Ransomware Prevention: Interview with Brian Burke

“Have the appropriate team to combat a ransomware event.” – Brian Burke

Ransomware Trends

As a cybersecurity advisory firm that focuses on forensics, our team is in the trenches every day. And we’ve seen some interesting trends as of late 2018. In 2018, ransomware trends showed that attackers were going after the low hanging fruit – companies that didn’t have the resources or motivation to mitigate their cyber risk. The ransoms were relatively low, as low as even a fraction of a bitcoin. But as 2019 rolled around, cyber criminals upped their game and more serious attacks have developed.

Now attacks are far more impressive, spreading like wildfire, not affecting just one or two servers, but an entire environment including the backup. Once you’ve affected a business’s backup, their business interruption time drastically increases, affecting revenue and reputation. The ransomware can also now scan the environment for specific information like Personally Identifiable Information (PII). As a result, ransoms have become much higher. We’ve even seen requests for six-figure ransom demands.

There are still less sophisticated attackers who ride on the heels of the new trends. There are individuals who are using old variants for which you may be able to find the encryption key. And they will most likely affect small to medium-size businesses. Now, though, we are also looking at nation-state attackers and cyber-attack groups with complex attacks that can affect significantly sophisticated organizations. The stakes have been raised.

Business Interruption – What is that?

The definition of business interruption (BI) is the time and subsequent income a business loses due to a disaster, in this case, a cyber attack. The amount of time a business is unable to produce income due to an attack is very situational – depending on their environment, network security, what provider they are using for IT support, and the sophistication of the client’s network security. It is also contingent on if you have the appropriate team in place to combat it, and if you don’t, then how long it takes you to figure that out.

For a small business, there are going to be more roadblocks and missing information, which prolongs the business interruption, but for a sophisticated business, you could be looking at a much more sophisticated attack. Generally speaking, you should expect at least a week of downtime.

To minimize downtime, your business should consider: Are you prepared? What do you have in place? Who are your partners? Do you have an Incident Response (IR) plan in place? All of these factor into the length of your BI in the event of an attack.

Crypsis always responds as quickly as possible once a client or partner makes an inquiry. But sometimes we find that it has taken people a few days or even a week to contact us. Then it becomes a question of what happened in the meantime? Did the ransomware spread? Has it become more serious? Were there things that happened that were detrimental to the company and the backups? If a business doesn’t have a plan and team in place before an attack, it makes it that much harder to get them back up and running after one does happen.

What does it look like when a business engages Crypsis?

When a request comes in, I communicate the issue to our forensic team, finding the individual with the expertise needed for that business and the attack. We assess the issue over the phone as soon as possible with the client, preferably someone in the IT department who can speak to a more granular level, because we understand urgency is paramount. There are other parties like insurance and legal teams who need to be involved as well; we initiate quickly.

One of the services we offer is recovery, specifically recovering the ransomed information. The key here is that we initiate communication with attackers and facilitate payment on behalf of the client. In addition, we ask for proof of life – that the attacker actually does have the ability to decrypt the files.

Once payment has been facilitated, the attacker will give us the decryption tool and we’ll reverse engineer it to make sure there are no additional attacks contained within it. Then we’ll walk the client through the decryption. Once recovery has been completed, we’ll perform a forensic investigation that complements the recovery to provide the source of the attack and how to prevent it in the future.

Business Email Compromise – Tips & Tricks

A business email compromise is an act of giving up PII or funds to a criminal via a spoofed email. First off, be aware that if an attacker compromises one email, they can move laterally to another address and even deeper into the environment. Be mindful: even if you don’t fall for the email trap, they still may have compromised your email. The biggest way to combat it is Multi-Factor Authentication. It’s so easy and cost-effective to use that you should just do it.

The other major step you can take to prevent business emails from being compromised requires setting up policies and procedures for events like wire transfer requests and PII requests. Use an out-of-band communication method to confirm the request. For example, if the request comes in through email, confirm over the phone or even in person. Yes, it is another hoop to jump through and it may slow down business, but it will stop 80-90% of these types of attacks. Finally, as you are looking at emails regarding these requests, keep a critical eye. Hover over the email address to see if it is correct. Take a look at the signature blocks. Does anything look out of place?

At the end of the day, it is entirely about preparation. Cyber attacks will come, but your business can be prepared with the right team in place to defend and recover as needed.

#crypsis #cybersecurity #ransomware #team #networking #relationships

Brian Burke, Director at The Crypsis Group, works as a trusted security advisor before, during, and after data breaches and privacy events. The Crypsis Group is a cybersecurity advisory firm focused on data breach response and risk management. Brian and his team at The Crypsis Group use a combination of deep security knowledge and proprietary technology to rapidly identify, contain, and eradicate attacks for organizations.

To learn more about Brian, connect with him here on LinkedIn.
