While ransomware continues to be a threat, it has evolved from its simple beginnings – from encrypting most files on a single system and asking for a relatively small payout in a cryptocurrency, to more sophisticated methodologies like affecting data exfiltration, attacking databases, spreading laterally among different systems, and credential grinding. More recently, ransomware appears to have taken a slight backseat to crypto jacking (i.e. using a host’s target computer to mine cryptocurrency without their explicit permission) as it’s seen as offering a better payout proposition. Nevertheless, ransomware has not completely disappeared, and I expect that weak implementations of IoT (Internet of Things) will be an even-more popular target of interest for ransomware in the future.
Ransomware has evolved in almost an Amazonian manner since it exploded in popularity a few years ago. On the surface, it appears to strike an excellent balance between profitability and the aversion to pay. By this, I mean: if the ransom is too high, the “client” will avoid paying the ransom and find another way to soldier on (e.g. restore from backup, survive with lost data, re-create full data from fragments, etc.). As the attacker, it’s important to find the “sweet spot” in which the ransomed company feels it’s a reasonable price to retrieve the data. I expect that going forward, there will be more targeted attacks – where if the attacker believes that the target can afford a more expensive ransom, they’ll ask for it.
But does it make sense to negotiate with a ransomware attacker?
Paying the ransom typically is not recommended, although victims often choose to pay. Unfortunately, it is probably the fastest, most efficient way to regain control of hijacked data. But, it also adds fuel to the fire. If you pay the ransom, there is no guarantee you will get your data back, that the data will be restored, or that the data was not exported elsewhere. IF you have data that you are unable to restore, where the effort to affect such a restore would be financially punitive, I suppose I would entertain the negotiation with a ransomware attacker. However, as a default mode, I would not negotiate as there is no guarantee that they won’t already be in your network. Also, by paying a ransom, you put yourself at risk for future attacks. If a hacker is successful the first time, they will try again.
Many also assume that when you pay a ransom, your files will be fully restored. This isn’t always the case. Depending on the variant of the malware, you may receive some, all or none of your files once you pay. It’s just not worth the risk.
So, what can companies do?
Companies can significantly reduce their risk by hardening their security posture. Here’s a short checklist to ensure the cybersecurity essentials are covered:
- Recognize how most common successful attacks are initiated.
- Publish an acceptable use policy.
- Enforce a rigorous password policy.
- Blacklist known bad domains within DNS and known bad IP addresses. Block blacklisted/whitelisted content at the firewall level.
- Block content based on executables and file suffix. Scan all embedded URLs, sandbox all attachments and enforce non-mail-based file transfers.
- Minimize the number of users with administrative privileges.
- Ensure patching is up to date and done so in a timely manner.
- Ensure all security infrastructure is updated and running properly.
- Back up all critical systems and test restore process quarterly. Backup critical workstation components, test restore processes monthly.
- Log system accesses, and regularly review and look for anomalies.
- Implement a continuous monitoring methodology.
- Don’t forget about physical security (such as locked doors and encryption).
- Train and educate staff to help with proactive detection of malicious content and perform monthly phishing testing.
Ransomware demonstrates that the responsibility for cyber security practices are not limited to the IT team or even the security team. Every level of an organization plays a role in protecting its networks, and while a lot of firms see third-party service vendors as an extension of their organization, they can be the weakest security link. Ensuring that a third party’s cyber security posture is up-to-date should be an important part of any pre-engagement process.
In the end, the tragedy of ransomware is that many companies will fail to act until after an infection. In the meantime, the threat from this pernicious class of malware is mounting. There’s such an evolution in ransomware that I can’t see it ever going away.