Lessons learned from ransomware attacks on SMBs in Latin America.

It's Friday, and the alarm clock rings at 6:00 AM to remind you that you have to get up and get ready for work. On the way to the office, you get an early call: a user reports that his machine "went crazy," and when you ask what is going on, you hear the following: "There is a skull on a red background on the screen, the machine won't boot, and I can't access my files."

Welcome to your worst nightmare; you have been infected with Petya ransomware!

This scene is not taken from a science fiction novel. It is a real and potentially devastating situation for any organization, because it compromises not only the confidentiality, integrity, and availability of information but also the production processes that depend on it, in many cases leaving the company completely paralyzed for days or even weeks, with employees sent home or sitting idle.

Ransomware attacks increase year after year worldwide. In 2021, 66% of organizations were hit by this threat, compared to 37% in 2020, according to the report "The State of Ransomware 2022"(1) from SOPHOS. It is no longer only large organizations that these criminal groups target but also small and medium-sized companies, and for a simple reason: in most of them, no cybersecurity culture exists.

Large organizations spend thousands of dollars in their efforts to keep attackers at bay, relying on robust information security policies and frameworks (ISO 27001, NIST), teams of specialized people (SOC, CSIRT) prepared to monitor and address any incident, and an arsenal of technological tools to protect the company's information assets; however, there will always be a weak link in this chain: People.

Why are SMBs so attractive to these malicious actors? For starters, there is one constraint: money. It's no secret that small and medium-sized companies fight over every penny the IT department (if they have one) asks to spend on infrastructure, information security included. As a result, protecting everyday devices such as workstations and servers is pushed to the back burner because it is not considered a priority; even a simple measure such as a paid antivirus on every company computer is seen as an extravagant expense. Cybercriminals exploit this mindset: an unpatched, unprotected machine is compromised through malicious code delivered as an email attachment or as a link inside the message.

What measures can the Davids (IT support) take against the Goliaths (attackers) to prevent ransomware? Here are some suggestions based on lessons learned with several companies:

Zero pirated software: In Latin America, we habitually use pirated software for almost everything installed on our computers. Many companies do not see why they should pay for licenses, from Windows to Office, so the IT tech runs "activators" and even installs "all-in-one" copies of these programs. Well, nothing in this life is free. The consequence is Trojan horses inside our infrastructure: at the very least, an army of bots at the disposal of some criminal group, without counting the theft of credentials and information to which we are exposed, and of course ransomware. Nowadays, you can get genuine OEM licenses at quite affordable prices and avoid exposing yourself to these risks.

Keep your computers up to date: Although it may seem trivial, keeping computers and systems patched closes the vulnerabilities that attackers look for. You do not have to invest large sums of money to build a platform that keeps computers up to date, and doing it by hand is a titanic task. For some time now, Microsoft has offered Windows Server Update Services (WSUS) at no extra cost: it is a role included with every Windows Server license, and by adding the role and making a few adjustments at the domain GPO level, we can distribute the latest fixes and security updates to all our computers. It is a simple but effective solution from a security point of view.
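Added example, not part of the original article and not a Microsoft script: a PowerShell setup of the WSUS role plus the checks a small IT shop will actually want afterwards. The GPO the paragraph refers to is Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > "Specify intranet Microsoft update service location"; `Test-WsusClientPolicy` reads the registry values that policy writes on each workstation. The server name wsus01.corp.local, the content path D:\WSUS, the product list, and the approval target group are assumptions; adjust them to your environment.

```powershell
# Added example (not from the original article). Server side: install and
# configure the WSUS role. Client side: verify the GPO reached the machine.
# Assumptions: WSUS host wsus01.corp.local, content on D:\WSUS, port 8530.

function Initialize-WsusServer {
    # Run once, elevated, on the Windows Server that will host WSUS.
    param([string]$ContentDir = 'D:\WSUS')
    Install-WindowsFeature -Name UpdateServices -IncludeManagementTools
    & "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall "CONTENT_DIR=$ContentDir"

    $wsus = Get-WsusServer                      # connects to localhost:8530 by default
    Set-WsusServerSynchronization -SyncFromMU   # upstream = Microsoft Update

    # Only the classifications and products a small shop actually needs;
    # everything else stays unselected to save disk and bandwidth.
    # Titles must match what Get-WsusProduct lists for your server.
    Get-WsusClassification |
        Where-Object { $_.Classification.Title -in @('Critical Updates', 'Security Updates', 'Definition Updates') } |
        Set-WsusClassification
    Get-WsusProduct |
        Where-Object { $_.Product.Title -in @('Windows 10', 'Windows 11', 'Windows Server 2019', 'Office 2019') } |
        Set-WsusProduct

    $sub = $wsus.GetSubscription()
    $sub.SynchronizeAutomatically          = $true
    $sub.SynchronizeAutomaticallyTimeOfDay = New-TimeSpan -Hours 2   # 02:00 UTC, outside office hours
    $sub.Save()
    $sub.StartSynchronization()
}

function Approve-PendingSecurityUpdates {
    # Approve every unapproved security update that at least one client still needs.
    # A small shop usually has no test ring, so 'All Computers' is the target group.
    Get-WsusUpdate -Classification Security -Approval Unapproved -Status FailedOrNeeded |
        Approve-WsusUpdate -Action Install -TargetGroupName 'All Computers'
}

function Get-WsusStaleComputers {
    # Machines that have not reported for $Days days are the ones that will NOT
    # get the fixes: powered off, not domain-joined, or not pointed at WSUS.
    param([int]$Days = 7)
    Get-WsusComputer |
        Where-Object { $_.LastReportedStatusTime -lt (Get-Date).AddDays(-$Days) } |
        Select-Object FullDomainName, IPAddress, LastReportedStatusTime
}

function Test-WsusClientPolicy {
    # Run on a workstation: confirms the GPO arrived and points at the right server.
    param([string]$Expected = 'http://wsus01.corp.local:8530')
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu  = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
    $au  = Get-ItemProperty -Path "$pol\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer    = $wu.WUServer
        UseWUServer = $au.UseWUServer       # 1 = use the intranet server instead of Microsoft Update
        AUOptions   = $au.AUOptions         # 4 = auto download and schedule the install
        PolicyOk    = ($wu.WUServer -eq $Expected -and $au.UseWUServer -eq 1)
    }
    # Ask the update agent to check in now instead of waiting for its next cycle.
    (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
}
```

Run `Initialize-WsusServer` once on the server, `Approve-PendingSecurityUpdates` and `Get-WsusStaleComputers` on a weekly schedule, and `Test-WsusClientPolicy` on any workstation you suspect is not receiving updates. One caveat: port 8530 is plain HTTP, so clients trust whatever answers there; on anything beyond a small, trusted LAN, configure WSUS with a certificate on port 8531 and point the GPO at an https:// URL, because a machine that can intercept client-to-WSUS traffic can tamper with the update metadata in transit.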

Incident response plan: When an organization falls victim to a ransomware attack, the first thing that happens is panic, and that is when erratic actions are taken in the attempt to contain the incident. As the insurance saying goes: it is better to have it (the plan) and not need it than to need it and not have it. In a situation like this, a well-designed incident response plan lets us stay calm and activate a series of pre-established actions to contain the threat and prevent it from spreading further into the infrastructure. Let's keep the three plans straight: the incident response plan defines how to detect, contain, and eradicate the incident; the business continuity plan keeps critical business processes running during the crisis; and the disaster recovery plan restores the IT systems and data so the business can get back to normal as soon as possible. It is best to keep all three up to date and tested.
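Added example, not from the original article: one of those pre-established actions written down as PowerShell so that nobody has to improvise it at 6 AM, a first-response containment script for a Windows workstation or server that is still running. The responder's address and the evidence folder are placeholders; the script assumes it is run elevated from the local console or from an existing remote session opened from the responder's station, since it cuts every other connection.

```powershell
# Added example (not from the original article): first-response containment
# for a host suspected of running ransomware. Order matters: evidence first,
# then file shares, then the network. Assumes elevated PowerShell 5.1+.

function Invoke-RansomwareContainment {
    param(
        [Parameter(Mandatory)][string]$IrStation,    # responder's address, e.g. '10.0.5.20' (placeholder)
        [string]$EvidenceDir = "C:\IR\$env:COMPUTERNAME-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
    )
    New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

    # 1. Capture volatile state BEFORE changing anything; isolation would destroy it.
    Get-Process -IncludeUserName |
        Select-Object Id, ProcessName, Path, UserName, StartTime |
        Export-Csv -Path "$EvidenceDir\processes.csv" -NoTypeInformation
    Get-NetTCPConnection -State Established |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
        Export-Csv -Path "$EvidenceDir\connections.csv" -NoTypeInformation
    Get-SmbMapping |
        Export-Csv -Path "$EvidenceDir\mapped-drives.csv" -NoTypeInformation
    Get-ScheduledTask | Where-Object State -ne 'Disabled' |
        Select-Object TaskName, TaskPath, Author |
        Export-Csv -Path "$EvidenceDir\scheduled-tasks.csv" -NoTypeInformation

    # 2. Cut the host off from file shares: encryptors reach mapped drives and
    #    SMB shares far faster than anything else on a LAN.
    Get-SmbMapping | Remove-SmbMapping -Force -ErrorAction SilentlyContinue
    Stop-Service -Name LanmanServer -Force -ErrorAction SilentlyContinue   # stop serving this host's own shares

    # 3. Network isolation via the host firewall, leaving one hole for the responder.
    New-NetFirewallRule -DisplayName 'IR-Allow-Responder-In'  -Direction Inbound  -RemoteAddress $IrStation -Action Allow | Out-Null
    New-NetFirewallRule -DisplayName 'IR-Allow-Responder-Out' -Direction Outbound -RemoteAddress $IrStation -Action Allow | Out-Null
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block

    Get-Date | Out-File -FilePath "$EvidenceDir\isolated-at.txt"
    return $EvidenceDir
}

# Usage: Invoke-RansomwareContainment -IrStation '10.0.5.20'
```

The host firewall is a stopgap: malware running as administrator can simply turn it off, so the plan should back this step with a more robust control such as shutting the switch port or the isolation feature of an EDR product. Whether the machine is then powered off or left running for a memory capture is a decision to write into the plan in advance, not to make on the phone.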

Backups: They are our Holy Grail when it comes to ransomware. A recent and valid backup lets you recover most of the compromised information, losing at most a few days of work depending on how often backups are made. Now, many SMBs resort to external devices such as USB drives to store that information. Although that is better than nothing, I have seen cases where these same devices have been encrypted and rendered unusable, including complete backups of virtual machines. A drive that stays plugged in with a drive letter is just one more volume for the encryptor; anything the malware can reach with the victim's credentials is not a safe copy. So what can help us mitigate the risk of compromising our on-site backups? Keep off-site backups as well. One option is cloud backup; many services are available today, and even the 15 GB that comes with a free Google account can serve a small shop. And of course, backup to magnetic tape is an excellent option, because once the cartridge is physically out of the drive it is practically impossible for this type of attack to reach it.
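Added example, not from the original article: a PowerShell backup job that does what the paragraph above asks for, versioned copies written to a destination you then detach, and a restore test of every file, plus one safeguard the paragraph implies: if most of the source changed since the last run, the job refuses to overwrite good copies with what may already be ciphertext. The paths are placeholders; it assumes PowerShell 5.1 or later and a destination (rotated USB disk, tape staging folder, or a cloud-synced folder under a dedicated account) that is attached only while the job runs.

```powershell
# Added example (not from the original article): a verified, versioned backup
# with a mass-change guard. Assumes PowerShell 5.1+; $Source and $Destination
# below are placeholders.

function Get-FolderManifest {
    # Returns a hashtable of relative path -> SHA-256. Used both to detect mass
    # changes (a sign the source is already encrypted) and to verify restores.
    param([Parameter(Mandatory)][string]$Path)
    $manifest = @{}
    $root = $Path.TrimEnd('\')
    Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($root.Length + 1)
        $manifest[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $manifest
}

function Test-MassChange {
    # True if more than $Threshold of the files known from the previous run
    # changed or disappeared; a normal working day changes a few percent.
    param([hashtable]$Previous, [hashtable]$Current, [double]$Threshold = 0.5)
    if ($Previous.Count -eq 0) { return $false }
    $changed = 0
    foreach ($k in $Previous.Keys) {
        if (-not $Current.ContainsKey($k) -or $Current[$k] -ne $Previous[$k]) { $changed++ }
    }
    return ($changed / $Previous.Count) -gt $Threshold
}

function New-VerifiedBackup {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination,
        [int]$Keep = 7
    )
    $Source       = (Resolve-Path $Source).Path
    $stamp        = Get-Date -Format 'yyyyMMdd-HHmmss'
    $zip          = Join-Path $Destination "backup-$stamp.zip"
    $manifestFile = Join-Path $Destination "backup-$stamp.manifest.json"

    # Load the previous manifest (if any) and compare before touching the destination.
    $previous = @{}
    $last = Get-ChildItem -Path $Destination -Filter '*.manifest.json' |
        Sort-Object Name -Descending | Select-Object -First 1
    if ($last) {
        (Get-Content -Path $last.FullName -Raw | ConvertFrom-Json).PSObject.Properties |
            ForEach-Object { $previous[$_.Name] = $_.Value }
    }
    $current = Get-FolderManifest -Path $Source
    if (Test-MassChange -Previous $previous -Current $current) {
        throw "More than half of the files changed since the last backup; the source may be encrypted. Backup aborted, nothing overwritten."
    }

    # Compress-Archive is fine for a small file share; for large data or VM
    # images use a proper backup tool, but keep the same verify step.
    Compress-Archive -Path (Join-Path $Source '*') -DestinationPath $zip -CompressionLevel Optimal
    $current | ConvertTo-Json | Set-Content -Path $manifestFile -Encoding UTF8

    # Restore test: expand into a temp folder and re-hash every file.
    $tmp = Join-Path ([System.IO.Path]::GetTempPath()) "restore-test-$stamp"
    Expand-Archive -Path $zip -DestinationPath $tmp -Force
    $restored = Get-FolderManifest -Path $tmp
    $bad = $current.Keys | Where-Object { $restored[$_] -ne $current[$_] }
    Remove-Item -Path $tmp -Recurse -Force
    if ($bad) { throw "Restore test failed for: $($bad -join ', ')" }

    # Keep only the newest $Keep archives and their manifests.
    Get-ChildItem -Path $Destination -Filter 'backup-*.zip' | Sort-Object Name -Descending |
        Select-Object -Skip $Keep | ForEach-Object {
            Remove-Item -Path $_.FullName -Force
            Remove-Item -Path ($_.FullName -replace '\.zip$', '.manifest.json') -Force -ErrorAction SilentlyContinue
        }

    [pscustomobject]@{
        Archive = $zip
        Files   = $current.Count
        Sha256  = (Get-FileHash -Path $zip -Algorithm SHA256).Hash
    }
}

# Usage (as a scheduled task under an account that can write to $Destination):
# New-VerifiedBackup -Source 'D:\Shared\Accounting' -Destination 'E:\Backups' -Keep 14
```

Record the returned SHA-256 somewhere the workstation cannot modify (a ticket, a printed log sheet, the tape label); comparing it before a restore tells you whether the archive itself was tampered with. Run the job under its own account, not the user's, and detach or unmount the destination when it finishes; the mass-change guard protects the copies from being overwritten, but only an unreachable destination protects them from being encrypted in place.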

User awareness: Most ransomware attacks succeed because they exploit the weakest link in the enterprise security chain: people. That is why investing time in training users to recognize social engineering attacks is fundamental, because they are the main targets of these threats. Of course, there is the question of how to do it economically, without incurring high training costs; well, things as simple as posters on notice boards, tips sent by email, routine walks through the departments, and even short 15-30 minute talks to groups of users will not only sharpen their ability to detect such attacks but also give the IT manager valuable feedback on which areas need strengthening.

Keeping these cybercriminals out of our organization is like running a marathon: it takes training and discipline to reach the finish line and keep them at bay. That is why staying current on cybersecurity for our IT infrastructure is essential, so that we understand the attack vectors, vulnerabilities, and techniques that attackers use to compromise organizations.

The biggest challenge when justifying investments in cybersecurity is convincing the company's owner. To do that, we must speak their language, that is to say: numbers! It is not worth wasting time translating the technical reasons for choosing one solution over another; instead, cut to the chase: if our systems stop, the company stops billing hundreds of dollars per day, employees cannot work on their computers, and production halts until operations are recovered. Then we will see how the tone of the conversation changes, and things begin to flow in favor of strengthening cybersecurity in the company.

-------------------

(1) https://assets.sophos.com/X24WTUEQ/at/4zpw59pnkpxxnhfhgj9bxgj9/sophosstate-of-ransomware-2022-wp.pdf

Image: Freepik.com. This cover has been designed using assets from Freepik.com.

More articles by Enrique Hernandez Marquez
