Ransomware is a malicious type of cyberattack that originated roughly 30 years ago and, unfortunately, is becoming more elaborate and common. A recent, highly publicized example occurred in early May 2021 and involved Colonial Pipeline, a company responsible for a substantial portion of oil and gas distribution to the East Coast. An entity known as DarkSide launched the attack, which caused Colonial Pipeline to halt its operations. The ransomware rendered many, if not all, critical systems inaccessible as malware spread throughout the company’s network, affecting not only the systems but also other sensitive, proprietary information. The entry point has not been disclosed; however, the breach could have resulted from vulnerabilities in internet-facing systems, with the attackers potentially using known exploits or, possibly, zero-day vulnerabilities. A zero-day vulnerability is a flaw that attackers can exploit before a patch has been made available to address it. Another, more common method of gaining access to a company’s resources is social engineering in any of its varieties (e.g., phishing or vishing). While determining the entry point is essential in a breach situation, you must also be mindful of timing and next steps.
The first question many people ask after a ransomware attack occurs is “What can we do to fix this?” In Colonial Pipeline’s case, executives agreed to pay a ransom of $4.4 million in the cryptocurrency known as bitcoin to regain access to their systems. If your company encounters a cyberattack and does not have a suitable backup solution, paying the ransom may be the only option and, unfortunately, is not a very good one for many reasons. Even if company leadership authorizes and makes the payment, there is no guarantee that system access will be restored; attackers failing to restore access after payment is a fairly common trend. Additionally, if you do regain access to your resources, you will likely need a digital forensic investigative team to examine your systems and verify that the attackers have not built “backdoors” into them, which would grant continued access and the potential for another breach. Simply stated, ransomware attacks are destructive and costly.
So, what is the best solution? You must establish proactive procedures to give your employees and IT team the best opportunity to prevent a successful attack and restore, if necessary, your company’s resources. Outlined below are three steps your company must take to prevent a ransomware attack.
- First, you should implement at least one backup solution for your company’s data and perform regular tests to ensure your data is current and easily accessible. Companies with moderate to large IT environments should implement a mirrored site-to-site backup solution in which data is replicated in real time or several times a day to an off-site/off-network location. Cloud-based solutions similarly exist for this type of replication and can serve the purpose of having an off-network backup copy to protect against ransomware threats. We suggest a mix of on-network and off-network backup solutions so that multiple copies of the data are available, with at least one stored off-network to avoid ransomware attacks encrypting all backup copies. For off-network backups, an encryption solution should be utilized to further reduce the risk of data being compromised. If your company elects to have data managed by a third party, you should review the party’s security documentation. For more information on backup solutions, see our article, Best Practices for Backing Up and Managing Data.
- Additionally, all employees, regardless of position, should be provided security training. Requiring employees to complete training reinforces key security principles that help to reduce the likelihood that an individual will click on a link within an email, disclose sensitive information to an unauthorized individual or group, and/or grant an unintended individual access to a potentially sensitive location to which they should not have access. We cannot overstress the importance of this area, as the human element is typically the weakest and most easily compromised layer of security within a company.
- Last, your IT department and/or any third-party network service provider should regularly review security information related to your network security appliances and systems. Additionally, your company should schedule annual attack and penetration tests to ensure the company is aware of any vulnerabilities that exist within its environment. As a best practice, you should opt to have these assessments performed with authentication, meaning testing with credentials, such as a Windows login. Doing so typically provides more relevant information and a complete review of all software services to confirm proper patching and configuration.
Employing these proactive steps gives your company, and, specifically, your IT department, the best opportunity to combat ransomware.
If you have questions related to ransomware and/or security controls to mitigate this concern, please contact Chris Kreutzer at firstname.lastname@example.org or Jeremy Burris at email@example.com or call 724-934-0344.