6 easy ways to expose your business to ransomware
Ransomware is rarely the result of an isolated security incident. It is the consequence of a series of IT missteps, and it often exposes poor decision-making that points to deeper management issues that must be fixed.
How big a problem is ransomware? Two recent reports suggest it is significant. Verizon's 2019 Data Breach Investigations Report (DBIR) states that ransomware plays an increasingly important role in many attacks and is often used in conjunction with other malware: according to the report, ransomware was involved in 70 percent of malware infections for the second straight year. Recent research from Malwarebytes also shows an increase in frequency.
The city of Baltimore has become everyone’s favorite ransomware poster child. The city IT infrastructure experienced a series of ransom attacks over the past 15 months. The first two occurred in March and April of 2018; the others began almost a year later.
The first attack, which used the SamSam ransomware, took down a number of city services, including emergency 911 services, online bill paying, the water department, and the court system. The city was still able to make its municipal payroll, and the city-owned airport continued operating uninterrupted. The city refused to pay, and a month later the water department's website was hit by a second attack. The city again refused to pay.
New attacks began in early May 2019, when hackers infected more than 10,000 computers with the RobbinHood ransomware and demanded the equivalent of $100,000 in payment. Again, the city refused to pay, according to news reports.
Baltimore isn't the only city to experience a ransomware attack: Atlanta was hit last year by SamSam and has spent millions of dollars restoring its various systems. Nor were these attacks the most disruptive. Two years ago, WannaCry brought hundreds, if not thousands, of businesses to a standstill. More recently, the city of Riviera Beach, Florida, was hit by ransomware and agreed to pay $600,000, according to the New York Times. Also, this week, Lake City, another Florida city, voted to pay a ransom demand of 42 bitcoins, worth nearly $500,000. Here is a partial list of other similar attacks.
Ransomware attacks have evolved. Initially, most demands were for relatively little money. Today's attacks are more targeted and the demands higher, because attackers carefully case victims and find their weak spots.
While ransomware attacks receive a lot of coverage, the focus is often on the wrong things, including:
- Did the victim pay the ransom? A study detailed in a Recorded Future blog shows some do, and Forrester has been “tracking a notable increase in ransom payouts,” although it doesn't provide specifics. “Organizations should never have to think if paying the ransom is a better way out than restoring data compromised by ransomware,” says Rick Vanover, senior director of product strategy at Veeam Software. In other words, whether a given victim paid is beside the point: an organization that can reliably restore its own data never faces that choice. The ransom demand is usually less than the cost of restoring data, especially when an enterprise is not as well prepared as it could be. Ironically, last year Veeam itself suffered an incident (not ransomware-related) in which an unsecured database exposed millions of email addresses.
- How much did it cost the organization to restore service and data? Costs for attacks on government bodies are usually easier to calculate, because agencies must publish the procurement and other fees they pay to resolve their problems and restore service. Even so, hard numbers are difficult to pin down, because in the process organizations often replace outdated systems that should have been scrapped long ago. Baltimore estimated its recovery will cost at least $18 million. That figure is somewhat misleading, as it includes lost revenue, delays, and estimates of wider financial impact; certainly, it is more than the city's entire annual IT budget. Baltimore may ask for federal disaster aid from FEMA, according to one report, which would be the first time any city has tried that approach.
- What data was deleted or lost? This is a common question as customers and taxpayers are trying to access their lost data post-attack.
- How long were the organization’s servers and networks out of commission? Usually, there is little to no follow-up on what led to the attacks when everything is back in service.
Six bad IT decisions
Instead of asking the tired questions listed above, it's time for a new trope and a different focus. As a Malwarebytes blog post points out, ransomware is “going to take advantage of weak infrastructure, configuration issues, and ignorant users to break into a network.”
To better understand where to find these weak spots, consider these bad decisions that lead to potential risk:
1. Letting sloppy security practices continue, which makes a ransomware attack's root cause hard to track. The usual cause is a single employee clicking on a phishing email. That gives an attacker a foothold from which to move through the enterprise, and it is often why organizations don't know how long an attacker was inside their network before discovery. Establishing this root cause is critical to examining an organization's defensive posture and what its incident response could have done to prevent the attack, and the answers get to the heart of the overall quality of its IT security efforts. Victims of many ransomware attacks had sloppy practices, including network ports open all over the place, few or no multifactor authentication logins protecting access for critical users, and open Server Message Block (SMB) and FTP shares. Rendition Infosec documents these issues in a post about how Atlanta could have done better.
2. Failing to provide consistent ownership of IT infrastructure. Frequent management changes are a related problem. Baltimore has had a series of CIOs come and go, which hobbled its decision-making. Two of the CIOs recently resigned over fraud and ethics allegations. Consistent management is key to preventing future attacks.
3. Delaying patching and deploying system updates. By far the single biggest issue is organizations delaying patches. Baltimore's IT department, for example, came under fire for still not having applied, more than two years later, the patches for the vulnerabilities exposed by the 2017 WannaCry attack. Equifax suffered its own breach in 2017 (not ransomware-related) that could have been prevented had it applied patches in a more timely fashion. Fixing this requires management to enforce the patching schedule and to ensure that resources are available to handle the problems that arise from systems that cannot be patched immediately.
4. Failing to test data recovery processes and procedures. An organization must carefully vet its backup and recovery procedures and examine what data is and isn’t protected. Many ransomware victims never truly tested their recovery processes until it was too late. IT must analyze its own workflows and ensure that they are still relevant and accurate, too. Organizations must understand the weak spots in disaster recovery (DR) plans. That means spending time and deploying personnel to ensure that regular DR planning and drills happen, and that hiccups from these drills are analyzed and eliminated before an actual disaster occurs—ransomware or otherwise. Drills must be scheduled regularly to be effective, especially as network configurations, server orchestration, and other elements change when new systems and applications are brought online. Part of DR planning should be installing email protection tools and performing regular security awareness training so that users can better recognize phishing lures. Phishing is a problem particularly for municipal and other government agencies, often due to a lack of overall IT resources.
5. Not planning for disruptions in staff communications (i.e., email, phone calls, and texts). Many ransomware victims had their email systems knocked out. In Baltimore's case, IT staff tried to set up a batch of consumer Gmail accounts, but Google quickly disabled them; the city should have used business accounts instead. In short, it should have understood Google's policies in advance and arranged fallback accounts ahead of time.
6. A mismatch between the most valuable assets and the protection they receive. It is critical to segment your network and enforce least-privilege access policies so that no single user can reach everything. One organization (which will remain unnamed) gives every user admin rights to its entire network, a ticking time bomb. In another example, not ransomware-related, a heating contractor for a large retailer had access to the retailer's point-of-sale and financial networks because there was a single network segment for everyone. Malwarebytes offers additional suggestions on how to protect your assets.
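As an added example (not from the article or from any of the firms it cites), the following Python script audits for the footholds named in items 1 and 6: risky services (FTP, SMB, RDP) open on hosts outside the organization's own address space, admin accounts without MFA, and admin rights handed out wholesale. The scan output and the account inventory are constructed samples; the port list, the use of the RFC 1918 ranges as "internal", and the admin-ratio threshold are assumptions.

```python
"""Exposure audit for the footholds in items 1 and 6: risky services reachable
from outside the organisation's own address space, privileged accounts without
MFA, and blanket admin rights.  Scan output and account list are constructed
samples; ports, internal ranges and the admin-ratio limit are assumptions."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Services ransomware operators routinely use for entry or lateral movement.
RISKY_PORTS = {21: "ftp", 139: "netbios-ssn", 445: "smb", 3389: "rdp"}

# Assumption: the organisation's internal space is the RFC 1918 ranges; any
# other address is treated as reachable from the internet.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed nmap -oG (grepable) output.  203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges standing in for public addresses.
SAMPLE_SCAN = """\
# Nmap scan (constructed sample)
Host: 203.0.113.10 (fileserver.example.test)\tStatus: Up
Host: 203.0.113.10 (fileserver.example.test)\tPorts: 21/open/tcp//ftp///, 443/open/tcp//https///, 445/open/tcp//microsoft-ds///
Host: 198.51.100.7 (www.example.test)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 3389/filtered/tcp//ms-wbt-server///
Host: 10.20.0.5 (dc01.example.test)\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///
"""

# Constructed account inventory: (username, holds admin rights, MFA enrolled)
SAMPLE_ACCOUNTS = [
    ("alice", True, True),
    ("bob", True, False),
    ("carol", False, False),
    ("hvac-contractor", True, False),  # third party with far more access than its job needs
]

PORT_RE = re.compile(r"(\d+)/(\w+)/tcp")


def parse_grepable(text: str) -> Dict[str, Set[int]]:
    """Return {ip: {open TCP ports}} from nmap -oG output; filtered/closed ignored."""
    hosts: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        ports = hosts.setdefault(ip, set())
        for port, state in PORT_RE.findall(line.partition("Ports:")[2]):
            if state == "open":
                ports.add(int(port))
    return hosts


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def exposed_services(hosts: Dict[str, Set[int]]) -> List[Tuple[str, int, str]]:
    """Risky services open on hosts outside the internal ranges."""
    findings = []
    for ip, ports in hosts.items():
        if is_internal(ip):
            continue
        for port in sorted(ports & set(RISKY_PORTS)):
            findings.append((ip, port, RISKY_PORTS[port]))
    return findings


def privilege_findings(accounts: List[Tuple[str, bool, bool]],
                       admin_ratio_limit: float = 0.5) -> List[str]:
    """Admins without MFA, plus a warning when admin rights are handed out broadly."""
    findings = [f"{name}: admin without MFA"
                for name, is_admin, mfa in accounts if is_admin and not mfa]
    admins = sum(1 for _, is_admin, _ in accounts if is_admin)
    if accounts and admins / len(accounts) > admin_ratio_limit:
        findings.append(f"{admins}/{len(accounts)} accounts hold admin rights")
    return findings


if __name__ == "__main__":
    for ip, port, svc in exposed_services(parse_grepable(SAMPLE_SCAN)):
        print(f"EXPOSED   {ip}:{port} ({svc})")
    for finding in privilege_findings(SAMPLE_ACCOUNTS):
        print(f"PRIVILEGE {finding}")
```

On the sample data the script flags FTP and SMB on the public file server (the filtered RDP port on the web server is not reported), two admins without MFA, and the fact that three of four accounts are admins. Feed it real `nmap -oG` output from a scan of your perimeter and an export from your directory, and replace the internal ranges with your own address plan.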
The Forrester report includes a ransomware incident flowchart. It starts with pre-incident planning and offers suggestions on various responses, including assembling your team (perhaps with ransomware specialists), pre-purchasing bitcoin in case you choose to pay, and validating and recovering from backups. That is a good starting place.
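The backup-validation step in that flowchart, and item 4 above, come down to a restore drill. As an added example (not part of the article, and not any vendor's tooling), the Python script below backs up a constructed data set with a SHA-256 manifest, overwrites the originals the way an encryptor would, restores into a clean location and verifies every file against the manifest. The `skip` parameter is an assumption that models a file the backup agent silently missed, such as a database that was open at backup time, which is exactly the gap a drill exists to find before a real incident does.

```python
"""Restore drill: back up a directory with a SHA-256 manifest, simulate a
ransomware event on the originals, restore into a clean location and verify
every file.  All data is constructed in a temporary directory; this is
illustrative code, not any vendor's backup tool."""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Tuple

# Constructed sample data standing in for a few departments' files.
SAMPLE_FILES = {
    "payroll/2019-05.csv": b"emp,amount\n1001,4200.00\n1002,3900.50\n",
    "court/docket.txt": b"case 19-0421 hearing 2019-06-03\n",
    "water/billing.db": bytes(range(256)) * 4,
}


def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name + ".manifest.json")


def create_backup(src: Path, archive: Path, skip: Iterable[str] = ()) -> Dict[str, str]:
    """Archive src and write a manifest of everything that *should* be protected.
    `skip` (assumption) models files the agent silently missed, e.g. a locked
    database; they stay in the manifest so the drill can catch the gap."""
    skipped = set(skip)
    manifest: Dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256(p)
                if rel not in skipped:
                    tar.add(p, arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest, indent=1))
    return manifest


def simulate_ransomware(src: Path) -> None:
    """Overwrite every file with random bytes and rename it, as an encryptor does."""
    for p in list(src.rglob("*")):  # materialise the listing before renaming
        if p.is_file():
            p.write_bytes(os.urandom(p.stat().st_size))
            p.rename(p.with_name(p.name + ".locked"))
    (src / "README_FOR_DECRYPT.txt").write_text("send 13 BTC\n")


def restore_and_verify(archive: Path, dest: Path) -> Tuple[bool, Dict[str, str]]:
    """Extract into dest and compare every restored file with the manifest.
    Returns (all_ok, {path: "ok" | "missing" | "hash mismatch"})."""
    manifest = json.loads(manifest_path(archive).read_text())
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):  # refuse path traversal where supported
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
    status: Dict[str, str] = {}
    for rel, expected in manifest.items():
        p = dest / rel
        if not p.is_file():
            status[rel] = "missing"
        elif sha256(p) != expected:
            status[rel] = "hash mismatch"
        else:
            status[rel] = "ok"
    return all(s == "ok" for s in status.values()), status


def run_drill(skip: Iterable[str] = ()) -> Tuple[bool, Dict[str, str]]:
    """Full cycle in a throwaway directory: seed data, back up, get hit, restore, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, backups, restore = root / "data", root / "backups", root / "restore"
        for rel, data in SAMPLE_FILES.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(data)
        backups.mkdir()
        archive = backups / "nightly.tar.gz"
        create_backup(src, archive, skip)
        simulate_ransomware(src)  # the originals are now worthless
        return restore_and_verify(archive, restore)


if __name__ == "__main__":
    for label, skipped in (("complete backup", ()),
                           ("agent skipped billing.db", ("water/billing.db",))):
        ok, status = run_drill(skipped)
        print(f"{label}: {'PASS' if ok else 'FAIL'} {status}")
```

The second run reports `water/billing.db: missing` and fails the drill, which is the result you want to see in a rehearsal rather than during an incident. Two design points carry over to real tooling: the manifest is derived from the live inventory, not from the archive, so an incomplete backup cannot verify itself as complete; and the restore goes to a clean location and is checked by hash, not by the archive's own listing.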
We have a long way to go before we eradicate ransomware. The better your overall IT governance is, the lower the chance you will be ransomware's next victim.
Better IT decisions lead to better ransomware protection: Lessons for leaders
- Beef up your IT security practice so you can track the root cause of any potential ransomware attack.
- Maintain IT management continuity and consistent ownership of IT infrastructure.
- Implement a solid patching program to deploy regular system and server updates.
- Create and verify appropriate data recovery processes and procedures.
- Plan ahead for potential disruptions in staff communications (i.e., email, phone calls, and texts) during an attack or outage.
- Identify your most valuable assets and match their protection to their value.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.