Ransomware is a Slippery Slope for Enterprises Large and Small
By Katherine Teitler
May 20, 2016
Ransomware is the hot, new buzzword in security. It is also a serious, escalating problem. Hospitals in Kentucky, Maryland, Ottawa, and California (among others) have had data held hostage in recent months; the U.S. House of Representatives blocked access to third-party email apps after ransomware attempts (or maybe unconfirmed attacks?) were perpetrated; a Lansing, Michigan electricity utility was knocked offline and rendered inoperable for a week following a ransomware strike; and the folks behind the biggest online banking fraud, Dridex, have added ransomware as a secondary attack method once the banking Trojan executes.
New attack stories are in the media weekly, it seems, though clear patterns have yet to emerge. Financial services and healthcare organizations appear to be the most frequent targets to date, but even a small, home-based animal rescue was forced to rebuild its entire website and database after a ransomware developer stole, encrypted, and demanded ransom for its data. Based on the frequency of this type of attack, it’s difficult to ascertain whether ransomware attacks are mostly opportunistic or if a concerted effort against companies with large amounts of data—i.e., financial services and healthcare—is underway and the intermittent SMB is the anomaly. The coming weeks, months, and years will surely reveal patterns, and the industry will have plenty of attacks to analyze soon.
That ain’t workin’, that’s the way you do it
However the patterns materialize, one thing is for certain: businesses are not ready for ransomware. SMBs, in particular, often don’t have the resources or capabilities to recover quickly. What’s even more surprising is that larger organizations keep getting caught with their pants down too.
“Ransomware is the current cyber readiness litmus test,” writes Mark Arnold, Sr. Research Analyst, Solutions Research & Development at Optiv. “This current epidemic is testing the efficacy of controls, the ability of organizations to defend and to recover. Simply put, ransomware is exposing the fact that we have yet to master the basics.” What Arnold means is that organizations still aren’t consistently and adequately backing up sensitive data and storing copies in offline or air-gapped systems. Many businesses haven’t installed or don’t maintain up-to-date endpoint protection and strong firewalls. Admin accounts continue to run with the most privilege rather than the least. Even ad blockers aren’t installed on many companies’ networks.
Technical controls are only one part of the equation, though. The other extremely important aspect of stopping ransomware is security awareness and training. Unsuspecting users are falling prey to enticing emails, links, and attachments. Ransomware developers are “abusing the trust appetites of users,” says Arnold. There is a long way to go before all users are acutely aware of what to look for, but there’s no denying that humans are prone to error and evolution isn’t going to change that proclivity anytime soon.
Therefore it’s time to get our tech chops in order.
Money for nothing get your kicks for free?
So your technical capabilities aren’t up to snuff and the threat actors are holding your data hostage. Now what? To pay or not to pay—that is the question. The FBI says definitively: No. Do not pay. The theory is that paying will just encourage the criminals. Then there’s the issue of the return itself; does paying ensure safe return of stolen data? Bad guys are, well, bad guys. They’ve already stolen something; why would there be any guarantee that they’ll return the data, in full, in a timely manner, without any other repercussions?
Some organizations feel they don’t have much of a choice but to try, though. Backups either don’t exist or are not complete. Downtime during recovery/restoration would be excessive. Technical staff on hand isn’t adequate to deal with the scope of the incident. In weighing options, some organizations feel the only chance at recovery is to pay the ransom and try to receive the decryption key and regain access to their own information.
In the best-case scenario, a developer decides to release the key and all victims can use it to recover data. No one is sure why this developer made the bold move, but it’s unlikely to happen again soon or regularly.
Victim organizations are facing tough choices in today’s ransomware landscape. One way or the other, companies are going to have to pay, whether it’s implementing better controls and processes or forking over large sums of money for the safe return of data. Companies that already have fortified business continuity and disaster recovery capabilities are at a significant advantage.
Even with those capabilities in place, at-the-ready organizations could still become victims.
That’s the way you do it
One issue that few people are talking about when it comes to ransomware is secondary attacks. At present, most ransomware developers are holding stolen data and either providing the decryption key after the ransom is paid or taking the money and running back to the dark web to play. These are not the only two options.
At some point, these threat actors are going to start layering tactics:
Step one: find an ingress.
Step two: locate sensitive data.
Step three: exfiltrate data.
Step four: sell data to other threat actors.
Step five: encrypt remaining data, contact the victim company and tell it to pay up, and continue to sell the unencrypted data on the black market for a handsome price.
This could already be happening. Evidence hasn’t yet been found, but that doesn’t mean threat actors haven’t thought of it or aren’t committing this crime.
Ransomware is a new twist on an old type of extortion, and the farther the criminals can take it, the more effort they’ll put into reaping larger benefits. Don’t think for one second that TeslaCrypt exposed the decryption key without first making a profit. The game became cumbersome, the stakes got too high, or the gang decided they got what they needed out of the ransomware and are now setting sights on some other cyber crime.
The possibility that ransomware attacks could escalate (we’ve already seen some layering occur with Dridex, but in reverse) is proof that organizations need to harden controls and processes ASAP. Arnold warns, “The tactics, techniques, and procedures of ransomware dealers continue to evolve, outpacing our ability to defend,” and businesses can’t just let that continue. Organizations that fail to act will end up paying the price, maybe with nothing to show in the end but a whole lot of empty data files.