While the concept of malware-based extortion has remained relatively unchanged since the first documented occurrence in 1989, attackers have spent the past 30 years refining their techniques and exploiting new technologies to build ransomware into a multibillion-dollar industry.
Tactics have evolved from the early days when physical floppy disks were mailed out containing the “AIDS Trojan” with the hope that unsuspecting targets would load the malware onto their PCs. Even just a few years ago, ransomware such as “WannaCry” and “CryptoLocker” was spread via widespread phishing campaigns that were generally not tailored to specifically targeted individuals or groups. But today, ransomware is increasingly deployed as a secondary attack after the bad actor has already gained a solid foothold in the organization’s internal network.
Weekly, we are seeing new headlines revealing the latest victims of ransomware: state and local government offices, educational institutions, healthcare providers, and small and medium-sized businesses. Often the attacks are tailored and use advanced methods that disable the organizations’ critical resources and demand ransom payments large enough to cripple operations. Public utilities have seen billing disrupted for months, police departments have been forced to revert to paper recordkeeping, and local governments have been reduced to issuing official statements about the outages via handwritten memos.
This past August, 22 cities in Texas were attacked simultaneously and held for a $2.5 million ransom as the result of the breach of a shared third party. Earlier this summer, Lake City, Florida paid a ransom of almost half a million dollars rather than attempt to recover its systems from backups. Cities that have chosen not to pay ransoms, such as Atlanta and Baltimore, have faced recovery costs of several million dollars even with reliable system backups.
An event of that magnitude can quickly threaten the existence of a small or medium-sized business, but the process of preparing to face the threat of ransomware does not need to be overwhelming. Managing this risk requires focusing on three main activities:
1. Prevent
Standard cyber-hygiene such as anti-virus and patch management still applies, but organizations should also be considering how to limit damage if an endpoint, or – increasingly – a service provider, is compromised. An email protection platform like Mimecast® adds an additional layer of defense from the most common means of compromise: phishing.
2. Detect
Next-generation endpoint protection platforms such as Carbon Black® help detect suspicious activity, and when possible, remediate the issue before it can propagate throughout the network. Organizations of all sizes should be employing properly tuned automation platforms to sift through system event data and flag potential security concerns.
3. Respond
Simply performing regular system backups does not constitute an adequate approach to disaster recovery. Organizations should ensure that appropriate plans are in place to manage cyber incidents and that these plans, as well as the organization’s data backups, are regularly tested.
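As an added illustration of the kind of tuned automation the Detect item above describes, the following Python script sifts a small set of file-write events and flags any host that writes many distinct files under one unfamiliar extension within a short window, a behaviour typical of encryption in progress. This is example code written for this article, not a Schneider Downs, Carbon Black or Mimecast tool; the event format, host names, process names, extension allow-list and threshold are all constructed assumptions, and a real deployment would read telemetry from the endpoint platform rather than an inline string.

```python
"""
Toy ransomware-behaviour detector (added example, not a product feature).

Input: one file-activity event per line, in a constructed format:
    <ISO timestamp> <host> <process> <action> <path>
Rule: alert when a single host writes >= THRESHOLD distinct files that share one
extension outside the allow-list, all within WINDOW seconds.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed allow-list of extensions the business normally writes.
KNOWN_GOOD_EXT = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".tmp"}
THRESHOLD = 20                 # distinct files; tune to the environment
WINDOW = timedelta(seconds=60)

# Constructed benign activity on two hypothetical workstations (not real telemetry).
SAMPLE_EVENTS = r"""
2019-10-01T09:00:01 WS-007 winword.exe WRITE C:\Users\bob\Documents\q3-report.docx
2019-10-01T09:00:05 WS-007 excel.exe WRITE C:\Users\bob\Documents\budget.xlsx
2019-10-01T09:01:12 WS-042 outlook.exe WRITE C:\Users\amy\AppData\Local\Temp\att1.tmp
2019-10-01T09:02:40 WS-042 chrome.exe WRITE C:\Users\amy\Downloads\invoice.pdf
2019-10-01T09:03:00 WS-007 notepad.exe WRITE C:\Users\bob\Desktop\notes.txt
2019-10-01T09:04:10 WS-042 acrobat.exe WRITE C:\Users\amy\Downloads\invoice.bak
2019-10-01T09:30:00 WS-007 winword.exe WRITE C:\Users\bob\Documents\q3-report.docx
"""

# Constructed burst: 25 documents on WS-042 rewritten with a ".locked" suffix in 25 seconds.
BURST_LINES = [
    f"2019-10-01T09:12:{i:02d} WS-042 svchost.exe WRITE "
    f"C:\\Users\\amy\\Documents\\file{i:02d}.docx.locked"
    for i in range(25)
]

SAMPLE_LINES = SAMPLE_EVENTS.splitlines() + BURST_LINES


def parse_event(line):
    """Split one event line into its five fields (paths here contain no spaces)."""
    ts, host, process, action, path = line.split(maxsplit=4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "process": process, "action": action, "path": path}


def extension(path):
    """Return the lower-cased final extension of a Windows path, or '' if none."""
    name = path.rsplit("\\", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per (host, extension) whose write burst exceeds the threshold."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])

    # Group writes to non-allow-listed extensions by (host, extension), time-ordered.
    buckets = defaultdict(list)
    for e in events:
        if e["action"] != "WRITE":
            continue
        ext = extension(e["path"])
        if ext in KNOWN_GOOD_EXT:
            continue
        buckets[(e["host"], ext)].append(e)

    alerts = []
    for (host, ext), hits in buckets.items():
        best, procs, when = 0, [], None
        # Slide a window starting at each hit and count distinct paths inside it.
        for i, first in enumerate(hits):
            in_window = [h for h in hits[i:] if h["ts"] - first["ts"] <= window]
            distinct = {h["path"] for h in in_window}
            if len(distinct) > best:
                best = len(distinct)
                procs = sorted({h["process"] for h in in_window})
                when = first["ts"]
        if best >= threshold:
            alerts.append({"host": host, "extension": ext, "files": best,
                           "processes": procs, "window_start": when.isoformat()})
    return alerts


def run_demo():
    """Run the rule over the constructed sample; used by the usage block below."""
    return detect(SAMPLE_LINES)


if __name__ == "__main__":
    for a in run_demo():
        print(f"ALERT {a['host']}: {a['files']} files written as {a['extension']} "
              f"by {a['processes']} starting {a['window_start']}")
```

The allow-list keeps ordinary document edits out of the count, and the per-extension grouping means a single stray `.bak` file never trips the rule; only a burst of distinct files under one unknown extension does. On the sample data the script prints one alert for WS-042 and nothing for WS-007. In practice the threshold and window are the "tuning" the article refers to, and the alert would feed an endpoint platform's isolation or ticketing workflow rather than standard output.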
How can Schneider Downs help?
The Schneider Downs cybersecurity practice consists of experts in multiple technical domains. Schneider Downs is an authorized reseller of both Mimecast® and Carbon Black®, and offers comprehensive digital forensics and incident response services. For more information on our available services and software, please contact us at [email protected].
Our whitepaper outlining some of the top preventative measures organizations overlook is available here: https://schneiderdowns.com/10-things-companies-wish-they-did-before-a-breach.