Unless you’ve had your head buried in the sand recently, you know that attackers are attacking a wide assortment of companies with ransomware. When they attack your organization, how will it respond?
Cybersecurity has steadily been moving from a strategy of availability to resilience. Years ago, the goal was to achieve 99.999% availability (called five nines) for critical systems. In other words, organizations implemented security controls to ensure systems never went down.
Unfortunately, a strategy of 99.999% availability won’t help when attackers successfully attack an organization with ransomware.
In contrast, resilience refers to an organization’s ability to recover from attacks. It starts with a simple premise.
Your organization will be attacked.
How Do You Respond?
OK. You’ve been attacked. Now what? All your sensitive data is encrypted. Computers are locked up, except for the occasional pop-up messages explaining the ransom terms.
What do you do?
Ransomware Option 1 – Pay the Ransom
One option is to pay the ransom to unlock your data and computers quickly.
However, law enforcement agencies around the world urge victims not to pay ransoms. Every Bitcoin payment that criminals receive allows them to expand their capabilities and launch more ransomware attacks.
One ransomware gang has reportedly received at least $90 million in ransom payments from about 47 victims during the past year.
Paydays like that encourage them to do it again and again.
Additionally, you can’t rely on criminals to give you what you need to unlock your data and systems. After all, they are criminals. There are many incidents where the victim paid the ransom, but the decryption tools provided by the criminals didn’t work. In other incidents, the criminals demanded more money.
Ransomware Option 2 – Create a DRP
A much better option is to have a strong, well-tested disaster recovery plan (DRP). A DRP identifies how to recover critical systems and data after a disaster. Many organizations have separate DRPs for different disasters.
Organizations in Silicon Valley with mature cybersecurity processes in place know how they’ll respond after an earthquake. Similarly, mature organizations in Houston and New Orleans know how they’ll respond after a flood. They document their responses in DRPs, and they regularly test the DRPs to ensure they work.
Creating DRPs for critical systems isn’t an easy process. Effective disaster recovery is a part of an overall business continuity plan (BCP), which starts with a business impact analysis (BIA) to identify critical systems and components.
Without a BIA, it’s difficult to determine what needs to be protected. Should you spend millions protecting a development server used for testing software?
Hint: No. But does everyone know that?
Probably not, but a BIA will identify critical systems and components and make sure people do know what systems to protect.
Once you know the critical systems and components, you can create one or more DRPs. For ransomware, start with the scenario that your organization is infected with ransomware. Next, document the steps needed to restore critical systems and components.
Last, test the steps in the DRP. Some people think all they need is backups. However, if the backups are online, expect them to be encrypted too. An effective backup strategy often has three backups – one offsite, one onsite but disconnected from the network, and a third online for quick recovery from non-ransomware data losses.
Ransomware – Another Option
Of course, there is another option. Denial.
Like the proverbial ostrich, stick your head in the sand and refuse to believe your organization will ever get hit by ransomware.
Attackers Only Have to Find One Vulnerability
Remember the attack on the Colonial Pipeline? It disrupted the gasoline supply chain on the east coast, causing outages and panic buying and pushing gas prices up.
Attackers reportedly got in through an employee’s unused but active virtual private network (VPN) account. There isn’t any evidence that attackers used phishing to get the employee’s password. Instead, the employee’s password appeared in a dark web data dump of credentials from another breach.
In other words, cybersecurity experts are guessing that the employee used the same password when setting up the VPN account as the password for the account in the breached database.
Organizations Need to Block All Exploits
In contrast, organizations must block all exploits. Ideally, prevention techniques can block ransomware attacks before they start.
- Implement zero trust
- Monitor all incoming traffic
- Monitor all outgoing traffic
- Use multifactor authentication
- Implement privileged access management
- Audit accounts and disable unused accounts
- Train employees, but remember it only takes one to click a malicious link (or reuse a password)
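As a concrete form of "audit accounts and disable unused accounts" (and of the unused-but-active VPN account described above), here is an added example, not code from the original post: a Python check that runs over a constructed account export and lists enabled accounts nobody has used recently, VPN-capable ones first. The field names, the 90-day and 14-day thresholds, and the sample records are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample of an identity-provider account export (not real users).
# last_login is None for accounts that were provisioned but never used.
ACCOUNTS = [
    {"user": "alice", "enabled": True,  "vpn": True,  "created": "2023-01-10T09:00:00Z", "last_login": "2024-05-30T08:12:00Z"},
    {"user": "bob",   "enabled": True,  "vpn": True,  "created": "2023-01-10T09:00:00Z", "last_login": "2024-01-15T00:00:00Z"},
    {"user": "carol", "enabled": True,  "vpn": False, "created": "2024-03-01T00:00:00Z", "last_login": None},
    {"user": "dave",  "enabled": False, "vpn": True,  "created": "2022-06-01T00:00:00Z", "last_login": "2023-06-01T00:00:00Z"},
    {"user": "erin",  "enabled": True,  "vpn": False, "created": "2024-05-25T00:00:00Z", "last_login": None},
]

# Fixed "now" so the sample is reproducible; a real audit would use datetime.now(timezone.utc).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'; None stays None."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_stale_accounts(accounts, now, inactivity_days=90, never_used_grace_days=14):
    """Return enabled accounts that nobody has used recently.

    Flags two cases: a last login older than inactivity_days, and an account
    that has never logged in and is older than never_used_grace_days.
    Disabled accounts are skipped. VPN-capable accounts sort first because
    they are reachable from the internet.
    """
    stale = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        last = parse_ts(acct["last_login"])
        if last is None:
            age = (now - parse_ts(acct["created"])).days
            if age > never_used_grace_days:
                stale.append({"user": acct["user"], "vpn": acct["vpn"],
                              "reason": f"never logged in (created {age} days ago)"})
        else:
            idle = (now - last).days
            if idle > inactivity_days:
                stale.append({"user": acct["user"], "vpn": acct["vpn"],
                              "reason": f"no login for {idle} days"})
    stale.sort(key=lambda r: (not r["vpn"], r["user"]))
    return stale


def run_audit():
    """Run the check over the constructed export."""
    return find_stale_accounts(ACCOUNTS, NOW)


if __name__ == "__main__":
    for row in run_audit():
        print(f"DISABLE? {'VPN' if row['vpn'] else '   '} {row['user']:8} {row['reason']}")
```

The output is a review list for the account owners, not an automatic disable; the point is that a never-used VPN account such as carol's stays visible until someone closes it.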
The most important thing to do is realize your organization will be attacked by ransomware and your best protection is preparation.