One of the leading healthcare institutions fighting the COVID-19 scourge, the University of California at San Francisco, was shaken down by ransomware gangs in late June to the tune of $1.14 million. A malicious hacker group collected its loot in bitcoin after originally requesting over $3 million. The ransomware attack sequestered key data from the university’s prestigious medical school.
Rather than face the prospect of ongoing disruption to clinical work and research, UCSF, frequently ranked among the top 5 medical research institutions globally, negotiated a payment and accepted the costs. Their decision is understandable. Law enforcement agencies have struggled to stop these attacks, many of which originate from regions where cooperation with local law enforcement can be challenging.
Why every IT team needs a ransomware prevention plan
This attack is symbolic of a shift in ransomware targets from smaller, lower profile and less technologically savvy organizations – such as mid-sized managed services providers – to larger corporations and institutions that can pay bigger ransoms. A spree of 2020 attacks has cost organizations hundreds of millions of dollars in recovery and mitigation costs. Victims include Cognizant, a publicly traded IT services company, copier company Xerox, and foreign exchange company Travelex. Those are the ones we know about – in reality, it’s likely to be the tip of the iceberg, since many companies are hesitant to disclose a data breach.
What’s more, the attackers are now targeting tech organizations with a new variant of ransomware that works against Macs, as reported by Wired.com. Until now, Macs have largely avoided ransomware attacks, but with key staff at some of the world’s most valuable companies favoring Apple devices, it’s no surprise ransomware is following the money. Ransomware attackers often gain initial entry into networks and systems on the devices of trusted individuals and then search for misconfigurations in security controls to escalate privileges.
The bottom line? Every IT organization must have a ransomware response plan in place to quickly identify what assets might be at risk and remediate security weaknesses.
A quick history of ransomware
Ransomware is a variant of malware that holds data or access to systems for ransom. The first ransomware, “AIDS Trojan”, appeared in 1989 and was spread via floppy disks distributed by mail to AIDS researchers. In 2006, the “Archiveus” trojan became the first ransomware to use encryption to hold victims hostage. The rise of cryptocurrencies fueled ransomware growth as attackers embraced bitcoin and other payment vehicles as a way to receive large, untraceable sums which could be quickly converted into fiat currency. Today, attackers offer victims short time windows – usually 72 hours or less – to fork over bitcoin or face escalating prices to recover their data. For organizations like UCSF or Travelex, each day without control presents a bigger and bigger risk and cost in terms of disruption, reputation, and likelihood that attackers will dump sensitive data on the internet.
Numerous major ransomware families
There are many ransomware families, and they keep evolving. Many incorporate not only ransomware capabilities but also sniffers and keyloggers to capture payment information and login / password combos to assist with attacks. Ransomware can lie dormant on a laptop for months until it is activated. While some ransomware attacks exploit unpatched systems, the majority result from social engineering attacks that encourage users to inadvertently download the ransomware from a malicious URL, email, document or other vector.
Four basic steps for a ransomware prevention plan
Your team surely has plans for other types of incidents. Ransomware is a special case because it can be so high profile and is more like a hostage-taking incident than a traditional security breach. The best way to stop attacks is to prevent them from happening. Here are some basic steps your organization can take.
- Make sure you have a complete and accurate inventory of all endpoints and servers. This must include the owners, IP addresses, and status of patching or security controls. One of the biggest problems with ransomware attacks is identifying the entry point to assess whether it is a real or fake attack. To do this, you must be able to quickly identify the source, the owner of that endpoint or resource and where it is located. Similarly, an accurate and complete inventory of exposed systems is necessary for any comprehensive patching or security controls audits. This is where you need a comprehensive, integrated ITAM (IT asset management) solution that can reconcile across multiple point solutions and give you a “golden database” of IT asset information.
- Back up and replicate all critical data in the cloud. Doing this removes the business continuity risk and eliminates much of the attackers’ leverage over your organization. They retain the threat of disclosing your sensitive information, which is dire, but not nearly as dire as keeping your entire organization frozen out of its systems, a favorite flavor of ransomware attacks. Run these backups daily or often to ensure you always have fresh data.
- Deploy early ransomware threat detection. Ransomware protection software has matured and become relatively reliable. It can help you quickly identify and block potential attacks, and should be integrated with your SOAR (Security Orchestration, Automation and Response) and security operations tools.
- Segment your networks and have a robust privileging schema. Segmenting networks allows you to block privilege escalation attacks more easily and to apply different levels of scrutiny and rules to different networks. So more sensitive networks and connected assets, for example, may be assigned more robust multi-factor authentication and stricter rules for system and configuration changes.
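The inventory step above, sketched as an added example that is not part of the original article: it reconciles exports from three point tools into one record per device and flags missing owners and stale patching. The source names (DHCP, CMDB, PATCH), field names, the 30-day threshold, and all sample records are constructed assumptions.

```python
from datetime import date

# Constructed sample exports from three hypothetical point tools.
DHCP = [
    {"mac": "AA-BB-CC-00-00-01", "ip": "10.0.1.15", "hostname": "lab-ws-01"},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.0.1.22", "hostname": "fin-lt-07"},
    {"mac": "aa:bb:cc:00:00:03", "ip": "10.0.2.9", "hostname": "db-srv-02"},
]
CMDB = [
    {"mac": "aa:bb:cc:00:00:01", "owner": "j.rivera", "site": "Lab 3"},
    {"mac": "AABB.CC00.0003", "owner": "dba-team", "site": "DC-1"},
]
PATCH = [
    {"mac": "aa:bb:cc:00:00:01", "last_patched": "2020-07-01"},
    {"mac": "aa:bb:cc:00:00:03", "last_patched": "2020-03-12"},
]

def norm_mac(mac):
    """Normalize MAC formats (dashes, dots, case) to aa:bb:cc:dd:ee:ff."""
    h = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(h) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))

def reconcile(*sources):
    """Merge records from all sources into one 'golden' record per MAC."""
    golden = {}
    for src in sources:
        for rec in src:
            key = norm_mac(rec["mac"])
            golden.setdefault(key, {"mac": key}).update(
                {k: v for k, v in rec.items() if k != "mac"})
    return golden

def gaps(asset, today, max_patch_age_days=30):
    """Return the inventory gaps for one asset (threshold is an assumption)."""
    found = []
    if not asset.get("owner"):
        found.append("no-owner")
    patched = asset.get("last_patched")
    if patched is None:
        found.append("patch-status-unknown")
    elif (today - date.fromisoformat(patched)).days > max_patch_age_days:
        found.append("patch-stale")
    return found

def find_by_ip(golden, ip):
    """Answer 'whose machine is this?' for an IP seen in an alert."""
    return next((a for a in golden.values() if a.get("ip") == ip), None)
```

Running `gaps` over every record in `reconcile(DHCP, CMDB, PATCH)` gives the list of devices that would be hard to trace or triage during an incident; `find_by_ip` is the lookup used when an alert names only an address.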
Conclusion: ransomware is getting worse, so be prepared
With high-profile wins like the quick and easy $1.14 million caper at UCSF, more attackers will be drawn to ransomware as a low-risk, high-reward form of cybercrime. This will likely yield more attacks of differing levels of sophistication. IT organizations that have a comprehensive ITAM and a plan to prevent ransomware will have a leg up in ensuring that their organization does not suffer the pain of a nasty ransomware attack.