"The best bad day is the one we never have. The second best bad day is the one we expected and prepared for."

While it’s not surprising that a quick Google search brings up quite a few jokes on the topic, ransomware is definitely not funny and you’re surely not laughing if you’ve ever been impacted by ransomware.

Where did the hacker go? I don’t know, he just ransomware.

Sadly, ransomware isn’t going anywhere anytime soon. According to the 2020 Verizon Data Breach Investigations Report, “ransomware is the third most common malware breach variety and the second most common Malware incident variety” and “It’s a big problem that is getting bigger, and the data indicates a lack of protection from this type of malware in organizations.” The unfortunate truth is that there are people out there (and lots of them) who spend all day thinking up ways to separate you from your money. And they are good at it.

What is Ransomware?

In short - ransomware is a form of malware that infects your computer, encrypts your files, and often provides a ransom note stating that you must pay the ransom in order to get the key to unlock your data.

Best case scenario, your organization has sufficient backups and ransomware is reduced to an inconvenient annoyance. More often, we see smaller organizations lack adequate preparation and the impact is devastating. It’s important to note that ransomware attacks don’t seem to discriminate; organizations of all types and sizes have been impacted.

Ransomware is Evolving

There used to be a ‘simple solution’ to ransomware: have good data backups, a well-defined Disaster Recovery Plan (DR) and Business Continuity Plan (BCP) with acceptable Recovery Point & Time Objectives (RPO and RTO respectively). Now I know what you’re thinking, “You call that simple?!” Yes, it’s simple. Not easy (or cheap), but simple, linear, logical, and navigable with a pragmatic approach. In most cases, cost and resource availability keep many organizations from having such resiliency to ransomware, which is why it continues to be so effective despite having such a clear answer. But unfortunately, even that plan might not work going forward.

New variants of ransomware engage in data exfiltration before encrypting your files, and that data is then used to extract additional extortion dollars from the organization. This has been shown to increase the efficacy of the attack because it turns an otherwise [recoverable] availability impact into a complex data breach, which almost always carries more severe consequences.

Impact of Ransomware

In the Security Industry – fear sells, but we don’t like to participate in fearmongering. That said, ransomware is a serious problem that warrants careful thought and preparation. The impact of unavailable data and systems varies by organization, but may include:

  • Revenue Loss due to downtime of revenue generating systems that may include but may not be limited to e-commerce sites
  • Reduced Employee Productivity caused by downtime of impacted systems
  • Compliance Issues could result on multiple fronts, from the lack of availability of data required for compliance, inability to meet contractual requirements, and also HIPAA compliance issues as the Department of Health and Human Services (HHS) considers data that’s been encrypted to be a breach
  • Reputation Risk that may result from either not being able to service your customers or worse - being in the news

How does it Work

Ransomware often gets into the environment through phishing, where the attacker includes ransomware as an email attachment or provides a link to a malicious website where the ransomware is hosted (and then downloaded and executed). In other cases, bad actors gain access via password guessing attacks on Internet-accessible services or login portals, and once they obtain a foothold in the environment, they deploy their ransomware.

Once the ransomware is deployed, it attempts to spread everywhere it can: network file shares, other computers on the network, even backup files when possible. In more sophisticated cases, ransomware will spread as far as it can, lie dormant for months, and then detonate at a particular date and time so that restoring to a recent backup will not eradicate the malware from the environment.
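
The password-guessing entry path described above can be caught in authentication logs before ransomware is deployed. The following is an added example, not code from the original post or its authors: it flags a source IP that produces a burst of failed logins and, more urgently, a successful login that follows such a burst. It assumes OpenSSH-style `sshd` messages with ISO timestamps; the sample log, threshold, and window are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH sshd message style; host, users and IPs are made up.
SAMPLE_LOG = """\
2024-03-01T02:14:01 gw1 sshd[811]: Failed password for admin from 203.0.113.7 port 50122 ssh2
2024-03-01T02:14:03 gw1 sshd[811]: Failed password for invalid user test from 203.0.113.7 port 50124 ssh2
2024-03-01T02:14:05 gw1 sshd[811]: Failed password for root from 203.0.113.7 port 50126 ssh2
2024-03-01T02:14:08 gw1 sshd[811]: Failed password for backup from 203.0.113.7 port 50128 ssh2
2024-03-01T02:14:10 gw1 sshd[811]: Failed password for backup from 203.0.113.7 port 50130 ssh2
2024-03-01T02:14:15 gw1 sshd[811]: Accepted password for backup from 203.0.113.7 port 50132 ssh2
2024-03-01T08:30:00 gw1 sshd[902]: Failed password for alice from 198.51.100.20 port 41000 ssh2
2024-03-01T08:30:20 gw1 sshd[902]: Accepted password for alice from 198.51.100.20 port 41002 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_guessing(lines, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (kind, ip, user, timestamp) tuples, in log order."""
    recent = defaultdict(deque)   # source IP -> timestamps of recent failures
    alerted = set()               # IPs already reported as guessing
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # unrelated or malformed line
        ts = datetime.fromisoformat(m["ts"])
        fails = recent[m["ip"]]
        while fails and ts - fails[0] > window:
            fails.popleft()       # drop failures that fell out of the window
        if m["result"] == "Failed":
            fails.append(ts)
            if len(fails) >= threshold and m["ip"] not in alerted:
                alerted.add(m["ip"])
                alerts.append(("guessing", m["ip"], m["user"], ts))
        elif len(fails) >= threshold:
            # A login succeeded right after a burst of failures: possible foothold.
            alerts.append(("success_after_guessing", m["ip"], m["user"], ts))
            fails.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG.splitlines()):
        print(*alert)
```

A `success_after_guessing` alert is the one to treat as an incident: the account involved should be locked and its session investigated, since that is the foothold from which deployment follows.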

Paying the Ransom

Should you pay the ransom? Most of us have a philosophical and ethical issue with paying criminals not to commit crimes (or paying them to undo them). The government may impose fines on organizations that elect to pay the ransom (as indicated by the US Treasury Department). As security professionals, we’d prefer to see organizations not pay the ransom. If organizations stop paying altogether, these attacks are no longer lucrative and there is less incentive for these criminal organizations to continue targeting businesses with ransomware. Easy for us to say, right? Unfortunately, the decision to pay or not isn’t a philosophical or ethical decision; it can be necessary to keep from going out of business.

If your organization is faced with paying the ransom or going out of business – what would you do?
Pretty easy question to answer, despite what the government and security professionals say.

Yes, when organizations pay, criminals are likely to return data. Their end goal, in most cases, is to get paid. If organizations think that paying won’t work, they will stop paying, which isn’t good for the criminal’s business. In reality, people pay because it generally gets their data back and organizations are usually able to recover their files after paying the ransom. However, at the end of the day, you are dealing with criminals and you need to approach the situation with eyes wide open. In other words, paying the ransom does not guarantee that you will be able to recover your files.

Bottom line, avoiding ransomware and having to make decisions on whether or not to pay a ransom should be the ultimate goal. Prevention is the best approach. Ensuring the ability to recover if infected is a must!

What Should You Do

As mentioned above, prevention is the critical first step to protecting your personal data. Some prevention is basic security hygiene such as:

  • Email filters and spam detection / prevention
  • Reduce Internet-accessible services and login portals and apply multi-factor authentication wherever possible
  • Web filtering to prevent employees from going to malicious websites
  • Anti-virus protection
  • Patch and vulnerability management
  • Security Awareness training and phishing exercises

Other things that make sense are:

  • Examine Network File Shares (NFS) for sufficiently restrictive permissions
  • Network segmentation that restricts the ability of the ransomware to move laterally within the organization
  • Lock down workstations so that malicious software cannot be downloaded / installed
  • Whitelist applications to keep malware from running

On the recovery side:

  • Regularly back up files in a manner that would not allow the same form of malware to impact the primary and backup versions of your data / software
  • Keep incident and disaster plans up-to-date
  • Training and testing of backups, recovery plans, and incident response plans.

Lastly, independent testing of your approach, procedures, and security controls is always a good idea to test the effectiveness of what you have in place and to understand what you may be missing.

Questions, comments, concerns? Feel free to reach out. Let's chat.

About the Authors

Mark Keppler, CISSP, CISA, QSA
Information Security Leader & Advisor

Mark brings over 20 years of experience in IT Risk and Security including PCI DSS compliance, risk assessment, security frameworks such as ISO and NIST. Mark served as Chief Information Security Officer of a financial services company where he redesigned and revamped the security program. Mark has served as the interim or virtual CISO for several organizations and holds the CISSP, CISA, PCI QSA, and ISO27001 Lead Auditor certifications.

Ryan Bradbury, CISSP, OSCP
Principal Consultant & Cofounder

As a founding partner and principal consultant at SEVN-X, Ryan employs his training, experience, and expertise in helping organizations assess and protect their information security assets as well as respond to cybersecurity events. Ryan’s skillset has been forged from an extensive amount of field work—across various verticals—serving in both strategic and tactical security roles. SEVN-X requires all of its team members to be experts in information security and that starts from the top down.