Ransomware attacks have been increasing and it is now common for the threat actors behind these attacks to not only encrypt data to prevent access, but also to steal data prior to file encryption and then threaten to sell or publish the data if the ransom is not paid.
Data exposure or data loss can have major consequences but the biggest threat for businesses is often the downtime caused by a successful attack. It is often this downtime, rather than any ransom payment, that contributes the most to the high cost of recovery. Even when the ransom is paid and the keys are supplied to decrypt data, recovery can be slow and businesses can face weeks of disruption.
Each day that systems are out of action can have major financial consequences. The ransomware attack on Universal Healthcare Services (UHS) in September 2020 caused outages of its electronic health record system at all 400 of its care sites for around 3 weeks. That downtime cost UHS $67 million in lost revenue, which is far in excess of the ransom payment demanded by the attackers.
The recovery time can be greatly reduced when organizations are prepared for an attack. Businesses need to fully understand the risks involved in an attack and how those risks will impact the business, and they need to develop and test business continuity plans so that the plans can be implemented immediately in the event of an attack and are known to work.
Over the past few months there have been many major ransomware attacks on businesses in the United States and Europe. These attacks have caused major disruption to businesses and organizations in the public and private sector, including disruptions to critical infrastructure that have threatened fuel and food shortages, with the disruption to healthcare services placing patient safety at risk.
Following the Colonial Pipeline attack, President Biden made combating these attacks a key priority, not only ensuring that the resources are in place to bring the individuals behind these attacks to justice, but also disrupting the infrastructure used by these ransomware gangs to make the attacks less profitable. President Biden will also be having conversations with President Putin at the upcoming Geneva summit on June 16 to try to get Russia to take action against ransomware gangs, many of which operate out of Russia.
Press Secretary Jen Psaki said, following the ransomware attack on the food production company JBS Foods, that President Biden “has launched a rapid strategic review to address the increased threat of ransomware, to include four major lines of effort.” These involve disrupting ransomware infrastructure and actors, building an international coalition to hold countries harboring ransomware gangs accountable, expanding cryptocurrency analysis to pursue criminal transactions, and reviewing internal ransomware policies.
Anne Neuberger, the chief cybersecurity advisor of the National Security Council, recently wrote an open letter to the business world on behalf of the White House warning about the threat from ransomware and providing basic cyber hygiene steps that can be taken to defend against attacks. She also urged the business community to take the threat from ransomware seriously and treat it as a threat to core business operations, rather than a data security threat, and to ensure corporate cyber defenses are in place to match the severity of the threat.
“The most important takeaway from the recent spate of ransomware attacks on U.S., Irish, German and other organizations around the world is that companies that view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively,” said Neuberger. “To understand your risk, business executives should immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business continuity plans to ensure you have the ability to continue or quickly restore operations.”
In the letter, Neuberger suggested five best practices to adopt to reduce the risk of a successful ransomware attack:
- Back up data, system images, and configurations. Test the backups and keep them offline.
- Update and patch systems promptly.
- Develop and test the incident response plan.
- Check the work of the security team using a third-party penetration tester.
- Ensure networks are segmented: separate corporate business functions from manufacturing/production operations, and limit and filter internet access to operational networks.