Ransomware: the long and costly road of getting back to businessSecurity
Recently, IBM researchers released a study outlining an average cost of a ransomware attack – which amounted to be $4.44 million in 2020. At first glance, this figure might seem astronomical. After all, if a business has a sound backup policy and a robust solution in place, getting back up and running – in theory – should take no time. However, this line of thinking might be the main reason why these figures seem so exorbitant. It might also be the reason why nearly 90% of managers are convinced that a successful ransomware attack will cost them no more than six months of annual corporate revenue, while the real estimates hover around one to seven years.
The disparity between official statistics and managerial estimates is something to be reckoned with, as it’s quite easy to scoff large numbers or to believe in the best case scenario: that a ransomware attack is unlikely. However, in reality, that’s just wishful thinking. According to IBM, ransomware was the most popular attack method in 2020, making up 23% of all incidents IBM Security X-Force responded to and helped remediate. Given the projections disparity as well as the prevalence of ransomware attacks, this article aims at outlining some of the considerations of what it will take to get back up and running, in order to put these numbers in a little bit of a perspective.
Old vs new modus operandi
Traditionally, when thinking about ransomware, one may imagine a piece of malicious software designed to encrypt a hard drive. The victim, usually duped by some type of a social engineering attack opens a file, which contains malicious code. Once executed, the program quietly encrypts vital contents of the hard drive, only to threaten the victim once it finishes the job.
When faced with this situation, there are usually three ways of fixing the problem. First, is to pay the hackers for a password (key) to decrypt the files. Second, is to completely format the hard drive, re-install the Operating System and import the files back from a backup solution. Third, is to attempt decryption and file recovery ‘at home’, which usually means trying several pieces of software in a trial-and-error method.
Needless to say, neither option is optimal. Paying hackers does not guarantee receiving the key. Moreover, doing so may tip off cyber-criminals that the business is vulnerable and is willing to pay. Formatting and re-imaging production systems is costly and time-consuming. Self-decrypting the files, on the other hand, might actually damage them further and gives no guarantee of success. It’s a hit and miss.
Enter LockBit ransomware in 2020. If a traditional ransomware attack wasn’t annoying enough, hackers thought of a new, clever way of making sure that the victim chooses the first option, which is paying the ransom: copying data.
The new modus operandi of ransomware is as follows: first, copy the user’s data to a safe location. Second, encrypt the data and ask the user to pay. Third, threaten the user with their data: offer to sell their documents, intellectual property, personal data; expose them to potential GDPR-related fines. If that doesn’t work, contact the media on their behalf and expose them publicly.
Name and shame
This is where things get disproportionally costly. Today, if a ransomware attack is successful, it’s best to think that all encrypted data is also at the hands of the attackers.
From a managerial standpoint, the business might be at a total loss: intellectual property may be sold to the highest bidder, or published for anyone to copy. Internal documents, including data related to employees and business partners should be considered in open to the public, and these actors may demand compensation for damage suffered. (This is especially true in the EU, which has stricter privacy-related laws than other jurisdictions.) GDPR-related fines can quickly amount, especially in a situation, where it can be proven that adequate data security practices were not in effect, or were somehow neglected (here the line can be blurry, as the law has no direct way of stipulating “adequate” data protection). Further strategies and marketing plans might also have to be revised, as this data can be used to the competitor’s advantage, further putting a strain on the business.
Then there’s the fallout from the ‘shaming’ part of the hacker’s strategy. Official fines and duration of court battles is one thing to consider. However, recovering from a customer’s or business partners’ lack of trust can take years, if not decades to accomplish. Hackers profit from ransomware attacks and are determined to do everything in their power to make sure they get paid. Regardless of the business size, big or small, threatening to contact the media (or doing it outright) is always an option. For some businesses, this may be the final nail in the coffin.
Putting court battles and sales figures aside, there’s still the recovery to be dealt with. This is also the point where the myth of having a backup as a ransomware solution may case to exist.
When ransomware attacks, it doesn’t only encrypt the hard drive of the system it infected. In fact, it’s in its best interest to spread further for two reasons: first, it can infect additional devices and force the business to pay even more. Second, it may retain itself inside the network on some type of a storage device, such as NAS or USB key. This way if the network is quickly cleared of the malware, it may re-emerge once again on the same network.
Hence, the first step to recovery is quarantine. The infected device, as well as all other systems on the same network segment most likely need to be temporarily taken offline, in order to assess where the malware spread and in which storage mediums (hard disks, NAS devices, USB thumb-drives) it could still reside. If the network is split into different segments, other machines, such as workstations and servers should immediately undergo antivirus security updates and deep antivirus (or anti-malware) scanning. The best solution from a security standpoint would be to take all systems offline and assess the situation one-by-one, however, this might not always be feasible. In either situation, the business is already severely impacted, if not at a full stand-still.
The second part of the road to recovery is the actual removal of ransomware. Here the safest option is to consider all infected machines as a total loss: hard disks need to be formatted, Operating System re-installed and all previously functioning software needs to be deployed once again.
This step may seem straightforward, at first. However, issues often arise. First, license recovery can be tricky. Some IT departments are well organized and can revert licenses on the fly. However, not everyone is blessed with spotless bookkeeping. Licenses go missing. Some software cannot be installed in the version in which it was purchased, simply because it’s no longer distributed for sale. Then there’s custom-built software which may no longer have an official maintainer or can be tricky to configure.
Second, not all backup solutions are built the same. Certain systems need a complete shutdown in order to be backed up and as such, backups may have been done at longer intervals. This essentially means that a business can sometimes lose more than just a few days of work. Moreover, backup solutions can fail due to a variety of reasons: hardware failure, lack of backup verification, misconfiguration or a bug. Although in theory bugs in crucial software should not happen, the reality is very often different. If such a circumstance arises, a business owner could technically go to court and seek compensation for sustained damages – and this takes time. In the meantime, the business is at a complete standstill.
Documentation and post-factum
If all things go well with the licensing and recovery stage, a complete documentation of the data breach should be made. This documentation is needed for two reasons: first, there are lessons to be learned. How did the attack occur? Which systems failed? Who or what was responsible for the success of the attack? What about the human aspect: insiders, hacktivist groups, rogue competition, targeted hack or just plain bad luck? If we’re not learning from the mistakes, we’re doomed to repeat them. Therefore, security holes must be immediately dealt with.
Secondly, this documentation is required by GDPR in all data-related breaches. In Poland, UODO (Urząd Ochrony Danych Osobowych), which is the governing body, will examine the data breach outcomes. In other EU countries, respective government bodies will do the same, as they are obligated by the law.
Given this mandated assessment, there needs to be a clear definition of who was involved in the data breach, what happened, who may be impacted (employees, business partners, potential sales leads, contractors, other entities) and how quickly the breach was discovered. The better the documentation, the lower the chances for a GDPR-related fine. Every bit of information helps.
Last, but not least, is contacting all victims (and potential victims) of the data breach. This part may be most painful for the business owner: publicly admitting a failure and hoping that it will not impact the bottom line. There are no good ways to break the bad news: “we got hacked and all information – including yours – is public”, which is the case.
Not repeating past mistakes …or getting ransomware to begin with
There is no way to look at a ransomware attack that does not involve a tremendous waste of resources, time and money. Downtime, fines, loss of productivity, loss of customers’ and business partners’ trust are just a tip of the money-draining iceberg. Even with the best backup solutions available, the road to recovery is usually much longer than most managers anticipate. As such, IBM’s X-Force Team is not far off, when they claim that a ransomware attack on average ends up costing approximately $4.44 million. However, there are some lessons to be learned here, aside from the fact that a successful ransomware attack is costly.
Securing the entry point
Ransomware usually penetrates network defenses due to human error. As such, it’s not the technology that fails us, but rather, lack of technological understanding and utilizing good practices in everyday scenarios.
A solid foundational understanding of computer security lays a strong foundation in understanding the technology and policies which make up a large chunk of business cyber-resilience efforts. Employees should know why computers are vulnerable, how hackers target employees and which systems and policies are in place to protect them from the outside. With this holistic understanding, security policies will be better understood and in consequence, more closely followed.
Last, but not least, there are technological solutions to consider. On top of resource containerization, antivirus/EDR/EDP platforms, security hardening and monitoring efforts, a robust and well-tested backup solution is a must. In the best case scenario, regular recovery exercises with existing solutions should be conducted in order to ensure that a smooth recovery can take place and no surprises pop up along the way.
The best defense is staying proactive. Expect the best, but prepare for the worst.