Ransomware: What Monetary Value Would You Assign to Your Data?

Incidents involving ransomware are becoming more prevalent and can devastate an underprepared organization. What is most alarming is that ransomware variants are increasingly easier to obtain and deploy by not only criminal syndicates, but anyone with the means and desire to purchase.

In the community we have seen rapid development of ransomware with many of the more robust variants becoming more and more difficult to circumvent. Thankfully, many practitioners and researchers have come together to assist ransomware victims in recovering their data. While it is good to see open-sourced solutions available to mitigate ransomware and help victims recover their data, criminals that develop ransomware can easily sidestep identified recovery techniques and deploy a more advanced version.

Not too long ago, ransomware attacks primarily targeted individuals (the Steam ransomware attacks come to mind). Many individual victims did not have the means or desire to pay the ransom, which directly impacted criminal profit. Within the past year we have seen not only an uptick of those exposed to ransomware, but honed targeting more directed at businesses (those with the means and desire to pay).

Two fairly publicized attacks involve Hollywood Presbyterian Hospital and a school system in South Carolina. In both cases, these organizations were underprepared to perform data recovery in-house and business leaders decided their only option was to pay the ransom; this is not the position an organization wants to be in when an incident occurs.

Each time ransom is paid, the attacker wins, the criminals become better funded and the ransomware attack model becomes more lucrative; thus attracting more criminals to conduct such attacks on larger scales. “Funding the cybercriminal” should not be the best option in a disaster recovery plan, although for many organizations it is both the best and only option. While moving at the speed of business, basic industry standards for backup and recovery planning are not being met. This can either be due to ignorance of the threat, lack of funding, too few resources, or misaligned priorities.

Our consultants respond to all types of incidents, including ransomware events. We also help organizations visualize how ransomware spreads by conducting live simulations using custom tools to simulate a ransomware attack and recommend our business-tailored phishing assessments as well. In all cases, our simulations show that clients without a disaster recovery plan (and those underprepared for an information security incident) experience a severe business impact and can easily be crippled by ransomware. A recent incident we responded to involved one click on a phishing email by an over-privileged user, resulting in a near complete loss of company data (even the nightly backup!). While we were able to assist in complete restoration of the encrypted data, I am positive the business leaders will not soon forget this incident.

Practical approaches to defend against ransomware (at a minimum) include:

• Robust disaster recovery plans and policy development
• End-user awareness of the business threat (easier to conceptualize a threat to business rather than IT screaming “Cyber scary things!”)
• Backup and storage solutions that are well-maintained and scalable as the business grows
• Segmented network space and restricted user account permissions (Sorry, having admin privileges does not make you cool, it makes you a target and business risk)
• Full network packet capture (even small amounts of packet capture can tell a story if there is an incident)
• Continuous monitoring and vulnerability assessment

Incidents involving ransomware are likely to continue. Industry involvement and development of mitigating techniques through reverse engineering of ransomware are extremely helpful in assisting an organization overcome by ransomware get back on their feet; this alone is just not enough to protect the business. The only way we can truly stop ransomware and those that distribute and profit from it, is to defund it. When ransomware is no longer lucrative for a criminal organization, ransomware development and improvements will vastly decrease (this goes against the criminal business model). As long as underprepared organizations are willing to pay the ransom, profitability remains.  Employing practical approaches to defend against ransomware attacks within your organization will help dry up the ransomware well.

Note: ISACA Now is running a series of blogs on the 10 threats covered in ISACA’s Cybersecurity Nexus (CSX) Threats & Controls tool. The threats include APT, cybercrime, DDoS, insider threats, malware, mobile malware, ransomware, social engineering, unpatched systems and watering hole. To learn more about the controls for cybercrime, as well as recent examples and references, typical patterns of cybercrime and more, visit the tool here.

Brandon McCrillis, Sr., Information Security Consultant, Rendition Infosec, @13M4C

[ISACA Now Blog]