
Ransomware: More often an indiscriminate attacker! – Part 2

For Part 1, please click here.

How firms can respond

GDFM provide a comprehensive cyber readiness program which incorporates industry standards including NIST and elements of ISO 27001. The solution is structured around the five areas of the life-cycle of managing cyber security risk: Identify, Protect, Detect, Respond and Recover.

The approach identifies the organisation's current state of cyber readiness, its target state and the gap between them, with particular emphasis on staff awareness training to reduce the risk from ransomware. The result is a project plan for reaching the desired level of protection, taking into account the organisational risk assessment, risk tolerance, resources and funding.

Implementing this approach supports existing measures and identifies areas where additional measures are needed to bring protection up to the desired organisational posture.

As the number of examples shows, too many firms do not sufficiently consider their cyber readiness, or plan for responding to a ransomware attack, until their data has been encrypted and they face the decision of whether to pay a ransom. While firms which have taken no precautions against ransomware are understandably inclined to cooperate with cybercriminals in order to save their business, and 97% of victims report that paying a ransom did lead to the recovery of their data, this is far from an ideal option. [1]

Not only does paying cybercriminals encourage further attacks by keeping the ransomware business model profitable, it also fails to protect against those cybercriminals who are known to steal data as well as encrypt it. [2] Where groups subject to international sanctions, such as EvilCorp, are involved, firms that pay a ransom also risk penalties from the US Treasury for breaching its sanctions regime. [3]

By adopting a cyber readiness program, firms can avoid this undesirable scenario through taking the following measures:

Target hardening

It is never possible for a firm to fully guarantee that it will not become the target of a ransomware attack. In the same way that a responsible homeowner takes reasonable precautions, such as installing a burglar alarm, in the knowledge that burglars are more likely to choose an easier target, firms can take steps to make their systems less attractive to criminals.

  • Employee training – Given the role of spam and social engineering in facilitating the majority of ransomware attacks, improved employee awareness is key. Firms must teach their staff the techniques attackers use to manipulate their victims, so that they learn to identify suspicious emails by content such as the promise of an unexpected reward.[4]
  • Strengthening infrastructure – The best protection against software faults is the updates that vendors provide to ‘patch’, or repair, identified security vulnerabilities. Firms can therefore secure their systems by updating their software regularly. Given that vendors only patch the more recent versions of their software, firms should actively ensure that the versions they run do not become outdated.[5]

Attack mitigation

In the event that an attack does take place, firms can take precautions to mitigate the damage to their activity so as to avoid being forced to pay a ransom.

  • Incident response plan – In the event of a ransomware attack, firms must have a strategy for managing the crisis. Working with policy experts, they should put mechanisms in place for rapidly restoring the provision required for key services, as containing data breaches in less than 200 days is believed to reduce their costs by over $1 million.[6, 7]
  • Communications – A key part of the wider incident response. Firms must clearly communicate the situation to reassure clients and prevent the spread of possibly misleading information, thereby avoiding the confusion seen at Garmin.[6, 7]
  • Recovery plan – Firms must ensure that they can recover and continue to operate after the attack. As ransomware relies primarily on making data unusable, the harm it causes can be mitigated by backing up data regularly. To gain maximum protection, firms should ‘air-gap’ their backups, meaning that the data is stored on separate infrastructure that is disconnected from the internet.[8] Even backing up data daily requires accepting that data from business on the day of the attack will still be lost, but it ensures that, unlike Garmin, a firm can continue its essential activities without paying a ransom.
  • Testing – Where backups are part of a recovery plan, they need to be tested. A corrupted backup file is of no use should an attack occur. Responding to a simulated ransomware attack will provide reassurance that the actions taken achieve the objective of delivering timely business continuity.
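One way to make the "test the backups" step concrete, as an added example that is not from GDFM or the original article: a small Python script that records a SHA-256 manifest alongside each backup and re-checks it before a restore is trusted, flagging files that are missing or no longer match. The file names and contents in the demo are constructed.

```python
import hashlib, json, os, shutil, tempfile

MANIFEST = "MANIFEST.json"

def sha256_of(path):
    # Stream the file so a large backup does not have to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def write_manifest(backup_dir):
    # Hash every file in the backup set at backup time; the manifest travels with the copy.
    manifest = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            if name != MANIFEST:
                full = os.path.join(root, name)
                manifest[os.path.relpath(full, backup_dir)] = sha256_of(full)
    with open(os.path.join(backup_dir, MANIFEST), "w") as f:
        json.dump(manifest, f)
    return manifest

def verify_backup(backup_dir):
    # Re-hash everything the manifest lists; report files that are missing or no longer match.
    with open(os.path.join(backup_dir, MANIFEST)) as f:
        manifest = json.load(f)
    problems = {}
    for rel, expected in manifest.items():
        full = os.path.join(backup_dir, rel)
        if not os.path.exists(full):
            problems[rel] = "missing"
        elif sha256_of(full) != expected:
            problems[rel] = "corrupted"
    return problems

def demo():
    # Constructed scenario: copy two sample files, verify, then damage the copy and verify again.
    work = tempfile.mkdtemp()
    src = os.path.join(work, "live")
    os.makedirs(src)
    for name, body in (("ledger.csv", b"2020-09-01,invoice,100\n"), ("clients.txt", b"acme\n")):
        with open(os.path.join(src, name), "wb") as f:
            f.write(body)
    backup = os.path.join(work, "backup")
    shutil.copytree(src, backup)
    write_manifest(backup)
    clean = verify_backup(backup)                      # {} on a good copy
    with open(os.path.join(backup, "ledger.csv"), "ab") as f:
        f.write(b"\x00\x00")                           # simulate silent corruption
    os.remove(os.path.join(backup, "clients.txt"))     # simulate a lost file
    return clean, verify_backup(backup)
```

A restore drill should still go further than this, restoring into a separate environment and confirming that key services start, but a manifest check catches silently corrupted copies cheaply and should be run against the air-gapped copy as well.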

Recent reporting suggests that all too often cybercriminals are exfiltrating data before encrypting the systems. The rationale for this activity appears to be to negate the mitigation provided by air-gapped backups. Therefore, even if systems are returned to ‘normal’ after a backup is restored, the criminals can continue to blackmail the firm by threatening to offer the data for sale on online forums. [9]

With the appropriate target-hardening and mitigation measures in place, firms can take comfort in knowing that they face any ransomware threat as well prepared as possible.

The investment in staff awareness must be a key factor in preventing ransomware attacks.


Sources

[1] 2018-2020 Ransomware statistics and facts, Sam Cook, Comparitech, 15 June 2020
[2] US liquor giant hit by ransomware – what the rest of us can do to help, Paul Ducklin, Sophos, 18 August 2020
[3] Garmin Reportedly Paid a Ransom, Doug Olenick, Data Breach Today, 5 August 2020
[4] What is Social Engineering?, Kaspersky
[5] What is WannaCry ransomware?, Kaspersky
[6] Data Breaches, Thomson Reuters
[7] Be prepared: Why you need an incident response policy, Veronica Combs, TechRepublic
[8] Cyber-Espionage Malware Targets Air-Gapped Networks: Report, Akshaya Asokan, Data Breach Today, 15 May 2020
[9] 99 Ransomware Problems – and a decryptor ain’t one: Report, Mathew J. Schwartz, Data Breach Today, 8 September 2020