- Ransomware attacks are unfortunately an ongoing threat.
- There are several IT deficiencies to watch out for that could help ransomware spread.
- You should be taking proactive steps to reduce your organization’s exposure.
Ransomware attacks are still very much a threat, and the ease of perpetrating them is a big reason why. All it takes for a ransomware attack to begin is for a single employee to click on a link or attachment in a phishing email. Sadly, these attacks aren’t going away anytime soon.
The latest 2020 Verizon Data Breach Investigations Report cites phishing as the number one attack vector for the second year in a row, and the number of large organizations subjected to ransomware attacks continues to grow and make the news each week. For example, a recent ransomware attack on a major entertainment law firm exfiltrated more than 750 GB of private client data, including phone numbers and personal email correspondence. Another attack, on the University of Utah, netted close to half a million dollars in ransom, paid to keep the criminals from leaking the student data they had collected.
Ransomware criminals count on several weak links in an IT department’s governance that leave entry points exposed. For example, there are often open network ports that nobody monitors carefully, and infrastructure frequently isn’t managed or maintained consistently, so patches and system updates are deployed late. Additionally, the role of backups has completely changed in the ransomware era. Attackers are getting more adept at penetrating networks, which forces backup strategies to become more sophisticated and to cover a wider variety of circumstances, threat models and conditions. As more of us use our smartphones for work, we store work data on those phones, and the corporate backup solution does nothing for that data if a phone is lost or stolen. Backup tools also weren’t originally designed for heavily virtualized and cloud computing environments, which made them difficult to scale as virtual and cloud servers were brought online.
Create a Solid Playbook to Avoid Future Mistakes
Your organization doesn’t have to be such a tempting target for ransomware attacks. There are a few simple ways to minimize your exposure and make it more difficult for attackers to gain a foothold.
First, you need to set up the appropriate playbook and ensure that it is comprehensive and current. This Forrester report has a ransomware incident flowchart with lots of suggestions on how to create one. It starts with pre-incident planning and offers suggestions on various responses, including assembling your team (perhaps including ransomware response specialists), pre-purchasing Bitcoin in case you choose to pay the ransom, and validating and recovering from backups. That is a good starting place.
If attacked, you’ll need to decide whether or not to pay the ransom. It is tempting to pay, especially if you are unsure about your backup copies and the ransom payment would cost less than the effort and consequences of repairing the damaged systems on your own. But you have to be confident that the attackers will actually deliver a working decryptor and that your systems can be returned to a working state. That isn’t guaranteed: remember, you are dealing with criminals. Plus, you shouldn’t confuse repairing a machine with restoring its data. Just because you have a spare Windows Server that could be brought online doesn’t mean it has the right configuration to operate on your network, or that its shadow copies survived the attack; many ransomware families deliberately delete Volume Shadow Copies before encrypting, so you cannot count on them as a recovery path.
How to Reduce Your Exposure
Here are a few steps to take to reduce your potential ransomware exposure.
- Automate as much of the data recovery process as possible. Figure out what needs to be backed up and how those backups can be staged so that restores finish within your recovery time objectives. If there is more data to recover than you can restore in the time available, go back and revise your playbook.
- Test your recovery procedures frequently and ensure that all of your critical data has been backed up. This means you should know when a key system has missed its backup. It seems obvious, but missing critical data is a common discovery after a ransomware attack. Also watch what happens to your backups when your systems, networks and applications change. Regularly check and vet your recovery procedures; many ransomware victims never find out how inadequate they are until after they have been hit and their data is lost. This also means holding regular disaster recovery drills in which issues are reviewed and the procedures in your playbook are improved. If you are looking for a place to start a simple backup plan, see this post on HPE’s blog.
- Make sure you have everything you need for a complete recovery. Some organizations operate completely separate disaster computing offsite, while others employ managed service providers that specialize in cloud-based protection. Using these sites should be factored into your disaster planning drills as well.
- Plan for disruptions in staff communications. Many ransomware victims are left with crippled email and phones, which hobbles the very communications they need to get things back online. In the City of Baltimore’s 2019 ransomware attack, staffers tried to set up private Gmail accounts but were quickly shut down by Google, because the city should have created business accounts instead. They should have figured this procedure out ahead of time.
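The second step above (knowing when a key system has missed its backup, and checking that what you restore is intact) is the part of this list that can be scripted. The following is an added example and not code from the original article or from any backup product: it reads a small constructed backup catalog in a hypothetical one-line-per-job format, compares each critical system’s most recent successful job against an allowed maximum age, reports systems that are stale or never backed up, and verifies a restored file against the SHA-256 recorded at backup time. The inventory, catalog lines and host names are all made up for the example; a real catalog would come from your backup software’s reporting interface.

```python
"""Backup coverage and restore-integrity check (added example).

Flags critical systems whose newest successful backup is older than the
allowed age, or absent from the catalog entirely, and verifies that a
restored artifact matches the digest recorded when the backup was taken.
"""
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed inventory: system name -> maximum acceptable age of the newest
# successful backup (derived from each system's recovery point objective).
CRITICAL_SYSTEMS = {
    "fileserver01": timedelta(hours=24),
    "sqlprod01": timedelta(hours=4),
    "ad-dc01": timedelta(hours=24),
    "erp-app01": timedelta(hours=12),
    "vpn-gw01": timedelta(hours=24),   # deliberately absent from the catalog
}

# Constructed catalog in a hypothetical format:
# <UTC timestamp> <host> <OK|FAILED> <sha256 of archive, or "-">
CATALOG = """\
2020-08-31T20:00:00Z sqlprod01 OK 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
2020-09-01T01:05:00Z fileserver01 OK b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9
2020-09-01T02:10:00Z sqlprod01 FAILED -
2020-09-01T03:00:00Z ad-dc01 OK 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
2020-08-29T01:00:00Z erp-app01 OK 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
"""


def parse_timestamp(text):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp as timezone-aware UTC."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_catalog(text):
    """Turn catalog lines into a list of job records; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, status, digest = line.split()
        records.append({"when": parse_timestamp(ts), "host": host,
                        "status": status, "sha256": digest})
    return records


def latest_good_backups(records):
    """Newest job with status OK per host; failed jobs never count."""
    latest = {}
    for rec in records:
        if rec["status"] != "OK":
            continue
        current = latest.get(rec["host"])
        if current is None or rec["when"] > current["when"]:
            latest[rec["host"]] = rec
    return latest


def find_gaps(inventory, latest, now):
    """Map each uncovered critical host to a human-readable reason."""
    gaps = {}
    for host, max_age in inventory.items():
        rec = latest.get(host)
        if rec is None:
            gaps[host] = "no successful backup in catalog"
            continue
        age = now - rec["when"]
        if age > max_age:
            gaps[host] = (f"stale: last good backup {age.total_seconds() / 3600:.1f}h old, "
                          f"limit {max_age.total_seconds() / 3600:.0f}h")
    return gaps


def check_backups(now, catalog=CATALOG, inventory=CRITICAL_SYSTEMS):
    """Full check: parse the catalog and report every gap against the inventory."""
    return find_gaps(inventory, latest_good_backups(parse_catalog(catalog)), now)


def verify_restore(restored_bytes, expected_sha256):
    """True only if the restored artifact hashes to the digest recorded at backup time."""
    return hashlib.sha256(restored_bytes).hexdigest() == expected_sha256


if __name__ == "__main__":
    now = parse_timestamp("2020-09-01T12:00:00Z")   # constructed 'current' time
    for host, reason in sorted(check_backups(now).items()):
        print(f"{host}: {reason}")
    latest = latest_good_backups(parse_catalog(CATALOG))
    # The fileserver01 archive in the constructed catalog is the bytes b"hello world".
    print("fileserver01 restore intact:",
          verify_restore(b"hello world", latest["fileserver01"]["sha256"]))
```

Run as a scheduled job, this is the kind of check that tells you a system has quietly dropped out of rotation before an attacker does; the digest comparison is what turns "we have a backup" into "we have a backup we can trust".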
Remember the keys to better IT decision-making to protect your organization:
- Beef up your IT security practices, including logging and monitoring, so you can trace the root cause of any ransomware attack.
- Maintain IT management continuity and consistent ownership of IT infrastructure.
- Implement a solid patching program to deploy regular system and server updates.
- Create and verify appropriate data recovery processes and procedures.
- Plan ahead for potential disruptions in staff communications during an attack or outage.