We already know ransomware is out of control. According to SonicWall’s mid-year Cyber Threat Report, there were more ransomware attacks in the first half of 2021 than in all of 2020 — 304.7 million of them just by June of this year. Attackers encrypt and delete backups, exfiltrate and sell data, and even sell access to compromised environments — and they’re adapting and adjusting as they go to maximize the likelihood of getting paid.
So, what can organizations actually do to deal with this tidal wave of attacks? There are already many prevention techniques and technologies. Yet attacks still happen, are still successful, and attackers are still getting paid. It’s time for organizations to ask themselves the question, “Are we ransomware ready?” And then think about what ransomware readiness really looks like.
What is ransomware readiness?
Many organizations think that if they have a robust patching program and secure backups, they’re all set. But that's not the case anymore. How do patching programs handle zero- and one-day vulnerabilities? And how quickly can your organization really get significant patches applied? Backups are good, and secure backups are better – but what about when the attackers exfiltrate data and are threatening to release sensitive information?
These are just a few of the reasons that it’s essential to prepare proactively for an attack, so investigation and recovery methods are in place before an attack occurs. Forensic data collection is important, but many cloud service providers (CSPs) don’t actually store that data for long. Plus, attackers are all too ready to delete forensic data to make it harder for incident response teams to investigate effectively.
For organizations in the early stage of cloud modernization, it took 231 days to identify and 98 days to contain a cloud-based breach.
Source: IBM's Cost of a Data Breach Report 2021
The importance of forensic data
Incident responders use forensic data to understand how attackers infiltrated the environment and how long ago they got in, so it’s possible to prevent them from attacking again an hour after they've been paid the ransom money. Yet, if you have just seven days of forensic data from your CSP, how will you be able to look back far enough if you found out about the breach 231 days later?
In the case of ransomware, many organizations don’t have access to their forensic data, endpoints, and backups, which it makes it particularly challenging to investigate the incident. That’s one of the reasons it's important to store that data separately, assuring that it will stay intact and accessible when needed. It's ideal to store a thousand days of forensic data, so a ransomware attack occurs, there are three years of data to analyze and review for indicators of compromise. This data and analysis enable faster investigation.
If you pay the ransom, are you safe?
Many organizations believe, or at least hope, that if they do choose to pay a ransom and receive the private key to decrypt their data, they’re ready to return to business as usual. Unfortunately, the incident is not necessarily over at that point. It’s important to review and analyze forensic data to understand when the environment was last clean and to learn how to prevent the same attackers or other attackers from taking advantage of the same vulnerability to repeat the attack. Cybercriminals scan for vulnerabilities, leveraging them to launch new attacks. So payment alone is no guarantee that an organization is safe from another ransomware attack; it's important to find and patch the vulnerabilities and return to a clean environment.
Don’t pay the ransom... and still manage risk
In some cases, organizations choose not to pay the ransom, but making that decision can be quite difficult. Assume your organization gets hit with a ransomware attack, and you have 48 hours to make a decision about whether you need to pay. What information is needed to make an informed decision not to pay?
The first hours of a ransomware event are a time of immense pressure: the cybercriminals increase pressure by threatening to release data, which in turn increases the potential for reputational, regulatory, and even litigation damage. While technical teams struggle to understand the situation and get services back online, they also need to understand the threat:
- How much data has been exfiltrated?
- How significant is this exfiltrated data?
- How much is this data worth?
- What is the impact of this data being released?
- Are the criminals just bluffing?
How quickly could your organization launch an investigation, and do you have the readiness training and forensic data you need to make complex decisions quickly? Here are a couple of examples of recent ransomware attacks that we've seen through our emergency services.
Case Study 1: regulated healthcare provider
This healthcare provider hosted significant volumes of patient information on cloud infrastructure. A ransomware gang gained access to their environment and encrypted exposed data, demanding immediate payment of a nine-figure ransom or the attackers threatened to publish patient information. The healthcare provider had 72 hours to comply.
With an ever-shrinking deadline, the healthcare provider had two priorities:
- Get operations back up and running from the affected database
- Understand how real the threat to publish the data was and mitigate downstream risks (reputation, regulation, litigation)
To address these priorities, the provider considered whether they needed to pay the ransom. Technical, legal, and PR teams were already at work, preparing how to handle the next steps. Insurers were preparing to pay the ransom to mitigate risks. The provider also called in Mitiga as an expert in incident response in the cloud.
Within a day, Mitiga established the scope of impact, identified the specific databases affected, and proved that it was feasible for the provider to recover immediately. Mitiga also demonstrated that the cybercriminal gang was unable to exfiltrate any data. The threat to publish private patient information was a bluff! With this information, the healthcare provider decided not to pay the ransom and all their services were restored within a day.
Case Study 2: international financial services and investment house
This international financial services and investment house deployed using a hybrid environment, combining a cloud environment with end-points (laptops). The ransomware gang again encrypted exposed files and claimed to have exfiltrated client financial data. Again, they sent a nine-figure ransom demand, in this case with a deadline of 48 hours.
The investment house considered the stolen data affected to be of low value and believed that the attack had limited operational impact. Nevertheless, they needed to determine the level of risk and the sensitivity of the data. If client data had indeed been stolen, there would be a regulatory impact and affected clients needed be informed as soon as possible. But which clients?
To get the information they needed to make the right decision, without unnecessarily informing clients who were not impacted, the organization called on Mitiga to analyze and investigate both the attack and the impact. Mitiga quickly confirmed that data had been exfiltrated, that the exfiltrated data contained client information, and which clients were impacted.
Based on the investigation, Mitiga found the credentials of the repository that the attacker used to store the stolen data. The Mitiga incident responders used these credentials to access the repository, to define exactly what data was stolen, and to support the customer as they decided on next steps. The organization appropriately notified the regulator and the specific clients impacted in the event. The organization was able to avoid paying the ransom because they had the information needed to identify the exact level of risk and act quickly.
Ransomware readiness and risk management
These intense hours and the need to answer critical questions quickly can cloud judgement and hamper decision making. Rapid insight and analysis can help leadership teams and BODs cut through this fog of confusion and stress, but for many it remains a challenge to respond to ransomware attacks quickly. Taking a proactive approach and adopting a readiness mindset can help organizations manage risk.