The weekly news reports about ransomware cyberattacks keep getting worse, and the ransoms being demanded keep getting bigger. Ransomware is not a new threat; it has existed in one form or another for more than 30 years (the first documented specimen dates to 1989). But it has become a trending threat, and unlike other trends, this one you can’t afford to ignore. In fact, ransomware has become a veritable cyber pandemic.
Just the other morning, one article reported on a recent attack:
Even multinational tech companies, which understand firsthand the value of cybersecurity, can be targeted by ransomware groups.
“The XYZ Corporation, a publicly-traded electronics and tech company headquartered in Taiwan, was hit by a ransomware attack on November 29.
The hackers responsible say they encrypted data related to its North American operations and have told the XYZ Corporation to pay roughly 1,804 Bitcoin (currently worth about $34.5 million) for a decryption tool.
A ransom note from the hackers, a group known as DoppelPaymer, stated, “If no contact made in 3 business days after the infection[,] first portion of data will be shared to the public.”
See “Ransomware Gang Demands $34 Million in Bitcoin from _____”, available at https://decrypt-co.cdn.ampproject.org/c/s/decrypt.co/50702/ransomware-gang-demands-34-million-in-bitcoin-from-foxconn?amp=1.
And the list of other ransomware attacks for the year is lengthy. See “The State of Ransomware in 2020”, available at https://www.blackfog.com/the-state-of-ransomware-in-2020/#nov (listing ransomware attacks for the year and noting, “Ransomware cyberattacks are a big business, so big in fact, that research anticipates a business is attacked by a cybercriminal every 11 seconds and damage costs from these attacks will hit around $20 billion by 2021.”).
The sheer number of ransomware attacks is even more startling given how short the timeline is: the current wave dates at least from 2017, when the catastrophic Petya/NotPetya attacks caused an estimated $10 billion in losses. See “The Untold Story of NotPetya,” available at https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/. Since then, hundreds of blog articles and hundreds of seminars and webinars have been devoted to ransomware.
Why has this outpouring of information not succeeded in stamping out ransomware attacks? Probably for a few reasons: (1) lack of clarity in the message and in the defensive measures proposed, leaving readers asking “what do I do first?”; (2) too many competing messages about too many different attacks, leaving readers saying “there is so much information out there, I am confused, what do I do?”; and (3) a change in tactics. Ransomware has morphed from a pure “encrypted file problem,” which the timely application of business continuity measures and good backups could remedy, into a combined data exfiltration and encrypted file problem, in which the attacker copies your data out before encrypting it and threatens to publish it if you do not pay. Reason (3) tends to be more troublesome for defenders than the other two, because restoring from backup restores availability but does nothing to un-steal the data, and because the method and mode of attack are hard to predict. A lot more can go wrong when an attacker is poking around your network for weeks or months rather than hours or days: in that time they can harvest credentials, locate and destroy your backups, and quietly copy out whatever they please.
What America needs is a ransomware “vaccine.” Though we are not the FDA or the CDC, we have a four-part vaccine that any corporation can inject itself with to ward off the ransomware pandemic. The measures can be taken at the same time. Parts 1-3 of the vaccine can be started immediately and with comparatively modest effort. Part 4 will take some time to implement, but if you do parts 1-3 first, you should be relatively safe from a catastrophic attack until the encryption work is done. We have it within our grasp, so let’s beat the ransomware epidemic ASAP with these vaccines:
Enact multi-factor authentication: a big problem in today’s cyber ecosystem is the enormous volume of stolen credentials for sale on the Dark Web. Attackers use stolen credentials to log in to corporate networks (VPNs, remote desktop, email and cloud consoles) as if they were employees; once inside they move laterally and set traps and backdoors in an attempt to steal your most valuable information. Enforcing multi-factor authentication blunts this attack pattern, or at least makes it much harder for attackers to get in with freshly purchased credentials: a password alone is useless without the second factor. Prioritize every remote-access path and every administrative account, and prefer app-based or hardware-token factors over SMS codes, which can be intercepted or SIM-swapped.
Patch, then patch some more: as we know from Petya/NotPetya, WannaCry and many other attacks, some of the most destructive cyberattacks have stemmed from unpatched vulnerabilities. In both of those 2017 outbreaks, the Windows SMB flaw being exploited had been fixed by Microsoft in March of that year, months before the worms spread. As one recent article noted, “Cybercriminals exploiting unpatched system vulnerabilities continue to be one of the top reasons enterprises suffer unauthorized intrusions. With the increasing number of interdependent online infrastructures and devices, proper patch management and procedures are more critical than ever. And while the task of patching systems can cost enterprises a few hours, past incidents have shown that failing to patch systems with the latest security updates can prove to be more costly.” Vulnerabilities should be patched within two weeks of the fix being published. More critical vulnerabilities, as rated by the software vendor and US-CERT, should be patched within 72 hours, starting with anything that faces the internet. Patching also means verifying: confirm that the update actually installed and that the system was rebooted if the fix requires it, because a scheduled patch that failed silently protects no one. As some very high-profile attacks have shown, waiting four to six months to patch a known CVE is simply unacceptable in today’s threat-filled environment.
“Segment” critical data: if you assume that you will eventually be hacked, then you will probably at some point have to defend against a ransomware attack. If you haven’t started planning for the worst, you will not be left with many good options.
We first assume you are backing up your network and keeping at least one copy segmented, offline, and nowhere near the internet. Whether on removable backup media or in the cloud, some offline (or immutable) backup is imperative for recovering quickly from an attack. Attackers who dwell in a network for weeks routinely locate and delete or encrypt online backups before triggering the ransomware, so a backup reachable with the same credentials as production is not really a backup. Test your restores, too: a backup you have never restored from is an untested assumption. See “Backup Strategies,” http://www2.mitre.org/public/industry-perspective/documents/05-ex-backup-strategies.pdf (“Ensure the backup data is isolated from other enterprise services to protect the backups from being impacted by adversary attacks.”).
But what happens if you find out too late that your attacker was on your network for months and exfiltrated critical data, say, e.g., the plans for the next joint strike fighter, the F-40, or the next great SaaS application, which he or she now plans to ransom back to you or, if you don’t “pay up,” publish on a “name and shame” leak site? Either option is repugnant: if you don’t pay the ransom, your name in the marketplace and with the regulators may well be “mud,” and if you do pay, you have bought nothing more than a criminal’s promise to delete the copy. Instead of facing that choice, doesn’t it make more sense to keep your “Crown Jewels” on a separate development server, offline, segmented, and safe from prying eyes? Not everything needs to be connected to the internet, and not all data needs to be accessible from everywhere by every employee, or by attackers. Segment your Crown Jewels. You won’t regret the decision or the extra cost of a dedicated server.
Encrypt your most critical data: encryption is the cousin of segmentation. Instead of segmenting your most critical data offline, encrypt it (or, better, do both). Encryption has had its controversies, but the tooling is now more mature and more widely available than ever. Data can be encrypted at rest. See for example “Azure Data at rest,” available at https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest. Data can be encrypted in motion. See “Data Protection: Data In Transit vs. Data At Rest,” available at https://digitalguardian.com/blog/data-protection-data-in-transit-vs-data-at-rest (“For protecting data in transit, enterprises often choose to encrypt sensitive data prior to moving and/or use encrypted connections (HTTPS, SSL, TLS, FTPS, etc) to protect the contents of data in transit”).
Data can even be encrypted while it is in use, through homomorphic encryption. In a nutshell, homomorphic encryption is a form of encryption that lets data stay encrypted while it is processed and manipulated: you or a third party (such as a cloud provider) can apply functions to the ciphertext and obtain an encrypted result without ever seeing the underlying values. The caveat is cost: fully homomorphic schemes remain computationally expensive, so today they suit narrow, well-defined workloads rather than general-purpose processing. See “Homomorphic Encryption,” available at https://www.thesslstore.com/blog/what-is-homomorphic-encryption/.
Thus, stolen data that is encrypted should have no value to an attacker, since he or she cannot read it in any form without also obtaining the key. Two caveats. First, segment your encryption keys so they cannot be stolen along with the data: keep them in a hardware security module or a managed key service, under separate credentials and separate administrators, so that compromising the file server does not compromise the keys. Encryption at rest protects you against a copied disk or a scraped storage bucket; it does not protect you from an attacker who has taken over an account that is authorized to decrypt, because the system will cheerfully decrypt for them, which is why parts 1 and 3 come first. Second, encrypting your data does not stop ransomware from encrypting it again and denying you access; only the offline backups of part 3 address that. Encryption addresses the exfiltration half of the problem; segmentation and backups address the availability half.
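To show what “computing on encrypted data” means in practice, and how it pairs with keeping the key away from whoever holds the data, here is an added example written for this article (not code from any cited source or vendor): a pure-Python implementation of the Paillier cryptosystem, which is additively homomorphic. A data owner encrypts values, hands only the public key and ciphertexts to an outsourced processor (the “cloud provider” in the paragraph above), the processor adds them without being able to read them, and only the holder of the private key can decrypt the total. The primes, the `outsourced_total` and `payroll_demo` functions and the salary figures are this example’s own constructions, and the fixed 30-bit primes make it a toy: a real deployment would use random primes of at least 1024 bits each.

```python
import math
import secrets

# Toy parameters so the example is deterministic and runs instantly.
# ASSUMPTION / NOT SECURE: real Paillier keys use random primes of 1024+ bits.
P = 1_000_000_007
Q = 998_244_353


def keygen(p=P, q=Q):
    """Paillier key generation with the common choice g = n + 1."""
    n = p * q
    n_sq = n * n
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    g = n + 1
    # L(x) = (x - 1) // n ;  mu = L(g^lam mod n^2)^-1 mod n
    mu = pow((pow(g, lam, n_sq) - 1) // n, -1, n)
    public_key = (n, g)
    private_key = (n, lam, mu)   # this is what must be segmented away from the data
    return public_key, private_key


def encrypt(public_key, m):
    """Enc(m) = g^m * r^n mod n^2 with a fresh random r, so equal plaintexts
    produce different ciphertexts and an attacker cannot spot repeated values."""
    n, g = public_key
    n_sq = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(n)
        if r > 0 and math.gcd(r, n) == 1:
            break
    return (pow(g, m, n_sq) * pow(r, n, n_sq)) % n_sq


def decrypt(private_key, c):
    """Dec(c) = L(c^lam mod n^2) * mu mod n. Requires lam and mu: the private key."""
    n, lam, mu = private_key
    n_sq = n * n
    return ((pow(c, lam, n_sq) - 1) // n * mu) % n


def add_encrypted(public_key, c1, c2):
    """Enc(m1) * Enc(m2) mod n^2 == Enc(m1 + m2): the additive homomorphism."""
    n, _ = public_key
    return (c1 * c2) % (n * n)


def scale_encrypted(public_key, c, k):
    """Enc(m)^k mod n^2 == Enc(k * m): multiply an encrypted value by a known constant."""
    n, _ = public_key
    return pow(c, k, n * n)


def outsourced_total(public_key, ciphertexts):
    """What the cloud provider runs. It holds the public key and ciphertexts only,
    never the private key, and returns an encrypted sum it cannot read itself."""
    total = encrypt(public_key, 0)
    for c in ciphertexts:
        total = add_encrypted(public_key, total, c)
    return total


def payroll_demo(salaries):
    """Owner encrypts, provider sums blindly, owner decrypts. Returns the plaintext total."""
    public_key, private_key = keygen()
    ciphertexts = [encrypt(public_key, s) for s in salaries]  # these leave the premises
    encrypted_sum = outsourced_total(public_key, ciphertexts)  # computed off-site
    return decrypt(private_key, encrypted_sum)                 # only the key holder can read it


if __name__ == "__main__":
    print(payroll_demo([95_000, 120_000, 143_500]))  # 358500
```

If the provider’s copy of the ciphertexts is stolen, the thief has large integers modulo n squared and nothing else; the private key (`lam`, `mu`) never left the owner, which is exactly the key segmentation the paragraph above calls for.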
Paul Ferrillo focuses his practice on corporate governance issues, complex securities class action, major data breaches and other cybersecurity matters, and corporate investigations.
Paul has throughout his career represented public companies and their directors and officers in shareholder class and derivative actions, as well as in internal investigations. In particular, he has coordinated numerous internal investigations on behalf of audit committees and special committees, and handled the defense of securities class actions alleging accounting irregularities and/or financial fraud.
Paul represents clients across a wide range of industries, including retail, aerospace contractors and sub-contractors, apparel, financial services, investment banking, private equity, hedge funds, 1940 Act funds, energy, oil and gas, and real estate.
Paul also has extensive experience in cybersecurity corporate governance issues. He has previously assisted clients with governance, disclosure, and regulatory matters relating to their cybersecurity postures and the regulatory requirements that govern them.
Paul maintains an active pro bono practice and has acted as pro bono Counsel/Litigator for the Humane Society of the United States in connection with a successful effort to close a puppy mill accused of improper sales tactics and abuse of puppies.
He is also the author of Navigating the Cybersecurity Storm: A Guide for Directors and Officers (Advisen 2015) and Co-Author of Take Back Control of Your Cybersecurity Now: Game Changing Concepts on AI and Cyber Governance Solutions for Executives (Advisen 2017).
Chris Veltsos is a Professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches cybersecurity courses and oversees a cyber risk graduate program.
Beyond the classroom, Chris helps leaders and their organizations take stock of their digital risks and manage them across the intricate landscape of technology, business, and people.
Chris is co-author of the book Take Back Control of Your Cybersecurity Now (2017) and The Great Reboot – Succeeding in a World of Catastrophic Risk and Change (2020).
Chuck Brooks, President of Brooks Consulting International, is a globally recognized thought leader and evangelist for cybersecurity and emerging technologies. LinkedIn named Chuck one of “The Top 5 Tech Experts to Follow on LinkedIn.” Chuck was named a 2020 top leader and influencer in “Who’s Who in Cybersecurity” by Onalytica. He was named by Thomson Reuters a “Top 50 Global Influencer in Risk, Compliance,” and by IFSEC the “#2 Global Cybersecurity Influencer.” He was named by The Potomac Officers Club, Executive Mosaic and GovCon “One of The Top Five Executives to Watch in GovCon Cybersecurity.” Chuck is a two-time Presidential appointee who was an original member of the Department of Homeland Security. Chuck has been a featured speaker at numerous conferences and events, including presenting before the G20 country meeting on energy cybersecurity. He is also a Cybersecurity Expert for “The Network” at the Washington Post, Visiting Editor at Homeland Security Today, and a Contributor to FORBES. He has also been a featured speaker and author on technology and cybersecurity topics for IBM, AT&T, Microsoft, General Dynamics, Xerox, Check Point, BlackBerry/Cylance, Malwarebytes, and many others.
About High Performance Counsel (HPC)
Founded by international lawyer and successful legal technology founder, David Kinnear, High Performance Counsel (HPC) is the leading business media resource covering the modern legal industry and the people, technology and economic forces driving its future. Described as the “voice of the modern legal industry” HPC provides world-class media coverage via one-to-one feature interviews with leading legal professionals and the publication of key insights via articles, white papers and industry commentary.
Visit us online here: https://HPC.law
Follow us on Twitter: https://twitter.com/HipCounsel
Connect with David Kinnear on LinkedIn: https://www.linkedin.com/in/davidkinnear/
Connect with HPC on LinkedIn: https://www.linkedin.com/company/hipcounsel