Over the last 6 months, ransomware has grown to become an even bigger threat than before, with ransomware operators targeting both large and small organizations. Because of this, it is important to be ready for ransomware attacks. Recently there have also been several attacks on hospitals and other healthcare providers in the United States, leading to unavailability of care to patients. Modern ransomware attacks are well-planned, where the attackers have compromised the infrastructure of the target before dropping the ransomware. This means they have then likely turned off backups, exfiltrated data they can threaten to dump online and secured multiple ways of maintaining persistent access to your network and assets before dropping the ransomware. In other words, it is important to detect and stop these threat actors as early as possible, if we are not able to stop the attack in the first place.
If we consider the risk from ransomware to be characterized by the probability of a successful attack combined with the severity of its impact, then reducing risk is possible through a number of means that act on probability, severity, or both.
Criminals have targeted hospitals and other healthcare providers in the United States over the last few months. This prompted the Cybersecurity & Infrastructure Security Agency (CISA) to issue an alert containing information about malware types and response recommendations. Some of that advice you will find in this post too, but we aim to keep the information less technical and easy to use for a less technical audience such as small business leaders and management in general.
How bad can it be?
The technical consequence is exfiltrated data and encrypted files – but what would the business implications be?
- How much revenue will you lose due to unavailability of services?
- How much will the cost of fixing the problem be?
- Will you have future losses due to lost trust in the market?
- Are litigation costs likely due to breach of regulatory or contractual requirements?
- Are jobs likely to be lost because of this?
- How will your customers and suppliers be affected by the attack?
Answering these questions will quickly reveal that a widespread ransomware attack can have devastating consequences, not only for an organization but also for its suppliers and customers.
A 4-stage model for ransomware attacks
We can use four distinct stages to plan how to best reduce the risk from ransomware:
The computer users are both targets and your first line of defence. Informing stakeholders about ransomware risks is important to get the resources needed to fight this threat. All employees should get information about the threat as well, including what to look out for. Phishing in particular is a problem here, as most initial breaches are phishing based. Phishing emails typically use links for credential theft, links to documents that can download malware, or attachments containing such documents.
In addition to telling colleagues about the dangers of phishing and what to look out for, everyone needs to know how to report suspicious activity. Make sure this is visible and easy to find for everyone.
Often we work in ways that are very easy for cybercriminals to mimic. If your average workday is spent clicking links and opening attachments in emails, it is no wonder if you also end up clicking the phishing link sent by someone pretending to be a customer. It is better to use Microsoft Teams, Slack or another internal platform for internal day-to-day work. Instead of attachments, we can use document collaboration platforms like G Suite or Microsoft 365. When we reduce the amount of email in general, and in particular emails used for document collaboration, we make it much easier for us as human beings to see that a phishing email is out of place.
Detecting the intruder
At some point your company will be breached. Someone clicks that link and installs the malware. If you can detect and stop the attacker before data is exfiltrated and files are encrypted, you are stopping the most severe consequences from manifesting. What you can do here depends a lot on your organisation’s maturity and access to resources. In general, the following practices should be implemented:
- Run antivirus on every computer, with a solution that can alert the IT team of detections if possible
- Segregate the internal network so that the malware cannot easily spread from laptops to more critical computers
- Use two-factor authentication for access to all critical resources, including administration systems
- Do not use administrative users in day-to-day work
You need a plan for how to react to signs that something is wrong. If you can’t stop the intrusion in the first place, you really need to be ready for the ransomware in your network; that means detecting that something is wrong and then taking action on it, preferably in an automated way. The most important thing if you think a computer or a user is compromised is to isolate that situation by removing the computer from the network and revoking that user’s access. Make sure you have a way of doing this.
Backups are your best friends
Before encrypting your data, criminals will often try to destroy your backups. It is important to have recent backups, and to protect them very well. Having a recent backup available completely offline can be a life-saver. A good idea is to have at least two backup locations, where one is offline. Also make sure to create hashes of your backups and store them safely, so that you can see if the backups have been tampered with.
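One way to implement the hashing advice above, as an added example that is not part of the original post: build a SHA-256 manifest of a backup directory, keep that manifest on the offline medium, and compare the tree against it before trusting a restore. The manifest and backup paths in the usage are hypothetical.

```python
# Added example: SHA-256 manifest for a backup tree, so that modified, deleted or
# injected files are detected before a restore. Assumes the manifest is kept on a
# separate offline medium; an attacker who can write both could regenerate it.
import hashlib
import json
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large backup archives need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_root: str) -> dict:
    """Map every file under backup_root (relative path) to its SHA-256 digest."""
    root = Path(backup_root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict, manifest_path: str) -> None:
    """Write the manifest as JSON; store the file offline, not beside the backup."""
    Path(manifest_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def verify_backup(backup_root: str, manifest_path: str) -> dict:
    """Compare the current backup tree with a stored manifest.

    Returns {"modified": [...], "missing": [...], "unexpected": [...]};
    three empty lists mean the backup matches the manifest exactly.
    """
    expected = json.loads(Path(manifest_path).read_text())
    current = build_manifest(backup_root)
    return {
        "modified": sorted(f for f in expected if f in current and current[f] != expected[f]),
        "missing": sorted(f for f in expected if f not in current),
        "unexpected": sorted(f for f in current if f not in expected),
    }


if __name__ == "__main__":
    import sys
    # usage: python backup_manifest.py build|verify <backup_dir> <manifest.json>
    cmd, backup_dir, manifest_file = sys.argv[1:4]
    if cmd == "build":
        save_manifest(build_manifest(backup_dir), manifest_file)
    else:
        print(json.dumps(verify_backup(backup_dir, manifest_file), indent=2))
```

Run "build" right after each backup job and "verify" from the offline manifest before any restore; a non-empty list in the report means the backup set cannot be trusted as-is.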
Without planning, your ability to execute under stress will be very poor. Think through what can happen, and make a plan for what you will do when it happens.
- Who is responsible for what?
- How can you get help when you need it?
- Who are your internal stakeholders and what do they need to know?
- What do you say to the customers, suppliers, media?
- How do you start to contain the problem and begin recovery?
- What services will you try to reestablish first, and what can wait?
- How do you communicate if all your computer systems are unavailable?
- Will you engage with the attackers to buy time?
Digital fire drills
You know the drill: the alarm goes off, the person responsible for fire safety on the floor takes charge and gets everyone out of the building. Afterwards the evacuation exercise is evaluated with respect to time, people who did not get out of the building, and communications with first responders. In the shadow of the ransomware danger, the same practice is needed if we are going to have a realistic chance of managing a cyberattack in practice; we need digital fire drills.
They do not need to be advanced or depend on a simulation lab. Remember, the purpose of running an exercise is to help us be ready for ransomware attacks, and to help us build confidence in our ability to handle such incidents. The important thing is to test the decision-making and communications process. Doing the whole process as a tabletop exercise, or even over a video conference under COVID-19 conditions, can be perfectly fine. We should aim to make annual digital fire drills expected and normal!