How to avoid this thought: “Does my accountant know how to accrue ransom payouts on the balance sheet?”

The average ransomware payout is now more than $41,000. In July of 2020, the University of Utah paid $457,000 in order to avoid the litigation that would follow the extortion concerning some of their critical data. The payouts occurring in July and August of 2020 have far exceeded the average as the criminal organizations are now threatening to expose data in addition to “only” encrypting files.
Ransomware is a class of malware (Malignant Software) with the goal of eliciting payment for retrieval of sensitive, critical, and/or confidential data. Ransomware will, typically, hold your data hostage behind a cage of encryption or logical barrier until you pay the (literal) ransom, usually in Bitcoin or other less-traceable currency. Ransomware is an ingenious and dastardly vector of attack and has the potential for severe reputational and emotional damage to a business, not to mention cash flow.
Big companies and large universities are suffering significant monetary damages and reputational losses from ransomware. These are organizations with the deepest of pockets, the best public relations firms, and the finest connections to the political elite. If it can happen to them, can your organization survive even one ransomware attack?
The most reasonable strategy of avoiding a successful compromise arising from ransomware involves the adage, “You don’t have to run faster than the bear to get away. You just have to run faster than the guy next to you.”1 Meaning the bad-guys are on the lookout for the lowest hanging fruit and the least prepared organizations. In all seriousness, mitigation strategies for these types of attacks are generally low cost, and the time spent implementing these controls far outweighs the potential shattering cost of compromise.
Training #
Every company needs security awareness training that includes examples of social engineering emails, phishing attempts, and what-if scenarios. Your employees (or you) are likely going to be the ones to make the mistake that results in the frenzy that follows a successful ransomware attempt. Get a trainer, give examples, and don’t underestimate the reality of the repercussions.
Security awareness training vendors are plentiful. Some are automated “watch-and-click-through” presentations, while others are hosted by an expert in the field. Live sessions are quite useful if you have an organizational population that consists of individuals with differing levels of experiences. Also, it is important to have an expert answer the challenging questions those in your organization may have regarding your particular information security controls. Whether you go with a robot or human, look for content developed by individuals with information security credentials; Certified Ethical Hackers (CEH), Certified Information System Security Professionals (CISSP), or Offensive Security Certified Professionals (OSCP), to name a few.
Mitigations #
Back up your data in multiple locations. If the risk to your organization is based upon data loss, this will save you! Updating applications and patching software are critical. If ransomware or other malware payloads can be dropped onto your systems or in your application because you have not maintained adequate security patch levels, no need for a phishing campaign! Finally, mechanisms and controls focused on reducing access to your critical data from the internet or from internal systems are crucial to mitigating the risk of any type of malware touching the backend. If the risk to your organization is based upon the legal fallout over data disclosure, engage with a cybersecurity/ransomware insurance provider as a last line of defense.
Best Practices #
Give users only the access they need to perform their job. Allow only trusted programs and applications to run on your infrastructure and lock down email with some basic phish and spam protections. Anti-malware solutions are still your good friend, and they may be the last guard at the door before an executable is able to run in the background with the intent to encrypt your critical data. Ensure that your administrators know which software and firmware require routine patching and validate that all security patches are installed in a timely manner. Finally, stay up to date with US-CERT vulnerability alerts and find a trusted external partner to act as a check against internal policies and procedures to ensure that the critical cybersecurity controls you depend on to protect your organization from a ransomware attack or in place and operating effectively.
1 Quote from author Jim Butcher, and countless grandfathers
Tyson Savoretti, Senior Security Consultant, CISA, CEH, SSCP, CySA+, Pentest+, PCI-ISA