It is very common for threat actors to leverage ransomware to coerce organizational or governmental leaders into dire situations that require the payment of a ransom to avoid extreme business loss or embarrassing exposure of sensitive data. Ransomware is malicious code (a program/application/script) used by threat actors to lock all accessible data by using encryption keys, often managed by malicious key management servers on the Internet. Once the data is encrypted, using complex algorithms that are often very difficult to crack, the attackers leave behind a ransom note in a text file, often placed on the desktop of all Microsoft Windows systems that have been encrypted.
I am sure most of us have seen movies that contain kidnappings or grand theft in which ransom notes were left behind. Many years ago, I made the trip to Maui, and as many know, Charles Lindbergh is laid to rest there. So, I did some reading on his history, and I learned that his 20-month-old son was kidnapped on March 1, 1932. A $50,000 ransom note was left behind on the windowsill of the child’s nursery. Unfortunately, the child did not survive the ordeal. It is a grim reminder that criminals, and cybercriminals like them, often do not care who they harm in their wake. In terms of cybercrime, they are often self-motivated or nation-state sponsored. No matter their motivation, their damage is often painful to those involved. Organizations and governments worldwide have sacrificed millions, if not billions, and likely lives, due to poor care and loss of other technologically managed resources through ransomware. Sometimes, the victims of ransomware are chosen by mere chance via mass phishing campaigns; however, in recent history, more of these events are targeted. Threat actors use spear phishing, whaling, mass Internet vulnerability scans, and other methods to select their victims.
When ransomware originally became a technique used by threat actors, the ransoms were often small, and if the organization had a means of recovery, the threat actor would most likely not collect the ransom. In time, the threat actors learned that if they added backup (method of recovery) destruction and exploitation to their ransom requests, they were more likely to get the ransoms.
Depending on the organization, ransom demands are often in the multiple millions. Recently, it was reported that Colonial Pipeline paid a $5 million ransom. In May 2020, Grumman Shire Meiselas & Sacks received an initial $21 million ransom demand; however, they did not pay. Gary, Indiana was recently compromised with ransomware; however, the ransom demand has not, as of this writing, been published. Ireland’s Health Service Executive received a $20 million demand. It was reported just this week that one of the largest insurance companies in America, CNA, paid $40 million in ransom.
Let me be clear at this point: if you find yourself in a ransomware event, do not negotiate with the threat actors. Do not even start communications with them. Please hire professionals, like Conversant Group, to advise on doing this properly. There are federal laws you could be breaking, and you may limit your ability to recover if you start negotiating with them first.
During a ransomware event, there are really two reasons an organization may have no option except to pay a ransom: (1) No ability to recover otherwise and (2) Prevent data exploitation. Naturally, cybersecurity professionals and governmental entities advise to not pay threat actors. Paying ransoms emboldens the criminals, and it enables them financially to enact more terror. Thus, the professionals advise to not pay ransoms. However, if your organization is in a situation of non-recovery, meaning you have no remaining backups to use for recovery, paying the ransom often becomes an act of survival.
Roughly 4.5 years ago, we worked our first breach recovery event that involved the threat actor destroying all the organization’s backups prior to “locking up” the company’s data. Since then, every attack we have worked has involved either encrypting or deleting the organization’s backups. If your company fails to protect its backups, you will find your organization with a difficult choice: (1) Pay the ransom and decrypt the data or (2) Skip paying the ransom and rebuild all your company’s data manually.
In our industry, there is a backup strategy called 3-2-1. This means that the industry standard is always to keep three copies of your data: (1) production data, (2) first backup copy, and (3) second, remote backup copy. Unfortunately, most companies entrust their survival completely to this strategy, and all three copies are often stored within domain-accessible, non-immutable storage mechanisms. For a non-technical person, this simply means that all three copies of the data can be destroyed by ransomware. You should not solely entrust your company’s fate to this backup strategy. You must have additional, air-gapped copies of all your data. Air gapping means that you have a copy of your backups in a form that cannot be destroyed by ransomware. Further, the primary storage platforms employed should be immutable, meaning the data cannot be fully deleted/destroyed by a threat actor.
To add insult to injury, most companies are not even monitoring and testing their backup systems, and most simply do not have a plan for recovery.
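An added example (not from the original article or from Conversant Group): a small audit that applies the checks from the two paragraphs above to a backup inventory, showing how a set of copies can satisfy 3-2-1 and still have no copy that survives a domain compromise. The inventory, field names, and the 1-day and 90-day thresholds are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Copy:
    name: str
    role: str                 # "production" or "backup"
    offsite: bool
    domain_accessible: bool   # reachable with domain credentials
    immutable: bool           # storage refuses delete/overwrite during retention
    air_gapped: bool          # offline or otherwise unreachable from the network
    last_backup: Optional[date] = None
    last_restore_test: Optional[date] = None

def audit(copies, today, max_backup_age_days=1, max_test_age_days=90):
    """Return a list of findings; the thresholds are illustrative assumptions."""
    findings = []
    backups = [c for c in copies if c.role == "backup"]
    # 3-2-1 as the article describes it: production + backup + remote backup.
    if len(copies) < 3 or not any(c.offsite for c in backups):
        findings.append("3-2-1 not met")
    # Copies that domain credentials can reach and delete all fall with the domain.
    exposed = [c.name for c in copies if c.domain_accessible and not c.immutable]
    if len(exposed) == len(copies):
        findings.append("every copy is domain-accessible and mutable")
    if not any(c.air_gapped for c in backups):
        findings.append("no air-gapped backup copy")
    for c in backups:
        if c.last_backup is None or today - c.last_backup > timedelta(days=max_backup_age_days):
            findings.append(f"{c.name}: backup stale or missing")
        if c.last_restore_test is None or today - c.last_restore_test > timedelta(days=max_test_age_days):
            findings.append(f"{c.name}: restore test stale or never run")
    return findings

# Constructed inventories: a 3-2-1 setup on domain storage, and a hardened one.
TODAY = date(2021, 6, 1)
TYPICAL = [
    Copy("prod-san", "production", False, True, False, False),
    Copy("local-nas", "backup", False, True, False, False, date(2021, 5, 31), None),
    Copy("dr-site-nas", "backup", True, True, False, False, date(2021, 5, 20), date(2020, 11, 1)),
]
HARDENED = TYPICAL[:1] + [
    Copy("local-immutable", "backup", False, False, True, False, date(2021, 5, 31), date(2021, 5, 1)),
    Copy("dr-site-immutable", "backup", True, False, True, False, date(2021, 5, 31), date(2021, 4, 15)),
    Copy("offline-tape", "backup", True, False, True, True, date(2021, 5, 31), date(2021, 3, 20)),
]
if __name__ == "__main__":
    print(audit(TYPICAL, TODAY), audit(HARDENED, TODAY), sep="\n")
```

The first inventory passes the 3-2-1 count yet produces five findings; the second produces none.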
Threat actors now not only delete the backups and encrypt the data, but they also often first exfiltrate sensitive data (meaning they send copies of your sensitive data to their servers), and like with Lindbergh, they hold something precious to you hostage at threat of significant, negative outcomes. The threat is the dropping of sensitive data about your clients, employees, or intellectual property to the Internet for public consumption. During these situations, your organization may be advised to pay the ransom even if your organization has a means of recovery.
We have spoken publicly regarding the need for strong password policy (long passwords with no reuse) and MFA on all publicly exposed systems. Here our goal is to stress the importance of protecting, monitoring, and testing your backups. Have a plan! In more than 75% of all assessments conducted by Conversant Group, we find significant issues with backups that are not being addressed. There are a variety of underlying reasons, but no matter the reasons, you must protect your company’s data with appropriate backups. This point also applies if you have fully converted to cloud infrastructure.
If the data is good enough to keep, it is good enough to back up properly! Defense and prevention are almost always less expensive than recovery.