
The Rise of Ransomware-as-a-Service: A Roadmap For Executives

The cybersecurity landscape has witnessed an alarming escalation in ransomware attacks, compounded by the proliferation of Ransomware-as-a-Service (RaaS). This model enables even those with minimal technical expertise to launch ransomware attacks, making it a pressing concern for organizations worldwide. RaaS operates much like a traditional SaaS (Software-as-a-Service), where affiliates pay a subscription fee or share a percentage of the ransom profits with the ransomware developers, making this a low-risk, high-yield proposition for the perpetrator. This article delves into the growing trend of RaaS and outlines effective countermeasures and response strategies for organizations to protect themselves and mitigate the impact of these attacks. 

Understanding Ransomware-as-a-Service 

RaaS platforms provide a user-friendly interface, detailed instructions, and customer support, lowering the barrier to entry for conducting ransomware attacks. They have democratized access to sophisticated ransomware tools, leading to an increase in the frequency and sophistication of attacks, even by script-kiddies. The RaaS model has also facilitated the targeting of a wider range of organizations, from small businesses to large enterprises and government agencies. 

Countermeasures to Protect Against RaaS 

Strengthen Email Security 

Since phishing emails are a primary initial-access vector for ransomware, organizations should deploy email security that includes phishing detection, attachment sandboxing, and URL inspection. Training employees to recognize and report suspicious messages, reinforced by regular simulated phishing exercises, further reduces the chance that a lure succeeds.

Implement Robust Backup and Recovery Procedures 

Regular, secure, and tested backups are the linchpin of ransomware defense. Because attackers deliberately hunt for backups before detonating the ransomware, keep at least one copy offline or in immutable (write-once) storage, encrypt backups at rest, and protect the backup infrastructure with credentials that are separate from the production domain, so that a stolen domain admin account cannot delete or encrypt them. Test restores regularly, both for integrity (do the backups contain what you think they contain, unmodified?) and for speed (can you meet your recovery time objective?). A backup strategy that passes those tests lets you restore encrypted data without paying the ransom.
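As an added example (not from the original article), the following Python script shows one way to make "regularly tested for integrity" concrete: it records the size and SHA-256 of every file in a backup set in a manifest, authenticates the manifest with an HMAC whose key is assumed to be kept off the backed-up host, and then checks a backup set against that manifest. The scenario it runs through, file names and ransom-note name included, is constructed for illustration; the check catches an overwritten file and a dropped note, and rejects a manifest that an attacker rewrote to match the encrypted content.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Assumption for this example: the manifest key lives somewhere the attacker
# cannot reach from the backed-up host (a secrets manager, an offline vault).
# A constant is used here only so the script runs stand-alone.
MANIFEST_KEY = b"example-manifest-key-kept-off-host"


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def _listing(root):
    """Relative paths (forward-slash form) of every file under root."""
    paths = set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            paths.add(rel.replace(os.sep, "/"))
    return paths


def build_manifest(root):
    """Record size and hash of every file, then authenticate the listing with an HMAC."""
    files = {}
    for rel in sorted(_listing(root)):
        full = os.path.join(root, rel)
        files[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "hmac": hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()}


def verify_backup(root, manifest):
    """Return a list of problems; an empty list means the backup set matches the manifest."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        # Stop here: a manifest that fails authentication proves nothing about the files.
        return ["manifest HMAC mismatch: manifest altered or wrong key"]
    problems = []
    present = _listing(root)
    for rel, meta in manifest["files"].items():
        if rel not in present:
            problems.append(f"missing: {rel}")
            continue
        full = os.path.join(root, rel)
        if os.path.getsize(full) != meta["size"] or sha256_file(full) != meta["sha256"]:
            problems.append(f"modified: {rel}")
    for rel in sorted(present - set(manifest["files"])):
        problems.append(f"unexpected file: {rel}")  # a dropped ransom note shows up here
    return problems


def demo():
    """Constructed scenario: intact set, then one file overwritten and a note dropped,
    then an attacker who also rewrites the manifest hash to hide the change."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "db"))
        with open(os.path.join(root, "db", "customers.sql"), "wb") as fh:
            fh.write(b"INSERT INTO customers VALUES (1, 'example');\n")
        with open(os.path.join(root, "config.yaml"), "wb") as fh:
            fh.write(b"retention_days: 30\n")
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)

        # Simulate ransomware: encrypt-in-place (random bytes) and drop a note.
        target = os.path.join(root, "db", "customers.sql")
        with open(target, "wb") as fh:
            fh.write(os.urandom(64))
        with open(os.path.join(root, "README_RESTORE.txt"), "wb") as fh:
            fh.write(b"your files are encrypted\n")
        tampered = verify_backup(root, manifest)

        # Attacker edits the manifest to match the new content but cannot recompute the HMAC.
        forged = json.loads(json.dumps(manifest))
        forged["files"]["db/customers.sql"] = {"size": 64, "sha256": sha256_file(target)}
        forged_result = verify_backup(root, forged)
        return clean, tampered, forged_result


if __name__ == "__main__":
    for label, result in zip(("intact", "tampered", "forged manifest"), demo()):
        print(f"{label}: {result or 'OK'}")
```

Run a check like this on a schedule against each backup copy, and build the manifest on the backup server rather than on the source host, so that a compromised source cannot produce a manifest that matches already-encrypted data. An authenticated manifest only proves the backup is unaltered; a timed restore test is still needed to prove the data is usable and that the recovery time objective can be met.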

Apply Least Privilege Access Controls 

Limiting user and system access to the minimum necessary can help contain the spread of ransomware within a network. Implement strong access controls and regularly review access and adjust permissions to ensure they are aligned with user roles and responsibilities. 

Keep Systems and Software Up to Date 

Regularly update operating systems, applications, and firmware to patch vulnerabilities that could be exploited by ransomware. Employing a vulnerability management program with a remediation schedule can help identify and address security gaps promptly. 

Response Strategies for Ransomware Incidents 

Incident Response Planning 

Develop and regularly update an incident response plan that includes specific procedures for responding to ransomware attacks. This plan should outline roles and responsibilities, contact information, communication strategies, and steps for isolating affected systems to prevent the spread of ransomware. 

Rapid Detection and Isolation 

Deploy monitoring that can surface ransomware behaviour early: endpoint detection and response (EDR), file-activity auditing on file servers, and alerting on indicators such as a burst of file renames or high-entropy writes from a single process and the same ransom note appearing across many directories. Upon detection, isolate the affected systems from the network immediately (EDR network containment or disabling the switch port) rather than simply powering them off where possible, since that preserves volatile evidence for the investigation. Disconnecting backup targets and removable storage from the network also prevents them from being encrypted.
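To make "detect ransomware activity early" concrete, here is an added example (not from the original article) in Python that runs three simple heuristics over endpoint file-activity events: a burst of distinct files changed by one process inside a short window, sustained high entropy in what that process writes, and the same new filename appearing in many directories (the ransom-note pattern). The log format, the field names, the thresholds and the sample lines (including the hostnames and the process name "upd8r.exe") are all constructed for this example; real EDR or file-server audit logs will need their own parser.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format (not a real product's schema):
#   <ISO timestamp> host=<host> proc=<image> action=<write|create|rename|delete> path=<path> [entropy=<bits/byte>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) action=(?P<action>\S+) "
    r"path=(?P<path>.+?)(?: entropy=(?P<entropy>[0-9.]+))?$"
)

# Thresholds are illustrative; tune them against a baseline of your own hosts.
WINDOW = timedelta(seconds=60)
MASS_CHANGE_THRESHOLD = 10     # distinct files changed by one process inside WINDOW
HIGH_ENTROPY = 7.5             # bits per byte; encrypted or compressed output sits near 8.0
HIGH_ENTROPY_MIN_WRITES = 5
NOTE_FANOUT_THRESHOLD = 3      # same new filename appearing in this many directories

# Constructed sample: benign activity on fs01, an encryptor ("upd8r.exe") on ws17.
SAMPLE_LOG = r"""
2024-03-04T09:00:01 host=fs01 proc=explorer.exe action=write path=C:\Share\q1.xlsx entropy=5.1
2024-03-04T09:00:05 host=fs01 proc=svchost.exe action=write path=C:\Windows\Logs\CBS\CBS.log entropy=4.2
2024-03-04T09:00:30 host=fs01 proc=explorer.exe action=create path=C:\Share\notes.txt
2024-03-04T09:01:00 host=ws17 proc=upd8r.exe action=write path=C:\Users\a\Documents\q1.xlsx.locked entropy=7.97
2024-03-04T09:01:04 host=ws17 proc=upd8r.exe action=write path=C:\Users\a\Documents\q2.xlsx.locked entropy=7.98
2024-03-04T09:01:08 host=ws17 proc=upd8r.exe action=write path=C:\Users\a\Documents\plan.docx.locked entropy=7.96
2024-03-04T09:01:12 host=ws17 proc=upd8r.exe action=write path=C:\Users\a\Documents\notes.txt.locked entropy=7.99
2024-03-04T09:01:16 host=ws17 proc=upd8r.exe action=write path=C:\Users\a\Pictures\img1.jpg.locked entropy=7.97
2024-03-04T09:01:20 host=ws17 proc=upd8r.exe action=write path=C:\Users\a\Pictures\img2.jpg.locked entropy=7.98
2024-03-04T09:01:24 host=ws17 proc=upd8r.exe action=write path=C:\Users\a\Desktop\todo.txt.locked entropy=7.95
2024-03-04T09:01:28 host=ws17 proc=upd8r.exe action=write path=C:\Users\a\Desktop\budget.xlsx.locked entropy=7.98
2024-03-04T09:01:32 host=ws17 proc=upd8r.exe action=write path=C:\Users\a\Desktop\offer.pdf.locked entropy=7.97
2024-03-04T09:01:36 host=ws17 proc=upd8r.exe action=write path=C:\Users\a\Desktop\keys.kdbx.locked entropy=7.99
2024-03-04T09:01:40 host=ws17 proc=upd8r.exe action=create path=C:\Users\a\Documents\README_DECRYPT.txt
2024-03-04T09:01:41 host=ws17 proc=upd8r.exe action=create path=C:\Users\a\Pictures\README_DECRYPT.txt
2024-03-04T09:01:42 host=ws17 proc=upd8r.exe action=create path=C:\Users\a\Desktop\README_DECRYPT.txt
""".strip().splitlines()


def parse_event(line):
    """Turn one log line into a dict, or None if it does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["entropy"] = float(ev["entropy"]) if ev["entropy"] else None
    return ev


def detect(lines):
    """Group events per (host, process) and return one alert per process that trips a heuristic."""
    by_proc = defaultdict(list)
    for ev in filter(None, map(parse_event, lines)):
        by_proc[(ev["host"], ev["proc"])].append(ev)

    alerts = []
    for (host, proc), evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        reasons = []

        # 1. Mass modification: most distinct files changed inside any WINDOW-long span.
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            touched = {e["path"] for e in evs[start:end + 1] if e["action"] in ("write", "rename", "delete")}
            peak = max(peak, len(touched))
        if peak >= MASS_CHANGE_THRESHOLD:
            reasons.append(f"{peak} distinct files changed within {int(WINDOW.total_seconds())}s")

        # 2. Output looks encrypted: sustained near-8 bits/byte entropy on written data.
        ents = [e["entropy"] for e in evs if e["action"] == "write" and e["entropy"] is not None]
        if len(ents) >= HIGH_ENTROPY_MIN_WRITES and sum(ents) / len(ents) >= HIGH_ENTROPY:
            reasons.append(f"mean write entropy {sum(ents) / len(ents):.2f} over {len(ents)} writes")

        # 3. Ransom-note fan-out: the same new filename appearing in many directories.
        dirs_by_name = defaultdict(set)
        for e in evs:
            if e["action"] == "create":
                directory, _, name = e["path"].rpartition("\\")
                dirs_by_name[name].add(directory)
        for name, dirs in dirs_by_name.items():
            if len(dirs) >= NOTE_FANOUT_THRESHOLD:
                reasons.append(f"{name!r} created in {len(dirs)} directories")

        if reasons:
            alerts.append({"host": host, "proc": proc, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"ALERT {alert['host']} {alert['proc']}")
        for reason in alert["reasons"]:
            print("  -", reason)
```

Each heuristic on its own produces false positives (backup agents and compression jobs also write high-entropy data in bulk), which is why the alert carries every reason that fired: two or three together is a far stronger signal than any one, and the isolation step described in the text should be driven by that combined evidence rather than by a single threshold.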

Analysis and Investigation 

Conduct a thorough investigation to establish the initial access vector, the scope of the compromise (which accounts, hosts, and data were touched, and whether data was exfiltrated), and the ransomware strain involved. Preserve evidence (disk images, memory, and logs) before systems are wiped or rebuilt. This information is what lets you evict the attacker completely, rather than merely removing the encryptor, and close the gap that let them in so the attack is not repeated.

Legal and Regulatory Considerations 

Consult with legal counsel and consider reporting the incident to relevant authorities. Paying a ransom may have legal implications (for example, a payment to a sanctioned entity can violate Office of Foreign Assets Control rules), and many jurisdictions require notification of data breaches within fixed deadlines. Law enforcement agencies may also be able to help, for instance with decryption tools or intelligence about the specific group.

Recovery and Restoration 

Prioritize the restoration of critical systems and data from backups. Before restoring, confirm that the attacker's access has been fully removed (malware, persistence mechanisms, and compromised credentials) and that the initial access vector has been closed; otherwise the restored environment will simply be encrypted again.

Post-Incident Review 

After resolving the incident, conduct a post-incident review to identify lessons learned and areas for improvement. Update security policies, employee training programs, and incident response plans based on these insights. 

Conclusion 

The rise of Ransomware-as-a-Service represents a significant and growing threat to organizations of all sizes. By understanding the nature of RaaS and implementing comprehensive countermeasures and response strategies, organizations can enhance their resilience against ransomware attacks. Strengthening cybersecurity defenses, fostering a culture of security awareness, and preparing for efficient incident response are essential steps in mitigating the impact of these malicious campaigns. 


Do I Pay the Ransom? Insights from an Incident Responder

When people meet me and I identify myself as a cyber incident responder who has been part of several ransomware extortion cases, everyone asks, “Should I pay the ransom if I am attacked?” I am about to share some insights gathered while working with companies that faced these questions in real life. Now, there are some people out there who hold absolute hard lines on this position, and while hard lines are always a good place to start, the reality is that many companies need to step off that first position and find one that works best for them.

Each company needs to make its own decision in concert with qualified, specialized legal counsel. In sharing this information, I hope it helps you determine whether you should pay the ransom if that fateful day arrives. Viewer discretion is advised.

First, you may not even need to pay at all.

Our good friends at CISA and the FBI have developed several tools to decrypt files damaged by many popular threat actors. They are 100% free to acquire and use. CISA has created the ESXiArgs-Recover tool to assist networks whose ESXi infrastructure may have been encrypted.[1] The FBI has created decryption keys for victims of the BlackCat, ALPHV, and Sphynx ransomware variants.[2] Obtaining the keys from these agencies greatly strengthens your ability to avoid paying a ransom.

Now, the company hard line.

At a recent security conference where I was speaking, I was fortunate enough to be sitting at a table with a group of local liaisons to a government agency that is very involved in ransomware cases. When one of the gentlemen asked me what I was speaking on, I told them the title of my session, “ESXi Host Protection 2024, why you can’t ignore this anymore”. The session was about ESXi hosts targeted by ransomware threat actors and how to prepare for and prevent such attacks.

Upon hearing my session title, the gentleman asked my thoughts on paying the ransom while simultaneously sharing his own staunch view. Unsurprisingly, he echoed the agency line that nobody should ever pay the ransom: paying a ransom is the equivalent of negotiating with terrorists, you should never negotiate with terrorists, and it just encourages them to continue. That is a valid point.

I stated that, in my experience, every situation was unique. Then I mentioned that I had recently worked with a company willing to pay their ransom even if they did not receive the encryption keys, which sometimes happens. (Newsflash, criminals are not honest. More on that later). Puzzled, the gentleman across the table asked why they would do that. My response was, well, it was simple. 

They viewed themselves as carrying a large liability for possibly allowing the ransomware incident to take place in the first place. Therefore, their legal counsel was telling them that, since they may not have done everything they should have to protect the data, they now needed to do everything possible, including paying a ransom, to demonstrate (to potential future judges and jurors) that they did everything they could to recover the data. The company was preparing itself for pending litigation due to the cyber incident.

I could tell by the look on his face that he didn’t like the answer, but he nodded and said he understood why someone would do that. Then he immediately pivoted back to his agency’s line. As you can see, the theory of never paying the ransom has real merit. But when the theory makes first contact with the enemy, companies need to be ready to adjust their stance. In this case, what was best for the government agency wasn’t necessarily the best thing for the affected business. The two positions can co-exist, and do. Not paying is a good position to start from, but be ready to pivot if needed.

Can you restore and recover in time?

One factor to consider in whether you’ll pay the ransom is, once you receive decryption keys, how long will it take to decrypt your data (if you even receive the key)? Ransomware is built to encrypt data rapidly for maximum impact; it can take just hours to encrypt a medium to large-sized network completely. Decrypting the same data is far slower, especially for large data sets (hundreds of gigabytes or more): the decryptors the gangs hand over are typically slow, unsupported tools that have to be run host by host, and they sometimes fail outright. Therefore, you need to plan accordingly for just how long your restoration will take once you begin.

I witnessed one company days away from financial ruin and closing its doors for good due to the vast amount of encryption that had taken place with ransomware in its environment. The timing of the attack could not have been worse, and that was the point. The ransomware gang had stalked this company internally and knew the business cycle and when the company was most vulnerable. These people were under tremendous pressure to get their systems restored. Therefore, paying the ransom seemed viable, or at least harder to say no to, when all the other options may have led to total failure.

But here’s the catch. Is it really a viable solution? What if this company could not get the data restored within the couple of business days it needed? What if the ransomware actors don’t respond to your request or payment as quickly as you need them to? Threat actors don’t work under service level agreements.

In this scenario, if it will take you a week or more to restore all the necessary data, what’s the point in paying when you would exceed your window for restoration anyway? The harm will happen either way, so you might as well not pay. Many people don’t factor the time it takes to restore the data or systems into their decision-making process. They should. This might be a reason, albeit a sad reason, not to pay. Better yet, if you know that you can restore your systems from backups quickly, the need to pay the ransom may never arise at all.

Should you trust a criminal?

Do I really need to answer this one? Despite working with some smart businessmen and women and helping them navigate some tough waters, I am always surprised when they express shock when the ransom is paid, and the other side doesn’t completely hold up their end of the deal. Maybe this is because they are looking at this like they would negotiate a contract for services with AT&T. Now, while the feeling of being held up for ransom and having to deal with poor customer service may be the same in both scenarios, I assure you that they are not the same situation, or at least not yet. Please repeat after me.

CRIMINALS CANNOT BE TRUSTED

CRIMINALS CANNOT BE TRUSTED

CRIMINALS CANNOT BE TRUSTED

The recent takedown of the LockBit ransomware group confirms what I have advised many customers for years. Just because someone says they will delete your stolen data doesn’t mean they will. The evidence ransomware gangs provide as proof of deletion is easy to fake. You are taking a thief at their word that they will do what they claim after they have just willfully wrecked your business.

Investigators who took down LockBit have found massive amounts of stolen victim data on the servers of the ransomware gangs, even those victims who paid and were given proof of the deletion. The gangs hoarded the data for the next round of extortion or marketplace sale to other threat actor groups. While you are negotiating with them, the threat actors are selling your data to other criminal groups so that they may attempt extortion later.

To make things worse, the ransomware group also sells the method by which they initially gained access to your network. The goal is that someone else will attack your network once the first group is done, in the hope that the initial access vector was never properly fixed. The original ransomware group then has deniability about your second or third cyber incident, giving them an appearance of credibility that never existed.

Not only is law enforcement discovering this, but now, sadly, a new wave of victims is emerging: those who paid group #1 but are now being extorted by group #2. All this being said, there has always been evidence of some ransomware groups skipping town with the ransom and not providing decryption keys, or providing keys that don’t work properly, which is just as bad. As before, the ransomware gang can claim they held up their end of the deal by giving you working keys when they did not, or can simply falsely advertise their capabilities. There is no honor among thieves.

Insult to Injury

It should surprise no one that the cost of cyber liability insurance and services around ransomware has skyrocketed. Just like your auto insurance rates increase when you open a claim for an accident, your cyber liability insurance will most likely increase dramatically, or you may get dropped completely when the matter is over. Those are business costs that sometimes get overlooked during the heat of the battle. You may have paid $25,000 in one-time ransom, but if your insurance premiums go up $25,000 per year for every year you are in business from now on, is this a wise financial move? 

I hate to paint Insurance as a bad guy, as they provide a much-valued service for businesses today. But at the end of the day, ransom payments are a business decision with wide-reaching implications long after the battle. Costs are still costs. Paying a ransom might cost your business more in the long run than enduring the short-term financial pain today.

Final Advice

I will summarize what you need to know and incorporate it into your business equations to determine whether you should pay the ransom.

1. Check to see if your variant of ransomware is one that either CISA or FBI has decryption tools available before you start any discussions on paying ransom.

2. You cannot trust the extortion groups regarding their capabilities or commitments. They will lie, and they have. They are criminals.

3. Ransomware/Theft negotiations ARE NOT enforceable business contracts. Don’t treat them as such. You can’t sue them for breach of contract when they double-cross you.

4. Don’t get caught up in the emotions. I’ve seen people think this is a scene from a movie and get the adrenaline rush of “talking to the bad guys” or have strong emotions as they feel violated or the pressure of the situation gets to them. It’s human. But adrenaline and emotions skew the rational, analytical conversations that need to take place. Take a breath before moving on.

5. Don’t do this alone. You need to have good, experienced legal counsel advising you along the way.

6. Don’t do this alone. You need a good, experienced Incident Response Team to help your company’s recovery efforts while you have a business conversation with legal counsel. Remember, these gangs are selling information on how they broke into your systems. You need experienced experts to determine how they did it and provide a path to remediation so that future attacks can be properly fended off. While multitasking during negotiations with Khan may have worked for Captain Kirk in the movie The Wrath of Khan, it is not a good foundation for success, and we’re not Captain Kirk.

7. Companies that prepare for ransomware/breaches fare better than those that do not. Do you know how long it will take to restore your systems? Is this good enough for the business to survive? The best time to handle ransomware is during the preparation stage, when things are calm and you can plan your defenses and response strategies. Engage with an experienced Incident Response team to help you prepare. Your cyber insurance carrier may even have plans or programs to help you at no additional cost. Don’t overlook these policy benefits.

8. Finally, don’t hide from regulators. Some business leaders debate the pros and cons of not disclosing the breach if they get their data back. It has been my experience that the fact you were breached will eventually come to light, whether you want it to or not. You won’t be able to hide this forever.

If you become a victim, there is no one-size-fits-all answer for dealing with extortion gangs. Learning what happened to others in similar situations may help you weigh those facts while determining what to do. I never fault a company for doing what is best for it in these situations. What works for one company may not be appropriate for another. If you are a ransomware or data theft victim, the experienced team at SecurIT360 is ready to lend a hand. You can contact us at https://securit360.com/contact. I hope this has been helpful and that we can meet someday under favorable circumstances, not because my team’s response services are needed.

[1] To obtain a copy of the ESXiArgs-Recover tool, visit CISA’s GitHub page at: https://github.com/cisagov/ESXiArgs-Recover.

[2] For the FBI tool, you need to open an IC3 report at: https://www.ic3.gov. In the description, ask for the specific decryptor tool that you need so that your request is routed to the right team (BlackCat, ALPHV, Sphynx variants only).


NY DFS Cyber Regulation Proposed Amendments Target Ransomware Notification

On July 29th, 2022, the New York State Department of Financial Services (NY DFS) published pre-proposal amendments to its landmark Cybersecurity Regulation, 23 NYCRR 500. The “DFS Cyber reg”, as it’s often referred to, was a first-in-the-nation regulation when it was published in 2017 and has since served as a model for countless other regulations. The proposed amendments are clearly designed to do the same, as nearly every section carries new or amended requirements.

In this blog post we’re going to describe one of the most significant proposed amendments to the reg. That is, the NEW requirements related to ransomware, extortion and the reporting of those cybersecurity events.

Notice of Ransomware Event

The proposed amendments to Section 500.17 would incorporate two new definitions of a cybersecurity event, one of which specifically addresses ransomware. Should any of the events described in this section occur, electronic notification to the superintendent, within 72 hours, is required.

  • 500.17 (a)(4) – cybersecurity events that resulted in the deployment of ransomware within a material part of the covered entity’s information system.

Under the current rule, a ransomware case has to be reported only if it triggers a required notice to a government body, self-regulatory agency or any other supervisory body, or if there is a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity.

Notice & Description of Extortion Payment

The proposed amendments to Section 500.17 would also incorporate a requirement to notify the superintendent of extortion payment, within 24 hours of the payment. A written description sent to the superintendent would also be required within 30 days. This written description would have to include:

  • A written description of the reasons payment was necessary

  • A description of alternatives to payment considered

  • All diligence performed to find alternatives to payment

  • All diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control

Plans are nothing; planning is everything

There’s no doubt that, if these amendments pass, they would impose significant new requirements on covered entities’ cybersecurity event reporting policies and procedures. If your incident response plan does not specifically address the company’s policies and procedures for responding to and reporting ransomware events and extortion payments, it would be worthwhile to begin that work now. Given the impact ransomware has had over the last several years, there’s little doubt that some form of ransomware notification will make it into the final regulation. The time to prepare is now.


7 Questions to Ask Before Deciding Whether to Pay a Ransomware Attacker

Intro

  • Ransomware is on the rise, accelerated by the pandemic. In 2020, ransomware exceeded $1.4 billion in the US alone, according to an estimate from Emsisoft.
  • Definition: When threat actors prevent a company from accessing their systems, network, or data until a demand is met.

7 Questions to Ask Before Deciding Whether To Pay a Ransomware Attacker

  • 1. & 2. Do You Have a Backup? Will it Work?
    • Today’s ransomware groups take backups into account. Even if you have backed up your critical files, you need to know the capabilities and limits of your restoration process. If a threat actor has access to your backups, there is a good chance they will attempt to encrypt or even delete them. If you haven’t tested a full restore before and haven’t deeply investigated your capabilities, you won’t know how lengthy or difficult such a restore could be. You may also not know whether the images you would restore already contain the attacker’s backdoors, or whether attackers have accessed any online backups.
  • 3. How Much Will the Ransom Really Cost You?
    • Many organizations wind up making the calculation that paying the ransom is cheaper than losing data and/or business continuity. How badly does your company need the impacted system or the data stored on it? Is the machine integral to business operations? There is also a cost to public perception and reputation: paying ransoms may cast your organization in a negative light.
  • 4. Do I Call Law Enforcement?
    • Statistically speaking, law enforcement has a low chance of catching ransomware groups, and they may not have the capacity to crack the encryption or obtain decryption keys. However, that doesn’t mean there’s no utility in reporting. Involving law enforcement makes it more likely the perpetrator will eventually be caught, opens the possibility of technical assistance (decryptors exist for some strains), and helps show regulators and the public that you took all reasonable actions. It may also fulfill a requirement of your cyber insurance coverage.
  • 5. Have You Considered the Risk of the Attacker Reneging?
    • Threat actors must maintain credibility in their claim that receiving the ransom payment will restore the victim’s systems. For the most part, that has been the case, but further deception has occurred on more than a few occasions (such as demanding a second payment). Given that possibility, it’s in your interest to speak with ransomware experts about how your particular group has handled ransom payments in the past.
  • 6. Have You Considered Law Enforcement Guidance?
    • Anyone who’s seen an action movie knows that the US doesn’t negotiate with terrorists. Perhaps surprisingly, then, the FBI, while advising against payment, does not rule it out under all circumstances and treats it as the victim’s decision. What do they say?
      • “Whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees and customers. Victims will want to evaluate the technical feasibility, timeliness, and cost of restarting systems from backup.”
  • 7. Can You Forestall the Attack on Your Own?
    • Ransomware attackers use many of the same methods as other attackers, and for some strains public guidance or decryptors already exist that could let you recover without the attacker’s help.
      • The No More Ransom project, a collaboration between European law enforcement and the cybersecurity companies Kaspersky Lab and McAfee, offers decryption tools for more than 85 ransomware varieties.

Conclusion

  • Deciding to pay a ransom or not is a difficult question to answer. Ultimately, it should be an informed and calculated decision based on due diligence and support from internal and external parties. However, if we want to do our part to try and curb ransomware attacks, we should design our systems and protect our organizations such that paying the ransom is left as a last resort.