Every industry is a target for hackers, and you should always prepare for battle. Hackers select potential targets by looking for vulnerabilities, evaluating the complexity of an attack, and weighing the potential payoff. Modern organizations operate dynamically, and cybersecurity isn't always an integral part of their operations.
Ransomware attacks can spread through the organization irrespective of the attack vector. Critical files, data, and even infrastructure and applications can become inoperable. The growing usage of mobile, Internet of things (IoT) devices, backup encryption, and the need for data availability make protection against ransomware even more necessary.
A recent example would be at the University of California at San Francisco, where a group using ransomware called ‘NetWalker’ targeted the school’s Medicine IT environment. The COVID-19 pandemic over the past year provided a golden opportunity for hackers. The school wasn’t convinced that the hackers obtained information about their patients, but found themselves paying $1.14 million to the bad actors. Paying the ransom isn’t recommended because there are no guarantees that your data will be decrypted or that data integrity won’t be affected. Another reason not to pay the ransom is that it encourages bad actors to continue this type of activity.
Another example would be the arrest of an individual who attempted to infiltrate a Gigafactory owned by American automobile manufacturer Tesla. Egor Igorevich Kriuchkov, a Russian citizen, is suspected of trying to bribe an employee to install ransomware inside the firm. The ransomware would collect data from the company, and then the attacker could threaten to make the data public if a significant payment wasn’t made. The FBI arrested Kriuchkov in August, and he faces up to five years in prison and a quarter-million-dollar fine. In this particular example, the hacker decided to take the path of least resistance: he was not going to install the ransomware himself but rather collaborate with an internal resource. The attacker was also going to capitalize on Tesla’s proprietary information and threaten to make it public to destroy their reputation and affect their brand.
Ways to mitigate ransomware include:
- Enforce ransomware governance — establish who the key decision-makers are in your organization and support their efforts.
- Ransomware assessments — this includes vulnerability scans and penetration tests to determine the degree of vulnerability.
- Always have three copies of your critical data in three different types of environments — for example, cloud, local, and off-site.
- Use least-privilege and need-to-know security concepts to manage access, coupled with identity management authentication tools.
- User training so that staff are aware of ransomware and its implications, including new types of ransomware. Users should be tested periodically to ensure they are familiar with the organization's cybersecurity concepts and protocols.
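As an added example (not from the article), here is a small Python check of the backup rule in the list above: it takes a constructed inventory of backup copies and verifies that each critical dataset has at least three copies spread across three environment types, and that the newest copy with a verified test restore is recent enough to meet a stated recovery-point objective. The inventory records, dataset names and the two-hour objective are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

REQUIRED_COPIES = 3
REQUIRED_ENVIRONMENTS = 3   # e.g. cloud, local, off-site


@dataclass(frozen=True)
class BackupCopy:
    dataset: str
    environment: str          # "cloud", "local" or "offsite"
    taken_at: datetime
    verified_restore: bool    # a test restore from this copy succeeded


def check_dataset(copies, now, max_age):
    """Return a list of policy findings for one dataset (empty means compliant)."""
    findings = []
    if len(copies) < REQUIRED_COPIES:
        findings.append(f"only {len(copies)} copies, need {REQUIRED_COPIES}")
    envs = {c.environment for c in copies}
    if len(envs) < REQUIRED_ENVIRONMENTS:
        findings.append(f"copies span {sorted(envs)}, need {REQUIRED_ENVIRONMENTS} environment types")
    # Only copies that have actually been restored in a test count toward recovery age
    restorable = [c for c in copies if c.verified_restore]
    if not restorable:
        findings.append("no copy has a verified test restore")
    else:
        newest = max(c.taken_at for c in restorable)
        if now - newest > max_age:
            findings.append(f"newest restorable copy is {now - newest} old, exceeds {max_age}")
    return findings


def check_inventory(inventory, now, max_age=timedelta(hours=2)):
    """Group copies by dataset and evaluate each one against the policy."""
    by_dataset = {}
    for c in inventory:
        by_dataset.setdefault(c.dataset, []).append(c)
    return {ds: check_dataset(cs, now, max_age) for ds, cs in by_dataset.items()}


# Constructed sample inventory (assumed values, not real systems)
NOW = datetime(2021, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    BackupCopy("patient-records", "local",   NOW - timedelta(hours=1), True),
    BackupCopy("patient-records", "cloud",   NOW - timedelta(hours=1), True),
    BackupCopy("patient-records", "offsite", NOW - timedelta(days=1), True),
    BackupCopy("billing-db",      "local",   NOW - timedelta(minutes=30), True),
    BackupCopy("billing-db",      "local",   NOW - timedelta(hours=6), False),
]

if __name__ == "__main__":
    for dataset, findings in check_inventory(SAMPLE, NOW).items():
        print(dataset, "OK" if not findings else findings)
```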
The last bullet point above is critical with the large increase in remote work because every home computer is a potential doorway. Ransomware is most commonly delivered through phishing emails or via “drive-by downloads.” Social engineering is still the most effective technique for gaining a foothold in your network. Thus, the risk of infection is always high, and taking the proper steps to recover is essential. Gary Audin’s recent No Jitter post described steps WFH users should take, but organizations need to take much more significant action.
A client recently was hit with a ransomware attack and a demand for payment. However, because they had excellent preparation, they were able to temporarily shut down, locate (and fix) the source, and restore from backups that were only a couple of hours old. The disruption was less than a full day and with no payment.
Incidents involving ransomware are rising now more than ever before, and no evidence suggests that it will decline in the foreseeable future. A distressing fact is that whatever resources organizations allocate toward information security are typically weighted disproportionately towards defense and prevention, and not nearly enough attention is paid to response and recovery. The sad fact is that most organizations never fully consider that no matter what precautions they take, a breach will happen sooner or later. A comprehensive security strategy must consider different types of threats and their respective impact on the organization, active monitoring for potential security events, and include the ability to recover quickly after an incident.
J.R. Simmons, Principal Consultant for COMgroup, contributed to this article.
"SCTC Perspective" is written by members of the Society of Communications Technology Consultants, an international organization of independent information and communications technology professionals serving clients in all business sectors and government worldwide. Knowing the challenges many enterprises are facing during COVID-19, the SCTC is offering to qualified members of the Enterprise Connect user community a limited, pro bono consulting engagement, approximately 2 - 4 hours, including a small discovery, analysis, and a deliverable. This engagement will be strictly voluntary, with no requirement for the user/client to continue beyond this initial engagement. For more information or to apply, please visit us here.