The recent attack on Colonial Pipeline's systems brought ransomware to the forefront of the news, and many Americans learned about it for the first time as they experienced the impact through higher gas prices and shortages caused by panic buying. Ransomware attacks have become increasingly prevalent: Verizon's 2021 Data Breach Investigations Report says ransomware incidents grew by 6% last year. Criminals have attacked all kinds of institutions, from private businesses to local governments and hospitals.
Colonial Pipeline paid the attackers $5 million to regain control of their systems. It's understandable why companies sometimes pay ransoms; they may not have other options for quickly restoring their IT systems. Ransomware has long posed a threat, but this incident may be a tipping point towards ransomware being seen as a serious problem. The criminal gang responsible likely drew more heat than they could handle when they attacked critical infrastructure that falls under the umbrella of US national security. They have since disbanded, although whether that is a survival tactic or a result of law enforcement activity remains to be seen.
President Biden's recent executive order on improving cybersecurity raises standards for government agencies and mandates a number of other security and process changes. It is a step in the right direction for better security. However, signing an executive order is one thing; performing the work it outlines will be a monumental task.
Cryptocurrencies and cryptocurrency exchanges are under a microscope these days due to their role in facilitating ransomware and other online crime. While cryptocurrencies can be used for legitimate purposes, they also make it easier to pay large ransom payments. While there were previous methods of paying ransoms like gift cards or money transfers, cryptocurrencies enable criminals to receive large payments without having to deal with a regulated system. Then they can use a cryptocurrency exchange located in a country with lax rules to change their cryptocurrency to fiat currency.
How can I mitigate the threat posed by ransomware?
Ransomware can bring your business to a screeching halt. Here are three ways to reduce your risk:
- Improve your security – this is a very general recommendation, as every organization’s immediate security needs will be different. However, everyone can benefit from implementing best practices, like using multi-factor authentication whenever possible, removing administrator permissions from end-users, and making sure people only have access to what they need to perform their jobs. A good IT consultant can evaluate where your organization stands security-wise, prioritize what needs to be fixed, and develop a plan.
People often do not appreciate the value of good security because it results in "nothing happening": things just work as expected. Then, over time, fewer and fewer resources are devoted to security until a major security incident occurs. An ounce of prevention is worth a pound of cure; it is better to pay for good security now than to end up paying that money to criminals to restore your systems.
- Backups - the main method for recovering from ransomware without obtaining the decryption key is to restore systems from backup. It is critical that your backups are not also infected with ransomware. Care must be taken when selecting a backup vendor or setting up a backup system to make sure there is an offline backup component. Offline backups are not readily accessible, which means they cannot easily be infected by ransomware.
It's important to note that recovering from ransomware is not just a matter of restoring from backup. You must determine how the breach occurred, then patch systems to close whatever security holes exist; otherwise systems may get re-infected. Consultants with specialized knowledge may be necessary. Additionally, companies don't always test restoring systems from backups, so they may discover issues with the process only when they need it most. To avoid this, backup testing should take place yearly as a preventative measure, which will also help if a system needs to be restored from backup for other reasons.
- Obtain Cyber Insurance - many organizations have decided to mitigate the risk of ransomware and other cyber-attacks by purchasing cyber insurance. Typically, this insurance will cover ransomware and includes some degree of coverage for a ransom payment. This is becoming more controversial, as paying ransoms encourages future crimes of the same nature. French insurer AXA recently signaled they will no longer write new cyber-insurance policies covering extortion payouts to criminals (they also just had one of their businesses impacted by ransomware). This could be a sign of a coming global change, as insurance companies are loath to encourage payouts. Things could also change if legislation is passed restricting or eliminating the ability to pay ransoms.
Ransomware Tactics Are Evolving
Criminals have learned from their experiences and have adapted their ransomware tactics to become more effective. There are often dual ransom demands: one for the key to decrypt systems, the other in exchange for the data not being published or sold. Criminals are aware that a backup system can save a company from being extorted, so they may make more of an effort to encrypt or destroy backup data. They may lie low longer after gaining initial access, to make sure they have the time necessary to take care of backups. Criminals also like to target companies that have cyber insurance, so if you do obtain insurance, it is best to keep knowledge of the policy closely guarded if possible.
IT is constantly changing, and IT security is no exception. Ransomware attack and defense tactics will continue to evolve. Would you like help improving your IT security? Contact us at iuvo Technologies today!