A few weeks ago, many Americans on the East Coast spent several days scrambling for gas when Colonial Pipeline halted systems for 5,500 miles of pipeline as a precautionary measure after being hit by a ransomware attack. Highly publicized, the Colonial Pipeline ransomware attack is just one of many that have been hitting companies small and large. Healthcare has been a prime target, but other industries are equally at risk, and critical national infrastructure now appears to be a target as well. In 2020, over 2,000 local governments, health care facilities and schools were victims of ransomware.
How does ransomware work?
At a high level, in a ransomware attack a threat actor (usually a criminal group) infiltrates a target’s systems, encrypts its data, and holds that data hostage until the victim pays the ransom. These types of attacks have been around for a long time, but with the rise of cryptocurrency and the difficulty of tracing ransom payments, attackers have become emboldened. This is an extremely lucrative “business” because target organizations that are unprepared often believe that they have no choice but to pay the ransom. The rise in ransomware attacks has highlighted the security weaknesses and poor cyber hygiene of organizations across the board (in addition to the problems posed by unregulated cryptocurrency). While in the case of the Colonial Pipeline attack there are few details on the initial vector, it is likely that the attack was enabled by a compromised password providing access to the company’s networks, or by an employee duped into downloading malware (e.g., through phishing). Regardless of the specifics, a vulnerability in the company’s security opened the door to the attack.
With respect to the CIA triad – confidentiality, availability and integrity – ransomware attacks present a high threat level. They have been known to put hospitals on life support, reveal highly confidential data (and not just personal information) held in trust for customers or clients, and generally paralyze businesses while holding their data hostage. The situation has reached critical levels. Last week, after JBS Foods reported a cyber attack, a memo sent out to companies by the National Security Council implored corporate executives and business leaders in the private sector to address security vulnerabilities. In particular, the memo states that “[a]ll organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location… We urge you to take ransomware crime seriously and ensure your corporate cyber defenses match the threat.”
So what should organizations do?
NIST recently released a fact sheet on Tips and Tactics for Dealing With Ransomware. For more in-depth guidance, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) jointly released the Ransomware Guide in September 2020. It includes industry best practices and a response checklist that can serve as a ransomware-specific addendum to an organization’s cyber incident response plan. Below are some high-level steps that organizations should be taking to protect their systems and data:
- Backing up data. Perform frequent backups of systems and data, and verify your backups regularly. This includes customer data if your organization is a service provider.
- Storing backups separately. Store backups offline or otherwise isolated, such that they cannot be reached or modified from a compromised network; backups that an attacker can encrypt or delete offer no protection.
- Training personnel. Organizations must provide routine cybersecurity awareness training to their personnel. This will help ensure that your personnel understand current cybersecurity threats. Training is critical and yet an aspect of cybersecurity that is often neglected.
- Using preventive security solutions. This includes multi-factor authentication (MFA), antivirus software, firewalls and the like.
- Whitelisting applications. Identify the approved software applications and executable files that are allowed to run, in order to protect computers and networks from potentially harmful applications. Make sure that your personnel understand what they can and cannot use. With remote work, this is even more important.
- Updating and patching. Ensure that systems have been updated with the latest patches. Vulnerable applications and operating systems are the target of many ransomware attacks.
- Encrypting data. Encrypted data cannot be read so long as the encryption key is not compromised. Encryption alone will not prevent a ransomware attack (your organization’s data may still be locked up by attackers), but it will reduce the likelihood of confidential information being spilled all over the dark web.
- Segmenting your networks. This makes it more difficult for attackers to move through (and infect) multiple systems once they have gained a foothold.
- Having an incident response plan. Having a strong incident response plan will allow your organization to more quickly and efficiently address incidents.
- Reviewing insurance policies. Many organizations have a false sense of security when it comes to cyber insurance, though in fact they may not be covered. It is important to know in advance whether and to what extent your organization has coverage.
A strong security program will incorporate all of the above measures: this is what is often referred to as a layered approach. No single security solution can provide protection against ransomware attacks, so it is important to take a layered approach, because a chain is no stronger than its weakest link. With ransomware attacks on the rise, organizations that are not implementing best security practices must make this a priority – or risk, in some cases, losing everything.