A message from Perpetual Storage’s CIO, J.R. Maycock, about practical ideas to protect your business operations from the predominant cybersecurity threat.
Ransomware attacks are continuing to evolve into an ever more potent threat requiring proactive attention from business leaders. In 2020 extremely few businesses can truthfully declare their market value to exist in only physical, tangible form. Digital assets are the norm across all industries and business sizes, data is either the existential core of the business or a critical mechanism to organizing operations and achieving market presence. Any company hit with ransomware will certainly lose competitive advantage and face immediate costs in ranges of hundreds-of-thousands to multiple millions of dollars, or could entirely cease to exist. With these stakes in mind let’s break down the changing nature of the threat and what actions are required to reduce or remove exposure to this risk for your company.
Common knowledge about ransomware from the last 7-10 years expects attacks to be low-effort, indiscriminate, and immediately trigger automated encryption of the first machines or data discovered by malicious software. This knowledge is no longer accurate in 2020, there has been a marked pivot within the last 12 months toward human-operated ransomware. To make correctly informed business decisions it is vital to understand this shift in adversary behavior. Instead of being reserved for the largest enterprise companies, tailored attacks with high levels of skill and hands-on attention are now standard for business and government entities of all sizes and industries, from a 5-person architecture firm to a 15,000 head count chemical manufacturer. An attack begins by using some means of gaining initial access to a business’ digital estate, forming a foothold on one machine or within one application. Attackers then spend time moving laterally in the digital estate by gaining access to additional connected systems and compromising accounts with powerful system administrator permissions. Attackers will stay resident in the network for days or weeks to carefully identify the highest-value data for that specific company, and they will pay special attention to locating all network-accessible backups of the data.
It’s worth highlighting one further change in cyberadversary tactics specific to 2020: ransomware attackers who identify what data is most valuable or most confidential for a specific business will now exfiltrate a copy of that data to somewhere outside the business under the attacker’s control prior to finalizing their attack. Data theft was almost never paired with ransomware until two novel attacks in November 2019, but the high-visibility success of those attacks have rapidly altered the behavior of other attackers to make exfiltration a common and mainstream tactic. The motivation for investing time into data theft is to gain additional leverage over the targeted company by threatening to publicly release sensitive information such as customer identities, pricing contracts, proprietary designs, internal financial statements, or HR records. This leverage will be used to either shorten the timeline for a business to decide on its response to the ransom demand by threatening to release the data on a specific near-future date, to demand a higher ransom sum in exchange for a promise to delete the exfiltrated data copy, or to demand an independent second round of ransom payment if a company chooses to pay to unlock their files.
The encryption or data lockout stage of the attack will only be triggered once the attackers are certain they can simultaneously affect all production systems and destroy all backup copies a business would use to recover those systems. Attackers will deliberately try to time executing this final stage for when a business is most vulnerable: concurrent with scheduled time off for key decisionmakers, just ahead of critical deadlines promised to clients, overlapping key seasonal spikes in sales volume, and so on. Attackers will also try to ensure they disable monitoring systems or security operations alerts just before triggering the final stage to buy time for the attack to succeed in completely locking out business operations before any stakeholders notice or intervene to limit the scope of impacted systems.
If your company is on the receiving end of a successful attack the temptation to pay the ransom could be powerful. My best advice based on 10 years of real-world experience is to not select that choice – do not pay the ransom. There are a few justifications behind that advice, possibly chief among which is that the size of ransom demands is growing rapidly. The average ransomware payment in Q2 2020 now exceeds $175,000 dollars, up by 60% from Q1 2020 and an astonishing 390% from one year earlier in Q2 2019. That average figure represents what an attacker might choose when targeting a company with a headcount between 25-150 employees, but maximum figures for ransom demands are much higher. Successful attacks against either a company with 5000+ employees or a smaller company with large volumes of cashflow now involve ransomware payments in excess of $2,000,000. This rapid growth is feeding incentives for more attackers to participate in the “ransomware economy” and target additional businesses; widespread refusal to pay ransoms would deflate the momentum of this growth and improve the collective risk exposure for all companies.
Paying the ransom is no longer a viable strategy for reasons beyond just the initial cost, there is a very timely conversation required in this Cybersecurity Awareness Month around regulatory implications and civil penalties. Two agencies within the US Dept of Treasury, the Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC), released updated regulatory guidance on October 1, 2020 that substantially changes the landscape for business decisions around ransomware response. Ransomware payments are required to be made via untraceable transfers of cryptocurrency, with Bitcoin specifically being the near-universal demanded payment method. FinCEN’s guidance alerts financial institutions and incident response firms that their role as intermediaries in facilitating ransomware payments carries regulatory and reporting requirements under the Bank Secrecy Act. OFAC’s new guidance is more broadly applicable and points out that many ransomware operators are named targets of US sanctions which disallow any financial transfers to those entities. Given the anonymous nature of the payments for ransomware, anyone paying a ransom demand risks incurring US sanctions violations. OFAC emphasizes its intention to use its enforcement authority to encourage policy shifts toward refusing to make ransom payments and will reserve special attention for entities who make ransom payments without disclosing the attacks to US law enforcement agencies. Collectively, these announcements lay out the possibility of exposure to $150,000+ in civil penalties per statutory violation (there could be multiple violations involved in a single attack) for not just ransomware victims but also any companies involved in incident response, threat actor negotiations, and cybersecurity insurance. OFAC has the authority to enforce “strict liability” in deciding civil penalties, meaning ignorance of the destination of a ransomware payment is insufficient defense for any party involved in making payment. The message is clear: not paying the ransom is greatly preferred by law enforcement. Companies should instead place significant emphasis on proactive efforts to prevent successful ransomware attacks and be prepared with remediation plans that allow successful recovery from ransomware without paying demanded ransom.
Beyond either of the prior paragraphs, calculating the full impact to a business from a successful ransomware attack requires quantifying the cost of downtime and loss of market reputation. Research consensus in 2020 places the amount of time where a business is 100% inoperative at 4-5 days and total downtime where a business experiences material interruption at 16 days. Worst-case 100% outage events above the average easily last 45+ days and typically end in the permanent closure of the affected business. I know of almost no companies where that timeline would impose immediate costs of less than $250,000, but depending on operations volume it becomes quickly plausible for the cost to be 10X or 25X that number.
As with any decision involving risk it is important to know the probability of a ransomware event occurring at your company. I want to emphasize that 2020 really is unique and different with respect to probability without venturing into the territory of hyperbole; I’m not interested in scare tactics, just real-world information gathered from multiple reliable sources to correctly inform business decisions. Ransomware attack volume has grown sevenfold year-on-year when comparing the first six months of 2019 to the same six months in 2020. The specific growth in highly targeted human-operated ransomware covered earlier in this article is visible in a different statistic: the cumulative count detected for this type of attack from all of 2019 was exceeded by June 2020. Depending on survey demographics the likelihood that a US-based company has experienced a ransomware infection in the past 12 months varies from 52% on the low side to 69% on the high side. Ransomware is no longer an abstract concept that can be ignored as unlikely to ever happen to your company, the resultant odds of the decision to take no action are worse than calling a coin flip.
Any reasonable analysis of these risks would agree that prevention and preparation are mandatory, the cost of doing nothing is too high. Investments now into better technologies, processes, and knowledge can happen within cost ranges of four- and five-figure totals and will yield large returns against six- and seven-figure risks. The first brick in the foundation of ransomware response is to have backups that follow a modernized version of the 3-2-1+ paradigm: have at least three copies of your data located in two separate administrative realms with at least one backup copy being kept offsite and totally inaccessible from the production business network, ideally in offline storage. The offline copy must always contain recent data, must be authentically airgapped, and must be able to return to live operations fast enough to limit downtime costs to the business. Perpetual Storage is a partner organization dedicated to delivering these capabilities as-a-service via Granite Cloud and its Isolated Data Tier (IDT). Working closely with our clients we can reduce the difficulty of implementation and speed up the timeline of your business achieving a protected end-state.
Isolated backups are a necessary prerequisite, but not solely sufficient for achieving appropriate protection from ransomware. Additional important actions include the following.
- Take personal responsibility for understanding the facts about cybersecurity. Do not make superficial decisions. Do not underfund proper IT practices or allow unacceptable amounts of risk to silently lurk within your company.
- Limit the number of remote access methods to the minimum required for successful business operations. Be especially certain to never expose direct Remote Desktop access for servers or workstations too the public internet, always connect through a VPN or other limited-scope network tunnel instead. Require security baselines on all remote access methods, without exception, of multi-factor authentication + audit logging + actionable alerts when changes from established patterns are detected.
- Continuously install software updates in a timely manner to remove vulnerabilities attackers can use to enter the digital estate of a business. One recent high-risk example is the Zerologon vulnerability for Active Directory, but it is just as important to keep network equipment and non-Windows computers up to date.
- Enforce least-privilege access to all business data. Also ensure permanent separation of “daily driver” productivity accounts and administrator accounts, do not let the same credentials be used across both roles. Enforce multi-factor authentication on all administrator accounts, ideally using security keys requiring proven possession of physical hardware.
- Protect maximum-sensitivity business data with tools that actively block exfiltration and data theft. Good examples include using mandatory unremovable encryption for files or databases no matter where they are stored and requiring real-time authentication of users each time they request access to sensitive data.
- Practice restoring your business operations from a simulated ransomware attack. Understand what real-world limitations you are going to encounter before encountering them for the first time during an emergency.