Insights on response readiness to a Ransomware Attack

Alvaro Lozano, founder of Pracsec Information Security

While there is a continuing presence of state-sponsored threat actors targeting critical infrastructure owners, the threat of a ransomware attack in recent times has become much more indiscriminate.

Criminal profitability has become better structured through large-scale offerings of Ransomware as a Service, which target organisations and businesses of any size worldwide. At this scale, access to expensive zero-day exploits makes perfect business sense, and these exploits of zero-day vulnerabilities are the most dangerous cyber weapons used in ransomware attacks today.

For years, payloads of a ransomware attack have included the threat of data leaking in addition to data encryption. The health sector and other custodians of sensitive or private information have been particularly vulnerable to this double threat approach.

In addition to file encryption and data leak extortion, we have seen an increase in Distributed Denial of Service stressors against victims' websites and other externally facing information infrastructure while victims are still mulling over the extortion note and ransom payment demands. Attackers employ these multiple techniques with no regard to human impact, driving a sense of urgency that the capability for a timely restore from backup tapes will simply not mitigate.

The assumption that a traditional systems disaster recovery plan with working backups will suffice in the event of a ransomware attack is flawed. Acting on that belief most often ends in paying the ransom or losing systems and data.

There are two key reasons for this:

1. Being able to restore each individual system and its data to a point in time permitted by the victim's backup regime does not, on its own, guarantee an end state that predates the compromise.

Restoring an entire network to an uncompromised state that is also free from the original vulnerability requires very detailed threat and activity information and intelligence, obtained before and during the attack as well as after the network and systems have been restored to an (assumed) pre-compromise state. Gaining an understanding of the attack as part of the recovery plan is vital: how it started, how it propagated, and which systems it affected. A single affected system restored to a point in time that turns out to be after its individual compromise will lead to a resurgence of the attack. Disaster recovery in the face of ransomware is far more complex. Even the best backup and recovery systems and procedures, without extensive and effective network and system activity visibility and relevant threat detection, will more often than not lead to a poor outcome.

2. The simultaneous recovery and investigation operation that follows a ransomware attack takes time (a lot of time) and resources.

The recovery and investigation process, even when assisted by good visibility and point-in-time state management for systems and data, can take weeks. It can cost millions. It is going to frustrate and exhaust your IT department more than any other event in their careers. System inter-dependency complicates the order of restoration, and the investigation part of the process will often force the recovery process to stop or go backwards. Doing it right is slow.
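To make points 1 and 2 concrete, here is an added example (not code from the article or from Pracsec) that picks, for each host, the latest snapshot taken strictly before the first evidence of its compromise, orders restores so dependencies come first, and holds back any host that has no clean snapshot, whose compromise time was never established, or whose dependency is itself held back. The hosts, snapshot times and dependencies are constructed for illustration.

```python
from datetime import datetime as dt
# Added example, not the article's code. Hosts, snapshot times and dependencies are constructed.
# host -> (snapshot times, first evidence of compromise or None if unknown, dependencies)
HOSTS = {
    "dc01":       ([dt(2024, 6, 1), dt(2024, 6, 3), dt(2024, 6, 5)], dt(2024, 6, 4, 2), []),
    "fileserver": ([dt(2024, 6, 4), dt(2024, 6, 5)], dt(2024, 6, 2), ["dc01"]),
    "web01":      ([dt(2024, 6, 1), dt(2024, 6, 5)], None, ["dc01"]),
    "app01":      ([dt(2024, 6, 2), dt(2024, 6, 5)], dt(2024, 6, 6), ["dc01", "fileserver"]),
}

def safe_restore_point(snapshots, first_compromise):
    """Latest snapshot taken strictly before the first evidence of compromise.
    None means nothing can be certified clean: every snapshot postdates the
    compromise, or the host's timeline was never established."""
    if first_compromise is None:
        return None
    clean = [s for s in snapshots if s < first_compromise]
    return max(clean) if clean else None

def restore_order(hosts):
    """Dependencies first (depth-first topological order); a cycle is an error."""
    order, done = [], set()
    def visit(name, path=()):
        if name in done:
            return
        if name in path:
            raise ValueError(f"dependency cycle through {name}")
        for dep in hosts[name][2]:
            visit(dep, path + (name,))
        done.add(name)
        order.append(name)
    for name in hosts:
        visit(name)
    return order

def restore_plan(hosts):
    """(ordered restores, hosts held back with the reason). A host is held back when
    it has no clean snapshot or when a dependency is held back: rebuilding it on top
    of a possibly compromised dependency is how an attack resurfaces."""
    plan, blocked = [], {}
    for name in restore_order(hosts):
        snapshots, first_compromise, deps = hosts[name]
        point = safe_restore_point(snapshots, first_compromise)
        if point is None:
            blocked[name] = "no clean snapshot" if first_compromise else "compromise time unknown"
        elif any(d in blocked for d in deps):
            blocked[name] = "dependency held back"
        else:
            plan.append((name, point))
    return plan, blocked
```

With the constructed data only dc01 can be restored (from the 3 June snapshot); the other three hosts are held back for investigation, which is exactly the stop-and-go the article describes.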

It is estimated that 20% of victims who are able to restore from backups end up paying ransoms. Very recently Colonial Pipeline operators and their recovery contractor Mandiant had backups which were sufficient to restore the network, yet the company ended up paying over US$4m in ransom.

It is as important to be aware of the limitations of recovery plans and technologies as it is to have them in the first place. These limitations and considerations need to be factored into your business continuity and risk management plans.

In addition to effective data backup and recovery procedures, a full and timely recovery requires effective cyber-reconnaissance. This is enabled by extended network and systems visibility, collected and correlated in real time with up-to-date threat intelligence sources relevant to the organisation's digital risks, and delivered with minimal noise.

Achieving low noise while maintaining breadth of threat observability is hard. It can only be achieved by mapping the risks specific to an organisation's information assets rather than chasing every cyber-threat out there; one must be able to isolate and prioritise.

There are many systems out there that are able to aggregate, sort and prioritise threat intelligence data. There are few that deliver intelligence relevant to your risks without making you spend a lot of time filtering through vast amounts of data and alerts.

Every business and government organisation big and small is responsible for its practices in monitoring the threats to its digital assets across all environments of exposure. It is also responsible for ensuring that activity and threat intelligence is collected and preserved. The continuity of your business in the face of a Ransomware attack will depend on it.