Ransomware is the #1 cyber risk of 2021 with estimates that 50% of all businesses have been hit. In this episode of Culture of Compliance, Sabrina Serafin interviews Skeet Spillane of Pillar Technology Partners about the magnitude of the problem and how to protect your business.
Culture of Compliance | The Challenge of Ransomware
This transcript was assembled by hand and may contain some errors.
It has been edited for readability.
Sabrina Serafin Welcome to Frazier & Deeter’s Culture of Compliance podcast series. I’m Sabrina Serafin, Partner and national practice leader of Frazier & Deeter’s Process, Risk & Governance practice.
Today, we’re revisiting the challenge of ransomware and our guest is Skeet Spillane, the CEO and Chief Information Security Officer of Pillar Technology Partners.
Pillar focuses on cutting-edge cybersecurity, ranging from threat analysis to incident response and everything in between. They publish the very popular Cyber Defense Intelligence Live Security Briefings, which regularly offer insights into recent incidents and trends. Skeet, thank you for returning to the podcast.
Skeet Spillane Thank you very much for having me back, I always enjoy these conversations.
Sabrina Ransomware attacks got very real for consumers earlier this year with the shutdown of the Colonial Pipeline, but that was just one of dozens of high-profile situations so far this year.
Let’s start with the basics. Ransomware has quickly become a household word, but remind us what the significance of the threat is to you and me?
Skeet Well, ransomware is absolutely a threat to everybody. Unfortunately, the way the ransomware organizations attack, they aren’t very targeted. They will go after anyone and everyone and see who they actually can get their hooks into, and once they do there are multiple ways they will handle things. I may start off with just a quick definition, ransomware is malicious software that’s designed to block access to a computer until ransom, a sum of money, is paid to the attackers. In the traditional model, they would actually take that ransom and upon having the ransom paid would release your files and you would be able to go back to accessing those. What we’ve seen in more recent times is that the ransomware objectives have somewhat developed. They have now started adding extortion and double extortion type of schemes on top of the ransom where it’s not enough that they just locked the files, now they may actually lock the files and exfiltrate the data before they lock them. So not only are you having to pay a ransom to unlock the files that you have access to, they actually have your data. So, it’s kind of a combined breach as well.
Then, we’re actually now seeing where they’re using multiple variants of ransomware, and they’re calling it a triple extortion, where they may lock your files, they steal your files, and there’s also another variant of ransomware out in your environment and you’re paying for one while another one is actually active and lurking, waiting to launch. So, you end up getting hit more than once. It’s a developing world, we’re seeing lots of changes going on. But, as you said, it’s been kind of the “attack du jour of 2021.”
Sabrina Thanks, Skeet. I mentioned the term ransomware becoming a household word earlier, and considering there have been attacks in the news pretty much every week this year, and in the case of Colonial Pipeline, with some pretty significant consequences to us individually, could you talk about the magnitude of this problem overall?
Skeet Absolutely. It’s a very prevalent problem, about every 11 seconds a business falls victim to ransomware, and the average ransom demanded is approximately $234,000 per incident, so it’s a fairly sizable ransom out there. In a recent study by cloudwards.net, they actually found that 51% of businesses surveyed had been hit by ransomware within 2020.
There’s a pretty large number of organizations that are dealing with this.
Everyone knows about the Colonial Pipeline impact, where it actually hit their control systems and was able to take off all of the processing and delivery of fuel for multiple days. Obviously, this can have wide-ranging economic and operational impacts to not just an organization, but an entire economy.
Sabrina Exactly right, and unfortunately for Colonial Pipeline, many had probably never heard their name before, but it’s on everyone’s lips now as a result of this event. One aspect of ransomware that has led to significant debate is whether or not to comply with the ransom request. Can you explain why law enforcement continues to advise companies to never pay the ransom?
Skeet Sure. There are actually multiple reasons, and that absolutely is the position of the FBI, to not pay the ransom; the reasons for that vary. First off, it may be illegal. Governments, not just the US Government but also the French Government, have started to pass legislation that makes it illegal to pay ransom. The organization that conducted the attack could be on the terrorist watch list, and in the US, if you actually transfer money to them, that can actually fall under government statutes that control paying of money to terrorist organizations, so you may be in violation of the law, even today. But we’re seeing new legislation proposed that actually will make it illegal to pay the ransom demands. There’s also no guarantee that they’re going to unlock your data; you may pay the ransom and they may unlock the data for you, but they may not. They may just disappear with your money, and there’s no guarantee of successful completion. In the case of the newer attacks, where they’re double extortion, they already have your data so it’s already a breach, and if you’re in a protected space like HIPAA, the PHI data is already exposed. You may already be in a reportable incident right from the beginning, regardless of whether you paid.
They can also escalate the ransom. The old adage: well, if you’ll pay $10, you’ll definitely pay $20. They’ll come right back at you and say “great,” but they’ll increase their ransom demands.
I think there’s also the underlying component which is it’s just bad form. Don’t negotiate with terrorists. If you pay them, you’re facilitating their engagement. You’re making sure they’re well-funded and they’re going to go attack others so you’re just propagating a criminal enterprise. You’re better off with a strategy that actually employs the ounce of prevention instead of the pound of cure.
Sabrina Great advice, Skeet, and wonderful examples. So, with that in mind, what can businesses do to protect themselves or invest in that ounce of prevention?
Skeet There are a lot of different activities that should be done related to cyber hygiene that will make sure that organizations are not only preventing the ransomware from taking hold, but also minimizing the impact should it actually get into your organization. Those can be things from keeping your computer systems up to date, making sure you’re applying patches as they come out and that you’re hardening the systems against attack by removing additional services that don’t need to be there, turning off remote services when they’re not necessary.
In addition to that, you should be using advanced endpoint protection, which is able to identify some of these malicious behaviors and lock it down and isolate the machine before it’s able to spread the ransomware out to other machines in the network. Those are not foolproof, but they do absolutely make it more difficult for the attackers to gain that necessary foothold in the organization. You can also implement secure email gateways, which will filter some of those attack emails before they ever get through, because a lot of the ransomware attacks are driven off of an email threat vector. If you can stop those from getting into the environment, you prevent users from clicking on them and moving down the path. You can implement strong authentication like multifactor and password complexity to ensure that accounts can’t be compromised, which further exacerbates the situation by allowing the attackers to impersonate a legitimate user so that the ransomware email may actually look more attractive. You can also limit and tightly control remote access. One of the other attack vectors for ransomware tends to be remote access servers, and they will try and attack those, so for any of your remote desktop protocols, like port 3389, make sure they’re not exposed to the outside world, and if you’re going to have that type of service, that it’s behind a VPN of some type.
One of the things that I actually recommend to all organizations is that they really look at their network architecture and implement network segmentation to isolate user networks from server networks and data networks, so that should ransomware actually take hold in the environment, it has to come up through a firewall to get to a different segment. If your data is on a different network than your users, and a user clicks on it, it won’t be able to easily traverse the network and get into the data side of your environment.
There are also intrusion prevention systems to make sure that you’re picking up these odd behaviors on the network when they’re occurring, so that you’re able to respond more quickly and isolate and contain the attack to a smaller portion of your environment, thereby limiting all of the machines being part of the attack. I come back to the number one thing, I think, you have to make sure you stay in front of in an organization, which is making sure that you’re conducting effective security awareness training. Making sure that you are really getting people to understand the ramifications of their actions when they click on these links, getting them to stop clicking on links and really staying in front of them. It’s not enough. Traditional security awareness training is a once-a-year type of activity, and everyone gets it. Everyone snoozes through it. They move on and they go back to their life, they get busy, and when emails come through they’re not thinking about it and they click on it.
So, one of the things that we recommend is a continuous program that throughout the year is staying in front of the users and reminding them of these types of attacks and what happens and how do you actually prevent them and what to look for during an attack and making sure that they’ve got the requisite knowledge to identify when they’re trying to be scammed.
The other thing that I would suggest is recognizing that it can happen to anybody, so let’s make sure that you’ve got the pieces in place to respond appropriately if it does happen. Those are going to be making sure you’ve got a good, tested incident response plan so that everyone knows their actions, everyone knows how to move quickly and knows how to isolate and contain the attack to minimize the spread throughout the network, thereby being able to isolate the damage to a smaller impact on the network. And then also being prepared in case it does get out there, making sure that you’ve got good backups that are not just backed up and stored on your network, but that they’re actually stored in a remote location so that the network can’t reach out to it, because one of the first things we see with ransomware is that it actually conducts a hunt for backup files and tries to encrypt those as well, so you don’t have the ability to recover. So, making sure you’ve got a good backup methodology that gives you the ability to restore from a remote location is vital to recovery.
Sabrina Let’s talk a little bit about incident response in more detail. In what you’ve observed during your incident response procedures, what vulnerabilities tend to create the highest risk?
Skeet What we see a lot of times, from a vulnerability perspective, is that attackers tend to be lazy. They tend to go after known vulnerabilities that exist and have been out there for some extended period of time, so it comes back to making sure you have a very solid patch management program in place, that you’re assessing for vulnerabilities, you’re finding these known vulnerabilities and then you are closing those holes as soon as you’re able to, as quickly as possible, and also making sure that you don’t expose any services that don’t need to be exposed so that your threat surface is minimized. So, there are fewer potential risks out there, and I think on the incident response detail, what I would really stress is that first-tier triage is very important with ransomware. What’s going on, what is impacted right now, what can we do to isolate and contain that attack to the machines that are there, and that may include separating yourself from the Internet. We’ve had an incident in the past where we recommended a client literally just turn off their Internet because we saw the risk, we saw what was going to happen, and it was easier to just turn it off. Let’s get our arms around it and then we can get ourselves back to operational. That was somewhat extreme, but you do want to be able to isolate and contain the attack to a small number of machines, if at all possible.
Sabrina Thank you, Skeet, for being with us today and sharing this very valuable advice. For our listeners who are interested in subscribing to Pillar’s Cyber Defense Intelligence Live Security Briefings you’ll find a link in the podcast notes. To our audience, thank you for listening to Frazier & Deeter’s Culture of Compliance podcast. Please join us for our next episode as we continue to discuss compliance as a competitive advantage in today’s marketplace.