Ransomware on the Rise
Ransomware cripples the target company’s operations, which makes it very different from an attack that only steals data. The implication of this became clear as I developed a contingency plan to pay a ransom. Before thinking the issue through, I pictured the payment as a get-out-of-jail-free card: my team does all it can to secure our systems, and if we get hit, we can pay and continue operations. But that simply isn’t the case. You need a better plan.
Ransomware on the Rise
Ransomware blocks access to systems or data until you pay. It takes what would once have resulted in a breach or data loss, through a phishing email or an exposed security vulnerability, and systematizes how the attacker monetizes the attack. After the attacker gains control, they threaten to keep you locked out, or to disclose your data, unless you pay.
A recent attack on Kaseya shows how ransomware presents a threat to both a Managed Service Provider (MSP) and the end customer. The attacker uses the MSP to gain access to the customers.
Given the financial incentive, everything about ransomware has exploded. In 2020, ransomware attacks increased by approximately 400% in developed nations, with a reported 65,000 successful attacks, an average of one every eight minutes. The FBI observes that in 2013 ransomware focused on one PC at a time; now it targets entire networks or industries. A ransom demand had been hundreds of dollars, then thousands, and is now millions. Where previously a gang often worked alone, ransomware attackers now coordinate as larger cartels, sharing information and techniques more broadly.
The threat has become so serious that the U.S. government now offers a bounty of up to $10M for information that leads to the arrest of a ransomware gang. The government has also established a stopransomware site to keep you informed and to encourage victims to report attacks.
Paying the Ransom, Not a Good Option
There are several reasons why you cannot depend on being able to pay your way out of a ransomware incident:
- No guarantee of honesty. Despite stories about the illicit dark web running like the Amazon store, where even the bad guys must maintain a reputation for honoring commitments, you can’t be sure that your system will be restored after you make payment. Even if your attacker wants to restore your system, the restoration process may not work, or the attack may have been irreversibly destructive. Nor can you expect any restoration to happen immediately.
- Government prohibitions. On October 1, 2020, the Department of Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory that ransomware payments encourage malicious activity and could thus threaten national security. On this basis, OFAC can impose penalties for making ransomware payments.
In a development that may hit closer to home for an MSP, states are in the process of passing laws that draw this same line. Specifically, states are evaluating bills that prohibit ransomware payments and require reporting of ransomware attacks. MSPs that serve state and local government customers will be directly impacted. Louisiana is first, with its law effective February 1, 2021.
- Louisiana (Requires registration of MSPs that service Louisiana government entities and for registered MSPs to report cyber incidents and ransomware payments)
- New York (Bans the payments of ransom in cyber-incidents by a New York government entity or by another entity on their behalf. Requires reporting.)
- North Carolina (Prohibits government entities from making ransomware payments. Requires reporting.)
- Pennsylvania (Requires an MSP “in the service” of Pennsylvania to report “discovery of ransomware or of an extortion attempt involving ransomware within one hour of the discovery.” Taxpayer money must not be used to make a ransomware payment, except in circumstances of a declared emergency.)
- Reputation. Ransomware payments can become public, and your reputation may suffer. Moreover, the bad guys will know you pay, putting you on the radar for subsequent attacks.
As you consider whether to pay, your operations and those of your customers are at a standstill. Rather than be left in the no-win situation of choosing between watching your business perish and making a desperate payment that may only make things worse, have a backup plan.
Establish a Backup Plan
First off, implement appropriate safeguards to secure yourself against cyberattacks and to detect them (e.g., two-factor authentication, phishing training, access management, etc.).
Then, for Plan B, establish a ransomware response plan that includes backup and restore capabilities. Such capabilities help not only in a ransomware situation but in any destructive event that affects your data or systems: malicious insider activity, an honest mistake, or a natural disaster. As an MSP, your plans should account for your customers’ systems as well as your own.
- Backup and Restore. If you have a working backup, you can sidestep the ransomware attack and get back to work as soon as you restore. So create backups for your systems and data, focusing on high-value data.
- Segregation. Segregate the backups so an attacker can’t reach them after compromising your systems. Segregate parts of your systems, too; this lets you pull the plug on an infected area while protecting the rest of your systems.
- Know where the copies are. Review your systems to locate where distinct copies of data reside, even if a copy isn’t a formal backup. You can make use of such copies during a crisis.
- Have a plan. Have an incident response plan, specific to ransomware, and periodically test it. Table-top exercises with your principal executive decision-makers are helpful, and so is testing of your backup and restore capabilities.
- More tips. Here are suggestions for what your plan can cover:
- Replacing infected hardware, like employee laptops.
- Claiming insurance. Check your coverage.
- Following applicable law. Monitor the changing legal landscape.
- Cooperating with the government. Consider whether, and under what circumstances, you will report a ransomware attack to the government or seek assistance. The OFAC advisory and the stopransomware site provide contact information. OFAC may show you leniency for cooperative reporting if you end up making a prohibited ransomware payment.
- Renewing your commitment to security, especially closing the specific vulnerabilities that were exploited.
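The backup, segregation and restore-testing points above can be rehearsed as a small drill. The script below is an added example written for this article, not code from the article or its author: it snapshots a "live" directory into a separate backup location together with a SHA-256 manifest, stages a destructive event on the live copy only (standing in for ransomware or any other data-destroying incident), verifies the backup against its manifest, restores, and checks that the restored files match the originals byte for byte. All directories, file names and file contents are constructed inside a temporary folder; in a real deployment the backup root would sit on a separate system or immutable storage that the live environment cannot modify.

```python
"""Backup, integrity-manifest and restore drill (added example; all sample
data and paths are constructed in a temporary directory)."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, streamed so large files are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hashes_under(root: Path) -> dict:
    """Map of relative path -> SHA-256 for every file below `root`."""
    return {str(p.relative_to(root)): sha256_of(p) for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(live: Path, backup_root: Path) -> Path:
    """Copy `live` into a new numbered snapshot under `backup_root` and write a
    manifest of file hashes beside the data, so the backup can later be
    verified without trusting the (possibly compromised) live system."""
    snapshot = backup_root / f"snapshot-{len(list(backup_root.glob('snapshot-*'))):04d}"
    shutil.copytree(live, snapshot / "data")
    (snapshot / "manifest.json").write_text(json.dumps(hashes_under(snapshot / "data"), indent=2))
    return snapshot


def verify_backup(snapshot: Path) -> list:
    """Return the relative paths whose content no longer matches the manifest.
    An empty list means the snapshot is intact and safe to restore from."""
    manifest = json.loads((snapshot / "manifest.json").read_text())
    return [rel for rel, digest in manifest.items()
            if not (snapshot / "data" / rel).is_file() or sha256_of(snapshot / "data" / rel) != digest]


def restore(snapshot: Path, live: Path) -> None:
    """Replace the live directory with the snapshot's data."""
    if live.exists():
        shutil.rmtree(live)
    shutil.copytree(snapshot / "data", live)


def simulate_destructive_event(live: Path) -> None:
    """Drill stand-in for ransomware or any destructive event: overwrite every
    live file with random bytes so none of it is usable. Touches `live` only;
    the segregated backup root is never reachable from here."""
    for p in live.rglob("*"):
        if p.is_file():
            p.write_bytes(os.urandom(len(p.read_bytes()) or 16))


def run_drill() -> dict:
    """Run the whole drill and return a summary that a test can assert on."""
    root = Path(tempfile.mkdtemp(prefix="ransomware-drill-"))
    live, backup_root = root / "live", root / "backups"
    backup_root.mkdir()
    (live / "customers").mkdir(parents=True)
    (live / "customers" / "acme.txt").write_text("constructed sample: acme contract\n")
    (live / "config.ini").write_text("[app]\nmode=prod\n")
    before = hashes_under(live)

    snapshot = take_backup(live, backup_root)      # Plan B: segregated copy + manifest
    simulate_destructive_event(live)               # the incident hits the live copy only
    after_event = hashes_under(live)

    damaged = verify_backup(snapshot)              # check the backup before relying on it
    if damaged:
        raise RuntimeError(f"backup unusable, files failed verification: {damaged}")
    restore(snapshot, live)
    after_restore = hashes_under(live)
    shutil.rmtree(root)
    return {
        "live_changed_by_event": before != after_event,
        "backup_verified": not damaged,
        "restore_matches_original": before == after_restore,
        "files": sorted(before),
    }


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
```

Running the script prints a summary in which the live copy was altered by the event, the backup verified clean, and the restore reproduced the original hashes. The manifest is the piece worth copying into a real plan: a restore you have never verified against known-good hashes is the kind of backup that turns out not to work when the ransom clock is running.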
After you implement these steps, you’ll have another layer beyond cybersecurity to protect your own and your customers’ business operations. You won’t need to consider making the payment, because backup and restore will be your get-out-of-jail-free card.