Protecting your organization from ransomware
Ransomware is one of the most common cyberattacks, targeting a variety of industries and organizations, often used by organized crime groups. In addition to their rise in numbers, ransomware group’s methods and tactics have evolved. Double extortion methods allow cyber criminals to both encrypt and transfer data from their victims. These hackers threaten that if the ransom is not paid within an allotted time, they will refuse the decryption key and sell the stolen data on the dark web.
Surefire Cyber is a CAI partner specializing in pre-incident planning, incident response, and post-incident services. They offer digital forensics, e-discovery, expert witness, and cybercrime services.
Brian Dykstra, Director of Forensics at Surefire, has been involved in several cases including negotiation with ransomware threat actors, and shares his insights about this form of cybercrime.
Should I pay the ransom?
Dykstra warns that criminals have been known to expose stolen data even if a ransom is paid. There are cases where the promise has been broken, and the data was leaked after payment.[i] He adds that organizations that track dark web activities have reported on large ransomware groups selling victim data that they ‘promised’ to destroy.
Because the answer to this question is nuanced, I recommend weighing out options prior to a payment decision.
The FBI has stated they do not support paying; their website states that, “it also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.”[ii]
I often advise clients that since the likelihood of exfiltrated data being exposed is high, paying the ransom is essentially nothing more than purchasing the decryption key. Even so, there are no guarantees you’ll get your data back. In some cases, with smaller less-funded groups, the key will not always work. And since data is digital, the threat actors can easily copy it from the organization’s systems.
Additionally, the ransom also does not include the entire cost of recovery. Other costs include the hours to remediate the attack, communication costs, increasing insurance premiums, and legal and regulatory fees.[iii] Recovery speed can influence how an organization would benefit from paying the ransom. Good backups and restoration procedures are the secret. An organization that can rapidly recover their systems and continue operations has the luxury to ignore paying for just a decryption key.
The effects of ransomware
In many cases, ransomware has only hit a part of the organization. It could be contained and not totally disable operations, allowing incident response teams more time to investigate and minimize the damage. However, if there are critical functions that impact human lives, such as hospitals, paying the ransom may be a viable option.
Dykstra warns that not all organizations are as fortunate. “Some companies have had their data backups destroyed by the ransomware group,” he said. “And most of their data is encrypted with no possibility of recovery…facing the very real possibility of having to cease operating as a business, failing to deliver on current contracts, and having to fire hundreds or thousands of employees, paying a ransom can be the best unhappy decision.”
Preparing and planning for a ransomware attack
In my years as a consultant, I often let clients know that a cyberattack should be expected. However, there are steps that organizations can take to prepare for and minimize the impact.
The following are 6 cybersecurity actions that can help:
- Asset management: Along with inventory control, this is one of the most crucial steps towards protective measures. Organizations need to understand their data, where it is stored, and how it is used. This includes knowing how data moves through the organization, what applications and systems it touches, and who can access it.
- Multifactor authentication (MFA): MFA is an authentication method that requires the user to provide two or more verification factors to gain access to a system or an environment. Enforcing MFA on servers, virtual machines, email, and remote access solutions can make it more difficult for an unauthorized user to access systems.
- Patch management: Threat actors are always looking for ways to exploit vulnerabilities. Patching these vulnerabilities minimizes the potential of attack. Maintain a program of regular patching for all network devices, servers, workstations, virtual machines, and applications.
- Develop an incident response plan: Breaches may happen despite the best network defenses. A cybersecurity contingency and incident response plan can reduce the risk of operational disruption when a breach happens. This plan should be reviewed and updated annually. This can be done in the form of table-top exercises and reviews with key stakeholders. This ensures that everyone knows their role during a cyberattack and can minimize the damage and impact to the organization.
- Select an endpoint/managed detection and response (EDR/MDR) provider: One of the most effective things organizations can do is find a partner to help them track and prevent malicious actors from causing harm. Early detection of a threat actor in the environment allows for a less costly means of getting them out or limiting their ability to do damage. The ideal services from such a provider include:
- Containment and investigation: Effective providers will quickly take control of an infected system and isolate it for advanced forensic analysis.
- Response: In addition to containment, providers should disable all known operational capabilities of the threat actor and support your incident response plan.
- Threat hunting: This is more than identifying known vulnerabilities but discovering zero-day and new advanced threats. This allows you to continuously evolve and remain proactive in protecting your environment.
- Backups and rehearsal: Make sure you are backing up your data on a regular basis. At a minimum, this is recommended once a week, but, if possible, every 24 hours. Additionally, perform periodic restore and recovery testing to ensure that your backups are effective.
It is possible to limit the impact of a cyberattack. Engaging a qualified partner to help assess, address, and mitigate cybersecurity threats can be an essential part of your strategy.
CAI’s cybersecurity solutions offer end-to-end assessment, governance, planning, management, and administration to increase your cybersecurity resilience.
To learn more about preparing for and mitigating a cyberattack, or to start a cybersecurity assessment for your organization, contact one of our experts.
[i] Ellis, Jessica. “Ransomware Groups Break Promises, Leak Data Anyway,” Phish Labs. November 25, 2020. https://www.phishlabs.com/blog/ransomware-groups-break-promises-leak-data-anyway/
[ii] FBI. “How we can help you – ransomware.” November 15, 2022. https://www.fbi.gov/how-we-can-help-you/safety-resources/scams-and-safety/common-scams-and-crimes/ransomware
[iii] Hayes, Nick. “How To Calculate the Hidden Costs of Ransomware.” Ransomware.org. August 15, 2022, How To https://ransomware.org/blog/how-to-calculate-the-hidden-costs-of-ransomware/