FORUM: Ransomware risk management


Financier Worldwide Magazine

April 2017 Issue

FW moderates a discussion on ransomware risk management between Paul van Kessel at EY, Raj Samani at Intel Security, Jonathan C. Trull at Microsoft, and Simon Edwards at Trend Micro.

FW: To what extent are ransomware attacks a major risk in today’s business world? What impact can they have on business operations?

Samani: Cyber crime is a growth industry and ransomware is its poster child. Indeed, in the last 12 months we have seen an enormous uptake in attacks that have not only impacted consumer systems, but the migration now to target businesses of all sizes. Make no mistake, a successful ransomware attack has the potential to significantly disrupt operations. We have already seen examples where impacted organisations have been forced to cease all operations. Indeed, research suggests that a ransomware attack can take up to one week to recover from. With the dependency on technology by every business, this is a significant impact.

van Kessel: Ransomware attacks have increased 170 times year-on-year in the period 2014 to 2016. This growth trajectory will lead to an estimated $1bn in global losses this year. Since it is easy to remain anonymous and buy ransomware services, it is a very low effort and risk for attackers to conduct operations – vastly increasing the risk of the frequency and number of attacks. These attacks can have a devastating impact on businesses. Our research indicates that only 42 percent of companies are able to fully recover their data from their backup systems. The actual ransom money paid is only a small portion of the total costs companies have to incur to overcome the damage that is done. One also has to factor in other costs such as response team cost, stabilisation and restoration efforts and enhancements to the cyber security framework to prevent future attacks.

Trull: Ransomware attacks are a significant risk to today’s businesses. In the past, attackers infiltrated a company’s network, quietly stole and exfiltrated confidential information and then later resold that data on the black market. However, ransomware attacks are providing a direct path to remuneration for attackers as they hold a business’s most valuable data hostage until a ransom is paid. These attacks tend to be very disruptive to business operations and often result in moderate to heavy financial impact. The financial impact from such attacks is tied to both the ransom, if paid, but more significantly to the disruption caused to day-to-day business operations and lost revenue.

Edwards: Ransomware presents a clear and present danger to businesses and other organisations around the world. Its popularity has gone way beyond that of other threats like Banking Trojans. Why? Because the hackers can make a lot more money out of it than from other breaches. The impact can be very severe, depending on the precautions, or lack of, taken by companies. But good security practice can and does help.

Many companies only find out that the backups have not been working when they try to recover from this kind of attack.
— Simon Edwards

FW: Are there particular sectors or industries that are typically targeted by ransomware attacks? Could you highlight any recent, high-profile attacks that demonstrate the potentially devastating consequences?

Edwards: We have seen attacks targeting many different sectors, but the two largest are probably legal and healthcare. Legal, because of the importance of documents to a company and with healthcare, because they are trying to shut down hospitals, which can clearly present a major danger to patients. In many cases, the attacks target network shares, so removing them from use by the organisation. The worst story of the last few months was probably the NHS Trust in the North East of England, which got shut down for nearly three days while it tried to recover from a cyber attack.

Trull: We anticipate that ransomware activity will continue to increase as attackers reap financial success through such attacks. The top attack vectors continue to be via email, drive-by downloads, and unpatched internet facing servers and applications. Globally, ransomware continues to be a problem. In particular, we have seen an increase in Italy and the eastern seaboard of the US. According to our research, the top 10 countries impacted by ransomware include the US, Italy, Canada, Turkey, the UK, Spain, Brazil, France, Taiwan and Australia.

van Kessel: Over the last year, attackers have targeted those industries that have been more likely to pay up. These are primarily healthcare, education, government organisations, critical infrastructure and small businesses. That said, all industries are under attack with the mechanical and industrial engineering industry suffering 15 percent of average ransomware hits, pharma and financial services 13 percent and real estate 12 percent. Locky was the most deployed ransomware in 2016. The malware is distributed using spam emails in which an invoice is presented. If the file is opened, the reader is asked to enable macros which then encrypts files and locks up the system. A bitcoin ransom amount is then demanded to decrypt the data. Locky alone was responsible for over $500m in losses in 2016.

Samani: Ransomware attacks are impacting every sector. However, the question of targeting is particularly relevant. Historically, ransomware attacks would adopt a scatter gun approach, simply acquiring lists of email addresses and emailing the recipients, with malware laden messages meaning that many businesses would inadvertently get caught up with these attacks. However, in the last 12 months there has been a change in the tactics of many ransomware developers. In particular, we have witnessed specific industry verticals being targeted. At present healthcare, local government and education have been the key focus by criminals.

FW: When hit by a ransomware attack, what initial steps should companies take to restore normalcy to their operations?

Trull: Most critically, the company must immediately isolate the infected computer. This will help prevent this machine from infecting others on the same network. Additionally, the company needs to secure critical backup data and systems by taking them offline. It is equally important to ensure that backups are free of malware before restoring systems. Finally, the passwords for the accounts used to access impacted systems should be immediately reset.

Samani: The best form of defence against ransomware is preparation. Now is the time to prepare for a ransomware infection. This demands good hygiene. For example, data backups that are regularly tested will be the cornerstone of any strategy. However, this should be combined with awareness exercises to all employees in an attempt to reduce the likelihood that they open messages that attempt to install malware in the first place. Every measure should be taken to test out the restoration process before it actually happens. This will be essential in making the restoration process as efficient as possible.

Edwards: The first and most important thing is to identify ‘patient zero’, in other words, the machine that got the initial infection. In recent attacks this can often be hard to find, as there is no actual evidence of the host, with no local files encrypted, however, every time you try to restore a backup, the infected host will attack again. It is this action that often takes companies out for long periods of time. But once identified and removed from the network, the job of rebuilding can start – and this then comes down to how good your backup strategy is. Many companies only find out that the backups have not been working when they try to recover from this kind of attack.

van Kessel: Much depends on whether the organisation has a recent backup of the affected data or not. It also depends on whether the backup itself has also been encrypted or deleted by the malware, and the thoroughness of that backup. Additionally, it also depends on which part of the organisation has been impacted by the attack – for example, whether it is in operations or in an area that includes sensitive data that requires reporting. If it has no backup or the quality of backup is poor, an organisation may consider paying the ransom. But if it does decide to pay, it is definitely a case of ‘buyer beware’. There is absolutely no guarantee that the data will then be ‘returned’ – also, by paying once, it becomes a more likely target for a follow-up attack. If a reliable backup is in place, the organisation needs to look immediately at how to refresh the systems, assess what needs to be replaced completely – whether that is hardware or software – and determine which stakeholders may have been affected by the attack. Appropriate communications with those stakeholders is then required, including any relevant regulators.

Companies should ensure that there are offline, restorable backups for all critical business data.
— Jonathan C. Trull

FW: What factors – such as the potential violation of Office of Foreign Assets Control economic sanctions – do companies need to consider when facing a ransomware demand for payment?

Edwards: The first problem is often getting hold of the bitcoins required to pay the ransom. The process is not easy and, more often than not, this will be the first time that anyone has actually had to use the currency. The second problem is you really have no idea where the hacker is. There may appear to be evidence that points to the use of, for example, Russian command and control servers, but that does not mean that the hackers are necessarily based there. Ascertaining the offender’s nationality is therefore very difficult.

van Kessel: Potential violation of sanctions established by the Office of Foreign Assets Control – such as inadvertently contributing to terrorist organisations – is certainly one of the pitfalls. Another aspect to consider is the fact that negotiations with attackers generally have mixed results. Since the ransom money is only a small portion of the total cost, we advise being very careful with these negotiations. Also, even after the ransom money is paid, access to data is not always forthcoming.

Samani: There is one fundamental factor to consider in terms of paying ransomware demands. When the attack occurs it can be very tempting to simply pay a few hundred pounds and restore operations. But remember, you are paying criminals. There is no assurance that they will decrypt the data, but more importantly it encourages the criminals to continue sending malicious content. There is also evidence to suggest that they track where the payments come from in terms of geography. This would explain why countries like the US and the UK are targeted more than most countries.

Trull: When hit with a ransomware attack, it is essential that businesses activate their incident response plan and seek advice from either internal or outside counsel or both. Companies must evaluate not only the legal implications of paying the ransom but also the risk that the actor will not abide by the terms. Paying the ransom is not a guarantee that an organisation will regain access to the encrypted data or that the attackers will not return via a previously installed backdoor. Companies must seriously consider the risks and benefits involved and do so with the advice of legal counsel.

FW: Although preventing a ransomware attack by a dedicated actor is extremely difficult, what can companies do to harden their defences and mitigate any fallout? Are robust backup and recovery procedures essential in this regard?

van Kessel: Backups and robust procedures around ransomware are definitely the fundamental measures to take. The backups need to be isolated from the network, since many ransomware variants attempt to delete shadow or backup files as well to increase their chances of a successful ransom. Equally important are training in good practices, building awareness around the threat and establishing a process to monitor, detect and alert any suspicious activity that is noticed. Reporting requirements depend on the jurisdiction and on whether any sensitive data was stolen.

Phishing emails are typically the primary attack vector, so deploying solutions that block these malicious emails and attachments is necessary. Once on the network, an endpoint and network solution that detects ransomware behaviour can limit the spread.

Trull: There is no one silver bullet to preventing ransomware attacks. However, we have found that focusing on critical hygiene goes a long way toward preventing and responding to most attacks. We recommend a three-part strategy. First, block attacks at the front line. Second, contain compromised systems. Third, backup and restore data in case of successful attacks. For immediate front line defences, we recommend keeping all operating systems and applications up-to-date, training staff to identify and report phishing attacks, maintaining updated anti-malware signatures, restricting exposure of privileged access from endpoints and using secure baseline configurations. To contain an attack, we recommend removing excessive access to shared files, securing privileged access, and using logs and analysts to quickly detect and contain an attack. Finally, companies should ensure that there are offline, restorable backups for all critical business data. The backups should be offline, or access controls should be put in place to prevent the deletion or overwriting of online archives by an administrative account.
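
As an added illustration of the monitoring that van Kessel and Trull describe above (ransomware that deletes shadow copies or backup catalogues, and mass encryption of files on network shares), the following Python script runs two detection rules over constructed sample telemetry. It is not part of the original discussion and is not code from EY, Intel Security, Microsoft or Trend Micro. The log format, hostnames, user names, file paths, thresholds and the list of backup-tampering commands are all assumptions made for this example; the command list goes slightly beyond the text by including the wmic, wbadmin and bcdedit variants alongside vssadmin.

```python
"""Two ransomware behaviour rules over constructed endpoint/file-server telemetry.

Added example: the log format below is an assumption, not a real product's output.
Each line is either
  PROC <ISO timestamp> <host> <user> <command line>
  FILE <ISO timestamp> <host> <user> RENAME <old path> -> <new name>
and lines are assumed to arrive in chronological order.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rule 1: command lines commonly used to destroy local recovery data.
# Patterns are illustrative assumptions; tune them to your own telemetry.
BACKUP_TAMPER_PATTERNS = [
    ("vssadmin-delete-shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic-shadowcopy-delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin-delete-catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("bcdedit-disable-recovery", re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I)),
]

LINE_RE = re.compile(r"^(?P<kind>PROC|FILE)\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<rest>.*)$")
RENAME_RE = re.compile(r"^RENAME\s+(?P<old>.+?)\s+->\s+(?P<new>\S+)$")


def parse_line(line):
    """Split one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def new_extension(old_path, new_name):
    """Return the suffix a rename appended to the original file name (e.g. '.locky'), else None."""
    old_base = old_path.replace("\\", "/").rsplit("/", 1)[-1]
    if new_name.startswith(old_base) and len(new_name) > len(old_base) and new_name[len(old_base)] == ".":
        return new_name[len(old_base):]
    return None


def detect(lines, rename_threshold=20, window=timedelta(seconds=60)):
    """Return a list of alert dicts for backup tampering and mass-rename bursts.

    Rule 2 fires once per (host, user, extension) when at least `rename_threshold`
    files gain the same new extension within `window`, the pattern a single
    workstation produces while encrypting a network share.
    """
    alerts = []
    recent = defaultdict(deque)   # (host, user) -> deque of (timestamp, extension)
    fired = set()                 # (host, user, extension) already alerted
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        key = (ev["host"], ev["user"])
        if ev["kind"] == "PROC":
            for rule, pat in BACKUP_TAMPER_PATTERNS:
                if pat.search(ev["rest"]):
                    alerts.append({"rule": rule, "host": ev["host"], "user": ev["user"],
                                   "ts": ev["ts"], "detail": ev["rest"]})
            continue
        rm = RENAME_RE.match(ev["rest"])
        ext = new_extension(rm["old"], rm["new"]) if rm else None
        if ext is None:
            continue
        q = recent[key]
        q.append((ev["ts"], ext))
        while q and ev["ts"] - q[0][0] > window:   # drop events outside the sliding window
            q.popleft()
        count = sum(1 for _, e in q if e == ext)
        if count >= rename_threshold and (key + (ext,)) not in fired:
            fired.add(key + (ext,))
            alerts.append({"rule": "mass-rename-new-extension", "host": ev["host"], "user": ev["user"],
                           "ts": ev["ts"],
                           "detail": f"{count} files renamed to *{ext} within {int(window.total_seconds())}s"})
    return alerts


def build_sample_log():
    """Constructed sample telemetry (not taken from any real incident)."""
    lines = [
        'PROC 2017-03-01T09:00:01 WS-042 jdoe WINWORD.EXE /n "C:\\Users\\jdoe\\Downloads\\invoice_8831.docm"',
        "PROC 2017-03-01T09:00:04 WS-042 jdoe cmd.exe /c vssadmin delete shadows /all /quiet",
        "PROC 2017-03-01T09:00:05 WS-042 jdoe cmd.exe /c wbadmin delete catalog -quiet",
        "FILE 2017-03-01T09:00:06 WS-042 jdoe RENAME \\\\FS01\\finance\\draft.docx -> final.docx",  # ordinary rename
    ]
    for i in range(30):   # one workstation renaming 30 spreadsheets on a share to *.locky in 15 seconds
        ts = f"2017-03-01T09:00:{10 + i // 2:02d}"
        lines.append(f"FILE {ts} WS-042 jdoe RENAME \\\\FS01\\finance\\Q1\\report{i:02d}.xlsx -> report{i:02d}.xlsx.locky")
    for i in range(3):    # a different user making a few .bak copies: below threshold, no alert
        lines.append(f"FILE 2017-03-01T09:01:{i:02d} WS-007 asmith RENAME \\\\FS01\\hr\\photo{i}.jpg -> photo{i}.jpg.bak")
    return lines


if __name__ == "__main__":
    for a in detect(build_sample_log()):
        print(f"{a['ts']:%H:%M:%S} {a['host']}/{a['user']} {a['rule']}: {a['detail']}")
```

Run against the constructed sample, the script raises three alerts from one workstation: the vssadmin and wbadmin commands, and a single mass-rename alert once the twentieth file gains the .locky extension. Either rule on its own is a reason to isolate the host, as Trull recommends; the rename rule is the one that also tells you which share to check before trusting a restore.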

Edwards: Review your backup strategies and make sure that you have multiple copies, with at least one completely disconnected from the network. But also use advanced monitoring, known as sandboxing, to analyse emails coming into the organisation. Email is without a shadow of a doubt the greatest attack vector and your email systems will be being targeted every day. By using detection technology, emails and their content, be it attachments or URLs, can be properly analysed before they reach the user. It is much better to stop it reaching them, rather than hope that they will not accidentally click on the link or attachment.

As an industry, we are doing everything we can to stay one step ahead. This means that protection technologies will try to prevent the email reaching the company in the first place.
— Raj Samani

FW: What advice can you offer to companies on establishing policies to manage ransomware risks? Should regular staff training and education programmes play a central role?

Trull: Companies should review their security policies and ensure that they sufficiently address the ransomware threat. This should include reviewing the baseline controls required by policy and ensuring that they provide comprehensive protection. I would strongly recommend that companies focus on their data backup and business continuity policies and plans and validate that these plans will work should a ransomware attack occur.

Edwards: Education is absolutely key. ‘Think before you click’ should be a heavily enforced motto. But sometimes you can become infected by simply viewing an otherwise legitimate website. For example, the recent surge of malvertising attacks that infected networks with ransomware was due to network users viewing an advert. So a combination of staff education and awareness, and the deployment of advanced analysis tools to try to stop the attacks, works well. But also make sure that the company has a proper incident response plan, so that organisations know what to do if they are hit and can then practice their response as they would a fire drill.

van Kessel: The most important and effective policies relate to backup and recovery. While most companies know this, in practice they focus on backup policies. However, recovery is equally important. Unfortunately, recovery policies are rarely tested. Restoring data is a very sensitive process and a minor omission can have far reaching impact. And yes, user awareness and education programmes are essential in making a difference. Having said that, be aware that a ransomware incident is around the corner and could happen to you. It is vital to make investments now, around questions such as ‘how would I respond?’ and ‘what would I do?’ The majority of companies are behind in preparing for an incident – whether that is related to a ransom situation, DDOS attack or any other hacking situation.

Restoring data is a very sensitive process and a minor omission can have far reaching impact.
— Paul van Kessel

FW: How do you foresee the security challenges posed by ransomware evolving over the coming months and years? Do you expect companies to enhance their defence and response procedures accordingly?

van Kessel: The execution model of ransomware is evolving and has now reached a level of full maturity. Over time, the model has incorporated innovations such as digital currencies – for example, ransom money can now be paid in bitcoins – and the introduction of ransomware-as-a-service (RaaS), which offers unlimited access to ransomware on the dark web for one bitcoin a year. New innovations are expected, especially related to attacks on internet of things (IoT) devices. We expect that companies will respond, particularly by putting more emphasis on backups which are isolated from the network and by increasing user awareness around phishing emails and the usage of USB sticks.

Samani: As an industry, we are doing everything we can to stay one step ahead. This means that protection technologies will try to prevent the email reaching the company in the first place. Anti-malware technology equally will make every effort to prevent the infection if the threat actually makes its way into the perimeter. However, there will be circumstances when the infection actually finds its way into the company. Criminals will continue to evolve their attacks. But if we as an industry provide tools and technologies, but more importantly do not pay, then we can discourage ransomware developers from trying to hold our data to ransom.

Edwards: Ransomware is today’s big attack vector and in a few years something else will take its place. Last year we saw a massive increase in the number of distinct malware families, over 150 different variants. So we think that this will plateau over 2017. But this is really down to the fact that there are now so many variations available. We predict that the types of devices will change, with more attacks focusing on the industrial IoT – small devices now connected to the internet that control industrial processes. We certainly hope that organisations will review and improve their cyber defences, and with the introduction of GDPR just around the corner, this will also drive improvements.

Trull: Ransomware attacks will continue to increase over time until the profitability of such attacks diminishes. Attackers will likely begin to target new industries and the availability of ransomware in commoditised and easily obtained exploit kits will begin to make small businesses a more likely target. Again, I do not see a silver bullet on the horizon for preventing ransomware attacks. Companies will need to continue to assess and update their defences as the delivery mechanisms for such attacks evolve. Education and maintaining a core set of critical security controls will continue to be the best option for preventing and responding to such attacks.


Paul van Kessel is the global leader of EY’s cyber security services. Throughout his career, Mr van Kessel has worked for major international clients mainly in the banking, insurance, retail, technology and gaming industries. He has also spent a number of years seconded into various organisations in leadership roles such as director of internal audit and chief risk officer. Since joining EY, he has held various leadership positions and in 1995 became a member of the firm’s global risk management team. He can be contacted on +31 884 071 271 or by email:

Raj Samani is actively involved with numerous initiatives to improve the awareness and application of security in business and society. He is currently working as the chief technical officer for Intel Security EMEA. Among other roles, he volunteers as the Cloud Security Alliance Chief Innovation Officer and as special adviser for the European CyberCrime Centre. He can be contacted on +44 (0)20 7608 2500.

Jonathan C. Trull leads Microsoft’s team of worldwide chief security advisers in providing thought leadership, strategic direction on the development of Microsoft security products and services, and deep customer and partner engagement around the globe. Mr Trull joined Microsoft in 2016 as an experienced information security executive bringing more than 15 years of public and private sector experience. Previously, he was vice president and chief information security officer with Optiv, where he developed and executed the company’s information security strategy and programme. He can be contacted on +1 (720)528 1838 or by email:

Simon Edwards has worked in cyber security for over 20 years. In that time he has worked for well-known vendors such as Internet Security Systems, Netscreen and Juniper, as well as being a contractor for HM government, for the likes of HMRC, MoD and NATO. He now works for Trend Micro as a cyber security architect, advising organisations on how best to design and implement their solutions. He can be contacted on +44 (0) 203 549 3300.

© Financier Worldwide