There were seven people seated around the table: the CEO, the VP, the CFO, the Special Agent from the FBI, the owner, the forensics technician and the company’s CISO (Chief Information Security Officer).
“Don’t pay,” was the CEO’s vote. Same for the VP.
“Pay it,” was the owner’s response. The CFO nodded in agreement.
“Paying could be a violation of federal law,” stated the FBI representative.
The CISO had a hard time getting words out, as this was the largest ransom he had dealt with at the time. The amount — $1,200,000 — was a lot of money. “I don’t see another option given the status of our backups. Either we pay the ransom or we begin liquidating the assets of the company as soon as possible. Which is the lesser of two evils?”
The CISO negotiated the ransom down to $410,000. The Bitcoin took several hours to amass. The cybercriminals delivered a decryption key, but 30% of the company’s data was gone forever — some of their hard drives filled up during the ransomware encryption process, and the encryption software kept running after the drives couldn’t hold any more data. Every file encrypted after that point was irretrievable. The total recovery took three months to ensure that no backdoors were left in the company’s systems, and the lawsuit to get the insurance company to cover the incident lasted almost two years.
Stopping ransomware includes three key areas: cybersecurity hygiene of the business’s employees, proper practices by its IT department, and its data backup strategy.
Here are eight ways to prevent a ransomware attack, and eight ways those who fall victim to an attack can recover from it.
Ransomware Defenses to Help Prevent Attacks
- Add Multi-Factor Authentication (MFA) on all company email accounts and on all external access to its network (VPN, TeamViewer, WebEx, etc.). This will help prevent a cybercriminal from taking over an email account using a compromised username/password.
- Those companies that use Windows Active Directory should NOT log in to computers with Domain Admin accounts. There is an attack called “Pass the Hash” that steals the hashed credentials a Domain Admin login leaves behind on the machine. If it is necessary to log in with a Domain Admin account, it’s important to change the password afterwards.
- Patch the PCs. Workstations and servers. Every month. No exceptions. That includes conference room PCs, loaner PCs, HVAC computers, etc.
- Patch the networking gear. Firewalls, switches, UPSs, phone system, etc.
- Install good antivirus software everywhere. All PCs. All Macs. All servers. Everywhere.
- Geofilter the internet traffic and emails. Companies that don’t do business with a foreign country should block traffic and emails to and from it. This keeps out lazy cybercriminals. No, it won’t keep out the cybercriminals that VPN into the country before attacking the company, but it’s surprising how many cybercriminals don’t take the time to do that.
- Companies with many workstations should use the Microsoft Local Administrator Password Solution (LAPS) to randomize the local administrator password on all PCs. If every workstation shares the same initial local admin username/password, compromising one machine makes it very easy to compromise them all.
- Businesses whose users have local admin credentials may want to rethink that. Today. Right now. Once cybercriminals compromise a computer, they normally inherit the permissions of the user for that computer. If that user is a local administrator, the bad guys are going to use that access to do more damage.
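As an added example (not code from the article), the following PowerShell script audits the last two items above for the computers in one OU: whether each machine has a LAPS-managed local administrator password, and which accounts sit in its local Administrators group beyond an allow-list. It assumes legacy Microsoft LAPS (which stores the password expiry in the AD attribute ms-Mcs-AdmPwdExpirationTime), the RSAT ActiveDirectory module, and WinRM access with admin rights on the targets; the OU path and the allow-list are placeholders.

```powershell
# Added example: audit LAPS coverage and local Administrators membership.
# Assumes legacy LAPS (ms-Mcs-AdmPwdExpirationTime attribute), the RSAT
# ActiveDirectory module, and WinRM admin access to the workstations.
Import-Module ActiveDirectory

$SearchBase     = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$ApprovedAdmins = @('Administrator', 'Domain Admins')   # assumed allow-list

$computers = Get-ADComputer -Filter * -SearchBase $SearchBase `
    -Properties 'ms-Mcs-AdmPwdExpirationTime'

foreach ($c in $computers) {
    # A LAPS-managed machine carries a future expiry timestamp (Windows FILETIME).
    $expiry = $c.'ms-Mcs-AdmPwdExpirationTime'
    $lapsOk = ($null -ne $expiry) -and ([DateTime]::FromFileTime($expiry) -gt (Get-Date))

    # List the local Administrators group remotely; report unreachable machines.
    try {
        $members = Invoke-Command -ComputerName $c.Name -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
        }
        # Names come back as DOMAIN\name or COMPUTER\name; compare the short name.
        $extra = @($members | Where-Object { $ApprovedAdmins -notcontains ($_ -split '\\')[-1] })
    } catch {
        $extra = @("<unreachable: $($_.Exception.Message)>")
    }

    [PSCustomObject]@{
        Computer         = $c.Name
        LapsManaged      = $lapsOk
        ExtraLocalAdmins = ($extra -join '; ')
    }
}
```

Machines reporting LapsManaged = False still share a static local admin password, and any name in ExtraLocalAdmins is a user or group holding local admin rights that the baseline did not approve.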
Ransomware Victims Need to Act
Businesses should note, however: most of these need to be in place before the attack happens.
- OFFLINE backups. These are backups that are kept off the business’s network. Cybercriminals try to delete a business’s backups. If the backups are not on the business’s network, the bad guys can’t destroy them.
- Tested restore procedures. Businesses that try to restore their backups only when they’re needed are rolling the dice every time they are in a real bind.
- Offline restore methodology. It’s important to not begin a restore with the company’s network still attached to the internet. Ransomware cases often unfold where the cybercriminals still have hooks into a company’s network, and they destroy the used-to-be-offline backups as soon as the restore process begins.
- Workstation reimages. Businesses will need a clean workstation image to restore workstations quickly if they suspect the workstations have been compromised.
- Server rebuilds. Businesses will need a clean server image to recreate the servers quickly.
- Pre-negotiated incident response team contract. Businesses should find a cyber incident response company and get a contract in place. That way they will know how to “call in the cavalry” very quickly as opposed to going through contract negotiations in the middle of a crisis.
- Thirty-five percent free drive space on all network drives. Ransomware often bloats the data on the drives it encrypts. As soon as a drive fills up, the encryption process will keep trying to move forward, but every file it encrypts after the drive is full will be unrecoverable.
- Companies that have cybersecurity liability insurance should call their insurance company ASAP! There are many stories of insurance policies with a clause stating that the customer must inform the insurance company of a suspected incident within 24 hours of the initial discovery. If they take a few days to confirm that the incident was real, it can be an expensive mistake.
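As an added example (not code from the article), the PowerShell script below implements two of the checks above so they can be scheduled before an incident: Test-FreeSpace flags fixed volumes that fall under the 35% free-space margin, and Write-RestoreManifest/Test-RestoreManifest record SHA-256 hashes when a backup is taken and verify a test restore against them. Server names and paths are placeholders, and CIM access to the servers is assumed.

```powershell
# Added example: free-space margin check and hash-verified test restores.
# Server names and paths are placeholders; CIM access to the servers is assumed.

function Test-FreeSpace {
    param([string[]]$ComputerName, [double]$MinFreePercent = 35)
    foreach ($computer in $ComputerName) {
        # DriveType=3 selects local fixed disks only
        $disks = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=3' `
                                 -ComputerName $computer
        foreach ($d in $disks) {
            if (-not $d.Size) { continue }            # skip unformatted volumes
            $freePct = [math]::Round(100 * $d.FreeSpace / $d.Size, 1)
            [PSCustomObject]@{
                Computer = $computer; Drive = $d.DeviceID; FreePercent = $freePct
                BelowThreshold = ($freePct -lt $MinFreePercent)
            }
        }
    }
}

# Writes one "HASH  relative\path" line per file; store it with the offline backup
function Write-RestoreManifest {
    param([string]$Root, [string]$ManifestPath)
    $prefixLen = $Root.TrimEnd('\').Length + 1
    Get-ChildItem -LiteralPath $Root -Recurse -File | ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        '{0}  {1}' -f $hash, $_.FullName.Substring($prefixLen)
    } | Set-Content -LiteralPath $ManifestPath -Encoding UTF8
}

# Compares a restored tree against the manifest; missing or altered files fail
function Test-RestoreManifest {
    param([string]$RestoredRoot, [string]$ManifestPath)
    $lines = @(Get-Content -LiteralPath $ManifestPath)
    $failures = foreach ($line in $lines) {
        $expected, $rel = $line -split '  ', 2
        $path = Join-Path $RestoredRoot $rel
        if (-not (Test-Path -LiteralPath $path)) { "MISSING  $rel"; continue }
        if ((Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash -ne $expected) { "CORRUPT  $rel" }
    }
    [PSCustomObject]@{ Files = $lines.Count; Failures = @($failures).Count; Detail = $failures }
}

Test-FreeSpace -ComputerName 'FILESRV01', 'SQL01' | Where-Object BelowThreshold
Test-RestoreManifest -RestoredRoot 'D:\RestoreTest' -ManifestPath 'E:\OfflineMedia\manifest.txt'
```

Run Write-RestoreManifest against the source data at backup time and keep the manifest with the offline media, so a restore drill that reports Failures = 0 proves the backup is both complete and intact.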
If all companies followed the specific recommendations above, ransomware cybercriminals would become a thing of the past. With proactive action and a good cybersecurity awareness training program for the employees, cybercrime is a solvable problem!