The debate over whether or not to pay the ransomware demand has gone on for a while now. The FBI has long urged businesses to refuse all demands for a ransom payment. And while most businesses aren’t exactly excited to shell out a ton of money to criminals, if their backups are corrupted or they are facing extended downtime, paying the ransom may start to feel like the only option. Adding to the debate, last week the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) released updated ransomware guidelines, reinforcing the FBI’s stance and possibly opening the door to imposing fines on organizations that pay up.
In the updated guidelines, the OFAC states that the U.S. government “strongly discourages businesses from paying ransom demands, arguing these payments may help fund future attacks against the U.S. The OFAC also makes the point that paying the ransom in no way guarantees you will ever see your data again or that the attackers didn’t make a copy of your sensitive information to use against you later.
However, the OFAC is doing more than strongly discouraging payments, they may also start imposing civil fines on those who do pay. “U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities (“persons”) on OFAC’s Specially
Designated Nationals and Blocked Persons List (SND list).” And just last month the OFAC added SUEX, a cryptocurrency exchange service, to that list. According to OFAC, over 40% of transactions on SUEX are more illegal purposes, include ransomware payments.
These new guidelines, therefore, give the U.S. government to fine businesses who decide to pay the ransom. However, Treasury Department is careful to clarify that other, preventative measures businesses take against ransomware may save businesses from dealing with public civil fines. Such mitigating measures include maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols, among others.
Incident response plans are essential for mitigating the effect of any form of cyber attack. A good plan involves not only having a detailed roadmap for how to respond to various cyber attacks but also includes bringing in a team of employees how are responsible for carrying out different parts of the plan, running test scenarios with that team, then making any necessary adjustments from what didn’t work during the tests. When it comes to incident response, a quick, competent, and efficient response is essential to mitigating risk and limiting damage.
Backups are also critical for dealing with a ransomware attack, potentially allowing you to get your data back without ever having to deal with the attackers. And because these backups are so important, it’s essential to be smart about how you do it. First, use the 3-2-1 approach to backups. You want to have 3 backups on hand so you have multiple options in case one gets corrupted. 2 backups should be kept on-site for easy access, but 1 should be stored off-site and offline, to ensure the attackers can’t get a hold of that too. And because ransomware attackers often steal administrative credentials, you should use separate passwords for your backups.
Summer is barely over, but given the myriad of highly publicized ransomware attacks that have taken place this year alone, it’s probably pretty likely business leaders everywhere are desperately trying to ensure that no ransomware attackers can get into their systems. And while it’s great that more organizations are starting to take cybersecurity more seriously, if you are placing all your emphasis on defending against outside threats you’re ignoring the very important question: what happens if attackers do make it inside? Then what? You may think that if hackers make it into your system it’s already too late, but that is far from the truth. Between gaining access and executing the ransomware, there is a middle phase to the attack in which attackers move around networks, gain access to administrative credentials, and locate the data they are going to encrypt and/or steal. Attackers can spend months moving throughout a network before actually launching the attack. Defending the middle is therefore essential to protect against suffering a ransomware attack.
In fact, according to a recent report by Coveware, it may be a lot more important to focus on defending the middle than just trying to keep the bad guys out. After analyzing data from multiple ransomware attacks, Coveware discovered that while attackers use a variety of means to gain access to a victim’s system, what the hackers do once they are inside is always the same. “As our data shows, 100% of the cases where we were able to collect triage observations found privilege escalation and lateral movement tactics employed.” And the tactics used in the middle phases are actually pretty limited. Once inside, if only one of the attacker’s tactics fails, it becomes a lot more difficult to pull off the attack. According to Coveware, “inhibiting a threat actor from escalating privilege or moving laterally is equally if not more important than preventing initial [entry].”
Because the tactics used to move around a victim’s network are pretty limited, that also means just a few protective measures could be the thing that stops the hackers from launching their ransomware. Here are 3 things businesses can do right now to defend the middle:
Multi-Factor Authentication For Domain Controller
A system’s domain controller is the part of your network that allows or denies access requests to your network. It’s essentially the seat of your access controls. That means if hackers gain access to your domain controller they can give themselves access to pretty much anything they want. To prevent this, it’s essential to set up multi-factor authentication for your domain controller. What’s more, it’s vital to use a mobile authentication code-based MFA rather than on hard MFA tokens. According to Coveware, “100% of ransomware attack victims LACK true multi-factor authentication for the domain administrator accounts.” So setting up MFA for your domain controller could be the thing that saves you from a ransomware attack.
Disable the Command Line
The command line is a back-end tool that allows IT administrators to build scripts that run automatically and perform complex tasks on a system’s network. It’s also an essential part of how ransomware attackers make changes to your system and move around your network. Coveware found that ransomware hackers rely heavily on the use of command lines to automate various parts of the ransomware attack. Disabling command line and scripting capabilities means hackers can’t rely on automatic processes to carry out their attack, making their efforts that much more time-consuming and costly.
Imagine taking everything you have and putting it in a single locked room. If someone breaks in, everything you have is now gone. That’s exactly like what having an unsegmented network is like. In order to make things harder for the bad guys and keep your data as safe as possible, it’s essential to separate different parts of your network from each other. That way, even if an attacker gains access to one part of your network, they aren’t able to get anywhere else.
In the past few years, new approaches to cybersecurity such as defense-in-depth and cyber resilience are becoming increasingly popular among cyber experts. In essence, both of these approaches argue that just protecting your systems from the outside is not enough. It’s vital to not just hope no one breaches your defenses, but that you have protections and plans in place for when someone does make it inside. Defending the middle is one strategy for taking on a defense-in-depth approach to cybersecurity, and it could be the thing that stands between you and a full-blown ransomware attack.
Tools such as endpoint detection, anti-malware software, and firewalls play a vital role in protecting from the diversity of cyber threats businesses face today. However, for those tools to work, they need to be properly installed, configured, and updated by people. When considering the human factors of cybersecurity, we often think of social engineering scams. But equally as important is managing human errors. In fact, this form of human risk was exactly what led to the massive Colonial Pipeline ransomware attack earlier this year.
Human risk involves not just what we do, but also what we don’t do. This was the case with the colonial pipeline attack. In June, the CEO of Colonial Pipeline, Joseph Blount, told a Senate Committee that the attack was caused by unauthorized accessed to a virtual private network (VPN) the company had once used and that did not have multi-factor authentication (MFA). MFA is a tool that requires users to verify their login through a second means, such as a text message or email that contains a unique code. Because this VPN did not use MFA, that extra layer of security was missing and the hackers got in unnoticed. The real kicker, however, is that Colonial Pipeline was already using a new VPN with more security features. However, the legacy VPN was still installed on Colonial Pipeline’s systems. According to Blount, the VPN the hackers accessed “was not intended to be in use.” The ransomware attack was therefore a result of someone within Colonial Pipeline neglecting to take the old VPN off of the company’s servers.
Risk, no matter the form, is the result of habits and behaviors. In order to address these issues, we need to create healthy, sustainable habits that limit human risks. They say old habits die hard but creating sustained change is possible if these three elements come together:
1. Keep it simple
When trying to create new behaviors for your employees, it’s vital to break things down into small pieces. Asking questions like “What behaviors do I want to do that will mitigate risk” is a good place to start, but once you have a list, choose one behavior and focus on that. The reason is that people are more likely to do something consistently if it’s simple and easy to do. By focusing on one behavior at a time, your staff is far more likely to follow through than if you give them a whole list of changes you want them to make.
2. Use a prompt
The next part of the equation is creating a prompt that alerts your employee to do the behavior you are designing for. This prompt can take any number of forms, like a scheduled email, a slack notification, or a checklist. When we have a habit, we aren’t actively thinking about having to do it, so when you want to create a new habit prompts will break that automatic thinking and make room for them to incorporate the new behavior you want to see.
3. Provide positive feedback
Lastly, once the new behavior is accomplished, it’s important to follow up with some sort of positive feedback. This helps reinforce the importance of the behavior by helping your staff associate this new habit with a positive feeling, making it more likely they will follow through again in the future.
Using Colonial Pipeline as an example, applying these behavioral principles for their IT could have helped prevent the hackers from gaining access. First, someone in the leadership could have communicated to one member of IT and asked them to take an inventory of applications installed once a month and remove anything that is out of date or no longer in use. Then, a prompt such as a scheduled email could have been created to send to the employee on the first of every month. Finally, the employee could be sent a message thanking them for taking an inventory — they could even create a point or star system that helps employees tally the completed behaviors that Colonial was designing for.
Mitigating human risk is a central aspect of a business’s overall cybersecurity posture. And the key is to create new, healthy behaviors by putting in place a system that helps your employees form new habits in a way that’s simple and leaves them feeling successful.
By now, you’ve almost certainly heard about ransomware — a form of cyber-attack in which hackers encrypt systems, steal data then demand a ransom payment to end the attack. While ransomware has been around for a while now, attackers have started setting their sights on bigger and bigger targets, gaining international media attention in the process.
But the reason businesses should be paying attention to ransomware is not because big corporations are shelling out millions of dollars in ransom payments. Instead, when you look at the bigger picture, small businesses are the ones who will continue to bear the brunt of these attacks. According to the Secretary of Homeland Security Alejandro Mayorkas, there has been a 300% increase in ransomware attacks in the past year and 50-70% of those attacks were directed against small and medium sized businesses. And while a cyberattack is tough for any businesses to recover from, the threat ransomware poses to small businesses is existential, with 60% of small businesses failing within 6 months of a cyber-attack.
Because the threat is so big and the stakes are so high, governing ransomware risk needs to be a top priority for small businesses. And in order to protect your organization, there are two vital areas that need to be focused on: systems controls and organizational culture.
1. Endpoint detection and response
Endpoint detection and response (EDR) is a type of security software that actively monitors endpoints like phones, laptops and other devices in order to identify any activity that could be malicious or threatening. Once a potential threat is identified, EDR will automatically respond by getting rid of or containing the threat and notifying your security or IT team. EDR is vital today in order to stay on top of potential threats and put a stop to them before they can cause any damage.
2. Hardening your RDP Ports
Remote Desktop protocol is a tool that allows someone to connect to a computer remotely. This can be useful, but more and more ransomware attackers are using RDP ports to gain access to victims’ systems. Organization that do not actively use RDP should therefore consider disabling the feature or limiting to users and devices that are not connected to public internet.
Having a back-up of your systems could allow you to regain access to your data without having to pay the ransom. However, it’s essential to have an effective back up strategy in order to ensure the attackers don’t steal your backups along with everything else. At minimum, at least one backup should be stored offsite. You should also utilize different credentials for each copy of your back-up. Finally, you should regularly test your back-ups to ensure you will be able to quickly and effectively get your systems online if an attack happens.
Lastly, using multi-factor authentication (MFA) is a simple yet powerful tool for stopping the bad guys from using stolen credentials. At minimum, any user accessing your network should be using MFA. In addition, all users with administrative privileges need to use MFA, whether they are accessing your network remotely or on premise.
Don’t Forget Culture
When it comes to governing ransomware risk, the best way to prevent attacks is to focus on creating a culture that incorporates cyber-secure behaviors into every day practices. However, the biggest issue many organizations face when creating a cybersecure culture is sustaining those behaviors overtime. In order to properly govern ransomware risk, behavior change requires 4 essential elements:
1. Consistent Communication
We get it, cybersecurity can be confusing. And as the threat landscape changes, so do our cybersecurity policies. That’s why it’s so important that business leadership consistently communicate with their employees about the behaviors you want to see.
2. Make it Easy
When thinking about the behaviors you want employees to adopt, it’s vital you make these behaviors as easy as possible to do. Everyone is being pulled in a million different directions at once, so if an employee has to take 10 minutes out of their day to figure out how to report a phish, they aren’t going to follow through. If, however, you provide a simple and easy-to-use process, you’re going to have a much easier time getting employees to adopt new behaviors.
3. Help People feel Successful
People want to feel like the work they are doing is making a difference. If they feel like what they are doing just doesn’t really matter all that much, there isn’t going to be much motivation to continue doing it. That’s why it’s so important to help people feel successful when they follow through on the behaviors you want to see. Providing positive feedback, for example, can go a long way towards creating behavior change. If your employees know their work is being recognized and feel it makes a difference, they will be much more likely to keep it up.
4.Walking the Walk
The above three elements for creating sustained behavior change have one thing in common: you. A leadership team can’t simply talk the talk. Change starts at the top and requires you and your leadership team take an active role ensuring these behaviors become a part of the organizational culture and value structure.
There’s no doubt that ransomware poses a big threat to small businesses, and the best thing you can do govern the risks of attack is focusing on creating a culture in which cybersecurity is valued and acted upon every single day.
The prominence of ransomware within the already crowded cyber threat landscape has been in the headlines for the past few years. But what you won’t see in the headlines is the fact that small businesses are the ones bearing the brunt of the onslaught. Ransomware is a form of attack in which hackers encrypt or steal your data then demand a ransom before giving you back access. And, according to Coveware’s ransomware report for Q1 of 2021, 73%of all reported ransomware attacks this year targeted businesses with under 1,000 employees. Of course, there are plenty of large companies that have to deal with ransomware, but it’s high time we start looking for solutions to the very real threat that small businesses across the country are grappling with.
There are a number of reasons ransomware attackers focus their efforts on small businesses. For one, these attackers are opportunists. They’re not looking to crack the toughest systems, they’re looking for a quick buck. Since small businesses probably don’t have the sophisticated and expensive security tools in place that big corporations do, the bad guys see them as easy pickings.
Another big reason small businesses are targeted by ransomware is because the consequences of having their system’s shut down are far more costly for small businesses. According to Coveware, the average downtime following a ransomware attack is 23 days — up 10% from Q4 of 2020. Last year a small business in Kansas with only 8 computers was hit with ransomware and paid the hackers $150,000 for to regain control of their systems. Explaining why the company decided to pay the company’s CFO said, “If we don’t pay them, we don’t have a way out of this, and business just stops, so it’s quite a scary situation.” While cybersecurity experts tend to advice companies not to pay ransom, and new evidence shows 92% of companies never get their data back after paying, the stress, fear, and consequences of being down may be enough to give into the demands.
When it comes to ransomware and small businesses, it’s clear the stakes are high and only getting higher. It’s essential we start focusing our efforts on helping these businesses take reasonable and affordable steps that can help prevent attacks and protect their data.
To help, use the acronym R.A.N.S.O.M for 6 simple steps that can go a long way toward preventing and protecting your small business against ransomware:
Remote access protections and patching
Given the rise of remote work since the pandemic, hackers are increasingly using remote access to install malware. Having remote access protections in place is therefore essential for preventing an attack. Even simple steps like robust firewall settings and requiring the use of VPNs and adding Endpoint Detection and Response can go a long way to keeping attackers out.
In addition, hackers are constantly looking for vulnerabilities in the software we rely on to run our businesses. All those software updates may be annoying to deal with, but they often contain important security features that “patch up” known vulnerabilities. At the end of the day, if you’re using out of date software, you’re at an increased risk for attack.
Administrative privilege limits
Setting limits on administrative and access privileges is another important way to protect your data. Every employee should only have access to the systems and information they need to preform their work. Too many businesses give employees more access than they need. If a hacker gains access to one of your employee’s accounts and there aren’t access limits set, then the hackers can move freely through your systems, changing settings and accessing sensitive data
It’s important to keep different elements of your network separate from each other so you can control how information flows from one to the others. Similar to privilege limitations, this will help ensure that anyone who breaks into your systems can’t then use that access to move around your networks.
Security awareness training
Phishing and social engineering attacks are common ways attackers gain access to your systems and install ransomware. Unfortunately, phishing attacks are not something you can fix with a piece of software. Instead, its essential employees are provided with the training they need to spot and report any phish they come across. Sometimes it only takes one wrong click for the bad guys to worm their way in.
Offline backups and periodic testing
This is a big one. If you suffer a ransomware attack, having a backup of your systems may enable you to get you back up and running without having to pay or start over from scratch. However, when making backups it’s important to takes a few steps to ensure you can rely on them. For one, backups need to be stored offline in order to prevent hackers from gaining access to them as well. Second, it’s necessary to periodically test your backups to ensure they are working currently. You don’t want to be in the position of needing your backup only to find the whole thing is corrupted!
Finally, requiring multi-factor authentication can go a long way to prevent an attack. If an employee’s login credentials are stolen, MFA adds an additional layer of protection that may prevent the bad guys from getting into your systems.
Last week, on the Tuesday before Thanksgiving, state auditors released a report detailing “significant risks” within the Baltimore Country School District’s computer network. The next day, the school district was hit with a ransomware attack that shut the school down until Wednesday of this week. Because of the increase in COVID-19 cases, the district had just shifted online. However, the ransomware attack put a stop to remote learning and gave over 115,000 students an extra week off school.
The state auditor’s report, released just the day before the attack, details the findings of an investigation into the security of the district’s computer systems that was conducted between May 2019 and February 2020. One of the major findings of the report showed that 26 publicly-accessible severs were located within the districts internal network, rather than segregated in external networks. This increases the risk of a user accessing the district’s internal systems via the public servers. In addition, the report that the district did not have adequate protections in place to secure personally identifiable information, there was no detection system in place to catch unwanted traffic, and students even had “unnecessary network-level access to administrative servers.”
The district has said it is too early to tell whether the attack was related to the vulnerabilities found in the auditor’s report. However, it is certainly possible the lack of network segmentation could have possibly made it easier for the ransomware to spread across systems and devices. The district has also not said whether any personally identifiable information was compromised in the attack.
Despite the district’s tight lips surrounding the specifics of the attack, they did ask all students and staff to perform a “confidence check” on school-issues devices, which potentially sheds light on some of the details. Specially, the district is asking students and staff to look for .ryk file extensions on their devices. This file extension likely points to an increasing common form of ransomware called Ryuk. Ryuk is a form of ransomware that encrypts data within the network. This may be a relief to school officials, given the recent trend in ransomware where attackers actually steal and leak sensitive data rather than just encrypt it within the network.. However, Ryuk is also infamous for its ability to quickly spread across devices connected to the network, including back-ups. This makes the state auditor’s findings potentially highly relevant to the scope and impact this attack has caused so far.
The Baltimore School District’s ransomware attack is unfortunately not entirely surprising. In the past few years, attackers have started targeting public agencies and schools. Because public entities often don’t have the budget or personnel for sophisticated cybersecurity defense and their services are essential for many people, attackers see these as juicy targets for ransomware attacks.
This doesn’t mean, however, that public agencies need to be sitting ducks. If the district had intrusion detection system in place, for instance, it’s possible they could’ve caught attack before it even started. The fact that students also had access to certain administrative servers is also a big problem, and could be easily fixed with simple access control measures put in place. Lastly, while you can’t always prevent these attacks from happening, segregating networks and devices can go a long way towards limiting the impact of ransomware. This will not only help prevent the spread of the attack throughout the network, but, if back-ups are routinely tested and stored offline, could allow organization’s to easily restore their systems to a pre-attack state without paying a ransom. The attack against the Baltimore School district is a stark example of the importance of creating not just a cyber-secure, but also a cyber-resilient online environment.