In the past, a ransomware attack would target a single computer and ask the victim for $500. But now, what we see during our own cyber-incident response services and in incidents reported publicly, attackers are willing to take a little extra time to fully compromise a network before launching their ransomware.
Why go for a $500 ransom here and there, when an attacker can compromise and encrypt an entire network, extorting victims for $1 million or more? With that said, it might be thought that smaller organizations are less juicy targets. The truth is, organizations with limited security resources are the easiest targets and are frequently targeted by attackers. Here are the questions organizations should be asking themselves before ransomware or other malware hits, and why.
If attackers have the same level of network access your IT team does, can they destroy, overwrite or otherwise corrupt your existing backups?
It is not uncommon for attackers to specifically target backups. If all of the organization’s backups are on the network or accessible from the network, they are potential targets. A ransomware-tolerant backup solution should ensure regular backups that cannot be overwritten, even by an attacker that has obtained all the administrator passwords for the network. That might mean including regular backups taken to disk/tape, which are rotated off-site, or using technology that allows backup archiving in a way that prevents the possibility of anyone overwriting existing backups. If your production data becomes encrypted by ransomware, backups might be the only option to recover the data, so secure backups are extremely important for any size organization.
Do you have an incident response program that is regularly tested?
IT and security teams are always challenged for time and budget, so it is understandable that often, incident response programs are lacking, untested, rarely updated, or nonexistent. If you do have an incident response program, test it regularly with tabletop exercises and validate its effectiveness.
Do you have resources to call if an incident goes beyond your internal ability to handle it?
A limited incident response program can be just as bad as a non-existent one. For organizations with no or a limited incident response program, you should, at the very least, reach out, establish and maintain relationships with two or more incident response providers that can respond quickly to incidents in your geographic area(s). That way, you have someone to call if an incident like ransomware strikes. Even if you have an incident response program, you should still have outside help you can call for an urgent, time-sensitive situation beyond your control, which is often the case with ransomware.
Could your business operate without IT resources for days or weeks?
A real situation we see with aggressive ransomware attacks, is that all or almost all of the resources provided by IT can become unavailable, for days and in some cases, even longer. Planning for that scenario should be part of a disaster recovery program, but as we discussed earlier when it comes to things like Incident Response and Disaster Recovery, many organizations do not have a robust plan, or any plan, because resources are already strained.
An organization-wide ransomware attack is like a tornado that effects computer systems and hits every location you have.
Can you operate without your IT systems (Email, ERP, databases, custom applications, phone system, etc.)? For how long? Have a plan.
How effective is your antivirus software?
Many attackers get in through phishing emails targeting average users, which are often overlooked by an organization as low-value targets. Those low-value targets are a great entry point for an attacker. In fact, most of our clients who get ransomware infections do have antivirus software in place. Sadly, antivirus software, particularly traditional antivirus software, is an easy obstacle for attackers to overcome. This is an area where newer security controls should be considered.
A properly tested and tuned endpoint detection and response (EDR) solution can provide greater levels of attack protection and significantly more detection and logging capabilities than traditional antivirus. EDR solutions are not perfect. Despite being a big improvement in endpoint protection, a poorly configured EDR solution can be less effective than traditional antivirus. Whatever you use, test its effectiveness. Schneider Downs often performs endpoint security effectiveness testing as part of a well-rounded penetration test, which includes testing of antivirus and/or EDR solutions.
If your whole network is compromised, including your backups, how much would you risk paying to decrypt the data?
We don’t generally provide guidance on whether paying a ransom should be considered. The FBI and others typically recommend against paying a ransom, because it encourages the attackers to continue their work and there is no guarantee you will actually be able to decrypt the data, even if you pay. If an organization has no backups, or the backups have been encrypted by the attacker, some organizations will determine that it is worth the risk to pay the ransom. This is a question worth posing now to senior management, or to the board.
If you do pay the ransom and are able to decrypt your data, take heed: Paying the ransom does not ensure that an attacker has actually left your network, and it doesn’t resolve any of the security issues that led to the successful attack. And so those weaknesses could be exploited again by the same attacker or a new attacker. Do not stop your incident response efforts at the point where your data is recovered. Ensure that the attackers are out, analyze what happened and fix the issues that led to the successful attack.
Do you regularly evaluate the performance of your security controls by simulating attacks?
Cyber-security audits are great, but do not show you what is possible if an attacker gains access to your network. Penetration tests, purple team exercises and red team assessments are methods to put your network to the test and to see how it actually fares against an attack. Organizations that perform these assessments regularly and remediate the findings are the most mature organizations we work with from a cybersecurity standpoint and the most resistant to successful attacks.
If you had to, how would you rebuild your entire network?
This is a scary thought, but while some compromises are limited, others are so extensive in nature that a full rebuild of a network has been necessary. I can’t think of any organization that has the internal capability to rapidly rebuild every system on their network. Often, it requires outside help. Who will provide that help? Many incident response providers will help to identify and stop an attack, but do not provide on-the-ground IT level support that is required to rebuild a network. Schneider Downs’ cybersecurity team has full experience assisting clients: in figuring out what the bad guys are doing, kicking them out, determining what they accessed or compromised, and assisting your organization in system recovery if needed.
These are questions that should be considered by any organization before an incident hits. Being prepared could save a business millions of dollars—and prevent other losses that are harder to measure, like loss of reputation and the extenuating impact on your clients and board. Schneider Downs Risk Advisory Services and Cybersecurity team has the experience to assist with all of the questions posed in this article. Feel free to get in touch with our team to discuss your security consulting needs.
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.