Ransomware Everywhere & How to Avoid It
Updated: Sep 14, 2021
In our last post, we discussed how often businesses fall victim to ransomware attacks. An Embroker study predicted that a ransomware attack will claim a victim every 11 seconds in 2021. Unfortunately, we are starting to see this prediction become a reality, as the following stories of ransomware have emerged in the past month:
Underwriters Laboratories, the largest and oldest safety certification company in the United States with 14,000 employees and offices in over 40 countries, suffered a ransomware attack that encrypted its servers and caused them to take systems and services offline.
Automatic Funds Transfer Services (AFTS) was hit with ransomware from an organization known as "Cuba Ransomware". The attack took AFTS offline and has resulted in data breach notifications to customers from multiple cities within California and Washington.
A South Carolina county is still recovering from a ransomware attack on January 22nd that disabled email and network services for the county offices. The ransomware was initially delivered via email to an employee.
Canadian Discount Car and Truck Rentals was targeted with a ransomware attack that may have also exfiltrated sensitive data, an emerging tactic for ransomware breaches. The responsible organization, known as DarkSide, posted on their data leak site that they stole 120GB of unencrypted finance, banking, and account data.
A hospital in southern France was the victim of ransomware and has said that full restoration of services could be "several weeks away". In the meantime, hospital staff have resorted to pen and paper to maintain records.
Major electric utilities in Brazil suffered a ransomware attack that disrupted operations and temporarily suspended services. The organization DarkSide again took credit for the attack, claiming that they have 1,000GB of data from the breach, including utility infrastructure information and personal details of staff and customers.
This list doesn't even address general data breaches, phishing attacks, and other sources of malware and, of course, only deals with ransomware attacks that were reported. Moreover, many companies focus on recovering their data after a ransomware attack without identifying the root cause of the attack. Thus, half of ransomware victims are exploited again! One company in England ended up making two payments of the equivalent of nearly $9 million after being reinfected by the same ransomware.
Based on the size of your organization, you may have a simple or complex environment to protect. You may have hundreds of employees to worry about or only a half dozen. Nevertheless, everyone can follow these basic guidelines to mitigate the risk and damage of ransomware attacks.
Prevent the Attack
Of course, the first and primary goal is to prevent the attack in the first place. This requires knowing all of your Internet connected devices and systems and ensuring that they are kept up to date with the latest security patches and security defenses. Some of the tools/processes for preventing attacks are:
Up-to-date inventories of assets and software versions
Securely configured firewalls
Securely configured Intrusion Prevention Software (IPS)
Employee security awareness
Strong password policies
Detect the Attack
Despite our best efforts, sometimes attacks still make it through our defenses. In that case, we want to detect the attacks as quickly as possible. According to an IBM study, it takes companies an average of 197 days to discover a breach and as many as 69 days to contain it. Moreover, companies that discovered a breach within 30 days saved an average of $1.16 million compared to companies that took more than 30 days. Some of the tools/processes for detecting attacks are:
Centralized Logging (SIEM)
Securely configured Intrusion Detection Software (IDS)
Security monitoring and alerts
File integrity monitoring
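Added example, not from the original post: a minimal file integrity monitor that snapshots a directory's file hashes and flags the change pattern ransomware leaves behind (a large share of baseline files modified or gone, plus new files with encryption-style suffixes). The suffix list, thresholds and the demo directory contents are all constructed assumptions for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed, illustrative suffix list; real FIM tooling would use a curated, maintained one.
SUSPICIOUS_SUFFIXES = {".locked", ".encrypted", ".crypt"}

def file_hash(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files stay out of memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map each file (path relative to root) to its hash: the known-good snapshot."""
    return {str(p.relative_to(root)): file_hash(p) for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference between two snapshots as modified, missing or added."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def ransomware_indicators(diff: dict, baseline_size: int, churn_threshold: float = 0.5) -> list:
    """Return reasons the change set looks like mass encryption; an empty list means none found."""
    reasons = []
    touched = len(diff["modified"]) + len(diff["missing"])
    if baseline_size and touched / baseline_size >= churn_threshold:
        reasons.append(f"{touched} of {baseline_size} baseline files modified or missing")
    renamed = [p for p in diff["added"] if Path(p).suffix.lower() in SUSPICIOUS_SUFFIXES]
    if renamed:
        reasons.append(f"{len(renamed)} new files carry ransomware-style suffixes")
    return reasons

def demo() -> list:
    """Constructed scenario: four documents, then three are replaced by .locked copies."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("q1.xlsx", "q2.xlsx", "notes.txt", "readme.md"):
            (root / name).write_bytes(b"plaintext content of " + name.encode())
        baseline = build_baseline(root)
        for name in ("q1.xlsx", "q2.xlsx", "notes.txt"):
            src = root / name  # stand-in for encryption: write unrelated bytes under a new name
            (root / (name + ".locked")).write_bytes(hashlib.sha256(src.read_bytes()).digest())
            src.unlink()
        return ransomware_indicators(compare(baseline, build_baseline(root)), len(baseline))
```

Run `demo()` to see both indicators fire; in practice the baseline would be stored off-host and the comparison scheduled, with alerts routed to the SIEM listed above.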
Respond to the Attack
Security managers' worst nightmare becomes a reality and an attack is detected. Now, your goal is to respond effectively by identifying what happened and what was affected, and recovering any data or money possible. Some of the tools/processes for responding to attacks are:
Centralized Logging (SIEM)
Incident Response retainer
Most importantly, though, you want to identify the root cause of how the attack occurred and fix the relevant security hole so it doesn't happen again. As the saying goes, "fool me once, shame on you; fool me twice, shame on me."