With the current state of ransomware attacks, the White House and many cybersecurity agencies worldwide are urging business leaders to increase cybersecurity against these attacks. In recent months, we have seen large companies fall target to ransomware, and some even giving in to the ransom. Why do some companies give in when the best practice is to never pay the ransom?
What is Ransomware & How Does it Work?
Ransomware is a form of malware that encrypts a victim's files. The attacker then demands a ransom, typically cryptocurrency such as bitcoin from the victims in order to gain access to their data. Ransomware infects a system with a simple delivery method, such as a phishing email that looks like it is from a coworker, with a malicious attachment. Over 90% of ransomware attacks begin with an innocent looking email. The attacker gains the victim's trust through social engineering, then tricks the victim into opening the malicious file that installs the ransomware without the victim even realizing it. Once the malware is successfully installed, it encrypts all of the files on the system, then demands payment in order to get the data back. Some individuals and even companies have given in and paid the ransom to get their data back. Some try to get a decryption key or try restoring from a backup. Ransomware attacks cost companies in one way or another, with the total costs up to billions of dollars globally. Other than the financial and or data loss, your company risks damaging its reputation should data be exposed in a data breach, or concerns due to lack of security.
The Aftermath of an Attack
What do you do if you happen to fall victim to a ransomware attack? What have large companies done in the aftermath of an attack? Just last month, JBS, the world's largest beef supplier, paid $11 millions dollars to the Russian-speaking hacking gang REvil who breached JBS's computer networks. This lead to meat plants across both the U.S. and Australia to shut down for at least 24 hours. JBS indicated in a statement that they were able to get most of its systems running without paying up, but they ultimately decided to pay the ransom to keep their data safe. "At the time of payment, the vast majority of the company's facilities were operational," JBS said in statement via email, adding that they "made the decision to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated." The CEO of JBS, Andre Nogueira further defends their decision to pay the hacking group. "This was a very difficult decision to make for our company and for me personally. However, we felt this decision had to be made to prevent any potential risk for our customers."
On May 7th, the Colonial Pipeline, the largest fuel pipeline in the U.S., suffered one of the worst ransomware attacks to impact an oil infrastructure. Just hours after the attack, the company paid the ransom of 75 BTC, which amounts to an incredible $5 million in order to restore operations. The Colonial Pipeline network was breached by a different Russian-speaking group by the name of DarkSide. In the Senate Testimony on June 8th, Colonial Pipeline CEO Joseph Blount admitted that the company had basic cybersecurity plans in place, but had no discussion or plans of what to do in the event of a ransomware attack. The attack ended up shutting down operations for five days while they tried to get back online safely. This caused some gas shortages and panic in some U.S. areas. Blount defends the companies decisions to pay the ransom, stating it "was the right thing to do for the country" in his testimony to the U.S. Senate. Unlike most companies that choose to pay the ransom, the Colonial Pipeline was able to recover some of the money they paid to DarkSide. The Department of Justice announced Money June 7th that it had recovered $2.3 million of the payment, which is an extremely rare success for ransomware recovery. Lastly, stay aware of new tactics. Read news articles and blogs like ours to stay Vigilant on the latest cybersecurity news.
Ways to Stay Vigilant Against Ransomware
There are many simple things you can do to educate and protect yourself from a ransomware attack. One of the most critical is to be wary of phishing and social engineering. Since most ransomware attacks begin with these kinds of social engineering, it is important to know how to spot a suspicious looking email and not click links or open attachments from unknown individuals or suspicious emails. Another simple step is to have an anti-virus in place. Most anti-viruses now enable malware protection, including Windows Security. The Ransomware protection page in Windows Security has settings for both protecting you against ransomware, and recovering data in you do fall victim to an attack. OneDrive also has built-in ransomware recovery tools. You can access them through the OneDrive interface. Select View files and you can use OneDrive's Files restore capability to restore any pre-attack versions of the files that may be there. While it can be annoying, it does work - two-factor authentication. Seriously. In the Colonial attack, CEO Blount confirmed that the hacking group gained access by hacking into an old account that did not use two-factor authentication, meaning the account was only protected by a password. A basic and often essential cybersecurity step, two-factor authentication requires someone trying to log in to prove they have a second way of verifying their identity besides just a password, such as access to a smartphone associated with that account. A great resource to educate yourself on ransomware and be prepared is a best practices and incident response checklist from the Cybersecurity & Infrastructure Security Agency (CISA).
How Vigilant Can Help
Our engineering team has vast experience in helping companies recover from ransomware attacks, both big and small. To get customized advice on how to protect your business and IT infrastructure from ransomware and other cyber threats, fill out our quick and free form and one of our engineers will get in contact with you!
Learn more about our innovative cybersecurity solutions!
Sources & Further Reading:
https://www.nbcnews.com/tech/security/colonial-ceo-no-ransomware-plan-place-rcna1143
https://www.cisa.gov/publication/ransomware-guide
