One of the nation’s highest profile ransomware attacks occurred in February 2016 when Hollywood Presbyterian Medical Center paid $17,000 in bitcoin to criminals in order to retrieve access to its data.
There have been many more attacks of varying sizes since then and, just this past quarter, there was a ransomware attack demanding a seven-figure payment. For the most part, however, the average ransomware demand hovers around $10,000.
Small and medium-sized businesses (SMBs) are big targets for cybercriminals looking to hold data for ransom for several reasons.
First, the market itself is big. SMBs, defined as organizations that generate less than $1 billion in annual revenue, account for about 99.9% of all companies, 47.5% of all jobs and as much as half of annual GDP.
In the first nine months of this year, 71% of all ransomware incidents handled by our breach response services team were for companies of this size.
Second, SMBs are also less likely to have backed-up their data, meaning it is easier to pay the ransom, move on, and get the business back up and running.
Lastly, an unfortunate trend we are seeing today is that after cybercriminals break into a server they are doing reconnaissance and “advance work,” getting into a company’s network and disabling the back-up before deploying the encryption mechanism. While SMBs may have adequate first lines of defense, they less likely to withstand this kind of premeditated, sophisticated cyberattack.
Fortunately, for the business owner, there is a lot of readily available information on how to protect a business from ransomware attacks and what to do if you have been hacked. Here an excerpt from our “best practices” recommendations, which can be accessed here.
- Ensure anti-virus software is up-to-date.
- Regularly train employees to avoid phishing attempts and not to open unsolicited attachments and links, particularly from unknown sources.
- Periodically test employees through phishing campaigns, monitor the effect on response rates, and consider a formal sanctions policy.
- Block emails with .js, .wsf, and .zip extensions and macros at your email gateway level. If possible, disable the following commonly used attack vectors: Adobe Flash Player, Java, and Silverlight.
- Block macro-enabled malware files from running on Microsoft Office 2016 programs like Word, Excel, or PowerPoint by using group policy setting.
- If you use JBoss, review the developer information on configuring and hardening it.
- Evaluate whether application whitelisting makes sense for your systems.
- Disable autorun/autoplay functionality on your operating system to prevent malicious software from running on your computer. This will prevent an external hard drive or fixed drive from automatically running a program.
- Enable automated patches for your operating system and web browser. Robust network segmentation can often reduce the impact of ransomware.
- Enable strong identity and access management, with the use of established principles of least privilege (“need to know”), and limit local administrative rights.
- Invest in an intrusion detection system to monitor signs of malicious activity. Implement (and test) a data backup and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location (preferably offline). Backup copies of sensitive data should not be readily accessible from local networks.
Response to a Ransomware Infection
- Infected machines should be disconnected from the network (wired and wireless) as soon as possible.
- Evaluate extent of infection, attempt to identify the type of ransomware variant, and determine whether the infected machine was connected to shared or unshared network drives, external hard drives, USBs, or cloud-based storage. You may also want to check for a registry or file listing created by the ransomware.
- Evaluate whether there are any other malicious scripts or malware running on the infected machines. If so, preserve a copy of the ransomware variant and any other malicious scripts or malware for later forensic analysis to identity the capabilities of the particular ransomware variant or malicious scripts or malware.
- Clean the ransomware, malicious script or malware from impacted systems (a variety of free and paid disinfection tools exist for this purpose) and reinstall the operating system.
- The best situation is often to restore from a reliable backup. A well thought out backup and restoration plan is one of the most important countermeasures against ransomware. It is critical for organizations to ensure that there is adequate network segmentation and/or off-line backups in place to protect your backups from corruption by the ransomware. In addition, organizations should regularly test their backup to ensure that the process is functioning as designed and there is no data corruption.
- There is no guarantee of honor amongst thieves; the attackers might just take the money and run, or their decryption code might fail to work. There is also no guarantee that you’re paying the right criminal.
- Some types of ransomware can be decrypted with the right tools. Find out what the variant of ransomware is and see if a legitimate decryption tool is available. Be cautious of companies telling you they can “break the encryption.” Many ransomware variants employ commercial-grade encryption against which brute force attacks are difficult or impossible. Additionally, be careful about the source of any “decryption tool” so that you are not causing more harm by downloading another piece of malware.
- Consideration should be given to how and to what extent you should try to communicate with the criminals. Often, ransomware that comes with an extortion demand has a hotline or even webpages dedicated to guiding affected victims through the payment protocol.
- If you intend to communicate with the criminals, set up an anonymous email account for that purpose. Do not provide any additional information about your organization; doing so could lead to an increased ransom demand.
- It is possible to negotiate a lower price with the criminals, as well as to ask them for additional time to pay to buy yourself time.
- Keep in mind that it is possible that the criminals have no idea what type of data is at risk, nor do they usually know the status of your backups. Do not share any type of identifying information with them. If they find out your data is very sensitive, the ransom demand could jump significantly.
- Some types of extortion arrangements come with a “proof of life” which can help you verify that the criminal has the ability to unlock your files.
- Thoughtful consideration and caution should be used if you are accepting any file from these criminals. Any decryption keys or “proof of life” could contain additional malware.
- Purchasing bitcoin online can take up to 3-5 business days in some cases. Typically, you can purchase bitcoin from an exchange or broker. Reputable U.S-based exchanges require payment by ACH bank transfer, which takes a few days.
- It is possible to speed up the process by using a credit card or debit card at an exchange based outside the U.S., but the risks are greater. Not all exchanges are trustworthy. Even if the exchange is reputable, these types of sites usually charge a larger premium for the transaction because of the high risk of fraud.
- If the bitcoin amount is relatively low, obtaining bitcoin from a physical ATM may be the quickest option. A network of physical Bitcoin ATMs exists in most major metropolitan areas where bitcoin can be bought in person.
About the Author:
Brett Anderson, CISSP, is Breach Response Services Manager at Beazley. As part of the Breach Response Services team, Mr. Anderson guides policyholders in crisis to rapidly respond in the event of a suspected or confirmed data privacy and/or cybersecurity incident. Prior to joining Beazley, Mr. Anderson held various Information Security leadership positions within the Healthcare, Higher Education, and Financial Services sectors. He also holds several professional designations such as the CISSP, Certified Information Security Professional and is a former PCI-ISA, PCI Internal Security Assessor. He also earned a Bachelor’s of Science in Information Security & Assurance from Kennesaw State University.