Why We Will Lose The Ransomware War Too.
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
We all know that ransomware is the celebrity malware du jour, and we have all read about the responses from the medical centers and hospitals that have been the primary targets of the recent attack wave.
Now we have the results of a survey conducted through Spiceworks, an IT community with over a million members, mostly IT managers and administrators at small and medium-sized businesses.
They were asked whether they had been victims of ransomware, how they responded (or, if not yet hit, how they thought they would respond), and how the threat of ransomware had affected their jobs and their organizations.
The most common theme was, not surprisingly, the immediacy of the event/response cycle. The majority of respondents said they knew they had been compromised within an hour of the event, and 9 out of 10 knew within 24 hours.
Unlike traditional data breaches, where discovery typically takes months, ransomware attacks (in their present form) announce themselves almost immediately: you are locked out, and/or your data is encrypted and useless.
The script the attacker expects you to follow is to pay up, receive your key and begin recovering. What the survey found instead was that most respondents began by isolating the infection and starting a restoration process. That is interesting, because today's ransomware almost never stops at a single machine or set of files, so isolation and restoration are a much larger job than the words suggest.
The other surprising response was that the vast majority said they refuse, or would refuse, to pay the ransom. Surprising because the FBI has most recently recommended paying the ransom* and most of the affected hospital administrators have responded to ransom attacks by paying.
The respondents were overwhelmingly confident that paying would not yield the decryption keys, so the data would be lost anyway, and that they had sufficient backups to recover from.
It turns out, however, that among actual victims only 42% were able to fully recover their data, and even when recovery succeeded the restored data typically lagged the attack by as much as 24 hours: a full day of lost work.
I would say surprisingly, but I am rarely surprised these days: when these IT administrators were asked what process changes they had made following a ransomware attack, fewer than 10% of the victims said they had changed their backup strategy.
Instead, most had tightened restrictions on data access and added phishing/social-engineering training to improve user awareness.
This survey is depressing.
The takeaway is that we have a bunch of IT "professionals" who are focused on the rear-view mirror, refusing to understand the actual nature of current and future ransomware threat profiles, ignoring the obvious necessity of well-designed, frequent, offline backups, and trying to push the problem back onto the users.
There was not a single comment about attack rehearsals, policy on ransom demands and payment, recovery and restoration drills and protocols, or organizational communications processes and targets.
The attempt to move the problem to the users is disturbing because we know that the next strains of ransomware (as in next week's) are going to penetrate networks and backup systems without any help from users whatsoever. What good will improved user awareness do then, I wonder?
The survey respondents did say they wanted new tools to help detect ransomware, and they said they wanted to be able to recover without paying the ransom.
Yeah, and I would like to be having a cocktail at the Kamalame Cay Resort in the Bahamas right now too, but that ain’t happening either.
To assume that detection and prevention tools will magically appear, and that software will somehow figure out how to stop these attacks any time soon, is just plain silly.
The reality is that ransomware is going to be around for a long time; it will morph into something deadlier than a few locked files, and it will become much harder to detect. The future holds not just useless data but useless backups, not just frozen assets but compromised controls on operational medical devices, not just a few hundred or thousand dollars but millions.
Not just data but actual human lives.
So we need to bite a big bullet. We need to segment our networks, move our IoT devices onto shielded, isolated grids, move our backups offline, invest in network behavioral analytics, run every endpoint application inside a micro-VM, build new, protected networks for medical devices in hospitals, kill the BYOD programs, and invest time and energy in policy and protocols for conditional responses. Oh, and sure, keep raising awareness in the user community about what a phishing attack looks like and how social engineering works.
If we don't, we should not be surprised when the frequency, volume and complexity of ransomware attacks increase, the demands start resembling real money, and people's lives are put at risk.
All unnecessarily.
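As an added illustration (not code from the article or from Spiceworks), here is what the "recovery and restoration drill" that no survey respondent mentioned can look like in practice: a Python script that checks a restored backup set against the SHA-256 manifest written at backup time, flags files whose content looks encrypted (the "useless backups" case, where the backup job faithfully copied data that ransomware had already encrypted), and reports the data-loss window against a 24-hour tolerance. The manifest layout, file names, thresholds and sample files are constructed assumptions.

```python
"""Offline-backup restore drill: prove the backup is usable before you need it.

Added example, not code from the article. Assumes backups are plain files on a
restored volume plus a manifest of SHA-256 digests written at backup time and
kept with the offline copy (manifest layout and file names are assumptions).
"""
import hashlib
import math
import os
import tempfile
from dataclasses import dataclass, field

# Legitimately high-entropy formats (compressed containers); anything else that
# looks random is treated as probably encrypted. Extend for your environment.
COMPRESSED_SUFFIXES = (".zip", ".gz", ".7z", ".jpg", ".png", ".pdf", ".docx", ".xlsx")
MAX_RPO_HOURS = 24.0       # tolerated data-loss window (the survey's 24-hour gap)
ENTROPY_THRESHOLD = 7.5    # bits/byte; ciphertext and random data sit near 8.0


@dataclass
class DrillResult:
    verified: list = field(default_factory=list)    # digest matches, content looks like real data
    corrupted: list = field(default_factory=list)   # missing on restore, or digest mismatch
    suspicious: list = field(default_factory=list)  # digest matches but content looks encrypted
    rpo_hours: float = 0.0                          # age of the snapshot when the drill ran
    ok: bool = False


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`: ~8.0 for ciphertext, typically 4-6 for documents."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def restore_drill(restore_root: str, manifest: dict, snapshot_age_hours: float) -> DrillResult:
    """Check a restored backup against its manifest. A passing drill needs every
    file intact, nothing that looks pre-encrypted, and a snapshot within the RPO."""
    result = DrillResult(rpo_hours=snapshot_age_hours)
    for rel_path, expected_digest in manifest.items():
        path = os.path.join(restore_root, rel_path)
        if not os.path.isfile(path) or sha256_file(path) != expected_digest:
            result.corrupted.append(rel_path)
            continue
        with open(path, "rb") as f:
            data = f.read()
        # A matching digest only proves the restore equals what was backed up; if
        # ransomware ran before the backup job, the backup holds ciphertext.
        if shannon_entropy(data) > ENTROPY_THRESHOLD and not rel_path.lower().endswith(COMPRESSED_SUFFIXES):
            result.suspicious.append(rel_path)
        else:
            result.verified.append(rel_path)
    result.ok = (not result.corrupted and not result.suspicious
                 and snapshot_age_hours <= MAX_RPO_HOURS)
    return result


def build_sample_restore(root: str) -> dict:
    """Constructed sample data (not real files): one good document, one file that
    was already encrypted when backed up, one damaged after the manifest was written."""
    good = os.path.join(root, "patients.csv")
    with open(good, "wb") as f:
        f.write(b"id,name,dob\n" + b"".join(b"%d,Sample Patient,1970-01-01\n" % i for i in range(200)))
    encrypted = os.path.join(root, "labs.csv")
    with open(encrypted, "wb") as f:
        f.write(bytes(range(256)) * 16)   # uniform byte distribution: entropy exactly 8.0
    damaged = os.path.join(root, "schedule.txt")
    with open(damaged, "wb") as f:
        f.write(b"original on-call schedule")
    manifest = {rel: sha256_file(os.path.join(root, rel))
                for rel in ("patients.csv", "labs.csv", "schedule.txt")}
    with open(damaged, "wb") as f:          # bit rot / tampering after the manifest was recorded
        f.write(b"damaged")
    return manifest


def run_demo(snapshot_age_hours: float = 30.0) -> DrillResult:
    """Run the drill against the constructed sample in scratch space."""
    with tempfile.TemporaryDirectory() as root:
        manifest = build_sample_restore(root)
        return restore_drill(root, manifest, snapshot_age_hours)


if __name__ == "__main__":
    r = run_demo()
    print(f"verified={r.verified} corrupted={r.corrupted} suspicious={r.suspicious} "
          f"rpo={r.rpo_hours}h ok={r.ok}")
```

The point of the entropy check is that a digest match is not a proof of usability: the drill fails on the sample because one file was already ciphertext when the backup ran, one was damaged afterwards, and the snapshot is older than the 24-hour tolerance. A drill like this belongs on a schedule, against the offline copy, with the result fed into the ransom-payment policy the article says nobody is writing.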
* At the end of October last year, while giving a presentation at the Cyber Security Summit in Boston, Joseph Bonavolonta, Assistant Special Agent in Charge of the FBI's Cyber and Counterintelligence Program, disclosed some details about how the FBI handles companies and individuals infected with crypto-ransomware.
Mr. Bonavolonta said that in most cases, because the FBI cannot help these companies recover their files, its agents often end up recommending that they pay the ransom to get their data back.
Dedicated to stopping cybercriminals. Inventor. Mentor. Optimizer of products and processes. GM | CTO | CPO
(8 years ago) Ransomware plays on our inability to convince "users" that having rights to install/run any program and make any system change they please is not in their best interests. "With great power comes great responsibility" - i.e. you'll lose all your data.
Cybersecurity and Data Privacy Expert
(8 years ago) In addition to biting the big bullet, rights and access management and threat intelligence need to be spot on. Missed it in this article. If we all pay the ransom, where will it end? A million bitcoins?
Carefully standardized Reference Geek at ANS Group Plc; JOAT and penguin farmer
(8 years ago) Paying the ransom is often cheaper than recovering without paying, and even if that were equal, recovery leaves a company without IT resources for longer - so it is in the interests of *your* company that they do pay, but in the interests of *my* company that you don't....
Senior Security Lead @ Victoria's Secret | SOC Architect | Cyber security strategy
(8 years ago) Hi, good article! Restricting unwanted emails to the org network will also help keep this menace out of your way, since most of the ransomware attacks were initiated through malicious emails from unknown senders. Also access restrictions to the file servers and critical servers.
Strategy | Corporate Marketing | Product Marketing | Marketing Management | Director | Communication | Cybersecurity
(8 years ago) IT personnel who pay the ransom and make cosmetic changes to their company's security profile should be let go.