintained and patched?
- Do we have a security baseline for our computer systems that defaults to secure settings?
- How do we manage and extend security protections to laptops and mobile devices?
- How about our cloud infrastructure?
- Have we had an independent company conduct a vulnerability assessment and penetration test to ensure known vulnerabilities cannot be exploited to spread malware infection?
- Do we have a security information and event management (SIEM) platform in place to detect active malicious activity on our organization’s networks and hosts?
- How often do we review our computer and network logs?
- Have we clearly defined our incident response initialisms, such as RPO (recovery point objective), RTO (recovery time objective), WRT (work recovery time), and MTD (maximum tolerable downtime)?
- Do we have a backup strategy that considers those initialisms; keeps our backup systems protected and segregated from our other systems; and includes a backup for our backup system?
- How often do we test our backup and recovery systems?
- Do we have a cyber liability insurance policy that covers incidents caused by social engineering and is coverage sufficient?
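The SIEM and log-review questions above ask whether active malicious activity would be noticed. As an added illustration (not code from the original article or from DLD Lawyers), the script below runs two simple ransomware-behaviour rules over a constructed file-activity log: a burst of renames to a suspicious extension by one user on one host within a short window, and the creation of a ransom-note file. The log format (timestamp, user, host, action, path), the extension and note-name lists, and the thresholds are all assumptions for the demo; in practice the same logic would be expressed as SIEM correlation rules over sources such as Windows file-audit events, Sysmon or an EDR feed.

```python
"""Toy ransomware-behaviour detector over file-activity audit logs.

Added example, not from the original article. The log line format below is
constructed: "<ISO timestamp> <user> <host> <ACTION> <path>", where for a
RENAME the path is the new name. Thresholds and indicator lists are
illustrative assumptions, not vendor values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators a SIEM rule might watch for (assumed, illustrative values).
SUSPICIOUS_EXTENSIONS = {".encrypted", ".locked", ".crypt"}
RANSOM_NOTE_NAMES = {"readme_decrypt.txt", "how_to_restore_files.txt"}
RENAME_THRESHOLD = 5             # this many suspicious renames ...
WINDOW = timedelta(seconds=60)   # ... within this window, per user/host


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, user, host, action, path = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host,
            "action": action, "path": path}


def detect(lines):
    """Return alerts as (rule, user, host, detail) tuples, one per rule hit."""
    alerts = []
    renames = defaultdict(list)   # (user, host) -> timestamps in the window
    flagged = set()               # keys already alerted for the burst rule
    for raw in lines:
        ev = parse_line(raw)
        name = ev["path"].rsplit("/", 1)[-1].lower()
        key = (ev["user"], ev["host"])
        if ev["action"] == "CREATE" and name in RANSOM_NOTE_NAMES:
            alerts.append(("ransom_note_dropped", *key, ev["path"]))
        if ev["action"] == "RENAME" and any(name.endswith(e) for e in SUSPICIOUS_EXTENSIONS):
            stamps = renames[key]
            stamps.append(ev["ts"])
            # Slide the window: drop renames older than WINDOW.
            while stamps and ev["ts"] - stamps[0] > WINDOW:
                stamps.pop(0)
            if len(stamps) >= RENAME_THRESHOLD and key not in flagged:
                flagged.add(key)
                alerts.append(("mass_rename_burst", *key,
                               f"{len(stamps)} renames in {WINDOW.seconds}s"))
    return alerts


# Constructed sample log: jdoe on WS-12 shows encryption-like behaviour,
# asmith on WS-07 is ordinary activity that must not trigger either rule.
SAMPLE_LOG = [
    "2019-07-01T09:00:01 asmith WS-07 WRITE /share/hr/policy.docx",
    "2019-07-01T09:00:02 jdoe WS-12 RENAME /share/finance/q2.xlsx.locked",
    "2019-07-01T09:00:03 jdoe WS-12 RENAME /share/finance/q1.xlsx.locked",
    "2019-07-01T09:00:04 asmith WS-07 RENAME /share/hr/policy-final.docx",
    "2019-07-01T09:00:05 jdoe WS-12 RENAME /share/finance/budget.pdf.locked",
    "2019-07-01T09:00:06 jdoe WS-12 RENAME /share/finance/notes.txt.locked",
    "2019-07-01T09:00:07 asmith WS-07 RENAME /share/hr/old.crypt",
    "2019-07-01T09:00:08 jdoe WS-12 RENAME /share/finance/plan.docx.locked",
    "2019-07-01T09:00:09 jdoe WS-12 RENAME /share/finance/memo.docx.locked",
    "2019-07-01T09:00:10 jdoe WS-12 CREATE /share/finance/README_DECRYPT.txt",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Run against the constructed log, the burst rule fires once for jdoe on WS-12 (on the fifth suspicious rename) and the note rule once for the README_DECRYPT.txt creation; asmith's single `.crypt` rename stays below the threshold. The sliding window and the per-key `flagged` set are the parts worth keeping when porting this to a real SIEM: without them a rule either misses slow encryption or floods the console with duplicate alerts.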
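The backup questions above ask whether the backup honours the RPO and whether restores are actually tested. As an added example (not from the original article or from DLD Lawyers), the script below implements the two checks a restore test should make: is the most recent restorable point younger than the RPO, and does every restored file still match the hash recorded when the backup was taken. The manifest format, the 24-hour RPO, the sample files and the simulated corruption are all constructed for the demo.

```python
"""Backup freshness (RPO) and restore-integrity check.

Added example, not from the original article. Assumes a backup set is a
directory tree plus a manifest of SHA-256 hashes recorded at backup time
(a constructed format). A test restore copies the set elsewhere and verifies
every file against the manifest, which is how silent corruption or a
ransomware-encrypted backup share shows up before you need it.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone

RPO = timedelta(hours=24)   # assumed recovery point objective for the demo


def sha256_file(path):
    """Stream-hash a file so large backup members do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir, taken_at):
    """Record when the backup was taken and a hash for every file in it."""
    files = {}
    for root, _, names in os.walk(backup_dir):
        for n in names:
            full = os.path.join(root, n)
            files[os.path.relpath(full, backup_dir)] = sha256_file(full)
    return {"taken_at": taken_at.isoformat(), "files": files}


def backup_is_fresh(manifest, now, rpo=RPO):
    """True if the newest restorable point is no older than the RPO."""
    taken = datetime.fromisoformat(manifest["taken_at"])
    return now - taken <= rpo


def restore_and_verify(backup_dir, manifest, restore_dir):
    """Copy the set into restore_dir; return relpaths that are missing or
    whose restored hash differs from the manifest (sorted, empty if clean)."""
    bad = []
    for rel, expected in manifest["files"].items():
        src = os.path.join(backup_dir, rel)
        dst = os.path.join(restore_dir, rel)
        if not os.path.exists(src):
            bad.append(rel)
            continue
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
        if sha256_file(dst) != expected:
            bad.append(rel)
    return sorted(bad)


def demo():
    """Constructed scenario: a two-file backup taken at 02:00 UTC, one file
    corrupted after the manifest was written, checked against a 24h RPO."""
    work = tempfile.mkdtemp()
    backup = os.path.join(work, "backup")
    restore = os.path.join(work, "restore")
    os.makedirs(os.path.join(backup, "finance"))
    with open(os.path.join(backup, "finance", "q2.xlsx"), "wb") as f:
        f.write(b"quarterly numbers")            # constructed content
    with open(os.path.join(backup, "clients.db"), "wb") as f:
        f.write(b"client list")                  # constructed content
    taken = datetime(2019, 7, 1, 2, 0, tzinfo=timezone.utc)
    manifest = build_manifest(backup, taken)
    # Simulate the backup share being altered after the manifest was recorded.
    with open(os.path.join(backup, "clients.db"), "wb") as f:
        f.write(b"\x00garbage")
    result = {
        "fresh_same_day": backup_is_fresh(manifest, taken + timedelta(hours=6)),
        "fresh_two_days_later": backup_is_fresh(manifest, taken + timedelta(days=2)),
        "mismatched": restore_and_verify(backup, manifest, restore),
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(demo())
```

The design point is that the manifest is written at backup time and kept with the backup copy that the "backup for our backup system" item refers to, so a later restore test has an independent record to compare against; a hash list regenerated from the same possibly-corrupted share would verify nothing.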
Where do we go from here?
Ransomware can be extremely destructive without controls in place to mitigate its risk and impact. The mechanisms by which it and other malware are instantiated and propagate are becoming more and more complex, making security engineering ever more difficult. Even a trusted vendor can be a viable attack vector.
Predictably, small and medium-sized organizations are slower to respond to the pressures of modern cyber security challenges, but even large organizations can have trouble keeping up. It helps to have open and frank discussions about cyber security and privacy with a security specialist as part of a holistic business strategy.
A functional security strategy requires a top-down effort. I am fortunate to have the full support of senior management at DLD Lawyers, with representation from all departments. Although we are a mid-size firm, we can compete with the biggest of them. If you have any questions or concerns, please feel free to contact us at (305) 443-4850 or by email at email@example.com.
Update (7/16/19): The FBI has made publicly available the decryption keys for ransomware named GandCrab, versions 4 through 5.2, here. Tools to decrypt certain other ransomware can be found here.
About the Author
Roger Jimenez is a certified information systems security professional with more than 15 years of experience in information systems and security management. He serves as DLD Lawyers’ director of IT and security. Roger has a BBA with concentrations in management information systems and marketing and an MS in information technology. Two of his favorite pastimes are making things like sensor-laden, Raspberry Pi-remote-controlled rovers and applications (full stack); and legally breaking [into] things like algorithms and applications. He can be reached at firstname.lastname@example.org