Ransomware Risk Management: 11 Essential Steps
Tips From a Cybersecurity Veteran on Winning the Battle
There's been a lot of discussion within the InfoSec community about ransomware - why it has been increasing, whether ransoms should be paid and how to mitigate this rapidly growing threat.
The culprit that opens the door to these attacks, apparently including last week's city of New Orleans attack, often is weak remote desktop protocol, or RDP, server credentials that enable attackers to jump right into the network.
The aggregate dollar value of ransoms that criminals have successfully collected from victims shows an alarming trend. Total ransoms surged from $325 million in 2015 to $5 billion in 2017 and are projected to reach $11.5 billion in 2019, according to Cybersecurity Ventures.
Be Aware of All Costs
In planning defensive strategies, organizations must recognize that the cost of a ransomware attack goes far beyond the extortion payment. A steadily growing list of victimized companies has reported that the other costs of an attack - downtime, lost sales opportunities, angry customers, the expense of attack mitigation and recovery, damage to brand reputation, penalties for unmet contractual obligations to customers, and fines for non-compliance - make the ransom itself look trivial.
The city of Atlanta spent almost $5 million just in procuring emergency IT services following a March 2018 ransomware attack that crippled essential city services for days. The additional costs, including those associated with third-party incident response services, crisis communication, augmenting support staff and subject matter expert consulting services, have now exceeded $17 million and are still accruing.
Atlanta apparently incurred $22 million in expenses because it neglected to spend a few thousand dollars patching some 2,000 known vulnerabilities.
Why Are Attacks Proliferating?
Ransomware attacks have inflicted extensive downtime and economic harm on many sectors, including police departments, local governments, automotive manufacturers, logistics companies, financial services institutions, healthcare providers and transportation systems around the world.
Ransomware has been growing, in part, because victims are readily paying the ransoms and because it is super easy to launch these attacks. Another key factor: Targeted organizations steadfastly refuse to do the little things necessary to fend off these attacks.
Why don't they? I have been trying to unravel that riddle for the past eight years and I still haven't a clue. But instead of just blathering on about how dangerous ransomware has become and how fast the threat is growing, I'd like to specify risk mitigation steps to take, at an affordable cost, that could prevent the vast majority of these attacks from succeeding.
But first, let's look at how easy it is for hackers to get their hands on the ammunition required to launch a ransomware attack.
Ransomware as a Service
Hundreds of low-cost products and services are available on the deep web to help inexperienced hackers wage their attacks.
The deep web hacking market flourishes thanks to the anonymity offered by the communications protocols implemented in this part of the web. Ransomware gangs copied the model of tech vendors such as Salesforce.com, continually and rapidly developing and improving their product and relying on a network of internet-based "distributors" - lower-level, relatively-unskilled criminals willing to push the malware onto as many machines as possible in return for a cut of the ransom - to get their product into the marketplace.
These criminal front men use a variety of techniques to propagate ransomware attacks, including blasting out phishing emails with infected web links or attachments and placing bogus online ads that lead users to fake websites that invisibly download malware to anyone that visits them.
Meanwhile, the highly skilled back-end developers labor to create new variants that can exploit operating system and application vulnerabilities, take advantage of unwary end users, and evade anti-virus software and other defenses created by the IT security industry. They also build sophisticated distribution, monitoring, notification and payment infrastructures, which they make available to their "distributors" for free.
All anyone needs to get into the ransomware distribution racket is moral flexibility, a browser and an Internet connection to access these easy-to-use tools, start spreading ransomware around and begin extorting cash from victims.
The approach is known as ransomware-as-a-service.
The addition of what is essentially a technical support help desk for the hacking tools - friendly interfaces, Quora-style question-and-answer forums and deep web Internet Relay Chat, or IRC, channels - dramatically reduces the level of difficulty for average users. Ransomware kits are offered to novices for around $50 and are extremely effective.
So that's where all the guns and ammo come from, but how do hackers choose which vulnerabilities to target?
Most successful recent ransomware campaigns involved malware that relied on open RDP servers as the initial access point. Ransomware families such as SamSam thrived, whereas other campaigns failed because they were trying other, better-secured pathways.
The successful campaigns look for networks that have internet-facing servers running the RDP service. Attackers either take advantage of well-known vulnerabilities in unpatched servers or run a brute-force password attack against the logon prompt. Once they have gained access to the exposed system, they use it as a jumping-off point into the core of the network, installing their ransomware on target machines and often disabling backups and deleting or encrypting other files first so that recovery is harder.
RDP is not the only entry point attackers use. As we have seen with SamSam, CrySiS and BitPaymer, the bad guys look for any exposed service that may give them access.
This year and last year, ransomware attacks have targeted known vulnerabilities in JBoss, FTP and other services, but open RDP servers are the preferred target. There are a lot of them, they are easy to find and they are easy to exploit. Even better, if an attacker is having trouble exploiting open RDP servers, they can just purchase an exploit kit for about $15.
The reason publicly accessible RDP servers are so widely available is that many organizations use RDP instead of a VPN to gain remote access to their machines. Plus, organizations are frequently not aware that the RDP service is running on internet-facing servers. This could be the result of a configuration error or a failed security check, or the service could have been enabled by another component after the server was deployed. The first check, therefore, is an external scan of your own address space for TCP port 3389 and any other listening service you did not expect to find.
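To make the detection side of this concrete, here is an added example (written for this article, not code from any vendor or from the campaigns named above) that reads Windows Security event records and flags the RDP brute-force and password-spray patterns just described. Event ID 4625 is a failed logon, 4624 a successful one, and logon type 10 is RemoteInteractive, i.e. RDP. The sample records, the IP addresses and the thresholds are constructed for the example; a real deployment would feed the same logic from the event log or a SIEM.

```python
"""Spot RDP brute-force and password-spray activity in Windows Security
event log records (Event ID 4625 = failed logon, 4624 = successful logon,
logon type 10 = RemoteInteractive, i.e. RDP).

The log lines, IP addresses and thresholds below are constructed for this
example and are not taken from any real incident.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10

# Constructed sample, one record per line:
# timestamp,event_id,logon_type,account,source_ip
SAMPLE_LOG = """\
2019-12-16T02:00:01,4625,10,administrator,203.0.113.7
2019-12-16T02:00:09,4625,10,administrator,203.0.113.7
2019-12-16T02:00:17,4625,10,administrator,203.0.113.7
2019-12-16T02:00:25,4625,10,administrator,203.0.113.7
2019-12-16T02:00:33,4625,10,administrator,203.0.113.7
2019-12-16T02:00:41,4625,10,administrator,203.0.113.7
2019-12-16T02:00:49,4624,10,administrator,203.0.113.7
2019-12-16T02:10:00,4625,10,alice,198.51.100.9
2019-12-16T02:10:05,4625,10,bob,198.51.100.9
2019-12-16T02:10:10,4625,10,carol,198.51.100.9
2019-12-16T02:15:00,4625,10,alice,10.0.0.5
2019-12-16T02:15:30,4624,10,alice,10.0.0.5
2019-12-16T02:16:00,4625,3,svc-backup,10.0.0.6
"""


def parse_log(text):
    """Parse the CSV-style records into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, source_ip = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "source_ip": source_ip,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_attacks(events, window=timedelta(minutes=5),
                       fail_threshold=5, spray_threshold=3):
    """Return {source_ip: set_of_alerts} for RDP logon activity.

    brute_force:          >= fail_threshold failures from one IP inside `window`
    password_spray:       failures against >= spray_threshold distinct accounts
                          from one IP inside `window`
    success_after_attack: a successful RDP logon from an IP already flagged,
                          i.e. the attacker probably got in
    """
    recent = defaultdict(deque)   # source_ip -> deque of (ts, account) failures
    alerts = defaultdict(set)
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue                      # only RemoteInteractive (RDP) logons
        ip = e["source_ip"]
        failures = recent[ip]
        while failures and e["ts"] - failures[0][0] > window:
            failures.popleft()            # slide the window forward
        if e["event_id"] == FAILED_LOGON:
            failures.append((e["ts"], e["account"]))
            if len(failures) >= fail_threshold:
                alerts[ip].add("brute_force")
            if len({acct for _, acct in failures}) >= spray_threshold:
                alerts[ip].add("password_spray")
        elif e["event_id"] == SUCCESSFUL_LOGON and alerts[ip]:
            alerts[ip].add("success_after_attack")
    return {ip: found for ip, found in alerts.items() if found}


if __name__ == "__main__":
    for ip, found in detect_rdp_attacks(parse_log(SAMPLE_LOG)).items():
        print(ip, sorted(found))
```

The alert worth paging someone for is the last one: six failures followed by a success from the same external address is the moment the attacker lands on the jumping-off point. Detection is a compensating control, though; an account lockout policy and, above all, taking RDP off the internet and behind a VPN with multi-factor authentication remove the exposure rather than merely report it.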
Fixing this requires a penetration test as part of a risk assessment that can be conducted by a host of service providers, plus subsequent patch applications and testing. The total cost should be less than $25,000.
The advertising budget for 2019 for just the Atlanta City Council, not the entire city, was $103,000. Do you think the city could shave 25 percent off their city council PR campaign to get this done? Ironically, all of the advertising and PR in the world will not help the city council's image now.
The other pathway in for ransomware attacks is through phishing campaigns.
GandCrab ransomware relies heavily on Microsoft Office macros, VBScript and PowerShell to avoid detection. Although consumer tools such as free mail services and anti-virus vendors have gotten better at detecting ransomware, GandCrab continues to find success by using an advanced ransomware-as-a-service model and by making dozens of adjustments and at least five new code releases since its inception.
A simple and repetitive security awareness training program can go a long way toward helping employees recognize phishing attacks for about $6,000 a year. And technical phishing countermeasures are low cost as well.
But ransomware actors are very nimble and quickly adapt their techniques to the changing security landscape. This battle will not be won with a one-and-done mentality.
Determining where your vulnerabilities are and fixing them - and implementing attack-pathway countermeasures such as anti-phishing technologies - are components of an ongoing process requirement for continually improving cybersecurity hygiene. Slapping some software in place and scheduling a few classes is not going to prevent a ransomware attack. To mount an effective cyber defense, you will have to engage and commit your entire enterprise to a mission.
That mission is "rational cybersecurity risk management." And it must have support from the board and C-suite executives through your entire IT organization. If it doesn't, it will fail.
Use an MSSP?
Below, you'll find a list of critical steps to take to start implementing rational cybersecurity risk management. You can try to do these yourself or outsource them to a competent managed security service provider - or a mix of both.
Dozens of qualified MSSPs provide all of the services described below. The potential reasons for partnering with one of them are:
- They are professionals with deep experience in the space while you are not.
- They have committed to a suite of products and practices that are proven to work.
- You can neither find nor afford to hire or manage the requisite cybersecurity skills yourself.
- The overall cost will be less than the DIY or hybrid version.
- They are contractually committed to perform to a service-level agreement.
- The project will get done and get done much faster - and time trumps money.
Five Key Components
The development and administration of a comprehensive cybersecurity risk program is complex, difficult and requires deep knowledge of the problem space. You will need to address five key components.
- Risk assessment and mitigation;
- Cybersecurity technologies for monitoring, prevention, protection, detection, alerting and remediation;
- Process and policy management;
- Training and education;
- Recovery communication and protocol.
If you feel competent to address and manage through what is required in each of these areas, then you should go for it. Here's what you will need to do:
1. Backup Systems Locally and in the Cloud
Regularly perform system backups and keep the copies separate: a local copy, an offsite copy and at least one copy in the cloud. This keeps your information in places that an intruder on your network cannot easily reach, and it makes it far easier to wipe a compromised system and restore from backup after an attack. "Separate" has to mean separate credentials as well as separate locations: attackers who reach the core of the network routinely disable or encrypt the backups they can find, so at least one copy should be offline, immutable or writable only with credentials that do not exist on the production network.
But just backing up your files is only half the job. You need to test the backups as well, and institute a program so that each time you run a restore test you can prove it all worked - that the files came back intact, not merely that the backup job reported success.
Cloud backups are cheap, they introduce redundancy and they add an extra layer of protection.
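"Prove it all worked" is easier when the proof is mechanical. The following is an added example (written for this article, not a tool the page describes) of the check a restore test should run: hash every file at backup time, sign the manifest with a key that is kept away from the backup host, and after a restore diff the restored tree against the manifest. The directory layout, file contents and HMAC key are constructed for the example.

```python
"""Prove a backup is restorable: hash every file at backup time, keep a
signed manifest away from the backup host, and verify a restored tree
against it.  Directory layout, file contents and the HMAC key are all
constructed for this example.
"""
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(manifest, key):
    """HMAC over the canonical JSON form.  The key must live off the backup
    host: an intruder who can rewrite backups could rewrite the manifest too."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest, key, tag):
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def verify_restore(manifest, restored_root):
    """Diff a restored tree against the backup-time manifest."""
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "modified": sorted(p for p in manifest.keys() & actual.keys()
                           if manifest[p] != actual[p]),
        "extra": sorted(set(actual) - set(manifest)),
    }


def demo():
    """Constructed restore test: one file vanished, one was encrypted in
    place and a '.locked' file appeared.  Returns the verification report."""
    key = b"example-key-kept-offline"   # assumption: held outside the backup system
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp, "source")
        (source / "docs").mkdir(parents=True)
        (source / "a.txt").write_text("quarterly report\n")
        (source / "docs" / "b.txt").write_text("customer list\n")

        manifest = build_manifest(source)       # taken at backup time
        tag = sign_manifest(manifest, key)

        restored = Path(tmp, "restored")
        shutil.copytree(source, restored)       # the "restore"
        (restored / "a.txt").unlink()                                   # lost
        (restored / "docs" / "b.txt").write_bytes(b"\x8f\x1a encrypted")   # tampered
        (restored / "docs" / "b.txt.locked").write_text("pay us\n")     # extra

        if not manifest_is_authentic(manifest, key, tag):
            raise RuntimeError("manifest does not verify; do not trust it")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A restore test that returns anything other than three empty lists is a failed test, and the signed manifest is what stops a compromised backup server from quietly "passing" its own check.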
2. Segment Network Access
Limit the data an attacker can reach. With network segmentation and dynamic access control, you help ensure that a single compromised host does not expose the entire network. Segregate your network into distinct zones, each requiring different credentials for access privileges, so that the credentials captured on an exposed RDP server do not also open the file servers and backup systems.
3. Use 'Least Privilege' Principles
Configure your access controls (file, directory, and network share permissions) on the basis of "least privilege" principles. In other words, users who require access only to read documents or files should not be allowed to edit those specific files, directories or shares - no exceptions, including the C-suite or corporate officers.
4. Implement Early Threat Detection, Monitoring Systems
Install ransomware counter-measure software that will help identify potential attacks.
Most popular unified threat management programs can find intrusions as they happen and prevent them - and they offer gateway anti-virus software as well. Even conventional SIEMs or network monitoring services available through MSSPs will leverage advanced IDS and IPS, firewall, behavioral analytics, threat intelligence, end-point defense and threat detection capabilities that will identify and alert for the presence of malware and recommend remediation steps or provide it directly through SOC first responders.
If you are doing this yourself, you will need to buy a UTM system or SIEM and build a security operations center to provision a first responder capability.
Also, you will need to implement email security best practices and spam filtering to keep unwanted attachments from showing up in your email inbox. Windows' built-in identity and access management features, such as Active Directory group policy and account lockout, should be leveraged as well.
Rigorously download and install all software updates and patches on a regular basis. Many continuous vulnerability assessment and management systems, or CVAMs, are available that scan for vulnerabilities and rank which ones need attention first. Many SIEM-as-a-service providers include CVAMs as part of their service.
Patching is the best way to deter most ransomware attacks. All of these vulnerability assessment and scanning tools can run continuously so you don't have to remember to initiate scans yourself. These scans must include all network devices including your mobile phones, tablets and any connected IoT devices as well.
5. Install Anti-Ransomware Software
Don't assume you have the latest anti-virus to protect against ransomware. Your security software should consist of anti-virus, anti-malware and anti-ransomware protection. It's also crucial to regularly update your virus definitions.
By now, you have probably detected a theme here. Regular, rigorous, disciplined, scheduled activities by people dedicated to your cybersecurity risk defense program are essential. Otherwise, all the technology in the world will not help, and you will become a ransomware victim.
6. Train Your Employees
Almost all ransomware attacks can be traced back to poor employee cybersecurity practices arising from a lack of training and education. Phishing attacks, weak passwords, misconfigurations and poor access management are some of the primary causes that open the door to successful ransomware attacks.
Much of this can be addressed through employee training and security-awareness education. But it has to be entertaining, repetitive (once a year won't cut it) and engaging (testing and scoring results). And it has to have buy in from the very top - your CEO needs to be in the front row every quarter.
Employees should recognize the signs of a phishing attack. You and your employees need to be up to date on the latest ransomware variations and on the techniques that ransomware distributors use. Teach staff to be cautious about the online advertisements and email links they click on, the websites they visit, and the attachments they open.
Stress the importance of examining links and attachments to make sure they are from a reliable source. Warn staff about the dangers of giving out company or personal information in response to an email, letter or phone call.
For employees who work remotely, make it clear that they should never use public Wi-Fi without the company VPN, because anyone on the same network can intercept or tamper with an unprotected connection.
Also, make it clear that anyone reporting suspicious activity does not have to be sure a problem actually exists. Waiting until an attack is happening can mean responding too late. There should be no penalty for mistaken identifications of threat.
7. Insist on Strong Password Security
Utilize a password management strategy that incorporates an enterprise password manager and adopts the best practices around password security.
Three out of four people use the same password for multiple sites, and one-third use a significantly weak password, multiple studies have shown. If your organization won't embrace multi-factor authentication, at least insist on long, unique passwords for every account. Be aware, though, that forced rotation every 90 days is no longer the recommended practice: NIST SP 800-63B advises changing passwords when there is evidence of compromise rather than on a schedule, because scheduled changes push users toward predictable variations. Multi-factor authentication on every remote-access path, RDP included, does far more to stop the brute-force attacks described above than any password rule.
8. Implement Mail Server Blocking
Start filtering out and rejecting incoming mail from unknown sources that carries executable attachments - and judge "executable" by content and by everything inside an archive, not just by the last file extension, since "invoice.pdf.exe" and an .exe inside a .zip are the standard tricks. Also set up your mail server to reject mail from addresses and domains on known spam and malware blocklists.
Installing anti-virus and anti-malware software on your email server adds a further safeguard. If you don't have a mail server in-house, be sure that your security services provider can at least filter incoming mail.
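The attachment rule is worth showing in code, because the naive version (look at the extension) is exactly what the double-extension and zip-wrapped droppers are built to beat. The example below is added for this article and is not code from any mail product; it goes a little beyond the text in that it also opens archives and flags Office documents that contain a VBA project (the macro pathway GandCrab uses). The blocked-extension list, the messages and the payloads are constructed, and the "PE" is just the two-byte DOS header.

```python
"""Reject inbound mail carrying executable content: match blocked extensions
(including double extensions), recognise a PE by its 'MZ' header whatever
it is called, inspect archive members, and flag OOXML files that carry a
VBA project.  All messages and payloads here are constructed for the example.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                      ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".ps1",
                      ".dll", ".jar", ".lnk"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}
PE_MAGIC = b"MZ"            # DOS header of every Windows executable/DLL
ZIP_MAGIC = b"PK\x03\x04"   # also the container for OOXML (.docx/.xlsm/...)
MAX_ZIP_DEPTH = 2           # nested archives deeper than this are not opened
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # flag rather than expand huge members


def inspect_attachment(filename, data, depth=0):
    """Return a list of reasons to reject this attachment (empty = clean)."""
    reasons = []
    name = filename or "(unnamed)"
    lower = name.lower()
    if any(lower.endswith(ext) for ext in BLOCKED_EXTENSIONS):
        reasons.append(f"blocked_extension:{name}")   # catches invoice.pdf.exe
    if any(lower.endswith(ext) for ext in MACRO_EXTENSIONS):
        reasons.append(f"macro_enabled_office:{name}")
    if data.startswith(PE_MAGIC):
        reasons.append(f"pe_magic:{name}")            # renamed executable
    if data.startswith(ZIP_MAGIC) and depth < MAX_ZIP_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.filename.lower().endswith("vbaproject.bin"):
                        reasons.append(f"vba_macro:{name}")   # OOXML with macros
                    if info.file_size > MAX_MEMBER_BYTES:
                        reasons.append(f"oversized_member:{name}/{info.filename}")
                        continue
                    reasons += inspect_attachment(f"{name}/{info.filename}",
                                                  zf.read(info), depth + 1)
        except zipfile.BadZipFile:
            reasons.append(f"corrupt_zip:{name}")
    return reasons


def classify_message(raw):
    """Parse a raw RFC 5322 message; return ('reject', reasons) or ('accept', [])."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        reasons += inspect_attachment(part.get_filename(), payload)
    return ("reject" if reasons else "accept", reasons)


def build_message(attachments):
    """Constructed test message with the given (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = "accounts@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached file.")
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members:
            zf.writestr(name, data)
    return buf.getvalue()


FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60         # constructed; only the magic matters
FAKE_PDF = b"%PDF-1.4\n% constructed sample\n"


def demo():
    samples = {
        "double_extension": build_message([("invoice.pdf.exe", FAKE_PE)]),
        "exe_in_zip": build_message([("photos.zip", make_zip(
            [("readme.txt", b"hello"), ("setup.exe", FAKE_PE)]))]),
        "renamed_pe": build_message([("report.pdf", FAKE_PE)]),
        "macro_doc": build_message([("quote.docx", make_zip(
            [("[Content_Types].xml", b"<Types/>"),
             ("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")]))]),
        "clean_pdf": build_message([("report.pdf", FAKE_PDF)]),
    }
    return {label: classify_message(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, (verdict, reasons) in demo().items():
        print(f"{label:17} {verdict:7} {reasons}")
```

Note that the renamed executable and the macro-bearing .docx are caught by content, not by name; a gateway that only consults the extension list accepts both. Password-protected archives cannot be opened this way and deserve their own policy (quarantine or reject), since that is precisely how attackers get past content inspection.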
9. Manage Vulnerable Plug-Ins
Hackers use scores of web plug-ins as targets to infect your system. Two of the most common are Java and Flash. These programs are standard on a lot of sites and are easy to attack. Either update them regularly to ensure they have the proper levels of protection or block their use entirely.
I'm also a proponent of eliminating all BYOD and BYOC programs. Doing so will not win you any popularity contests, but eliminating them might prevent the next ransomware attack.
10. Buy a Cybersecurity Insurance Plan
First-party cyber liability insurance covers claims related to data breaches, ransomware and other cyberattacks on your company and helps pay expenses related to client notification, credit monitoring services, public relations campaigns, lost income and even ransom payments.
Third-party cyber liability insurance covers your responsibility for your customers' data. Claims on third-party coverage might be triggered by accusations that your business failed to prevent a virus or the disclosure of confidential information. This coverage typically pays for attorney's fees, settlement or judgements against your business, government fines and penalties, and the cost of defense before regulatory boards.
In the case of Lake City, Florida, City Manager Joseph Helfenberger recommended to the mayor that the city allow its cyber insurer to pay the ransom of 42 bitcoin, then worth about $460,000. Lake City, which was covered for ransomware under its cyber insurance policy, would only be responsible for a $10,000 deductible. The city chose to pay the ransom because the cost of a prolonged recovery from backups would have exceeded its $1 million coverage limit.
The danger? Hackers now know that the insurers have deep pockets and will obviously choose to capitalize on decisions like this one.
11. Don't Pay Ransom - Except Under One Condition
Law enforcement and security experts agree that paying the ransom is a very poor defense: Over half of ransomware victims who pay a ransom do not successfully recover their files, either because the extortionists fail to deliver the promised keys or have implemented the encryption/decryption algorithms so poorly that the keys don't work, various studies have shown.
The only exception is this: If you have a cyber insurance policy that covers ransomware expenses, including ransoms, then sure: Let your insurer pay so you can get back up and recovered as quickly as possible. Your primary responsibility is to your shareholders, customers and employees.
The Price Tag
So, what will all this cost?
It all depends on device counts, employee head counts, service packages and more. But in broad strokes, a small to midsize business would spend between $35,000 and $110,000 per year for all of the services described above, excluding insurance and training. A cybersecurity insurance policy premium with basic coverage will range between $2,500 to $7,000 per year for these businesses. Training will run about $5,000 per year.
Again, these technologies, processes and protocols are only the fundamental defenses required to improve your chances of warding off a ransomware attack. They are not intended to be a comprehensive study course in cybersecurity risk management.
Using a risk-adjusted cost of future events formula (the expected annual loss is the cost of an incident multiplied by its yearly likelihood, and each option is judged by its fixed cost plus the loss it still leaves you exposed to) to decide whether to spend money on preventive measures, buy insurance or do nothing at all usually yields rational results. For example, the risk-adjusted cost of a fire (high cost, reasonable likelihood) makes it cost-effective to buy a fire insurance policy. Calculating the risk-adjusted cost of ransomware will determine if it's worth investing in prevention.
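As an added worked example of that calculation (written for this article; the dollar figures, probabilities and control effectiveness are assumptions chosen to make the mechanics visible, not figures from the Atlanta or Lake City cases), the code below compares "do nothing", "insure only", "prevent only" and both, and shows why a coverage limit matters when the loss, as in Lake City, can exceed the policy.

```python
"""Risk-adjusted cost comparison for one threat scenario.

expected annual cost of an option
    = fixed spend (controls, premium)
    + residual probability * loss the organization still retains after insurance

All dollar figures and probabilities are assumptions for the example.
"""
from dataclasses import dataclass


@dataclass
class Scenario:
    loss_if_hit: float          # single-loss expectancy: ransom, downtime, recovery, fines
    annual_probability: float   # annualized rate of occurrence


@dataclass
class Option:
    name: str
    control_cost: float = 0.0           # yearly spend on prevention
    probability_reduction: float = 0.0  # fraction of incidents the controls stop
    loss_reduction: float = 0.0         # fraction of loss avoided (tested backups etc.)
    premium: float = 0.0                # cyber-insurance premium
    deductible: float = 0.0
    coverage_limit: float = 0.0


def annualized_loss_expectancy(scenario):
    return scenario.loss_if_hit * scenario.annual_probability


def expected_annual_cost(scenario, option):
    """Fixed spend plus the expected loss that insurance does not absorb."""
    p = scenario.annual_probability * (1 - option.probability_reduction)
    loss = scenario.loss_if_hit * (1 - option.loss_reduction)
    insured = min(max(loss - option.deductible, 0.0), option.coverage_limit)
    retained = loss - insured
    return round(option.control_cost + option.premium + p * retained, 2)


def compare_options(scenario, options):
    """Return [(name, expected_annual_cost)] cheapest first."""
    return sorted(((o.name, expected_annual_cost(scenario, o)) for o in options),
                  key=lambda item: item[1])


def demo():
    # Assumed mid-size organization: a $5M incident with a 15% yearly chance.
    scenario = Scenario(loss_if_hit=5_000_000, annual_probability=0.15)
    # Assumed: $150k/yr of prevention stops 80% of incidents and, through
    # tested backups, cuts the loss of the rest by 60%.
    prevention = dict(control_cost=150_000, probability_reduction=0.8,
                      loss_reduction=0.6)
    # Assumed policy: $40k premium, $50k deductible, $1M limit.
    insurance = dict(premium=40_000, deductible=50_000, coverage_limit=1_000_000)
    options = [
        Option("do_nothing"),
        Option("insure_only", **insurance),
        Option("prevent_only", **prevention),
        Option("prevent_and_insure", **prevention, **insurance),
    ]
    return compare_options(scenario, options)


if __name__ == "__main__":
    for name, cost in demo():
        print(f"{name:20} ${cost:>12,.2f}")
```

With these inputs the policy alone barely moves the number, because $4 million of a $5 million loss sits above the limit; prevention does most of the work and insurance is a reasonable add-on for the residual. Change the assumptions and the ranking changes, which is the point: the decision should come out of the formula, not out of the brochure.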
Keep this in mind: The city of Atlanta spent $22 million after its ransomware attack. That argues strongly in favor of prevention.
A survey by Osterman Research found that about 22 percent of businesses with fewer than 1,000 employees that experienced a ransomware attack in the last year. About 15 percent lost revenue. On average, small companies lost over $65,000 per ransomware incident due to downtime and another $35,000 in lost revenue, the survey shows.
A ransomware attack is projected to occur every 14 seconds by the end of 2019, up from every 40 seconds in 2018, according to Cybersecurity Ventures.
Ransomware is clearly becoming an epidemic.
Unless the federal government and/or the insurance cabals move to insist upon the implementation of a specific suite of preventive and protective measures and criminalize the payment of ransom, it's up to every organization, government agency and business to take rational steps to defend themselves and prepare for the next ransomware attack.
From Sun Tzu's "The Art of War": "Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win."
Victory is always preferable to defeat, right?