Your news feed has probably been interspersed with stories about ransomware attacks in recent months, the most prominent examples being the attacks on Colonial Pipeline, Brazilian meat processor JBS USA, and IT software maker Kaseya. These attacks are part of a disconcerting trend of attacks against increasingly larger and more sophisticated entities. Yet the vast majority of attacks still affect small and mid-sized institutions: municipalities, small businesses, not-for-profits, etc. This article explains ransomware attacks, lays out some proactive steps organizations should take to avoid becoming the victim of an attack, and identifies some considerations to be aware of in case of an attack.
Anatomy of a ransomware attack
A ransomware attack is a criminal breach of a private computer system where a malevolent computer hacker, a “threat actor,” infiltrates a private computer system and demands payment from the owner of the system, the “victim,” in exchange for the restoration of the system. One tactic is for a threat actor to pilfer confidential data and threaten to release or otherwise misuse it unless the victim pays ransom. A second tactic is for the threat actor to lock the system so that the victim can’t access it, making normal operations impossible, and only unlocking it if the victim pays.
Some attacks begin with the exploitation of a vulnerability in an organization's software. More often, threat actors use relatively uncomplicated means to gain access, such as phishing e-mails that fool employees into opening an attachment or link that downloads malicious software. The software then encrypts files and bars all of the organization's employees from accessing the network.
The threat actor will then message the organization demanding payment in exchange for a "decryption key" or other software that will unlock the network. In addition to the organization losing control of its networks, ignoring the threat actor may result in the threat actor publicizing the successful breach to the media, social media, and nefarious web forums frequented by criminal elements.
How to prevent a ransomware attack
Short of unplugging all your organization's computers and throwing them in the dumpster, it's just about impossible to guarantee that it will never be the victim of a ransomware attack. However, there are some proactive steps every organization should take to minimize the risks.
The Biden Administration issued memorandum guidance on June 02, What We Urge You To Do To Protect Against The Threat of Ransomware, to assist organizations in ensuring they're able to promptly restore operations after an attack. The memorandum's recommendations include:
• Implementing two-factor authentication;
• Using endpoint detection and response to head off potentially malicious activity within the network;
• Encryption of data being sent from and stored on the network; and
• Establishing an empowered cybersecurity team to rapidly patch systems and incorporate threat information.
Since many ransomware attacks are perpetrated through e-mail phishing campaigns, organizations should train employees to identify phishing e-mails and to respond appropriately if they receive one. Organizations should create encrypted backups of the company's data and store them offline. There's less of a need to pay ransom if the organization's data is backed up and accessible through offline means. It is important to regularly test these backups to ensure they will work in case of an attack.
Cyber criminals also regularly look for weaknesses in widely used software programs to gain control of an organization's systems and deploy ransomware. Therefore, organizations should always patch their systems and security solutions, and ensure both are up to date. Threat actors regularly target employees' credentials through trial-and-error methods, or by purchasing credentials on the dark web. Consequently, multi-factor authentication for all accounts, including service and social media accounts, is well-advised.
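Testing a backup means actually restoring it and checking the result, not just confirming that the backup job ran. The script below is an added illustration, not part of this article or of any product it mentions: it writes an archive together with a manifest of file hashes, restores the archive into a scratch directory, and reports any file that is missing, altered, or unexpected. The sample files it creates in `demo()` are constructed for the illustration, and the stale-manifest scenario is a simulated failure showing what a restore test catches. Encrypting the archive before it goes offline is a separate step the script does not perform.

```python
"""Restore-test for an offline backup archive (added example, standard library only)."""
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, archive_path, manifest_path):
    """Tar the source tree and record a manifest of relative path -> sha256."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(source_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_restore(archive_path, manifest_path):
    """Restore into a scratch directory and compare every file against the manifest.

    Returns (ok, problems); problems lists missing, altered and unexpected files.
    """
    with open(manifest_path) as f:
        manifest = json.load(f)
    problems = []
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                # The "data" filter refuses path traversal and device members (Python 3.12+,
                # also backported to late 3.8-3.11 releases); older interpreters lack it.
                tar.extractall(restore_dir, filter="data")
            except TypeError:
                tar.extractall(restore_dir)
            archived = {m.name for m in tar.getmembers() if m.isfile()}
        for rel, expected in manifest.items():
            restored = os.path.join(restore_dir, *rel.split("/"))
            if not os.path.exists(restored):
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"hash mismatch: {rel}")
        # Files in the archive that the manifest never recorded are also worth a look.
        for name in sorted(archived - set(manifest)):
            problems.append(f"unexpected: {name}")
    return (not problems, problems)


def demo():
    """Constructed sample tree (not real data): one good restore, one incomplete one."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "finance"))
        with open(os.path.join(src, "finance", "ledger.csv"), "w") as f:
            f.write("date,amount\n2021-06-01,100\n")
        with open(os.path.join(src, "readme.txt"), "w") as f:
            f.write("constructed sample file\n")
        archive = os.path.join(work, "backup.tar.gz")
        manifest = os.path.join(work, "backup.manifest.json")
        create_backup(src, archive, manifest)
        good, good_problems = verify_restore(archive, manifest)

        # Simulated failure: a file disappeared before the next backup ran, so the
        # new archive no longer matches the manifest the organization relies on.
        os.remove(os.path.join(src, "finance", "ledger.csv"))
        stale_archive = os.path.join(work, "backup-stale.tar.gz")
        create_backup(src, stale_archive, os.path.join(work, "stale.manifest.json"))
        bad, bad_problems = verify_restore(stale_archive, manifest)
        return good, good_problems, bad, bad_problems


if __name__ == "__main__":
    print(demo())
```

Run on a schedule against the copy that actually sits offline, not the live one, so the test exercises the same media and restore path an incident would.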
Planning a response
Having a well thought out plan of action for what to do in the event the organization falls victim to a ransomware attack is increasingly an operational necessity. Such a plan is often referred to as a cyber incident response plan. Implementing a response plan will take the air of crisis out of the situation should it arise and limit the damage wreaked by the attack.
A thorough response plan should outline the responsibilities of everyone in the organization, making it clear who's responsible for what specific responsive actions. Such a plan may include establishing a channel of communication through a secured texting application so management can communicate in the event the attack takes down the internal communication systems. The response plan should be regularly tested, both to expose gaps in the plan and to let employees get familiar with it, so they are not seeing it for the first time during an attack.
Approximately a third of US companies have cyber insurance. However, this type of coverage is reportedly harder to find and more expensive as covered incidents proliferate. Organizations should also consider establishing a relationship with a professional negotiator to communicate on its behalf with the threat actor. This professional should be versed in how threat actors operate and communicate. They can help the organization get a better “deal” with the threat actor and coordinate where and how money will be sent, in the event the organization determines paying the ransom is the most prudent response.
A few years ago, it was considered devastating public relations for an entity to fall victim to one of these attacks. Today, it is generally understood that entities are susceptible no matter what precautions they take. What is still unforgivable however, is having failed to make and execute a plan for how to responsibly respond. Talk to your IT professional to make sure your entity’s technical safeguards are up to snuff and consult with experienced legal counsel about the legalities of its plan for dealing with threat actors.
Christopher Baiamonte and Justin Furry are members of the Wladis Law Firm, P.C., located in Syracuse, New York, and can be contacted by calling 315-445-1700.