Ransomware is one of those unique terms in cybersecurity with a name that tells you exactly what it is. It’s malware that holds systems hostage in exchange for a ransom of a cybercriminal’s choosing. Ransomware attacks have impacted research institutions, manufacturers, gas pipelines, government websites, school districts and sheriff’s offices – and that’s just a handful of headlines from a few days.
Ransomware is also unique in the cybersecurity world because it's a threat that most people, regardless of their profession, have heard about. But beyond knowing what it is, there are things we know about ransomware that should inform the ways we combat it, especially within the federal government.
With that in mind, here are six things we know with certainty about ransomware and six things agencies can do to better protect themselves from an attack, or to recover when they’re in the midst of one.
1. Everyone’s Going to Get Hit
It sounds fatalistic to say, but it's true: eventually, every agency is going to get hit with a ransomware attack. How successful that attack is, from the cybercriminal's point of view, depends on how well prepared you are. The closest things to silver bullets an agency can have are immutable backups (a point-in-time copy of the data that cannot be altered or deleted, even by an administrator account the attackers have compromised) and a Zero Trust strategy that quickly identifies suspicious activity and restricts lateral movement across the entire network. The backups are what let you recover without paying; the Zero Trust controls go a long way toward preventing an attack and containing one once it's underway.
2. Cybercriminals Will Often Use Phishing to Get In
Call them a gateway drug or a gateway into your organization's soul: targeted phishing emails are how a large share of ransomware attacks begin. In addition to robust employee training on how to recognize phishing scams, like we have at GDIT, locking down the Domain Name System (DNS) is a must. A resolver that refuses to answer for known-malicious domains stops many phishing links and malware downloads before the page ever loads. Once the attackers are on your network, a Zero Trust strategy can again limit their movement, since it requires authentication and authorization at every step. For the attacker, it's like breaking into a building where every door has a second deadbolt.
3. They Use Worms to Move Laterally on a Network
Once cybercriminals have gotten into your system, they'll often use "worms" to move around: small programs that copy themselves and spread the attack to other computers on the network. (Many crews also move laterally by hand, using stolen credentials and legitimate administrative tools, which is quieter than a worm's scanning.) This is when your ransomware attack goes from bad to worse. When you're in the throes of the attack, you'll often have a "golden hour" in which to shut down attack vectors. A worm's telltale is one host suddenly reaching out to many others on the same port, whether or not they answer. Together, a Zero Trust strategy, automated threat detection and logging, and solid endpoint detection and response tooling can help ensure you locate the threat, and its worms, rather than being left looking for a needle in a needle stack.
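The detection logic that the paragraph above describes in the abstract, as an added example that is not GDIT's tooling or code from the original article: it reads connection log lines and flags any source that reaches an unusual number of distinct internal hosts on the SMB port inside a short window. The log format, the sample lines, and the threshold and window values are all assumptions for the illustration.

```python
"""Flag worm-like lateral movement in connection logs.

Added illustration, not GDIT's tooling. It assumes one constructed log
format, "<ISO-8601 time> <src_ip> -> <dst_ip>:<dst_port> <allow|deny>",
of the kind a firewall or flow collector can be made to emit, with lines
in time order. The tell it looks for is a single source reaching many
distinct internal hosts on one port inside a short window: a
self-propagating worm scans neighbours whether or not they answer, so
denied attempts count as much as allowed ones.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log (no real traffic). 10.0.1.10 is a file server with
# a handful of normal SMB sessions; 10.0.5.23 fans out to twelve internal
# hosts on 445 within twelve seconds, which is the worm pattern.
SAMPLE_LOG = [
    "2024-03-01T09:00:01 10.0.1.10 -> 10.0.1.50:445 allow",
    "2024-03-01T09:02:10 10.0.1.10 -> 10.0.1.51:445 allow",
    "2024-03-01T09:05:30 10.0.1.10 -> 10.0.1.52:445 allow",
    "2024-03-01T09:09:59 10.0.5.23 -> 203.0.113.5:443 allow",  # external, ignored
] + [
    f"2024-03-01T09:10:{i:02d} 10.0.5.23 -> 10.0.5.{i + 1}:445 "
    f"{'allow' if i % 3 else 'deny'}"
    for i in range(12)
]


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port, action)."""
    ts, src, _arrow, dst, action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port), action


def detect_fanout(lines, port=445, threshold=10, window_s=60,
                  internal=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """Return {src_ip: alert} for every source that touches at least
    `threshold` distinct internal hosts on `port` within any `window_s`
    second window.

    threshold and window_s are assumed tuning values; a real deployment
    calibrates them against the environment's normal SMB fan-out.
    """
    nets = [ipaddress.ip_network(n) for n in internal]
    recent = defaultdict(deque)  # src_ip -> time-ordered deque of (timestamp, dst_ip)
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, _action = parse_line(line)
        if dport != port or not any(ipaddress.ip_address(dst) in n for n in nets):
            continue
        window = recent[src]
        window.append((ts, dst))
        # Drop events that have fallen out of the sliding window.
        while ts - window[0][0] > timedelta(seconds=window_s):
            window.popleft()
        distinct = {d for _, d in window}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = {
                "first_seen": window[0][0],
                "triggered_at": ts,
                "targets": len(distinct),
            }
    return alerts


if __name__ == "__main__":
    for src, a in detect_fanout(SAMPLE_LOG).items():
        print(f"ALERT {src}: {a['targets']} internal hosts on 445 "
              f"between {a['first_seen'].time()} and {a['triggered_at'].time()}")
```

Vulnerability scanners, monitoring systems and backup servers produce the same fan-out pattern legitimately, so in practice the alert feeds an allowlist of known scanners before it pages anyone; the point of the "golden hour" is that the first alert for an unexpected source should trigger isolation of that host, not a ticket.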
4. Cybercriminals are Banking on You Not Being Prepared
Cybercriminals who deploy ransomware attacks do it because it's easy for them. It's even easier when you're not prepared, and that's what they're counting on. Technical mitigations like Zero Trust, automated threat detection software and endpoint detection systems help. So do non-technical preparations, which we carry out at GDIT and help clients perform. Tabletop exercises simulate what everyone in an organization, from executives to communications directors to IT leads, will do in the event of an attack, and they're a great way to get everyone on the same page about the threat, the consequences and the appropriate response. Playbooks, often developed as an outcome of the tabletop exercise, speed up your response because you move straight to execution instead of developing a plan under duress.
Ransomware attacks, unfortunately, happen all the time. We know so much about them because they’re so prevalent. That’s why having an appropriate response and resilience strategy – and updating it often – is crucial.
5. Ransomware Attacks Involve Extortion at Multiple Levels
Ransomware attacks can cripple an organization in several ways. Attackers can hold your systems hostage, negotiating on the basis of returning them to normal operation. They can hold your data hostage, threatening to sell or destroy it, or worse. They can also hold your communications hostage, cutting you off from your contacts until their demands are met. Securing all of these assets in the ways discussed earlier in this piece is essential, as is bearing in mind that every one of them is attractive to cybercriminals both during an attack and during any subsequent negotiation.
6. Once You’ve Been Attacked, You Will Be Attacked Again
It's another fatalistic statement but, unfortunately, it's also another true one. Once cybercriminals have found one way into your network, they'll assume they can find another, and they will try again. After all, you've been behind the eight ball before; the odds you'll be there again are good, and the criminals know it. Relatedly, after an attack you can't be certain the criminals are completely off your network. Are they hiding somewhere you didn't look? Did they leave time bombs or backdoors behind? Ransomware as a Service exists and is a tool the bad guys profit from; it's their easy button, so why wouldn't they use it? So once you've been attacked, expect to be attacked again, and do something about it.