Corporate Ransomware Protection

Recent headlines have touted the fact that the number of ransomware attacks are down. However, before you breathe a sigh of relief, it is important to understand that the number of attacks has dropped because fewer criminals are indiscriminately sending malware-infected files and links to anyone and everyone (although this technique, referred to as “phishing,” does still happen quite a bit!). Instead, many have shifted to targeting corporations, healthcare providers, schools, governments, and other entities with deeper pockets. We will refer to this as “corporate ransomware,” although it is important to remember that the criminals are targeting non-corporate entities, too.

Anatomy of a Corporate Ransomware Attack

To understand what is happening in a ransomware attack, it is helpful to understand both what the victim sees and the approaches typically undertaken by the criminals. If you are already familiar with these topics, you can skip ahead.

The Victim’s View of the Attack

A ransomware attack involves the criminal locking the victim’s data with a key that only the criminal controls. The criminal then holds the data for ransom which is frequently demanded in “altcoin” or cryptocurrecies, such as Bitcoin or Etherium. The criminals typically threaten to delete the key within a certain amount of time (e.g., 3 days) unless the ransom is paid.

The process of locking the data can take several forms, and is generally called “encrypting” the data. To gain access to the data, the victim must either purchase the key from the criminal (i.e., pay the ransom) or find a tool to reverse the encryption (called decrypting the data). While decryption tools do exist, criminals change their tactics frequently and will adopt new forms of encryption to render the decryption tools useless.

The Criminal’s View of a Corporate Ransomware Attack

Corporate ransomware attacks involve more up-front work on the part of the criminals. The criminals typically choose one of two attack vectors: social engineering and spear phishing, or exploiting vulnerabilities in Internet-facing software and systems.

Social Engineering and Spear Phishing Attacks

Social engineering is the attack method preferred by many cyber criminals because it is highly effective. Social engineering involves gathering information about a victim using publicly available sources (referred to as “open source intelligence” or “OSINT”), including corporate websites, social media, print/online media, government records, and even by simply calling the corporation. The criminals use this OSINT to build a profile of their target corporation, including contact information for key individuals. Many criminals know that corporations have put in place additional features to protect their senior management, and thus the criminals may bypass those people as targets. Instead they target those in the corporation’s upper-middle-management who are less likely to think they are the target of an attack, making them easier victims. Targeting a few individuals, a practice called spear phishing, reduces the likelihood that the E-mail, text, WhatsApp, or other messages that the criminals will send to the victim will be identified as a potential problem. Spear phishing can be made even more effective through business E-mail compromise, a technique in which the criminal sends a message that impersonates someone else in the corporation, such as the CEO or the victim’s manager.

When the victim opens the message and clicks on the link or attachment in the message, they create a path through which the attacker can gain access to the victim’s corporate network account. This access allows the criminal to install additional software and change settings on the victim’s computer, and provides a footprint from which the criminal can malware laterally within the corporation. The criminal can also use the access to the victim’s account to send E-mails and other messages from the victim’s account(s) to the victim’s contacts. This practice, referred to as “Island Hopping”, can be very effective, as illustrated by the recent attack on the Los Angeles Court System and the attack on the US electrical grid.

Vulnerabilities in Internet-facing Software and Systems

As we discussed in our post about vulnerabilities, exploits, etc., computer hardware and software frequently contain flaws which create vulnerabilities in the hardware or software. In some cases the vulnerabilities are severe enough that criminals can exploit them to take control of the software or hardware. For example, a recently discovered flaw in the Remote Desktop Protocol that ships with Microsoft Windows can allow criminals to quickly take complete control over the target computer.

Identifying a target corporation’s computers and the vulnerabilities they contain can take some time, although there are automated tools like OpenVAS, Nessus, and OWASP Zap that can make this easier. The criminal uses the information gathered from these tools to identify specific exploits that can be leveraged to gain access to the system. Since this style of attack does not require a victim to take any action, these attacks can be significantly harder to detect, allowing the criminals to persist in the victim’s networks for a long time and thereby ensuring comprehensive damage when the ransomware is triggered.

The Return on Investment

The return on the criminals’ investment in corporate ransomware attacks is huge. Instead of typical individual ransomware attacks in which the victims are forced to pay a few hundred to a thousand dollars to decrypt their files, corporate ransomware victims must pay thousands of dollars, and in some cases significantly more (some have reportedly paid over $900,000 to decrypt their files).

Should you pay the Ransom?

Although it may be the only way for some victims to recover their files, paying the ransom is not typically recommended by the US Federal Bureau of Investigation (FBI) and other law enforcement agencies. This is for a variety of reasons, including the facts that it:

  • incentivizes the criminals to continue to target others;
  • encourages other criminals to turn to ransomware attacks; and,
  • may not result in the recovery of your data (yes, there are dishonest criminals).

Ransomware Protections

The best way to avoid a corporate ransomware attack is to be prepared. As discussed in detail below, Fathom Cyber’s recommended approach includes a combination of training, attack surface reduction, data backups, insurance, and planning.

Training

As described above, your company’s employees are likely to be the targets of social media/spear phishing attacks like those described above. The best way to help them avoid falling victim to the attacks is to train them on how to recognize an attack and then to periodically test them to make sure they are keeping security top-of-mind.  Services like KnowBe4.com and Cofence’s PhishMe can help with this process.  Fathom Cyber also runs custom, spear phishing tests for our clients.

Reduce your Attack Surface

Employee awareness is critical toward reducing your organization’s likelihood of being the victim of a ransomware attack, but lets face it, everyone makes mistakes.  That is why employee training should not be your only defense.  Instead, your organization should reduce its attack surface.

Enable Multi-factor Authentication

Multi-factor authentication involves the use of more than just a username and password to login to a system.  It requires at least two of: something you know (e.g., the password), something you have (e.g., your phone or a “fob”), and something about you (e.g., your face, fingerprint, etc.).  In particular, the use of a fob or token-based code (such as  Microsoft Authenticator, Google Authenticator, or Duo), as opposed to SMS/text based codes, can make it significantly harder for ransomware to spread throughout your organization.  In fact, according to a recent Microsoft study, the use of multi-factor authentication would have prevented over 99% of recent account take-over attempts.  Since account takeover is a significant part of the way ransomware spreads, multi-factor authentication can reduce this portion of the organization’s attack surface.

Take Systems Offline or Require VPN Access

As we saw with the recent discovery of the Bluekeep vulnerability in Windows’ Remote Desktop Protocol (“RDP”), vulnerabilities in the software or operating systems running on any device that is exposed to the Internet can cause significant security problems.  Wherever possible, move devices behind a firewall that has only the minimum number of ports open to the Internet, and instead make the devices accessible only via a Virtual Private Network (“VPN”) tunnel through the firewall.  The VPN should require multi-factor authentication for all users and, where practical, equipment certificates as well.  Moving devices behind a firewall will significantly reduce the organization’s attack surface.

In the age of virtualization and containers, we also often see systems or containers stood up for a particular purpose (e.g., to test a new version of software).  However, what frequently happens is that those systems stay running even after they are no longer in use.  If a system or container does not need to be running, it should be taken offline.  This lessens the administrative burden and reduces the attack surface by reducing the number of devices that can be attacked.

Disable Macros

Macros can be powerful tools for automating repetitive tasks.  Unfortunately, macros are also used extensively by criminals when attacking a victim.  Disabling macros in Microsoft Office programs like Word, PowerPoint, and Excel, as well as non-Microsoft programs that have macro capabilities such as Adobe Acrobat will significantly reduce the organization’s attack surface.

Disable Unnecessary Browser Extensions

Browser extensions are a frequently overlooked source of vulnerabilities.  Depending on their source, the extensions may not be maintained to quickly remove newly-discovered vulnerabilities, and since the browser is the user’s primary interface with a malware-laden Internet, it is wise to disable all unnecessary browser extensions.  This should be done for all browsers permitted in the environment including Chrome, Edge, Internet Explorer, Firefox, and Safari.

Patch Systems

One way in which ransomware spreads is by exploiting known vulnerabilities in various software or hardware.  Keeping systems patched with the latest versions of software will significantly reduce the attack surface by taking away potentially exploitable vulnerabilities.  We typically recommend enabling automatic updates in an environment, especially for end-user devices.  As discussed above, users are targeted by phishing and spear phishing attacks, making their devices a common source of entry to the organization.  At the same time, many end-user devices run with few if any custom applications.  This makes any changes in an automated update much less likely to cause problems on the end-user device.

Automatically deploying software updates on servers and other equipment may require more analysis.  Servers frequently run custom software, and changes to the operating system or other software may have unexpected consequences that will have a more significant impact on the organization. Similarly, networking equipment plays a vital role in keeping the organization’s communications functioning properly, and any issues created by a software update may result in a significant impact on the organization. Therefore, we recommend more thorough testing before deploying updates to servers and communications equipment.

Back up Data

The steps outlined above are straightforward, and can often be implemented with little or no cost to the organization, but can result in a significant reduction to the organization’s attack surface.  However, the organization needs to prepare to recover from eventual successful ransomware attack. One of the best ways to recover from a ransomware attack is to restore the data from backups.

Online Backups

Some organizations use online, or cloud-based, data storage, such as Box, DropBox, OneDrive, Google Drive, etc., for their data storage.  This is very convenient, as it allows access to the data from anywhere.  However, online data storage should not be confused with backed up data.  Many ransomware authors actively search for and encrypt data stored in these online data stores.  Unless the online data is backed up (some online data storage providers offer this as an additional, fee-based option), the ransomware is likely to render the online unavailable just as it does the locally-stored files. 

One exception to this is online providers who store multiple versions of a file.  In that case, the customer may be able to recover an earlier, unencrypted version of the file.  You should consult with your online data storage provider to see if this option is available and, if not, consider backing up to offline media or paying the online data storage provider to back up the data.

Offline Backups

The best way to keep your data from being encrypted is to keep it out of reach by the ransomware.  This typically involves storing the data in an offline backup, such as tape or removable drive.  However, it should be stressed that this media must be taken offline except when it is being written to/read from for backup/recovery purposes. Otherwise, it will be encrypted by the ransomware!

Testing

Whether you decide to rely on offline backups, online backups, or an online data storage provider’s version control as your way of recovering from a ransomware attack, it is crucial that the backups are regularly tested to ensure they provide the information needed to get the organization up and running quickly.  It is also important to test for other aspects of a recovery scenario, including the installation of operating systems and software on new computers should that become necessary.  Testing can provide invaluable benchmarking data that can be used to show how investing in other cybersecurity tools (e.g., a properly configured Security Incident and Event Monitor, or SIEM), can be more cost-effective than relying on recovering from backups, especially when productivity and other losses are taken into account.

Cyber Insurance

Another important consideration in an overall ransomware incident response plan is whether the organization should purchase cyber insurance.  Cyber insurance is intended to give victims of a computer attack a way of covering their losses.  The problem is, many cyber insurers aren’t yet sure how to characterize the risks, and most policies are focused on one particular type of business (typically B-to-C like an E-commerce site (like Amazon) or a forum(like Yelp or Reddit)).  If your company is in the B-to-B space, you need to be much more selective about the policy you choose, because it may not cover the losses that are most likely for your business.  Just look at the First National Bank of Blacksburg, where the bank bought cyber insurance but it had a carve-out for exactly the kind of loss it had previously experienced.  The magnitude of the pay-outs are so unexpectedly large that some insurance companies are also finding creative excuses for why they shouldn’t pay a claim.

When the policy covers the risks/events, cyber insurance can be invaluable.  Some policy types give immediate access to expensive specialists who can help ensure the organization is in compliance with its legal, regulatory, and most importantly ethical/moral obligations, including providing assistance communicating with the press and customers.

It should be noted that many carriers, including some major insurers, are exiting the cyber insurance market because they do not yet have a good way of characterizing the maturity of the customers’ cybersecurity and data privacy programs or the potential damages.  The Department of Defense’s forthcoming Cybersecurity Maturity Model Certification may help with that.

Conclusion

A ransomware attack can have serious consequences for an organization. However, though careful planning and testing, the organization can survive, or at least recover from, a ransomware attack without having to pay the ransom. A Defensible Cybersecurity program includes ransomware planning and much more. Contact Fathom Cyber to learn more about how we can help your organization build a Defensible Cybersecurity program.

Vulnerabilities, Exploits, Patches, Threats, and Risks

Many in the cybersecurity industry use terms including vulnerabilities, threats, and risks as though they are synonymous, but they are not. Understanding the differences, and using the terms correctly and consistently, is an important part of creating a more systematized and defensible cybersecurity strategy.

Vulnerabilities

A vulnerability is a weakness or flaw in a computing device. Vulnerabilities can arise from flaws in the way the hardware is designed, such as those dubbed Spectre and Meltdown; from flaws in the software, such as those creating SQL injection vulnerabilities; or from simply being connected, such as Denial of Service vulnerabilities.

Exploits

An exploit is a tool or technique used by an attacker that takes advantage of a vulnerability to achieve a goal. Such goals can include causing commands to be executed by the victim’s computer, retrieving data from a database without authorization, and causing a device to stop providing service to others.

Patches

A patch is a software-based update that fixes a vulnerability. A properly patched vulnerability cannot be exploited.

Threats

A threat is a vulnerability that can be exploited. It is important to note that the mere existence of an exploit is not enough for a vulnerability to become a threat. The threat actor (i.e., criminal or hacker) must have the ability to use the exploit on the vulnerability before the combination can become a threat.

Risks

Risk is usually expressed as the product of the likelihood that a vulnerability will be exploited and the severity or impact of the vulnerability. Risks can be expressed in a variety of ways, including simple ordinals (e.g., low, medium, and high) or as a quantity (e.g., using techniques described by the FAIR Institute).

Cyber Criminals Targeting College-age Students

According to published reports, a threat actor dubbed “Silent Librarian” has been targeting individual college-age students (i.e., “spear phishing” the students). Silent Librarian is using information from the students’ social media posts to learn more about their buying habits, where they go to school, places they have visited, books they have read, etc. They then carefully craft E-mail messages with subjects and contents that are relevant to the student (e.g., “Overdue Library Books”). The E-mails include graphics and other information that mimic those used by the students’ school. The E-mails contain links to convincing but phony websites that capture the students’ credentials. The students’ information is saved and then they are automatically logged into the school’s website, helping to hide the fact that the login page did not belong to the school. The students’ accounts are then used for a variety of purposes, including accessing academic journals that are only available through a paywall, stealing intellectual property including research, mining the E-mail and other messages for information that can be used later for influence campaigns, and as a basis for sending infected E-mails to classmates and friends.

The three best things students can do: 1) remain aware and vigilant, including carefully scrutinizing every web URL to ensure it belongs to their school, 2) use unique passwords on every website and a password manager to maintain the information, and 3) insist that their school implement multi factor authentication and make sure it is enabled on their account. For more information about staying safe online, download our Top 7 Tips.

Top 7 Tips for Reducing Individual Cybersecurity Risks

Keeping cyber criminals at bay isn’t as hard as it may seem. Although no security system is perfect, following these 7 basic tips can significantly reduce your risk of becoming a victim.

  1. Stop and Think Before You Click a Link – Before you click on a link or open an attachment in an online message (i.e., an E-mail, text message, instant message, etc.), ask yourself if you were expecting the message, even if it was from someone you know and trust.  If you weren’t expecting the message, contact the sender via another means (e.g., call or text them) to see if they truly sent the message.  A few extra seconds of effort can save you a lot of headaches later.  For more information about common online messaging-based attacks, visit Stay Safe Online (https://staysafeonline.org/blog/5-ways-spot-phishing-emails/). Think you have the skills to spot a fake online message?  Try Google’s phishing quiz at https://phishingquiz.withgoogle.com/.
  2. Avoid Less Reputable Websites – Although some websites pay attention to cybersecurity and attempt to keep their sites safe, many sites do not.  Their primary focus is to drive viewers to the site to increase advertising revenue or sales, and the maintenance and security of the site often take a back seat.  Regardless of whether the link is in an online message, search engine result, or other source, before you click on the link you should ask yourself whether the site is likely to be secure, and if you are unsure, don’t visit the site.  Advertising-laden sites are also more prone to unintentionally posting advertisements that can push malware down to your device and should therefore be avoided where possible.
  3. Back up your data – Ransomware is one of the biggest threats facing organizations and individuals today.  Ransomware will encrypt your locally stored data and online storage, such as Carbonite, OneDrive or Drobox.  Some online storage companies keep multiple older versions of your data, helping to improve your chances of recovering unencrypted versions of your files.  However, we recommend that you back up your data to offline sources such as external hard drives that you keep unplugged from your computer except when backing up your data to them.  This allows you to successfully recover your data in the event the online backup provider is the victim of a ransomware attack or otherwise goes offline.
  4. Use Antivirus and Firewall Software – Old antivirus software used to bog down computers, but today’s antivirus software is both highly efficient and effective.  If you don’t want to pay for antivirus software, Microsoft Windows even comes with its own antivirus software called Windows Defender that consistently receives high ratings in independent reviews.  Similarly, Windows Firewall does a good job of helping to keep attackers at bay.  If you need help enabling Windows Firewall or Windows Defender, visit https://www.microsoft.com/en-us/windows/comprehensive-security.  Several well-known companies, including McAfee, Norton, BitDefender, and AVG also make antivirus software for Android devices, and if you own an Android device you should consider installing one of those.  We also recommend downloading and running an alternative antivirus program, such as Malwarebytes, as a safety precaution every few months.
  5. Enable Automatic Software Updates – Most operating systems, such as iOS, Android, and Windows, and most commercial software, such as Microsoft Office, Adobe Acrobat, Google Chrome, and Mozilla Firefox are regularly updated by their manufacturers.  Almost every update contains fixes for security vulnerabilities that were found in the operating system or software.  Most of these tools can automatically install the latest updates from the manufacturer, and it is a good idea to enable automatic updates.
  6. Use Multifactor Authentication Where Possible – Usernames and passwords are not enough to keep attackers at bay.  A third form of authentication, called multifactor authentication, is a necessity and should be used whenever available.  Multifactor authentication can take different forms, including text messages or synchronized pseudo-random numbers that change frequently.  Although some forms of multifactor authentication are stronger than others, any multifactor authentication is better than none.
  7. Use a Password Manager – Password mangers such as 1Password, Dashlane, and LastPass store your passwords in an encrypted form that only you can access and can automatically log you into your favorite websites.  The stored passwords can be synchronized across your mobile and desktop/laptop devices.  Password managers are safer than storing passwords in your browser, and they allow you to use unique passwords on every website.

For more practical cybersecurity news and tips, subscribe to our newsletter. Click Here to download a PDF version of this document, along with our impactful article on the role individuals play in cybersecurity.

The State of Connecticut’s Cybersecurity Action Plan

The State of Connecticut recently released a Cybersecurity Action Plan.  This plan makes it clear that if companies don’t start taking cybersecurity and data privacy more seriously, the state, and even the federal government, will be forced to step in and add even more legislation and regulations.  Can your organization quickly identify:

  • the kinds of data it holds, whose data it is, and where it is located;
  • the customers who are supported by a particular computing resource;
  • the internal business processes and functions that are supported by a resource;
  • the controls that are in place to limit access to authorized users; and
  • the dependencies between the different computing systems?

If not, how can your organization expect to show regulators or shareholders that it is taking cybersecurity and data privacy seriously?  The first step in taking cybersecurity seriously is to make cybersecurity make sense. Fathom Cyber can help.

https://portal.ct.gov/-/media/Office-of-the-Governor/Press-Room/20180503-CT-Cybersecurity-Action-Plan.pdf?la=en

“Reasonable” is changing for Boards of Directors

Boards of Directors are increasingly being held accountable for the organization’s cybersecurity shortcomings.  Some Board members have been able to hide behind the “business judgment rule” in the past to avoid having to take ownership of cybersecurity.  But that is changing, and it is no longer reasonable for the board to be hands-off when it comes to cybersecurity.

https://www-forbes-com.cdn.ampproject.org/c/s/www.forbes.com/sites/christopherskroupa/2018/04/19/cybersecurity-and-the-boards-responsibilities-whats-reasonable-has-changed/amp/

Creating a Culture of Enforcement

Without the proper cultural changes, any organization-wide efforts are likely to fail.  This is true whether the efforts involve business issues, like creating the right approach to customer service, or regulatory issues, like compliance with ethics laws, data privacy laws, or cybersecurity regulations.  Although many organizations initially try to change their culture, the effort can be monumental, and the repercussions can be tough.  In some cases, the organization’s top performers and senior leaders are the ones most resistant to change.  Is the organization ready to enforce its policies and procedures, even against these “star players”?  If not, the cultural efforts will fail, and the organization will soon return to its old ways.  The article below provides an approach to creating a culture of compliance.

Creating a Culture of Compliance

Cybersecurity and Data Privacy

Make Cybersecurity Make Sense

Most Boards and executives treat cybersecurity and data privacy as though they are the same.  That is a mistake.  Cybersecurity and data privacy are related but distinct concepts, as discussed below.

Cybersecurity

If you ask most people about cybersecurity, they almost always jump right to trying to keep criminal hackers from breaking into a computer or computer network to steal credit card numbers, bank account information, or intellectual property.  But cybersecurity is much broader than that.  The goal of cybersecurity is to prevent unauthorized access to information or resources.  This means that, from an external threat perspective, cybersecurity must also consider issues such as:

  • keeping others from using your online data storage to distribute malware to others, or to store information collected from malware;
  • keeping others from installing software on your computer that mines bitcoins; or
  • keeping others from exploiting poor software coding techniques to place fraudulent orders.

In addition to addressing external threats, Cybersecurity also addresses on internal threats.  This can include issues such as:

  • keeping unauthorized employees from accessing payroll, accounting, or other information;
  • using the organization’s resources for non-organizational purposes (e.g., using a server to host the employee’s internet radio station); or
  • using the organization’s computers for illegal purposes.

Data Privacy

Data privacy deals with how information about an individual, such as their name, phone number, national ID number, etc., is stored and shared.  More specifically, data privacy laws seek to inform the data subject (the person whose data is at issue) about a variety of issues, including:

  • what data is collected;
  • how the data is used;
  • whether and how the data is shared; and,
  • what the data subject can do to have their data removed or “forgotten”.

By being better informed about how their information is stored and shared, the individual can make a conscious decision as to whether to continue to do business with the organization, and whether to request the removal of their data.

Data Privacy Violations Without Cybersecurity Incidents

Most people seem to understand these distinctions, yet they still struggle with envisioning how you can have a data privacy violation without a cybersecurity incident.  Here’s a simple example:

Bill has been binge-watching some cooking videos online, and came across many interesting recipes for different nacho-style foods.  He knows his friends will go nuts for them, so he decides to throw a party next weekend.  He searches online and finds a small vendor (SmokedFishSalt.com) who has the halibut-smoked sea salt that he saw mentioned in one video.  Bill is a very savvy online buyer, and reads SmokedFishSalt.com’s Privacy Policy, which says that they only share information with partners to facilitate the transaction. Pleased with what he reads, Bill places his order, asking for it to be sent Priority Mail.  Bill’s order arrives, and the party is a big success due in no small part to the special salt.  A few days later, Bill begins getting E-mail and postcards from other specialty foods suppliers, including SpikedPotato.com.  So many, in fact, that both his inbox and mailbox are flooded. Bill gets annoyed, and decides it is time to take action.

In the scenario above, if SmokedFishSalt.com uses some of the Postal Services online shipping tools, SmokedFishSalt’s sharing of Bill’s information with the Postal Service is unlikely to be seen as violating the privacy policy.  They are a necessary part of the transaction.  But if SmokedFishSalt shared Bill’s information with SpikedPotato.com, this would likely violate SmokeFishSalt’s privacy policy.  Bill’s information would be exposed without his consent, and this would be a data privacy violation without there having been any kind of cybersecurity incident.

Cybersecurity Incidents Without Data Privacy Violations

Just as you can have data privacy violations without having a cybersecurity incident, you can also have a cybersecurity incident without having a data privacy breach.  As an example, there was a recent news report of a bank that had been hacked.  When the security team investigated, they found that the cyber criminals had installed software on many machines throughout the bank.  From what the security team could tell, the software was “only” mining for bitcoin.  No depositor, account, or other information was being accessed by the software.

Wrapping up

Cybersecurity and data privacy are two separate but related issues.  The issues they cause can, and frequently do, overlap, but an organization needs to carefully consider each separately, and officers and Directors must understand that the organization’s investments in one area do not necessarily equate to investments in the other.