Could your housing organization withstand a lengthy shutdown of its computer systems? Weeks where you couldn’t access rent data or other tenant information? Building inventories? Payroll?
What if, during this period, you were also receiving threats of legal action? All while news reports of the crisis were tainting your organization’s reputation?
This is the kind of havoc that can ensue if your organization falls prey to ransomware, a type of malware that encrypts your computer files, preventing you from accessing your data until you pay a ransom to your attackers, who may also threaten to publish your sensitive information.
To Pay or Not to Pay
If you’ve fallen victim to a ransomware attack, should you give in to your attackers’ demands? AXA XL, a broker that provides HAI Group’s membership with cyber coverage, interviewed Winston Krone, global managing director of Kivu, a leading provider of digital forensic services, to get the latest thinking. His advice is reprinted, with permission, below.
“Assuming that legal due diligence checks out (to be compliant with OFAC, AML, and anti-terrorism laws),” Krone says, “the key factors we consider are these:
- The likelihood that this particular attacker [can] provide the correct decryption methods to recover the encrypted data.
- Whether the client’s network is likely to have suffered corruption caused by the attack.”
If an organization doesn’t pay, the situation can play out in a few ways. “If [they don’t pay] because backups are found to exist, then frequently recovery is slow but ultimately successful—although in complex and large networks, some corruption is inevitable,” Krone says. “If the reason for not paying is because we advise that the attacker will not be able (or willing) to assist, or because corruption issues will make paying ransom pointless, the organization is going to suffer significant business interruption while it attempts to recover missing data from employees, isolated machines, and third parties/business partners.”
If the organization decides to pay, Krone says, it is rare for an attacker to accept a ransom and maliciously not follow through.
Catastrophic Ransomware—A New Threat
Ransomware attacks have been around for a long time—the first known attack occurred in 1989—but in the last six months, a vicious new breed has emerged that can take down an entire enterprise organization.
Chris Nyhuis, president and CEO of Vigilant Technology Solutions, an international security and total IT solution provider, told AXA XL more about this emerging threat, excerpted here with permission. “The goal [is for attackers] to quietly learn as much about an organization [as they can] so they can eventually turn off all operations and lock the organization down. [Then], they hold the company hostage until a sum, sometimes going into the millions, is paid,” says Nyhuis.
Here’s how the attack plays out, according to Nyhuis.
- The attacker(s) come through an open port on a firewall, or vulnerability in a system. They can also come through users clicking on a link.
- The attacker then quickly pivots to another system, and in most cases, deploys an easy-to-identify virus or malware on the original system. This triggers the IT department of the attacked organization to run antivirus on it or re-image the machine, taking them off the track of the attacker and destroying evidence.
- The attacker then puts hooks in 25+ machines so they can retain consistent control.
- Next, the attacker patiently gains control of key servers and file servers, identifies backup systems and where they are stored, takes over email and learns the financial status of the organization. (This last step may take up to a year.)
- Once the attacker has taken control of key systems and feels they have learned enough to take the company down, they then lock down all networking, firewalls, email servers, file servers, manufacturing lines, and authentication servers—essentially taking the company and turning it off.
- The attacker will then hold the company ransom and will leave it turned off until a ransom is paid.
“The attacker knows your financials and stability,” Nyhuis says. “The ransom is, in many cases, based on this information, so they know how long you can be down and how much money you are likely and able to pay to be turned back on. They stand to make up to millions of dollars because the entire business is at stake.”
Protecting Your PHA
Cloud-based solutions and segmentation can help you mitigate your exposure to ransomware, according to AXA XL. That’s because these solutions are naturally segmented, isolating data and diminishing threat vectors and the opportunities for these threats to spread. Some systems also have built-in multifactor authentication, which makes it hard for threat actors to impersonate the user and break in. Another advantage is on-demand recovery, so, if your organization were attacked, you could take your backup from the cloud on demand to ensure no loss of business continuity during the ongoing forensics investigation.
If you’re looking for a remote cloud provider, Prem Ananthakrishnan, a vice president with cloud data protection provider Druva, advises in a Q&A posted on AXA XL’s website, and used here with permission, that you look for built-in multifactor authentication and other security features. Druva, for instance, has the same security monitoring and rigorous certification used by large federal agencies like NASA. He also says to make sure the solution is automated and 100 percent staffed so you don’t have to worry about making constant patches or upgrades. Anomaly detection is also critical. “Ideally you want a system that will help you flag security events and take action, and you want one that will integrate well with the rest of the security chain, especially your incident response,” Ananthakrishnan says.
Vigilant Technology Solutions’ Nyhuis says that conducting a vulnerability assessment once a year, or even quarterly, isn’t enough to mitigate risk. While organizations may also have SIEM solutions, firewalls and intrusion detection systems, “the problem is that the attackers identify all the tech that companies use to defend themselves and they just go buy the same technology online. Once purchased, they put it in their labs, learn about what you can detect and what you can’t, then attack with an undetectable custom attack,” he says.
According to Nyhuis, organizations need to consider the following:
- There isn’t time to find a place in your budget next year, there isn’t time to find a place in a project plan. This is a serious danger that can take you out of business overnight.
- Deploy detection and prevention technology that is not readily available on the market. What I mean is that commoditized technology, based on widespread accessible technology, will put you behind the attacker because they have access to the same technology.
- Obtain threat intelligence that is curated and specific to your organization.
- Move detection of SIEM and firewall technologies as these are easily visible to, and attackable by, a threat actor.
- Ensure that you have a team of highly qualified analysts consistently hunting and looking at your network and system traffic for threats. When I say this, I do not mean Artificial Intelligence or automatic detection. I mean actual people investigating. If you can’t afford, or do not have the expertise, to build a team, it is important to outsource to a managed security provider.
Additional Reading on HAI Group’s Risk Management Center
NetDiligence®, a cyber risk assessment and data breach services company, has agreed to make the following materials available to HAI Group members.
Read more about ransomware trends, including costs, effects on business interruption, outcomes when ransoms are paid (and not), and which industries are most likely to suffer an attack.
Download this short guide on the ransomware safeguards you should have in place, plus helpful tips for your IT department—and your employees.