Large ransomware attacks are being reported more and more frequently, and the reported incidents are only a fraction of those that actually occur: when a ransom is paid, the attackers and the victim commonly agree not to disclose the attack publicly.
In the previous article in this series (Ransomware Attacks: The Worst Cybersecurity Threat, Part 1), we discussed:
- How the majority of high-profile security incidents are now due to ransomware.
- The high potential damage from a successful ransomware infection.
- The large revenues being collected by the ransomware gangs.
- The impressive organization, efficiency, and professionalism of these gangs.
- The growing industry providing support and services to threat actors.
- The rise of extortionware, which is an even more pernicious and damaging form of ransomware.
Unfortunately, many executives have not been paying attention to these trends. Of those that have, many are relying on countermeasures that are ineffective in the current threat environment.
In this article, we’ll discuss some of the most common mistakes being made today.
How Not to Defend Against Ransomware
1. Underestimate the Threat
Some executives still think of hackers as ‘script kiddies’. Today, this stereotype is not only inaccurate, it’s dangerous.
As detailed in the first article in this series, ransomware gangs are organized, highly skilled, highly motivated, and well-financed. Some even appear to be state-sponsored, whether directly or indirectly.
The easiest way to fall victim to the ransomware gangs is to not take them seriously. If your organization does not diligently maintain a robust, adaptive, and sophisticated security posture against them, you will fail.
2. Delegate Instead of Leading
The second mistake is to forget that a robust security posture starts at the top of the organization.
Ransomware is a multi-vector threat, and executives need to lead the defense against it. It can be tempting to delegate the problem of finding and implementing the best way to defend against ransomware to the IT team and forget about it, but this approach will eventually fail. Here are just a few of the reasons for this:
- The IT team can’t require all employees to receive regular training on email hygiene and social engineering prevention.
- The IT team can’t protect the network when executives refuse to obey “inconvenient” policies on edge device security.
- The IT team can’t prevent high-level managers from declaring, “Yes, I know it’s an important security update, but you can’t patch my department’s systems for a while because we’re too busy.”
- The IT team can’t override an executive who realizes that “cutting back the security budget will increase my bonus.”
- The IT team can’t influence C-level decisions such as, “Improving our security posture would come out of capex, so let’s skip it. Instead, we’ll just buy a better insurance policy, and pay the premiums out of opex. That will cover us in case we get hacked.”
That last item relates to a broader topic, which is the next mistake on our list.
3. Rely on Insurance
A growing number of insurance companies sell cybersecurity policies, which can include protection against ransomware.
As a result, many executives are tempted to reduce the amount of resources dedicated to security, and use an insurance policy as a backstop. “Then if we get hacked, we’ll just pay the ransom and get reimbursed later from the insurance company. No problem.”
But this ‘strategy’ has little chance of success. As ransomware incidents have skyrocketed, insurance companies have raised premiums, tightened their underwriting requirements, and scrutinized claims more closely. Even if you could get a policy at an acceptable rate, there’s no guarantee that you would be paid after a breach occurs.
If your company got hacked and then submitted a claim, you can expect your security and IT practices to go under the microscope. The insurance company will be looking for a way to show that you failed to take reasonable measures: in other words, a reason to deny your claim.
They will ask questions such as:
- How often do you scan your systems for malware? How do you monitor your environments for penetration attempts? When an attempt is detected, who gets notified, and what standardized policies and procedures are they required to follow?
- Show us your records of all the pentesting that was recently done, and the results.
- How do you protect your networks from potentially compromised devices, e.g. employees who travel with company laptops and use unsecured public Wi-Fi connections? Why do you allow them to do this, when the NSA says that you shouldn’t?
- Do you have 2FA enabled everywhere that it’s possible? Why not?
- Do you have a complete inventory of every single IT asset? Show it to us.
- How do you monitor announcements (from every vendor) about vulnerabilities and patches for those assets? How do you ensure that all updates are applied immediately?
- Show us your records proving that every asset had all the correct and current patches applied.
If your company gets breached and substantial financial damage occurs—from business interruptions, ransom payments, etc.—your insurance company will be highly motivated to deny any resulting claims.
An interesting (and potentially precedent-setting) example of this is currently in litigation. In the 2017 outbreak of the NotPetya malware, Mondelez International lost 1,700 servers and 24,000 laptops. (NotPetya presented itself as ransomware, but its encryption could not be reversed even by its authors, so it was in effect a destructive wiper: paying would never have recovered anything.) Mondelez submitted a claim on their policy with Zurich American Insurance Company; the policy included coverage for “physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction,” along with subsequent losses due to business interruptions.
Zurich denied the claim. Why? Because there was evidence that the Russian government was responsible for NotPetya (intending it as a cyberattack against Ukraine), and Mondelez’s policy excluded any “hostile or warlike action” by any “government or sovereign power.”
Mondelez then sued Zurich for $100 million. Several years later, Mondelez still hasn’t been paid, because the case is still being fought in court.
The lesson here is clear. A cybersecurity insurance policy is not a reliable way to mitigate the risk of ransomware.
4. Plan to Pay the Ransom
Some executives have basically resigned themselves to getting hacked sooner or later. Their plan is this: if/when a ransomware attack occurs, they will just pay the ransom, get the decryption key from the hackers, and restore the data.
This too is a poor strategy, for multiple reasons.
The attackers might not fulfill their promises. Even after paying the ransom, the victim might not receive a working decryption key. The attackers are criminals; there’s no reason to expect that they will act honorably.
The attackers might be unable to fulfill their promises, even if they wish to do so. Ransomware operators focus on developing and distributing attack tools that can evade detection and successfully encrypt data, so they can issue ransom demands. They have much less interest in testing and QA to verify that the tools can decrypt the data afterwards. Even a decryptor that works in principle is often slow, fails on some files, and cannot restore data that was corrupted or deleted during the attack. And in the extortionware scenario described in Part 1, a decryptor does nothing about data the attackers have already exfiltrated.
One prominent example is the recent Colonial Pipeline attack, which disrupted the gasoline supply for the U.S. East Coast. Within hours, the company paid nearly $5 million to Eastern European hackers to stop the attack. The hackers obliged, and provided a decryption tool. However, the tool ran so slowly and poorly that the Pipeline operators had to restore from backups anyway.
The victim might experience legal or regulatory consequences. The G7 nations recently issued a statement which notes that in some cases, ransom payments go to threat actors who might use them to finance terrorism, or possibly even aid in the proliferation of weapons of mass destruction. The U.S. Treasury Department has warned that paying a ransom to a sanctioned actor may violate OFAC (Office of Foreign Assets Control) regulations, regardless of whether the victim knew who was on the other end.
The victim might experience another attack. Attackers are eager to find targets who will pay ransom demands. According to a study by Cybereason, about 80 percent of victims who paid a ransom were hit with another attack, and almost half of those were hit by the same group of threat actors.
Many Ways to Do It Wrong
Unfortunately, the mistakes listed above are common today. Many executives are relying on tactics that ultimately are putting their organizations at great risk in the current ransomware threat environment.
This raises the question: what are the correct best practices to defend against ransomware? They will be discussed in the next, and final, article in this series.