Sunday, October 24, 2021

Ransomware 101: To Pay Or Not To Pay???

As we have been hearing in the news headlines, Ransomware is the most prevalent threat vector that we face today.  Not only has it gotten worse, but it is expected to continue down this path well into next year.

Many Cyber experts now fear a possible Ransomware attack upon our Critical Infrastructure, in which a Cyberattacker literally holds a major US city hostage for days on end, with no water, electricity, or oil/gas, thus starving people to death.

Now the question comes down to whether the actual Ransom should be paid.  This is a topic that I have addressed before, and I still stand firm on what I believe in.  I will reveal that at the end of this blog.  Given just how fierce it has become, many victims now feel compelled to pay up in order to get their normal business operations up and running again.

According to a recent research project that was conducted by Veritas, 66% of businesses claimed that it would take at least five business days or more to restore operations back to some normalcy.  Obviously, this is time that no business can afford to lose, so the next best option appears to be merely paying off the Ransom.  More information about this can be seen at the following source:

https://www.techrepublic.com/article/66-of-companies-say-it-would-take-5-or-more-days-to-fully-recover-from-a-ransomware-attack-ransom-not-paid/

But this only fuels the cycle for this madness to continue:

*The Cyberattacker deploys the Malware to essentially lock up the files and the devices of the victim;

*The victim is totally paralyzed by this, and decides to make payment via a Virtual Currency, such as Bitcoin.  This is done so that the Cyberattacker cannot be tracked down.

*This payment is then used to fuel the fire for other attacks like this to happen.

But in some cases, the attack could be so devastating that the victim really feels that they have no choice but to pay up.  This is best exemplified when the Cyberattacker threatens to make the PII datasets of the company available to the public, or even sell them on the Dark Web for a rather nice sum of money.  These extremes of extortion have gone even deeper than this.

In an effort to help stop this vicious cycle from happening all of the time, the Department of Treasury back in September announced a new set of rules that would require victims to publicly report any Ransom they did pay.  In fact, they had even taken steps to make paying up the Cyberattacker a crime, or even a felony of treason.  But as far as I know, not much of that has actually become law yet.

In fact, the City of Baltimore made news when it was hit by a rather massive Ransomware attack.  Rather than merely coughing up the $76,000 that was demanded of them, the City refused to pay up.  Because of this, more than $18.2 billion was spent in trying to rebuild what was taken over by the malicious payload.

More information about this nefarious attack can be seen at the links below:

https://www.darkreading.com/endpoint/baltimore-city-network-struck-with-ransomware-attack

https://www.darkreading.com/attacks-breaches/baltimore-reportedly-had-no-data-backup-process-for-many-systems

Before trying to make the payment of Ransomware demands illegal, or even punishable by law, we first need to take a closer look at what is causing these attacks to take place to begin with.

Apart from the financial gain, many Cyberattackers target their victims because they know they are weak, primarily because they don’t have all of the required security tools or technologies in place.  But remember, it takes more than technology to have a great line of defense.

It also takes every employee in the business to have a proactive mindset.  This means if you see something suspicious, report it immediately.  Don’t take any action whatsoever; leave that up to the pros on the IT Security team.  This also means having a hotline through which abnormal behavior can be reported anonymously on a 24 X 7 X 365 basis.

Being proactive means training your employees on what Ransomware is, and the signs to look out for in case any red flags pop up.  This definition also extends to the IT Security team.  Give them the tools that they need in order to react in a timely manner to any sort of Ransomware threat that may be looming on the horizon.

This also means that the C-Suite needs to give the CISO the money that they need in order to accomplish this task.

To put it bluntly, a successful attack will hit the Earnings Per Share (EPS), which no CEO wants to see happen to the company that they are at the helm of.  Being proactive also means that your business has the proper Incident Response/Disaster Recovery/Business Continuity Plans in place and is ready to activate them when and as needed.  In fact, this was one of the key lessons learned from the COVID19 pandemic.

My Thoughts On This

So at the beginning of this blog, I had mentioned where I stand on all of this.  My answer is, and always will be, to never make payment of any kind whatsoever.  Why do I say this?  It all comes down to putting the brakes on this madness somewhere, somehow.

If we do not pay the Cyberattacker, they will simply lose motivation in launching similar kinds of threat variants.  But by paying them, we are only fueling the fire for more innocent victims to be affected.

Although people might disagree with me, one of the best lines of defense is to make backups of all of your mission critical information and data.  That way, if you are hit, you can hopefully come back to some reasonable level of operations in a quick manner.
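A backup only counts as a line of defense if you know the copy is intact and can be restored, which is exactly where a Ransomware payload that encrypts or deletes files will bite you.  The following Python script is an added example, not code from this blog: it records a SHA-256 manifest when a backup set is written, then checks a restored copy against that manifest and reports every file as ok, corrupt, or missing.  All file names and contents are constructed sample data.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backup members do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> dict:
    """Record the hash of every file in the backup set at backup time.

    The manifest should be stored with (and ideally also apart from) the
    backup so a later restore can be verified against it.
    """
    manifest = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            manifest[str(p.relative_to(backup_dir))] = sha256_of(p)
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(restored_dir: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest; return a per-file status."""
    report = {}
    for rel, expected in manifest.items():
        p = restored_dir / rel
        if not p.is_file():
            report[rel] = "missing"
        elif sha256_of(p) != expected:
            report[rel] = "corrupt"   # changed since backup, e.g. encrypted in place
        else:
            report[rel] = "ok"
    return report


def demo() -> dict:
    """Run the whole cycle on constructed sample files (not real data)."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        backup.mkdir()
        (backup / "customers.csv").write_text("id,name\n1,alice\n")
        (backup / "ledger.db").write_bytes(b"\x00\x01\x02\x03")
        manifest = write_manifest(backup)

        # A clean restore: every file matches the manifest.
        restored = Path(tmp) / "restored"
        shutil.copytree(backup, restored)
        clean = verify_restore(restored, manifest)

        # Simulate damage: one file overwritten (as an encryptor would), one deleted.
        (restored / "ledger.db").write_bytes(b"ENCRYPTED-SAMPLE")
        (restored / "customers.csv").unlink()
        tampered = verify_restore(restored, manifest)

        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification on a scheduled basis against an actual restore into a scratch location, not just against the backup media itself: a manifest proves that what you restored is what you backed up, and a restore drill proves that the restore procedure works before you need it under pressure.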

Also, consider migrating your On Premises Infrastructure to the Cloud, such as AWS or Microsoft Azure.  That way, if you are hit even at this level, you can create new database servers and Virtual Machines (VMs) in a matter of five minutes or less.  Think about all of the time, expense, and effort it would take to restore your servers if you have an On Prem Infrastructure.

Believe it or not, there have even been documented instances in which, after the ransom payment was made, the Cyberattacker actually complied with their end of the deal and released the decryption keys so that the victim could get access back to their files and devices.  But don’t count on this happening all the time.

Also, newer ways of tracking Virtual Currency payments after they have been made would help quite a bit in the attribution process of finding the perpetrators.

Just think about all of this in this context:  Back in the Reagan Administration, and even up to now, the mantra has always been never to negotiate with terrorists. So why can’t we do the same thing with the Cyberattacker???
