Reports of one ransomware attack after another continue to fill the news, including recent attacks on healthcare providers, suppliers, and even governments. Ransomware has emerged from an obscure security incident just a few years ago, to a major threat impacting the operations of many organizations.
It is important for all organizations to look at the contributing factors and motivations behind the increase in ransomware, and then use those observations to explore ways to help slow the trend, and identify methods to reduce the adverse impacts.
The motivation is money
The individuals behind ransomware attacks appear to be motivated by money. Ransomware is pure extortion, whereby the attacker takes control of a victim’s valuable asset (e.g., data), encrypts it, and holds it hostage until a ransom is paid. If organizations don’t pay within a specific amount of time (generally a few days), the extortionist claims he/she will delete the encryption key which renders the data useless and prevents future decryption.
Some organizations that make a business decision to pay the ransom will receive the unlock key, while others will get demands for more money, and some won’t receive any response. With the exception of last summer’s Not-Petya ransomware attack, which was characterized as a cyberwar-attack from one nation against another’s economic infrastructure, ransomware attacks typically contain instructions on how to pay a ransom to recover the data.
The reason behind the rise in ransomware is complex, but there are three basic assumptions. First, it was only a few years ago when hackers primarily stole data and used that sensitive data for nefarious purposes. For example, stolen credit card numbers could be used to create counterfeit cards, then those cards could be used to purchase goods. As the credit card companies improved fraud protection, the half-life of stolen cards kept getting shorter and shorter, so their street value dropped. The credit card issuers also tightened up controls so that fraudulent use must be geographically close to where the stolen cards are located, or else it triggers extra scrutiny. This made international use of stolen credit card numbers risky, so international hackers started losing interest. While breaches of retailer credit card systems still happen, there are other ways to monetize hacks.
Second, complex hacks that involve stealing data and monetizing it increases the risk of being caught. In healthcare, for example, we used to see massive data breaches involving millions of patient records. While some of the largest breaches appear to have been orchestrated by nation-states, others were used for identity theft and fraudulent billing. Insurance companies and the government have successfully leveraged ‘big data’ to identify providers who profit from these activities. Consequently, criminals find it harder to avoid being caught.
Finally, one can speculate that the emergence of cryptocurrencies has only compounded the problem. The anonymity of financial payments (e.g., ransom) has paved the way for individual hackers, organized criminals, and nation-states to exfiltrate money from their victims, then spend later without a trace. Cryptocurrencies are also used by nation-states looking to evade tighter sanctions, as the flow of cryptocurrency is thought to be untraceable.
How fast does ransomware strike?
There are several observations to derive from recent ransomware attacks. The first is that once the malware has gained a foothold on an ‘index machine,’ the rate of infection to reach all vulnerable devices is very rapid. The infection spreads exponentially and can only be stopped by isolating uninfected vulnerable devices from the network. In recent attacks, two organizations with several thousand endpoints were compromised in under one hour. The first organization did not have a robust reporting and alerting system, so the infection did not stop until every vulnerable device was compromised. The second organization had a security incident and event monitoring tool and an anti-virus console which alerted the IT staff and allowed them time to isolate some of the network. Both organizations detected the event but because of the zero-day nature of the attack, these tools were unable to automatically stop the spread. Eventually, most of the vulnerable devices in multiple geographic areas were compromised. The rapid response of isolating all network segments saved a few devices but not enough to continue operations.
I’ve been infected with ransomware, so what should I do?
First, remember that law enforcement officials encourage organizations to not pay the ransom because it only fuels the criminal elements and leads to more attacks. Regardless if a victim pays or not, the decryption keys only allow organizations to decrypt their data, but those keys will not remove the malware that delivered the encryption payload in the first place. Removing the malware is a huge effort that can take even midsize organizations weeks to accomplish because every infected device must first be identified, then reimaged. Removing the malware is also very expensive — for example, it cost one organization 60 percent of the annual IT budget recover from the ransomware attack. Another reason for the long recovery time is that normal operations cannot resume until the vulnerabilities that allowed the systems to be attacked in the first place do not magically get mitigated with a decryption key. Left untouched, there is a high probability of reinfection, especially if the ransom is paid.
Organizations that need to recover from ransomware should expect to be down for weeks, regardless of if the ransom is paid or not. This outage means that all business operations that depend on IT systems will need to operate in their ‘downtime’ mode. As an example, other organizations have experienced a total loss of their timekeeping systems, which impacted their ability to calculate and issue paychecks. Automated supply chain management systems had to temporarily revert back to paper and fax machines, which impacted supply levels because of the additional time it took to keep inventories of critical supplies. The move to paper records, especially in hospitals, significantly slows the process of documenting work and submitting claims to insurance companies for payment. This resulted in one a hospital getting $60 million behind in cash flow in less than one month. Once systems are back online, it is important to re-enter the data so that the inventory and payment processing systems can restart.
How can I reduce the probability of a successful attack?
The attack vectors used by the ransomware controllers vary, but the primary path is thought to be through emails containing links to malicious websites. Some emails are broadcasted to a large mailing list while other attackers use spear-phishing attacks to target specific individuals who are thought to have administrator accounts. Regardless of the vector, the first line of defense is to limit the number of individuals who have administrator privileges and the ability to execute untrusted/unauthorized code. The second line of defense is to mandate that all administrators have two separate user accounts — one ‘routine’ for use for general day-to-day work and a separate account with administrator privileges that is only used for functions requiring elevated privileges. The account with administrator privileges should not have email access, especially if that email address is published or can be easily guessed. It also helps to educate IT staff about the importance of not publicizing their roles on social media, as this can help reduce the information available for an attacker to attempt a spear phishing attack. Anytime an administrator account is accessed remotely, a multifactor solution should be used.
On the technical front, the use of next-generation firewalls that perform deep packet inspection can be used to identify domains where malicious software is stored, then it can stop the download until other measures can be deployed. This requires a lot of trust in the tools, something that requires extensive documentation and testing.
Studying the history of ransomware will help organizations better prepare for an attack. The most valuable lesson is that as long as humans are in the decision loop, ransomware will win the race to infect nearly all vulnerable machines that it can find. This knowledge increases the importance of having a robust incident response process where those individuals monitoring systems can alert senior decision makers with authority to shut down an organization’s entire network on a moment’s notice. It is also important that staff have access to the technical tools that allow them to isolate networks once the decision to execute the incident response plan is given.
Second, as the event unfolds, the incident response team needs to be augmented with all key stakeholders whose processes are impacted, including non-technical executives. Incidents may impact the ability to deliver services as well as create invoices for past work. Internal operations such as timekeeping and payroll may need to use manual or operate using downtime procedures. There also needs to be non-automated procedures to order supplies from vendors and suppliers that normally provide materials.
Finally, a strong incident response process needs to be developed and exercised regularly in order to proactively prepare for an attack. The response speed is paramount when responding to a ransomware attack so exercises should be planned with minimal people knowing the agenda and timing ahead of the exercise.
Ultimately, it is about planning for the worst case, and hoping for the best.