Ransomware: Believe the Risk and Be Ready for It

On September 11, 2001, the attack on the World Trade Center resulted in the total loss of the Port Authority of New York and New Jersey’s data center. In just a few days following the tragic event, the families of those working for the Port Authority – whether they worked in the twin towers or not – would need the money distributed through the regular payroll cycle. But without access to the data center, the Port Authority was forced to activate their emergency backup plan.

Several years earlier, the Port Authority had built a replacement data center in a secure facility on New York City’s Staten Island. Thanks to the incredible work of very dedicated people, within two days following the attack, the necessary computer hardware, backup data files and blank forms for the checks and payroll statements were in place. The payroll run was successful. Funds were distributed to grief-stricken families and surviving employees alike.

This immense effort was successful largely because the prior unsuccessful 1993 bombing at the World Trade Center forced the Port Authority to contemplate the impact of a catastrophic event, such as the loss of the data center.

But what if, in addition to a terrorist attack on the World Trade Center, the attack included a coordinated, successful systemwide compromise and ransomware attack? In 2001, the disaster recovery plan did not include a concurrent cyber-based assault. The Port Authority’s systems would not have been prepared, as it was not a focus of the plan built in response to the 1993 event. If the 9/11 attack had been accompanied by a preemptive cyberattack, the outcome for the Port Authority and their employees would have been significantly different.

Understand the Threat

Every disaster recovery plan is based on an organization’s understanding of perceived risks and the systems that need protection. Risks evolve, and as a result, disaster recovery plans must similarly be flexible, adaptable and frequently reviewed. It is impossible to fully predict the form a cyberattack will take. A disconnect between risk and readiness can lead to substantial impact on an organization and its stakeholders.

Traditionally, the risk that drove most disaster recovery plans was the physical failures of technology, or physical damage by fire, flood and natural disasters. Backups focused on recovery from hard-drive crashes, tape-backup drive failures or data center fires. Today, solid-state drives (SSDs) have a mean time to failure of over 150 years, and cloud storage permits remote backups in areas unlikely to be hit by fire and/or natural disasters. While technology failures still can and do occur, they are comparably infrequent. For many companies, this has resulted in complacency, opening them up to be particularly susceptible to ransomware.

In recent weeks, more than 22 towns and cities in Texas as well as cities in Florida were hit by successful ransomware attacks, with Florida’s Lake City paying more than $460,000 and Riviera Beach announcing that they would be paying a ransom of $600,000 for their data. Though unpublished, many Fortune 1000 companies have been forced to pay ransoms in the millions of dollars. For hackers, it’s becoming what ProPublica calls “The Extortion Economy.” Cybercriminals associated with ransomware are out for money, plain and simple. Upon executing the attack, cybercriminals demand payment within 72 hours. If money is forthcoming, the organization receives the decryption key and regains access to their data. In as much as 90 percent of attacks, the ransomware group will provide the decryption key upon receiving payment. Failure to provide the key would negatively impact the business model and cause hackers to lose credibility in securing payment for future attacks.

In the future, terrorist groups, nation-state actors and anarchists may not always be satisfied with simple economic gain. As a society and country, we should begin to prepare for when threat actors rotate from being cybercriminals motivated by financial rewards to terrorist groups and nation-states motivated by destruction, civilian fear and social disorder. What is the recourse when an anarchist group hostile to a country or organization focuses on a crippling attack for nothing more than impact on society (Mr. Robot, USA Network 2015)? Using ransomware with no intention of ever providing a working decryption key would render a devastating blow to any government agency, financial trading house or company and represents the substantial attack capability of a terrorist group or hostile government.

Given constant media stories describing organizations and governments victimized by criminals spreading ransomware, it might seem like companies are defenseless in the face of losing control of their data. In our experience, this is not the case. Cyberattacks can be vicious and devastating, but there are steps every organization can and should take to strengthen its cyber fortification and mitigate the collateral damage of a malware or ransomware attack.

The loss of data is not just a technical question to be left to an overworked IT employee. For many companies, their actual survival as an organization will depend upon a disaster recovery plan and access to the data in the wake of a ransomware attack. Based on our work on hundreds of malware and ransomware incidents, some observations might prove useful to a wide range of organizations.

1. Senior Management Should Understand the Magnitude of the Risk

The threat of data loss at the hands of threat actors is real and needs attention from members at the highest levels of the organization. There are many ways a ransomware infection can hit a company. An employee might click a link in an e-mail, plug an infected laptop into a docking station or connect a compromised cell phone to the Wi-Fi access point. Malware and ransomware are constantly evolving. Regardless of promises made by cybersecurity vendors, there are no perfect defenses. Zero-day vulnerabilities will always be present, providing the threat actor with techniques able to overcome the most sophisticated of defenses. Organizations in which top-level management recognize the nature of the risk are more likely to survive a cyberattack. At that level, resources can be allocated and priorities set for taking defensive measures and requiring incident response plans. We recommend senior management and boards be briefed at least quarterly on ever-evolving cyber threats and the organization’s contingency plans to ensure continuity of access to data.

2. Identify the Location of Vital Company Data

What information does the organization need to maintain the key elements of the business or governmental function? While the answer might seem obvious, in most instances, it’s much more complicated. It’s not uncommon for employees to have files stored on their local machines that are critical to supply chain or other ongoing operations. Since operating systems and applications can be relatively quickly reinstalled, the focus should be on user-created data. Given today’s architecture, which combines locally managed hardware, infrastructure as a service and storage as a service, understanding where the data resides may be far from trivial. But it is the necessary first step in the disaster recovery planning process.

3. Consider the Impact of a Threat Actor as Having Secured the Highest Level of Network Administrative Rights

If backup files are online and accessible 24/7 to members of the IT staff, then those same backup files are potentially accessible to a threat actor. When developing a disaster recovery plan, consider that the threat actor has the same level of network access and privileges of the senior-most members of the IT staff. Also consider that most ransomware attacks follow weeks, months and sometimes years of detailed reconnaissance and infiltration. So, many cyberattacks are successful because the threat actor has spent weeks surreptitiously observing the behavior of employees and IT staff members and gathering user credentials. If using a cloud-based backup as a service, is the system ransomware hardened? This means that in the days prior to a ransomware attack, a threat actor with the highest level of administrative rights cannot encrypt the backup files and terminate the system’s ability to roll-back to earlier file versions. To understand the degree of vulnerability, disaster recovery plans can benefit from an objective review by experienced cyber specialists. These experts can be in-house or external to the organization. If the company’s systems architecture for “backups” can be destroyed or encrypted with ransomware at the same time as the primary file, they cannot be considered ransomware hardened. Backup implies survivability. For example, relying exclusively on mapped drives to a cloud storage system may or may not be problematic. Check with the vendor to determine the level of protection.

4. Will the Backups Survive a Cyberattack?

What is a survivable backup? Has a malware/ransomware attack been considered when designing the disaster recovery plan? How are vital files backed up? Identify systems or architecture changes that will allow the organization to successfully survive an attack by a highly skilled and extremely talented threat actor. Before an attack, identify the resources that would be needed to counter such an attack. Make sure senior management understands and supports the incident response and survivability plan.

5. Restoring Operational Status

Simply having backup files is not enough. Consider how backup files and system images would be deployed in the event of a systemwide breach. For systems to be functional, they must be able to be restored to operational status so employees can do their job.

6. Test

In the military, there is a saying that battle plans often don’t survive the first contact with the enemy. Backup and recovery plans are no different. It is difficult to know if a disaster recovery plan will be effective until it is tested. Are the plans practical? Will they work in the hours or days following a ransomware attack? Experience has shown us that most disaster recovery plans require some tweaking to make them effective. Finding the shortcomings of a disaster recovery plan during a test is far better than working through challenges amid a real attack.

7. Revisit the Disaster Recovery Plan Regularly

Recognize that every plan has moving parts. Threats will continue to evolve as cybercriminals discover new vulnerabilities and build new forms of malware. Similarly, organizations and their data systems evolve. Companies outsource more and more of their IT services, creating a new exposure through the IT security of third parties. Managed Security Service Providers (MSSPs) and IT contractors hold the keys to access many organizations. MSSPs are high-value ransomware targets. An effective backup and recovery program can become ineffective if it is solely dependent on the security of a third-party IT provider. Security plans should be maintained, modified and re-tested periodically as the network infrastructure changes and adapts.

8. Backups and Disaster Recovery Plans are Only One Piece of a Cyber Plan

There are many important pieces to cyber armor (anti-virus software, patch management, VLAN segmentation, e-mail security gateways, firewalls, etc.). These proactive tools are particularly effective against the amateur cybercriminal and can even provide a level of protection against a protracted siege. An organization should not be lulled into complacency, thinking this armor will provide an impenetrable defense. As stated, no defense is perfect. Cybercriminals are diligent, skilled, patient and highly motivated; there is a good chance they will eventually find a weakness they can exploit. The reason to focus on a ransomware-hardened disaster recovery plan over other technologies is that once fortification defenses fall and battle with the enemy is over, the disaster recovery backups will be the difference between rebuilding and failure.

One additional important item to consider in connection with the post-attack rebuilding effort is cyber insurance. Just as every organization should have liability or fire insurance, every organization should have some type of cyber insurance.  Regularly revisit the policy to determine if the right level of coverage meets the current level of malware/ransomware threat. For small companies, the cost of fighting a cyberattack can quickly exceed $100,000. Medium-sized and larger organizations regularly face incident response and breach notification costs well more than $1 million. Many insurance companies now offer cyber insurance. Coverage and rates differ, as do underwriting standards. At the very least, it is wise to determine the extent to which cyber-insurance policies cover ransomware and other cyberattacks, and that coverage is appropriate given senior management’s full understanding of the organization’s cyber-risk exposure.

Unfortunately, ransomware and other cyber risks are not likely to subside. Using experience as a guide, if there is a financial incentive, the methods of attack will evolve, often in ways we cannot predict. The basic concept of ransomware-hardened backup and recovery is typically the first level of protection from a wide variety of threats.