Not coordinating with the FBI, failing to establish a secure channel to a device's firmware and focusing solely on the immediate problem and not the broader security issue underpinning it can make a bad situation worse, members of the Braintrust say.
When a company is in the thick of a major security event like a ransomware attack, it is hard to see around the corner to what the next challenge is going to be. Organizations are often thinking about shutting down the attack by cutting access to the affected device(s); the thinking being that if isolated, it cannot continue to infect. The unfortunate side effect of this, especially in the new remote/hybrid world, is that cutting off an infected device also means that IT cannot access it — making it useless to help diagnose the infection or remediate the risk. The organization then finds that they are fighting a second issue getting devices, and users, reconnected and back online.
That's why it is critical to ensure there is a secure channel to access the device firmware, which allows you to freeze or wipe the device while also remaining connected to it — meaning you are able to bring it back online once you have remediated the risk and stopped the attack.
Ransomware activity is at an all-time high right now. One of the biggest mistakes an organization can make when dealing with this disaster is immediate self-blame, embarrassment and guilt for having fallen for it. Organizations shouldn't try to hide an attack because they feel at fault. It's important they engage the FBI to let them know what's happening. Trying to hide the attack by providing payouts to ransomware thieves only serves to encourage them to continue harming others and provides resources to further other criminal activity. The truth is, there is no guarantee in any other ransomware scenario that payment would speed up system and service restoration. Biting the bullet and cluing in the FBI immediately will ultimately help all of us scope the problem with better intelligence and better statistics.
It can be difficult to fully prevent a ransomware attack, but if organizations share information about attacks and put in the effort to ensure they can rapidly re-image and reinstate systems from backups, we all stand a solid chance of a fast(er) recovery without the need to encourage further criminal activity by paying ransom demands. While there are reputational issues around ransomware, those reputational issues get less significant when disclosure becomes more common, so sharing that data will ultimately help us all beat back this crime wave.
The sense of urgency following a ransomware attack can be all-consuming, and often centers around retrieving data and getting the business back up and running as soon as possible. However, organizations must remember ransomware is the ultimate, most obvious expression of an underlying truth: A malicious actor gained access to their environment, undetected, and was lurking there for some time.
Today, sophisticated and amateur hackers alike will try to hide among the noise, living off the land within an environment beyond the point of file encryption and ransom. This allows them to continue accessing data, and plan future return visits. In the immediate aftermath of ransomware, organizations that fail to prioritize completely extricating the attackers and eliminating the root cause entry points only ensure repeat or follow-on attacks from the same, or simply the next, ransomware group.
However, the process of taking a more considered approach to security is not always easy. Post-malicious file encryption, the pursuit and removal of the attacker hinges on the amount of visibility and understanding the security team has into internal or east-west traffic. Many companies that have historically focused on prevention and perimeter are, in today's post-SolarWinds and Colonial Pipeline world, realizing the inefficacy of relying on rules and signatures alone.
Organizations that are tackling ransomware well have prioritized understanding their own networks, and, in particular, beefed up their detection and response capabilities so they can help teams build the resilience necessary to recover quickly from intrusions as well as disrupt their next ransomware challenges.
Recent attacks such as Colonial Pipeline and JBS show how pervasive ransomware incidents are around the world. In fact, this year alone we've seen over 1,025 ransomware incidents across the globe, averaging to about 46 events per week, and the average cost of ransomware demands has reached $5.6 million. CrowdStrike has observed cyber-threat actors mostly target health care, technology, manufacturing and others, and we anticipate these types of attacks to increase on a global scale.
The biggest mistake any organization of any size can make is getting caught out by assuming a ransomware attack won't happen to them. In today's threat climate, it's no longer a matter of "if" but "when" an organization will get hit.
In the wake of an attack, organizations that don't have the proper technology, people and processes in place, and instead have settled for outdated legacy solutions, will be at the full mercy of cybercriminals and their demands for ransoms and other extortion fees. Ransomware actors often prepare their target environment well in advance for maximum damage. Organizations that aren't prepared for this level of sophistication often find their hands forced to pay the ransom or else risk losing their entire business.
Sticking your head in the sand is not a sustainable cybersecurity strategy. Modern-day organizations need to adopt machine learning-based next-generation antivirus, threat-hunting, threat intelligence and regularly perform tabletop exercises as just some of the puzzle pieces needed to take a solid, proactive defense against ransomware threats.
When a ransomware attack hits, we're quick to make rash decisions or keep details close to the chest so as not to alarm employees or stakeholders. This needs to stop. An incident response plan for ransomware with a clear plan of attack will help keep all parties streamlined. The plan must detail the roles, responsibilities and response actions of all relevant parties, but most importantly, how to communicate the situation to the entire company. Being transparent with employees and engaging with them quickly may help to contain and recover from the situation faster.
We need to update IR plans to reflect the new workplace environments — many companies are embracing either fully-remote or hybrid environments. This, in addition to the increased adoption of new workplace apps, software and tools adds another layer of complexity for security and IT teams to keep everyone protected.
Today's threat actors are smart, well-funded and always one step ahead. Responding to a ransomware attack has been a reactionary approach, but if we're going to catch up with increasing threats, all companies — regardless of size or industry — need to understand the threat landscape, be proactive with security and take a data-centric view of security.
Invest in endpoint security, prioritize the testing of security systems, regularly hold security trainings and focus Zero Trust projects on the data. These efforts will help to mitigate the destructive potential of ransomware attacks and limit the company's downtime.
Kevin McAllister ( @k__mcallister) is a Research Editor at Protocol, leading the development of Braintrust. Prior to joining the team, he was a rankings data reporter at The Wall Street Journal, where he oversaw structured data projects for the Journal's strategy team.