Ransomware attacks underscore that cybersecurity is a business issue, not an IT issue

    Ransomware, a growing threat to individuals, governments, and private companies, is a type of cyberattack that leverages malware to block access to a computer system and its content until a ransom is paid. 

    In addition to the financial impacts of their ransom demands, these attacks can also impact safety or operations for the targeted company and beyond. Attackers may threaten to sell or leak sensitive data, as in a recent attack on the Washington, D.C., police department that reportedly led to the leak of sensitive documents and officers’ personal information. The high-profile attack on Colonial Pipeline reported May 7, 2021, led Colonial to shut down its pipeline operations for several days, sparking widespread urgent gasoline purchases in several states due to the perception of shortages – which, in turn, created shortages in some areas.

    Why ransomware attacks are becoming more prevalent

    • Large payoffs. In 2020, ransoms paid averaged about $300,000 and ranged up to $10 million. Colonial Pipeline reportedly paid $4.4 million in ransom.
    • Difficult-to-trace payoff. The advent of cryptocurrency enables ransomware threat actors to collect funds because the currency is difficult to trace.
    • Adaptable and easy to share. In the Colonial Pipeline incident, the FBI identified the ransomware as that of the DarkSide group, “a ransomware as a service variant, where criminal affiliates conduct attacks and then share the proceeds with ransomware developers.” 
    • Easy access to the weakest link. Ransomware actors have been successful at exploiting the weakest link in the cybersecurity lifecycle: humans. Employees are easily deceived into clicking links that provide threat actors the entry point to the organization’s systems. 

    How to protect your organization

    To avoid or mitigate ransomware attacks, organizations need to have insight into their enterprise-wide risk, including their third-party landscape and the security measures deployed across their business environment, as well as the extended enterprise as a whole. 

    Consider these steps to help protect your organization against these sophisticated attacks:

    • Conduct a cybersecurity risk assessment to help identify where critical data is located, how that data is classified, who can access it, and how it is protected. 
    • Develop a formally documented and frequently tested incident response (IR) plan that details how to detect incidents and how to respond when they occur, from minimizing financial, reputational, and regulatory consequences to notifying all appropriate affected parties.
    • Know which applications are running and whether they are patched and up to date. It is critical (whether for in-house or procured applications) that secure coding best practices are leveraged and that security impact analysis is done prior to pushing to production. 
    • Enforce basic security measures such as multi-factor authentication, patching of operating systems in a timely manner, and employing need-based access controls.
    • Ensure that regular backups are performed and a copy of the most recent backup is stored offline. Additionally, make sure to test that the backups are recoverable in the event that your systems and data are corrupted as a result of the malware attack and recovery. 
    • Implement technologies and processes such as: 
      • A security information and event management (SIEM) solution that automates threat detection
      • Network monitoring tools
      • Endpoint threat detection and response
      • Anti-malware software on all devices and the network
      • Ongoing vulnerability scanning
      • Frequent penetration testing
      • Automated patch management tools for applications and operating systems
      • Data loss prevention
      • Situational awareness of the latest threats
      • Ongoing employee training and awareness programs

    With the publication of President Biden’s Executive Order Improving the Nation's Cybersecurity, the U.S. government has recognized that Colonial Pipeline and other recent incidents “share commonalities, including insufficient cybersecurity defenses that leave public- and private-sector entities more vulnerable to incidents.” The work needed to reduce the national risk will require strong partnerships across both the private and public sectors.

    Contact our team for more information on how to prepare for, detect, and respond to cyber incidents. 

    Contact

    Bhavesh Vadhani, Principal, National Director, Cybersecurity, Technology Risk, and Privacy 

    703.847.4418

    This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. Neither CohnReznick LLP or its personnel provide legal advice to third parties. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees, and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.