Managing the Risks of Ransomware
This blog post was co-authored by Jason Fricke.
Ransomware poses a growing threat to both businesses and government agencies. Though no strategy can fully eliminate these risks, this post provides recommendations, and links to additional best practices, on better managing ransomware risks.
Three Decades of Ransomware
The first ransomware virus was created by Joseph L. Popp, an evolutionary biologist. Popp distributed the virus at the World Health Organization's 1989 AIDS conference via 20,000 infected disks. The virus, which used rudimentary symmetric cryptography to encrypt files, was called the AIDS Trojan and also PC Cyborg. While infected organizations were able to easily decrypt the affected files, Popp's innovation inspired cyber criminals to develop more sophisticated variants.
Features of contemporary ransomware include the use of anonymous payment services to collect ransoms, strong asymmetric encryption, and fileless (no executable) malware. Emerging trends include ransomworms, such as WannaCry and NotPetya, and evolving tactics, techniques, and procedures. Though cyber criminals' interest appears to be making money, skilled attackers might also penetrate a network, accomplish their objectives, and leave ransomware behind as a distractor from their primary objectives.
Ransomware attacks are now an established part of the cyber threat environment, and they are getting costlier and more sophisticated. Even though the healthcare industry was a primary target for ransomware attacks in 2018--almost half of the incidents reported involved healthcare companies--the highest profile attacks affected large businesses and municipal governments. The IT infrastructure of the city of Atlanta, Georgia, was infected by the SamSam ransomware in March 2018. While the city did not pay the ransom, its recovery costs were estimated at $17 million. Baltimore also decided not to pay the ransom and instead worked to recover from its May 2019 ransomware attack, with costs estimated to be over $18 million. Twenty-two towns in Texas had their networks attacked in a coordinated ransomware incident in August 2019.
Unfortunately, if an organization is the victim of a ransomware attack, the only response at that point is reactive. When organizations fall victim to ransomware attacks, their least-worst option may seem to be to pay to regain access to their sensitive data, perpetuating the criminals' business model. An organization can try negotiating for a lower ransom, but even if it pays, there is no guarantee that it will regain access to its data.
Would your organization have to pay? Would you trust the criminals to unlock your files?
Thankfully, there is a proactive approach: strengthening your cybersecurity posture, including resilience, and improving your plans for ransomware protection, detection, analysis, and response. Preparing for resilience can help protect an organization from many types of attacks, including ransomware. Planning ahead, exercising the plans, and training staff can help ensure an effective response.
Resilience in an organization is the capability to continue to provide and maintain an acceptable level of service, meeting its critical objectives, under adverse conditions, including disruptions such as cyber-attacks, and to recover quickly when attacked. Establishing resilience requires implementing not just core requirements for business functions, but also ensuring that the practices supporting resilience are embedded such that the organization would continue to operate during disruptions. Institutionalization of practices drives resilience. Establishing resilience involves a number of additional supporting activities, including governance, configuration management, resources, training, and involvement by stakeholders and higher level management. See the CERT Division's work on resilience, including the CERT Resilience Management Model, for additional guidance on risk management and resilience.
Practices that help manage common cybersecurity risks, called cyber hygiene practices, are a good place to start when establishing resilience. Cyber hygiene practices that help protect against ransomware include lifecycle management, such as managing hardware and software assets (maintaining asset inventories, upgrading systems to avoid their becoming unsecurable or unsustainable), configuration management, vulnerability management (patching systems for vulnerabilities), and controls on privileged accounts. Standard hygiene practices should be expanded to cover ransomware, for example, adding ransomware awareness to employee training, updating incident response plans to include ransomware response options, and exercising those plans.
Managing Ransomware Risk
The most effective way to prepare for ransomware attacks is to have regular, verified backups. Plans for reliable backups, particularly of key systems and servers, should consider restoration times based on downtime impacts. Organizations should test backups regularly as part of exercises and should include worst-case scenarios for operating without computer systems.
Essential practices for reducing the risks of ransomware attacks include
- Back up your critical data regularly and keep it offline so it is not impacted by an attack.
- Keep your systems updated and patched.
- Use strong identification and authentication controls, such as multifactor authentication, particularly for privileged user accounts.
- Employ antivirus and spam filters to scan downloads and emails for links to ransomware.
- Apply the principle of "least functionality." Disable unnecessary services, especially Remote Desktop Protocol (RDP), a common attack vector for ransomware, if your business does not need it.
- Use whitelists to prevent running unapproved applications.
- Employ a threat intelligence or situational awareness capability to maintain awareness of ransomware threats.
- If you use remote administration, whether for internal IT staff or a managed service provider, review recommendations from the Texas Department of Information Resources.
Responding to Ransomware
If ransomware goes from being a risk (unrealized potential harm) to being an actual issue, the first step will be to activate the incident response plan. Paying the ransom is an option to consider, but it should be discouraged as it incentivizes the criminal activity. Some ransomware attacks may be undone by openly available recovery tools. Europol's No More Ransom program includes applications that can decrypt data locked by some types of ransomware. The FBI's recent Public Service Announcement provides additional defensive best practices and urges that ransomware incidents be reported to law enforcement. A previous blog post from the SEI includes additional guidance on preventing and responding to a ransomware attack.