Ransomware Part Two: Before an Attack

Stephen DeAngelis

November 4, 2021

“Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data.” That was the message that appeared on computer screens at Colonial Pipeline last May. Journalists Ellen Nakashima (@nakashimae) and Rachel Lerman (@rachelerman) report, “The extortionists said, ‘you can restore everything by purchasing a special program from us — universal decryptor.’ This program, the message said, ‘will restore all your network.’ The price: $1.2 million. They also had stolen 1 terabyte — the equivalent of 6.5 million document pages — of the company’s sensitive data. If the firm did not pay to decrypt it, the data would be ‘automatically published’ online, the hackers said, according to the note.”[1] Waking up to find your company locked out of its data is a nightmare — a nightmare that is occurring on a more frequent basis. Below are some suggestions about what you can do to protect your business before a ransomware attack.


Before an Attack


Freelance writer Taylor Machuca-Koniw observes, “The best way to stop a ransomware attack is by preparing for one. Implementing a strong security strategy that includes a layered approach is the best way to protect your network from being held to ransom.”[2] Don’t be fooled, however, into thinking it’s going to be easy. Adam Eckerle (@eck79), Director of Technical Marketing at Rubrik, notes, “Preventing a ransomware attack is hard. Some may say it is near impossible even with the latest technology and a sound defense-in-depth approach.”[3] Nevertheless, doing something is always better than doing nothing. Machuca-Koniw briefly describes six actions a company can take before it falls victim to a ransomware attack. They are:


1. Create a cybersecurity response team. Machuca-Koniw explains, “Whether in-house or outsourced, establishing a cyber incident response team will allow your business to respond swiftly to any cyber threat.” A cybersecurity response team generally develops a ransomware response and recovery plan. Eckerle cautions, however, “Within a ransomware recovery plan there lies many decisions and nuances. For example, what should the priority be — quick recovery and return to operations, forensics to determine the cause of the attack, or minimizing data loss during recovery?” He believes those are mutually exclusive goals. As a result, he suggests upfront planning and the use of machine learning solutions are essential for pre-attack preparation.


2. Strengthen email security. As I noted in Part One of this article, email is often the point of vulnerability used by hackers to gain access to a company’s data. Machuca-Koniw writes, “Ensure your current email gateway is strengthened with email encryption as well as other mandates such as a Sender Policy Framework (SPF) to automatically remove spam and phishing emails.” Often, however, the weak link in email security is the employee, not the system itself.
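To make the SPF mandate concrete, here is an added example (not code from the post or from any product it names) of the check a gateway performs: it looks up the sending domain’s published policy and decides whether the connecting IP is authorised. The domain names, records and gateway policy are constructed, and only the ip4, ip6 and all mechanisms are implemented.

```python
import ipaddress

# Constructed SPF records for hypothetical domains (not real DNS data). A real
# gateway fetches the TXT record of the envelope-from domain at delivery time.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "partner.example": "v=spf1 ip4:198.51.100.7 ~all",
}
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(domain, sender_ip, records=SPF_RECORDS):
    """Return pass / fail / softfail / neutral / none for a connecting IP.

    Only the ip4, ip6 and all mechanisms are handled, which is enough to show
    how the gateway tells an authorised sender from a spoofed one.
    """
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"            # no policy published: SPF cannot decide
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"          # a mechanism without a prefix means "pass"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            matched = ip.version == network.version and ip in network
        else:
            continue             # include/a/mx etc. are out of scope here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"

def gateway_action(domain, sender_ip):
    """Map the SPF result onto a gateway decision (constructed policy)."""
    result = evaluate_spf(domain, sender_ip)
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "quarantine"
    return "deliver"
```

Note that SPF only verifies the sending server for the exact domain in the envelope; a phishing message sent from a lookalike domain the attacker controls will pass, which is why staff awareness remains necessary.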


3. Enhance your patch management strategy. Machuca-Koniw writes, “Prioritize patching critical systems and applications to ensure all vulnerabilities are identified and repaired.” While keeping software updated is critical, as I pointed out in Part One of this article, hackers often attempt to infiltrate company systems by trying to convince users they are downloading a required update from a legitimate company.


4. Enhance your backup strategy. Machuca-Koniw suggests, “Keep a separate and encrypted data backup network in the event of a cyber threat or disruption that could result in loss of data.” Eckerle notes that his company’s lead security engineer insists, “With an effective backup solution, ransomware can ideally be reduced to a minor inconvenience.”


5. Keep your staff aware. As noted above, humans are often the weakest link in a layered defense. Machuca-Koniw explains, “Educating your staff through the use of a security awareness plan will help them become warier of threats such as phishing emails and suspicious files.”


6. Consider cyber insurance. According to Machuca-Koniw, “Cyber insurance policies cover companies and consumers for financial or data loss in the event of a cyber-attack such as ransomware.” However, cyber insurance might not be an available option in the years ahead. The Economist reports, “Officials in America, Britain and France want to ban insurance coverage of ransom payments, on the ground that it encourages further attacks. Better to require companies to publicly disclose attacks and their potential cost. In America, for example, the requirements are vague and involve large time lags. With sharper and more uniform disclosure, investors, insurers and suppliers could better identify firms that are underinvesting in security. Faced with higher insurance premiums, a flagging stock price and the risk of litigation, managers might raise their game. Manufacturers would have more reason to set and abide by product standards for connected gizmos that help stem the tide of insecure IoT devices.”[4]


Another reason to be cautious about cybersecurity insurance is that it may actually make your company more vulnerable. Jake Davis, a convicted hacker who now legally helps companies improve their cybersecurity, notes, “Hackers today target cyber insurance companies specifically so they can get lists of clients, so they know who to hack. They then get a higher likelihood of receiving a payout.”[5] He goes on to observe, “Cyber insurance companies now often refuse to payout ransom demands. There are 40 or so companies about the $500 million premium threshold and if only a few of those are hit and get a maximum payout then you’re looking at over half a century of premiums. At the moment it’s risky for companies getting cyber insurance but it’s also risky for the cyber insurance companies themselves.”


With more datasets residing in the cloud, industry expert and thought leader David Linthicum (@DavidLinthicum) insists companies also need to understand what cloud providers are doing to protect their data from ransomware.[6] He asserts that the best practices to prevent ransomware in the cloud include:


Security Monitoring. “Security monitoring,” Linthicum insists, “is the best defense against ransomware. This includes detecting attack attempts as well as monitoring other ways ransomware can get into your cloud-based systems, such as phishing emails.” Companies, he writes, “should be proactive.” He adds, “Leverage your cloud provider’s native security systems to not only set up defenses, but to actively monitor all systems by looking for things such as failed log-in attempts, CPU and I/O saturation, and even suspicious behavior by authorized users. Once a threat is detected, respond.”


Automated Response. According to Linthicum, “The response should be automated. If you’re sending texts or emails to security admins, it’s likely too late. Automated systems can lock out certain suspect IP addresses and automatically kill processes that are behaving suspiciously. Other actions could include forcing password changes to accounts to prevent cloud account takeover based on monitored activity. Even initiating backups in case the attack is successful, to be prepared to move quickly to recovery. There is a human element to responding, including activating a well-trained response team to follow a set of preplanned processes. This should include communicating with others interacting with the cloud-based systems, such as customers and suppliers, as to their risks and courses of action.”
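The two Linthicum points above (monitoring for failed log-in attempts, then responding automatically) can be illustrated together. The following is an added example, not code from the post or from any cloud provider: it parses constructed sshd-style log lines, flags any source address with five or more failures inside a one-minute window, and turns each alert into the automated actions the text mentions (locking out the address and forcing a password change on the targeted accounts). The log format, thresholds and response policy are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sshd-style log lines (sample data, not from any real system).
SAMPLE_LOG = """\
2021-11-04T08:00:01 sshd[101]: Failed password for admin from 203.0.113.5
2021-11-04T08:00:04 sshd[102]: Failed password for admin from 203.0.113.5
2021-11-04T08:00:09 sshd[103]: Failed password for root from 203.0.113.5
2021-11-04T08:00:15 sshd[104]: Failed password for admin from 203.0.113.5
2021-11-04T08:00:20 sshd[105]: Failed password for admin from 203.0.113.5
2021-11-04T08:05:00 sshd[106]: Failed password for alice from 198.51.100.20
2021-11-04T08:30:00 sshd[107]: Failed password for alice from 198.51.100.20
2021-11-04T08:31:00 sshd[108]: Accepted password for alice from 198.51.100.20
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
                     r"password for (?P<user>\S+) from (?P<ip>\S+)$")

def parse_log(text):
    """Yield (timestamp, result, user, ip) for every line that matches."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]

def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Map IP -> targeted users for IPs with >= threshold failures in one window."""
    failures = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "Failed":
            failures[ip].append((ts, user))
    alerts = {}
    for ip, evs in failures.items():
        evs.sort()               # sliding window over chronological failures
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1       # drop failures that fell out of the window
            if end - start + 1 >= threshold:
                alerts[ip] = sorted({u for _, u in evs[start:end + 1]})
                break
    return alerts

def plan_response(alerts):
    """Turn alerts into automated actions (constructed policy)."""
    actions = []
    for ip, users in sorted(alerts.items()):
        actions.append(("block_ip", ip))
        actions.extend(("force_password_reset", u) for u in users)
    return actions
```

The two slow failures from 198.51.100.20 followed by a success look like a user mistyping a password and stay below the threshold, while the burst from 203.0.113.5 produces a block and two forced resets.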


Concluding Thoughts


As you can see, there is a lot that can be done before a ransomware attack occurs. Nevertheless, the ransomware threat is a difficult challenge — no matter how many precautions you take. The Economist notes, “A cloud of secrecy and shame surrounding cyber-attacks amplifies the difficulties.” It’s understandable why companies are a bit sheepish about admitting attacks. Davis explains embarrassment runs particularly high when a company is “knocked out by cheeky attacks by kids.” He adds, “They don’t admit it, because it would look bad to say we forgot to lock this door, but this is what most hacks are, and it will continue that way until we correct this basic posture.” Every company is vulnerable. Being truthful when attacks occur can help make everyone a bit safer by exposing vulnerabilities that could be widespread. In the concluding part of the article, I will discuss what a company can do during and after an attack.


Footnotes
[1] Ellen Nakashima and Rachel Lerman, “Ransomware is a national security threat and a big business — and it’s wreaking havoc,” The Washington Post, 15 May 2021.
[2] Taylor Machuca-Koniw, “How To Develop A Strong Ransomware Strategy,” Datafloq, 14 June 2021.
[3] Adam Eckerle, “Using Machine Learning for Anomaly Detection and Ransomware Recovery,” CIO, 16 September 2021.
[4] Staff, “To stop the ransomware pandemic, start with the basics,” The Economist, 19 June 2021.
[5] Stuart Sumner, “Former Anonymous and Lulzsec hacker discusses his criminal past and gives his top tips for avoiding ransomware,” Computing, 2 July 2021.
[6] David Linthicum, “Don’t be a ransomware victim,” InfoWorld, 9 July 2021.