You’ve heard of ransomware-as-a-service and ransomware attacks through supply chains. Now gangs have a new tactic: Pay us before the attack starts.
“We’re seeing attackers bold enough to launch ‘pay to stay away’ attacks,” Sumit Bhatia, director of innovation and policy at Ryerson University’s Rogers Cybersecure Catalyst, told a ransomware webinar Wednesday.
“They demonstrate [to an organization] their ability to attack but do not actually do so. Instead they warn the organization to pay them before they launch a full-scale attack. This is usually made against organizations that do not have the resources or expertise to modify or adjust their [IT] systems in time for a future attack.”
Bhatia was one of four experts on the panel, organized by The Globe and Mail. The others were Brad Stocking, associate partner for cloud and infrastructure security at IBM; Suzie Suliman, an associate at the Norton Rose Fulbright law firm; and Randy Walinga, director of IT, teaching and learning services at McMaster University’s DeGroote School of Business.
Coincidentally the webinar was held the same day the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and its partners in Australia and the U.K. issued an alert because of an increase in “sophisticated, high impact ransomware incidents against critical infrastructure” around the world (see below).
Suliman pointed out what most organizations know: Ransomware encrypts data, which causes operational disruption and raises the possibility of serious business interruptions and financial loss – and legal and regulatory obligations. Partners and customers know ransomware attacks happen, she said. As a result, “you’re not going to be judged on the fact that you had a ransomware attack most of the time. You will be judged on how you manage and respond to the incident.”
To prepare for a ransomware attack, an organization first has to understand its key lines of business, said Stocking, including how a breach could affect customers. Only then can the firm start discussing the potential protections it could put in place.
The goal, he said, is to not shut the company down after it realizes it’s been hit but to keep as much of the business running as possible.
“If you’re able to understand what is key to your business success, then turn it around and think about the motivation of attackers and how you would protect against a motivated attacker,” he said. “Then you can think about how you’d put a defence in place, and create an incident response plan.”
Small businesses shouldn’t think they won’t be targeted, Stocking added. In fact, he said, attackers may go after the small businesses that are partners of larger firms they hit, because those smaller partners may hold valuable customer data or intellectual property.
Small firms can have good cybersecurity, he added, if they focus on the basics. Attackers go after easily exploitable vulnerabilities, including misconfigured systems. “Just doing the fundamentals – a solid [application] patch program, knowing the assets you have, knowing where you will be targeted, employing vendors to support you where they can – you’ll be much further ahead of the game than a lot of companies who go to advanced technology and ignore the fundamentals.”
Walinga emphasized the importance of having a good data backup strategy to blunt ransomware attacks. Awareness training needs to cover everyone in the firm, including executives, he added. Training has to be continuous, with positive feedback for staff who ask, ‘Is this a lure?’
US/UK/Australia ransomware alert
In the US/UK/Australia ransomware alert, the agencies noted that last year they saw attacks against major critical infrastructure sectors including defence, food, government, IT, healthcare, financial services, energy and higher education.
“If the ransomware criminal business model continues to yield financial returns for ransomware actors,” the report predicts, “ransomware incidents will become more frequent.”
The alert outlines behaviours and trends of attackers, as well as recommended mitigations.
Those mitigations include:
- patching operating systems and corporate applications;
- securing and monitoring remote access services used by employees and partners;
- requiring multifactor authentication for as many services as possible;
- requiring the use of strong passwords, especially service, admin and domain admin accounts;
- using Linux security modules on systems running that OS;
- segmenting networks;
- using end-to-end encryption on online communications;
- ensuring all backup data is encrypted;
- and more.
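Several of the listed mitigations (patch currency, MFA on exposed remote-access services, strong passwords on service and admin accounts, Linux security modules, encrypted backups) can be checked mechanically against an asset inventory. The script below is an added illustration of such an audit; it is not code from the article, the webinar panel or CISA. The inventory format, the field names (`last_patched`, `remote_access`, `lsm`, `backup_encrypted`, `role`, `password_length`), the 30-day patch window and the 16-character threshold for privileged passwords are all assumptions constructed for this example, and the sample hosts and accounts are made up.

```python
"""Audit a constructed asset and account inventory against the mitigations
summarised from the US/UK/Australia ransomware alert.

Added example, not the article's or CISA's code. Inventory schema, policy
thresholds and sample data are assumptions constructed for illustration.
"""
from datetime import date

# Constructed inventory: per host, last patch date, exposed remote-access
# services (with MFA status), the Linux security module in use, and
# whether backup data is encrypted.
HOSTS = [
    {"name": "fs-01", "os": "windows", "last_patched": "2022-01-20",
     "remote_access": [{"service": "rdp", "internet_exposed": True, "mfa": False}],
     "backup_encrypted": True},
    {"name": "web-02", "os": "linux", "last_patched": "2021-11-02",
     "remote_access": [{"service": "ssh", "internet_exposed": True, "mfa": True}],
     "lsm": None, "backup_encrypted": False},
    {"name": "db-03", "os": "linux", "last_patched": "2022-02-01",
     "remote_access": [], "lsm": "selinux", "backup_encrypted": True},
]

# Constructed account list: the alert singles out service, admin and
# domain admin accounts for strong passwords.
ACCOUNTS = [
    {"user": "svc_backup", "role": "service", "password_length": 8, "mfa": False},
    {"user": "jdoe", "role": "user", "password_length": 14, "mfa": True},
    {"user": "da-admin", "role": "domain_admin", "password_length": 12, "mfa": False},
]

MAX_PATCH_AGE_DAYS = 30                 # assumed policy threshold
MIN_PRIVILEGED_PASSWORD_LENGTH = 16     # assumed policy threshold
PRIVILEGED_ROLES = {"service", "admin", "domain_admin"}


def audit_hosts(hosts, today):
    """Return (host, category, detail) findings for host-level mitigations."""
    findings = []
    for h in hosts:
        age = (today - date.fromisoformat(h["last_patched"])).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append((h["name"], "patching", f"last patched {age} days ago"))
        for ra in h["remote_access"]:
            # Internet-facing remote access without MFA is the combination
            # the alert's remote-access and MFA items both address.
            if ra["internet_exposed"] and not ra["mfa"]:
                findings.append((h["name"], "remote_access",
                                 f"{ra['service']} exposed to the internet without MFA"))
        if h["os"] == "linux" and not h.get("lsm"):
            findings.append((h["name"], "lsm", "no Linux security module enforced"))
        if not h["backup_encrypted"]:
            findings.append((h["name"], "backup", "backup data not encrypted"))
    return findings


def audit_accounts(accounts):
    """Return (user, category, detail) findings for privileged accounts."""
    findings = []
    for a in accounts:
        if a["role"] not in PRIVILEGED_ROLES:
            continue
        if a["password_length"] < MIN_PRIVILEGED_PASSWORD_LENGTH:
            findings.append((a["user"], "password",
                             f"{a['role']} account password shorter than "
                             f"{MIN_PRIVILEGED_PASSWORD_LENGTH} characters"))
        if not a["mfa"]:
            findings.append((a["user"], "mfa", f"{a['role']} account without MFA"))
    return findings


def summarise(findings):
    """Count findings per mitigation category for a quick gap overview."""
    counts = {}
    for _, category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    all_findings = audit_hosts(HOSTS, date(2022, 2, 10)) + audit_accounts(ACCOUNTS)
    for subject, category, detail in all_findings:
        print(f"[{category}] {subject}: {detail}")
    print("summary:", summarise(all_findings))
```

The point of running the check over an inventory rather than ticking boxes is that the gaps the alert describes tend to compound on a single asset (here `web-02` is out of patch, has no security module and an unencrypted backup), which is exactly the host a ransomware operator would find easiest to encrypt and hardest to restore.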