Ransomware – A Study of Mitigation, Negotiation & Recovery as Techniques!

Also, in Feb., Redcar & Cleveland Council suffered an attack, as well. The public-sector seems particularly vulnerable.

The, ‘weakest-link’, observed Stuart Reed, UK Director Orange Cyber-Defence, is the people. “Building resilience towards social engineering attacks provides a significant line of defence” he commented.

Mitigation Guidance Document

The UK National Cyber Security Centre (NCSC) has just published an updated Mitigation Guidance Document to reflect the changing nature of ransomware. Although this 2nd edition comes 6 months after the first, the remote-working revolution has brought, what the NCSC calls, a “growing threat from ransomware” very firmly into their sights.

Each new attack helps build-up a new picture, that requires an equally up-to-date incident response strategy. Understanding the ransomware threat & risk to enterprise has never been more important. Nor, has the strategic positioning of boards when it comes to deciding to pay ransoms.

State of Play Right Now

Brett Callow, a Threat Analyst at Emsisoft, which has a dedicated anti-ransomware team, says cyber-criminals increased ransomware activity over the past 12 months. Attacks have “morphed from being disruptive & costly inconveniences into data breaches in which exfiltrated data is weaponised & used against the organisations from which it was stolen”.

This is not just limited to releasing data. Criminals “also threaten to sell or auction it on the dark web, use it to spear-phish organisations’ customers & business partners, notify regulatory bodies of the breach, & contact the media.”

Targeted

Ransomware has become much more targeted, efficient & developed as a criminal sector.

This is bad news as companies now face very costly regulatory penalties, class action lawsuits & reputational damage due to data breaches.

If this weren’t worrying enough, “incidents in which the actors are able to maintain or regain post-attack access to networks are becoming increasingly common,” Callow warned, & added, “this enables the groups to monitor organisations’ response to the incident, continue to exfiltrate information & encrypt data for a 2nd time.”

As-a-Service

Another factor is the use of ransomware through ‘as-a-service’ purchase or rental packages. “This makes it easy for unskilled attackers to deploy ransomware in a targeted system,” Calvin Gan, Manager of the F-Secure Tactical Defence Unit, explained.

“These are typically deployed & targeted to smaller businesses with lower ransom demands,” he states, while the specialist groups hit larger companies with larger ransoms.

Ransoms

The morphing of ransomware into a multi-stage process, where criminals move laterally across a network to compromise as many endpoints as possible, where the actual ransomware capability isn’t executed till the criminals have done this, hits victims with maximum impact has, sadly, become the real ‘new normal’.

“This operational attack pattern attempts to impact as many victim assets as possible, representing a higher risk,” says Israel Barak, CISO at Cybereason.

There is also some positive news, Barak outlined. “This operational pattern is an opportunity for defenders with a rapid detection-&-response process to detect the attack early & respond effectively before ransomware can impact the environment.”

Business. As usual?

“Ransomware has now become part of doing business,” Barak suggests, adding that “boards are reducing the problem of paying or not paying a ransom to the problems of services availability & data loss.”

Boards & CISOs are increasingly trying to reduce the question itself to what will be cheaper: paying the ransom immediately, or restoring business capability over time? “Boards & CISOs need to consider several factors calculating this,” Barak advises, “including that even if you pay the ransom it could take weeks or longer to recover business function.”

Bharat Mistry, Principal Security Strategist at Trend Micro, explains it really is a matter of ‘survival’. The question is, “Can we still continue as a business tomorrow if we don’t get our data back?”

Tremendous Pressure

If the answer is ‘NO’, Mistry suggests the decision is therefore simple – you have to pay the ransom, but as a last resort. Carolyn Crandall, Chief Deception Officer with Attivo Networks, points out, there’s a “tremendous pressure on CISOs & boards not to pay a ransom as there is no guarantee that the restoration will work”.

The most proactive organisations make plans to include legal alignment & business disruption calculations, along with insurance programmes & access to negotiators,

Crandall says, in the event they face a ransom demand. “They will have also created ‘if/then’ scenarios so that they can work through an incident with agility.

Impact Analysis

An ‘impact analysis’ will inform their answers, which will include an evaluation of the company’s ability & speed to restore operations, revenue & operating losses, viability to recover data, downstream impact from the use of stolen data, brand reputation impact, & more.”

What this doesn’t means is that boards should be taking a strategic view, ahead of any attack, that a ransom pot makes more economic sense than investing in effective security measures.

Paying the goodies to the baddies?

“As with any risk management activity,” Calvin Gan commented, “there is a need to view both short & long-term risks.” Better security measures would increase resilience of an organisation in the long term, Gan added, “while having money set aside to pay a ransom should be treated as a worst-case scenario.”

The problem is that having a ‘ransom pot strategy’ could lead to complacency, & with no visibility as to what’s next on the ransomware operational stage, it’s a huge risk.

Variables

“Realistically, a board couldn’t create a strategy for ransom payment,” Jon Niccolls, the EMEA Incident Response Lead at Check Point, suggested. “There are so many variables involved: how can they know what data might be exposed or what the amount would be?”

The biggest problem is that ‘better’ security for your data often doesn’t come until after the ransomware attack has happened.

Joseph Carson, Chief Security Scientist at Thycotic, explained. “The big question for many companies is whether you should invest the ransom costs into better security or pay the ransom & still be exposed by not improving your security.”