Recovering From a Ransomware Incident

The state of ransomware at the moment should be a reason for everyone to take notice. This isn’t just a problem for IT departments but for all of us, because these incidents are affecting the institutions that we rely on to provide services every day. The rise in incidents is alarming, and according to experts the number of incidents is increasing at an exponential rate. The types of organizations targeted typically include ones that hold a large amount of personal data that can be held hostage by attackers. But what can we do? It seems like the magnitude of this problem is beyond our control. Not exactly sure what ransomware is? Wikipedia has a fantastic description on its site:

“Ransomware is a type of malware from cryptovirology that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system so that it is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.”

Government, healthcare, insurance and, most recently, infrastructure with the Colonial Pipeline Company have been targeted. The Colonial Pipeline incident caused havoc for motorists who experienced gas shortages, long line-ups and in some cases a complete closure of gas stations. Experts speculate that future targets could include more of the same, perhaps interrupting travel plans, surgeries and legal processes.

“DarkSide [ransomware gang] soon proved it wasn’t bluffing, unleashing a string of attacks. This month, it paralyzed the Colonial Pipeline Co., prompting a shutdown of the 5,500-mile pipeline that carries 45% of the fuel used on the East Coast—quickly followed by a rise in gasoline prices, panic buying of gas across the Southeast, and closures of thousands of gas stations.”

One potential answer to the problem is to engage your local government officials on a regular basis. Show up at local councils as a delegate. This is one way to have these problems considered; otherwise government representatives will become tied up with the plethora of other issues that burden governments. Write letters and become engaged in the process. We all need to become more engaged in fixing our societal issues.

What exactly could be done to help though? Some analyses of the ransomware problem propose that regulating cryptocurrency could help alleviate the pressure. Recently, Microsoft and Amazon have joined efforts to combat the problem by joining the Ransomware Task Force, a coalition of the Institute for Security and Technology. It has been proposed that the anonymous nature of cryptocurrency fuels the ransomware problem, since attackers can collect the ransom and escape unnoticed once it is paid out.

“This Task Force of over 60 members from software companies, government agencies, cybersecurity vendors, financial services companies, nonprofits, and academic institutions is working together on a comprehensive framework of actionable solutions. Their work synthesized best practices across sectors, identified solutions in all steps of the ransomware kill chain, targeted gaps in solution application, and engaged stakeholders across industries to coalesce around a diverse set of ideas and solutions.”

For some companies the problem goes deeper and includes complete data loss when the ransomware gang’s decryption software fails to restore the encrypted data successfully. There are companies being absolutely devastated by these attacks. As incidents increase exponentially, so does the risk of job losses when data is lost and cannot be retrieved. The only hope in these situations is that IT organizations have fully prepared business continuity plans (BCP) with complete data backups stored off site. This is a problem particularly for small businesses that have very limited capital and human IT resources, with even more limited cybersecurity standards, policies and procedures, if any. For larger organizations the problem is less pronounced since it’s expected that a full BCP would be in place as a part of standardization considerations.

According to Cybersecurity Ventures, 8000 companies worldwide are infected with ransomware every day. The problem is pronounced in that many of these organizations have neither the recourse nor the financial means to recover from these incidents. It means that services we all rely on will be interrupted at some point for days and in some cases weeks or months. For example, the Resort Municipality of Whistler was hit with a serious cyber attack on April 28th. It’s one month later and the organization is still not completely back online.

“May 11, 2021: Whistler, B.C. – The Resort Municipality of Whistler’s (RMOW) email and network systems remain temporarily offline due to a cyber security incident reported April 28. As a result, many municipal services continue to be unavailable or have limited access. An estimate for when all services will return to normal is not yet known, but a limited number of critical systems are expected to start to return within two weeks.”

Another answer to the problem is for organizations to become proactive and initiate cybersecurity awareness programs that train not only new recruits but existing staff on all possible malware entry points, methods, and tactics used by the attackers. To be truly effective a program must introduce staff to the problem and encourage them to be wary of suspicious emails, phone calls and people that might enter the workplace. Too often I hear stories about unrecognized people requesting keys and access to restricted areas and then staff simply giving the access over without question. Security needs to become a mindset before the breaches occur. An effective awareness program will be deeply integrated into an organization at the most fundamental levels. Security needs to be implemented from the top down, however, not from the bottom up.

“Being security aware means you understand that there is the potential for some people to deliberately or accidentally steal, damage, or misuse the data that is stored within a company’s computer systems and throughout its organization. Therefore, it would be prudent to support the assets of the institution (information, physical, and personal) by trying to stop that from happening. According to the European Network and Information Security Agency, ‘Awareness of the risks and available safeguards is the first line of defence for the security of information systems and networks.'”

I frequently see IT organizations become the sole owner of the security program at many companies. The problem with this is that the program simply isn’t driven by policies drafted at the most senior levels of management. In fact these policies should be drafted and implemented at the director or board level to be truly effective. In many cases the directors are liable for any security breach, whether it be related to data or otherwise. The time to take action is now, before the breach occurs. Put the policies in place and then draft up standards, guidelines and procedures that front line staff can implement.

“The Canada Business Corporation Act RSC 1985 (CBCA) requires every director to exercise their powers and duties with the care, diligence and skill that a reasonable prudent person would exercise in the same circumstances. Directors’ duties of care include good faith efforts to ensure that controls for known risks are implemented, as well as ensuring that monitoring and reporting systems are in place in relation to those risk controls. The CBCA provides for shareholder derivative actions for breaches of duties owed by directors to the company and the recovery of monetary damages on behalf of the company (section 239(1)).”

There can be very serious consequences for senior management when an organization isn’t prepared to deal with security proactively. The fact is that all companies, organizations and individuals need to be prepared to defend against a ransomware attack and have a plan to recover from one in the event that one actually happens. There are many resources available online to help prepare security policies including templates and FAQs. One resource of note was prepared by the Cybersecurity & Infrastructure Security Agency (CISA). Some of the basic recommendations include:

  • maintaining offline, encrypted backups of data and regularly testing those backups
  • creating, maintaining, and exercising a basic cyber incident response plan and associated communications plan
  • regularly patching and updating software and operating systems to the latest available versions
  • implementing a cybersecurity user awareness and training program that includes guidance on how to identify and report suspicious activity or incidents

These are the very basic recommendations and if your company is lacking in these it is probably safe to say that your organization isn’t implementing the dozens of other guidelines recommended by CISA. Let this be a red flag that something needs to change. This all starts with some simple conversations about what is lacking and how the culture needs to change around the topic of security. This is not just a problem for IT departments as you can see here but a problem for everyone to solve collectively.

So what happens when your organization actually experiences ransomware? As we’ve seen from many news reports many companies have been paying out millions of dollars to these extortionists. Is this how your organization plans on dealing with an issue of this nature? Is there a guideline that speculates on the amount your organization is willing to pay out? What exactly should be the first response and how should the situation be triaged for the optimal outcome? These are just a few questions that should be included in the ransomware or cybersecurity response policy. The National Institute of Standards and Technology (NIST) published a white paper that will help in the policy development process. This paper goes to some lengths to discuss the options available but isn’t an easy read and will require many weeks of consideration to understand what will best work for you in your specific situation. Another resource more specific to the Canadian marketplace can be found here.

If you need a quick and dirty response because your organization failed to prepare adequately, I might recommend something like this brief text file available on GitHub.

Some of the most dangerous types of ransomware that are currently circulating include the following:

These attacks target several weaknesses in an organization. It could be staff, an unpatched system or weak passwords. According to Securelist, the Maze ransomware has several compromise mechanisms.

“The initial compromise mechanism and subsequent tactics vary. Some incidents involved spear-phishing campaigns that installed Cobalt Strike RAT, while in other cases the network breach was the result of exploiting a vulnerable internet-facing service (e.g. Citrix ADC/Netscaler or Pulse Secure VPN). Weak RDP credentials on machines accessible from the internet also pose a threat as the operators of Maze may use this flaw as well.”

This is why it’s so important for policies, standards, guidelines, and processes to be in place. These are just a few things that will help prevent ransomware incidents but there are many things to consider for your organization’s security program to be a success. In fact a culture of security in some cases will completely shift the mindset of all staff. For this shift to truly happen the organization needs to embrace ongoing security awareness from the C-suite down to the line staff.

Half the battle of dealing with a cybersecurity incident is identifying the particular malware or ransomware that needs to be remedied. Fortunately there’s an organization called ID Ransomware that can be used to identify the problem simply by uploading an encrypted file or copy of the ransom note. Currently the service identifies 997 different ransomware variants. Other services that can help in the battle include VirusTotal and Hybrid Analysis.

Ransomware has evolved into a lucrative business for threat actors, from underground forums selling ransomware, to services such as support portals that guide victims through acquiring cryptocurrency for payment, to the negotiation of the ransom itself.

We all need to work together to achieve success against threats to our corporate and individual data. Hopefully some of the resources in this post have helped. If you can recommend any others please leave a note below.
