Recovering from Ransomware

Ransomware attack campaigns bypass advanced security controls by exploiting trusted humans and human operations to deploy weaponized encryption onto mission-critical systems. The malware paradigm is the latest evolution of unsophisticated or entry-level attack campaigns – a marriage of the insider threat tactics used in phishing and other social engineering schemes with the simplicity and generality of early Internet scams previously delivered in pop-up ads. The IBM X-Force Threat Intelligence Index 2022 reported that ransomware was the most popular form of attack for the third year in a row – comprising 21% of all attacks in 2021-2022.

Ransomware is not subject to the same market constraints as other malware and has not significantly declined in popularity. With most cyberattack paradigms, whether sophisticated tailored malware or “plug-and-play” cybercriminal code, the propensity of attacks decreases as the victim market saturates or as anti-malware applications improve their ability to mitigate and remove the code. Traditional malware is resource intensive to develop, deploy, and actively operate to achieve a targeted impact or exfiltrate valuable data. On the other hand, ransomware can be spread widely like any phishing campaign and is essentially just weaponized encryption. Hence, it is often less sophisticated than other malware options, and the operators do not necessarily need to dedicate resources to its operation. They can disseminate it widely and automate encryption and decryption operations depending on whether or not the victim sends the requested cryptocurrency to the designated address. Though advanced attackers might use ransomware as a distraction to steal data while victims scramble to restore their systems, the average cybercriminal receives a higher ROI on their time by relying on the automation inherent in the process.

More impressive than its simplicity is how ransomware insidiously “humanizes” attacks. Ransomware succeeds and spreads by leveraging psychological warfare, humanity, and trust to extort businesses of all sizes and individuals of every background. It spreads through social engineering, phishing emails, and other vectors that depend on human error, and then it coerces victims to pay by evoking a panic response, fear of loss, and time constraints. Ransomware as a model continues to evolve and popularize because many victims pay either out of desperation or because paying the ransom, at least for businesses, is often cheaper than suffering downtime or restoring systems from redundancy assets. For businesses, every minute of downtime incurs a cost in both real-time monetary loss and accumulated future backlog. Ransomware is ubiquitous because viable targets range from public schools to hospitals to businesses to individuals. Attackers are incentivized to actually decrypt systems when paid because the model only works if the general perception is that the transaction will be honored. Worse, every ransom paid perpetuates attackers’ perception that ransomware is profitable. Paying ransoms increases the popularity of ransomware. In traditional malware attacks, victims are less likely to be targeted following breaches because valuable data was likely already stolen; however, ransomware victims can be repeatedly extorted, and the attack time table is measured in hours instead of the traditional months of more complex malware. In short, victims play a critical, unintentional role of active and passive complicity in ransomware attacks.

Organizations can minimize the impact of a successful ransomware attack by improving cyber-hygiene training for all personnel, investing in cutting-edge anti-malware solutions to preclude compromise, and by developing and routinely practicing a comprehensive disaster recovery strategy. Preliminary steps for developing a disaster recovery plan include:

1. Conduct a Business Impact Analysis (BIA) – BIAs identify mission-critical assets and operations and invest in defensive solutions and training accordingly. Decisions like securing a treasure trove of data but forgetting to protect the only applications capable of accessing that information are why attacks like ransomware have proven effective. BIAs should include stakeholders ranging from leadership to IT management to entry-level personnel to identify system dependencies and network bottlenecks.
2. Conduct a Comprehensive Risk Assessment – A risk assessment is a cyclical and perpetual process that maps the onsite and offsite network, people, processes, and technology underlying the organization, assesses vulnerability and exposure, quantifies security resource allocation against internal and external factors, identifies points where redundancy is equally or more important than security, and documents and incorporates lessons learned into the subsequent risk assessment in the cycle.
3. Efficiently Invest in Security – Organizations are comprised of personnel, systems, data, and operational procedures. Each requires investment and upkeep in their security as a form of “regular maintenance” to deter attacks. While some may argue in favor of cyber insurance for peace of mind, it should never be a replacement for adequate investments in cyber-hygiene training or security applications. Zero trust models, network segmentation, identity and access management, and anti-malware solutions will last longer and provide a more significant ROI against potential breaches than cyber-insurance or “silver bullet” solutions.
4. Ensure Redundancy – Onsite and offsite backup systems (which also must be adequately secured) reduce the panic and impact of an attack and transform a devastating loss or predetermined extortion into a manageable unexpected delay.
5. Assign and Articulate Relevant Roles and Responsibilities – The worst time to consider or debate an action plan is in the moment. Have a clear understanding of the chain of command and predetermined scenario-planned actions that are well-documented, regularly communicated, and widely understood. In many cases, during an incident, the CISO or Information Security team may call the shots more than the board or CEO. In a disaster, let the Disaster Response team do their work.
6. Discuss Disaster Recovery with Partners and Demand Security and Accountability – Security controls, expectations, and assigned responsibilities should be addressed and detailed in service level agreements with first, second, and third parties. Clear communication protocols with strict timing requirements should be set in case of an incident to ensure that all parties in the supply chain can act to mitigate further compromise.
7. Practice, Practice, Practice – Employee cyber-hygiene training must be regularly tested for retention, and security applications must periodically be updated and tested. Similarly, businesses’ disaster response plans should be routinely drilled at irregular intervals to quantify the effectiveness and ingrain operational procedures so that panic and pressure are mitigated and impacts are minimized when an incident occurs.

Ransomware continues to increase in popularity as technical barriers to entry decrease, with many threat actors even selling Ransomware-as-a-Service (RaaS) or “point-and-click” versions. Organizations of every size, across every sector, and the personnel and customers of those organizations are viable targets. We can combat the Ransomware threat with a whole-of-nation and stymie its further evolution if businesses take action to consciously object to being complicit in the model and instead consider their risk, adequately prioritize security investments, and responsibly develop disaster response plans.