Ransomware: US Government Takes Action
If ransomware were a legal industry it would most likely win multiple awards for innovation. Few services have done a better job of staying ahead of the technological curve.
- Not so long ago, current backups were an adequate defense against most attacks. If your business was compromised, you could restore your data and be back up and running with minimal interruption. Now most ransomware operations practice double extortion: an organization's sensitive data is exfiltrated before it is encrypted and is published to the Dark Web if the ransom isn't paid. In other words, your backups alone don't protect you anymore.
- No programming skills? No problem. Ransomware is no longer the province of the skilled coder, as Ransomware as a Service (RaaS) has become the norm. Anyone who can reach the Dark Web can buy ransomware off the shelf, as long as they agree to share the proceeds with the developers.
- And why attack a single organization when you can target hundreds? The recent Kaseya attack opened new dimensions in ransomware possibilities. Attackers exploited a vulnerability in Kaseya VSA, the remote monitoring and management product that managed service providers use to administer their customers' systems, and pushed ransomware down through those providers to their clients. The best current estimate is that somewhere between 800 and 1,500 small to midsize businesses were compromised across customers in ten countries. Even more frightening, those companies represent only about one-tenth of one percent of Kaseya's client roster, so the potential reach of a single supply-chain compromise is far larger than what was actually hit.
In short, what was already a very serious situation has become something of a perfect storm, as all this innovation encountered a bonanza of security flaws wrought by the pandemic and the sudden shift to a work from home (WFH) environment. Further, cryptocurrency makes ransom payments much harder to trace and recover. The more successful attacks there are, the more funding these modern pirates have available to pursue new and better methods. It's a textbook definition of a vicious circle.
Into this breach, belatedly perhaps, steps the United States government, as the Department of Homeland Security (DHS) and Department of Justice (DOJ) have jointly launched a new website, StopRansomware.gov. The new site is intended as a one-stop resource, consolidating information from multiple federal agencies into a single platform that includes guidance on preventing attacks as well as reporting and responding to them. Much of the information is consolidated into a 16-page PDF guide. The site also features a variety of other resources, including webinars and training videos.
While any consolidation of resources is a worthy effort, much of the information available on the new site falls into the Ransomware 101 category (“maintain regular backups,” “prepare a cyber incident response plan,” etc.), while the bad actors seem to have moved on to graduate-level work as noted above.
There are, however, some interesting nuggets, especially in the sections about responding to a breach. For example, once a compromise has been detected, communicate by means other than the compromised network (personal phones, an outside messaging service, in person) so as not to alert the attackers that you are aware of them, which might force their hand into launching a full-scale encryption or destroying backups before you have contained them. That only works if the out-of-band channel has been agreed and tested before the incident, so it belongs in the response plan, not in the improvisation that follows discovery.
The government also recommends against ever paying ransom. This is a widely debated topic, since the majority of incidents seem to involve "honest criminals": once the ransom is paid, the organization's data is decrypted as promised, and in some cases paying up may look like the path of least resistance. There are no guarantees, though. Decryptors supplied by attackers are often slow or buggy, and payment does nothing about copies of stolen data that the attackers still hold.
The site also advises contacting authorities, in part because free decryptors exist for some ransomware variants. Finding one that matches your strain is a low-percentage play, but worth checking before any payment decision is made, and reporting the incident is worthwhile regardless.
The proverbial elephant in the room, of course, is how much of this ransomware activity is state-sponsored. The federal government has accused both Russia and China of supporting these efforts to inflict lasting damage on the American economy. There is almost certainly quite a bit happening behind the scenes that may never come to light.
For all the changes, ransomware remains an existential threat to businesses of every size, and hoping for the best is no longer a viable strategy. Every organization needs a prevention plan that addresses both technological factors and training of personnel, as well as a detailed response plan should a breach occur.