The reality of ransomware: mitigation, negotiation and recovery

Part one: The evolving ransomware threat surface and response strategy. In the first of a two-part series, Davey Winder looks at the current state of the ransomware threat – and what you’re missing…

+++ STOP PRESS +++ As SC Media UK was putting the finishing touches to this article, news broke of a ransomware attack on Hackney Council. In February, Redcar and Cleveland Borough Council suffered an attack, too. The public sector is particularly vulnerable. And the weakest link, according to Stuart Reed, UK director at Orange Cyberdefense, is people. “Building resilience towards social engineering attacks provides a significant line of defence.” +++ STOP PRESS +++

The National Cyber Security Centre (NCSC) has published a newly updated mitigation guidance document to reflect the changing nature of the ransomware threat. Although this second edition comes only six months after the first, the remote-working revolution has brought what the NCSC calls a "growing threat from ransomware" firmly into focus.

Every new attack adds to a constantly evolving picture of the threat, one that demands an equally up-to-date incident response strategy. Understanding the ransomware threat, and the risk it poses to the enterprise, has never been more important. Nor, for that matter, has the strategic positioning of boards when it comes to deciding whether to pay ransoms.

So where are we now?
Brett Callow, a threat analyst at Emsisoft, which has a dedicated anti-ransomware team, says cybercriminals increased ransomware activity over the past year. Attacks have "morphed from being disruptive and costly inconveniences into data breaches in which exfiltrated data is weaponised and used against the organisations from which it was stolen”.

And this weaponisation isn’t limited to releasing the data. He explains that the criminals "also threaten to sell or auction it on the dark web, use it to spear-phish organisations’ customers and business partners, notify regulatory bodies of the breach and contact the media."

Ransomware has, in other words, become much more targeted, efficient and mature as a criminal endeavour.

This is bad news for enterprises, which now face very costly regulatory penalties, class action lawsuits and reputational damage as a result of data breaches. If this weren't scary enough, "incidents in which the actors are able to maintain or regain post-attack access to networks are becoming increasingly common," Callow warns, adding "this enables the groups to monitor organisations’ response to the incident, continue to exfiltrate information and encrypt data for a second time.”

Burner phones meet ransomware
Then there's the use of ransomware through 'as-a-service' purchase or rental packages. "This makes it easy for unskilled attackers to deploy ransomware in a targeted system," Calvin Gan, manager of the F-Secure tactical defense unit, says.

"These are typically deployed and targeted to smaller businesses with lower ransom demands," he says, while the specialist groups hit larger companies with larger ransoms.

Many ransoms in many baskets
The real new normal is the transformation of ransomware into a multi-stage process: criminals first move laterally across a network to compromise as many endpoints as possible, and only then execute the actual ransomware capability, hitting victims with maximum impact. "This operational attack pattern attempts to impact as many victim assets as possible, representing a higher risk," says Israel Barak, CISO at Cybereason.

But there is also some good news, Barak says: "This operational pattern is an opportunity for defenders with a rapid detection-and-response process to detect the attack early and respond effectively before ransomware can impact the environment."

Business. As usual.
"Ransomware has now become part of doing business," Barak insists, adding that "boards are reducing the problem of paying or not paying a ransom to the problems of services availability and data loss."

Simply put, boards and CISOs are increasingly trying to reduce the question itself to what will be cheaper: paying the ransom immediately or restoring business capability over time? "Boards and CISOs need to consider several factors calculating this," Barak advises, "including that even if you pay the ransom it could take weeks or longer to recover business function."

Bharat Mistry, the principal security strategist at Trend Micro, says it really is a matter of survival. The question to be asked is "can we still continue as a business tomorrow if we don’t get our data back?"

If the answer is an overriding NO, Mistry suggests the decision is simple: you have to pay the ransom – as a last resort. But, as Carolyn Crandall, chief deception officer with Attivo Networks, points out, there's a "tremendous pressure on CISOs and boards not to pay a ransom as there is no guarantee that the restoration will work”.

The most proactive organisations make plans to include legal alignment and business disruption calculations, as well as insurance programmes and access to negotiators, Crandall says, in the event they face a ransom demand. "They will have also created 'if/then' scenarios so that they can work through an incident with agility. An impact analysis will guide their answers, which will include an evaluation of the company’s ability and speed to restore operations, revenue and operating losses, viability to recover data, downstream impact from the use of stolen data, brand reputation impact, and more."

None of this means that boards should take the strategic view, ahead of any attack, that a ransom pot makes more economic sense than investing in effective security measures.

Pay the goodies… or the baddies?
"As with any risk management activity," Calvin Gan says, "there is a need to view both short and long-term risks." So, better security measures would increase resilience of an organisation in the long term, Gan adds, "while having money set aside to pay a ransom should be treated as a worst-case scenario."

The problem is that a ransom pot strategy could lead to complacency; with no visibility as to what's next on the ransomware operational stage, that is a huge risk.

"Realistically, a board couldn’t create a strategy for ransom payment," Jon Niccolls, the EMEA incident response lead at Check Point, says. "There are so many variables involved: how can they know what data might be exposed or what the amount would be?"

The biggest problem here is that 'better' security for your enterprise data wagon often doesn't come until after the ransomware horse has bolted. Joseph Carson, chief security scientist at Thycotic, explains: "The big question for many companies is whether you should invest the ransom costs into better security or pay the ransom and still be exposed by not improving your security."

Read on for Part two of The Reality of Ransomware… so you’ve decided to pay – now what?
