Thousands For Defense, Not One Cent For Ransom
Students of American history may remember the “XYZ Affair” in which a French demand produced a response “Millions for defense, not one cent for tribute”. Cybersecurity technology expert Steve King has a similar approach in his online article “Ransomware: Spend a Little; Defend a Lot” (https://www.linkedin.com/pulse/ransomware-spend-little-protect-lot-steve-king/?published=t).
Ransoms are projected to reach $11.5 billion this year, more than double the $5 billion of 2017. In 2018 there was a ransomware attack every 40 seconds; now it’s every 14 seconds. (According to McAfee there was an average of 504 threats per minute in the first quarter of 2019.)
Most recent publicity has focused on ransomware demands to large and small cities, with Atlanta suffering $22 million in losses. Small and medium-sized businesses are also vulnerable, with average downtime and lost-revenue costs of $100,000 and indirect costs that could exceed $500,000. These indirect costs include recovery expense, damage to reputation, contractual penalties and fines.
Part of the reason for the growth of ransomware is that victims are willing to pay demands in exchange for a key to unlock their files. (However, 52% of victims do not successfully recover their files after payment.) Another part is that “ransomware-as-a-service” is easy to use and cheap to purchase. In King’s words, “All anyone needs to get into the ransomware distribution racket is moral flexibility, a browser, and an Internet connection”. Ransomware kits sell for $50 and exploit kits for $15.
Most ransomware campaigns look for Remote Desktop Protocol (RDP) servers exposed to the Internet, but they will target any vulnerability they find. Other attacks come through phishing campaigns. Attackers run these campaigns through anonymous email services to evade detection.
Compared to potential losses, fixing vulnerabilities is not expensive. A penetration test as part of a risk assessment, and applying the patches it calls for, should cost less than $25,000. (For comparison purposes, the advertising budget for the Atlanta City Council in 2019 was $103,000; 25% of that would have prevented the city’s $22 million loss.) Security awareness training programs and phishing countermeasures cost about $6,000 annually.
Determining and fixing vulnerabilities and implementing countermeasures cannot be a one-time fix. As King states, “Slapping some software in place and scheduling a few classes is not going to prevent a Ransomware attack”. There must be an ongoing commitment, from top executives on down, to cybersecurity risk management. If organizations do not have people with cybersecurity skills, they should hire a qualified managed security service provider. King lists 11 key requirements:
- Backup systems, locally and in the cloud, which must be tested.
- Segment network access so attackers are limited and cannot compromise all data.
- Use least privilege controls limiting users to what they need.
- Implement early threat detection and monitoring systems, plus email security best practices. Download and install all software updates and patches. Use continuous vulnerability assessment and management systems which constantly scan your network, including mobile phones, tablets and connected IoT devices.
- Install anti-malware and anti-ransomware software, updated regularly.
- Train employees in cybersecurity practices including recognizing a phishing attack, not clicking suspicious links or providing personal and confidential information, not using public Wi-Fi, and reporting suspicious activity. Training must be repetitive – 66% of ransomware attacks can be traced to lack of training and education.
- Insist on strong password security. Despite all the warnings, 75% of people use the same password for multiple sites and one third use weak passwords.
- Filter and reject incoming mail from unknown sources.
- Manage vulnerable plug-ins such as Java and Flash; either update them or block their use. Limit or eliminate “bring your own” data and computer programs.
- Purchase cyber insurance that covers first and third party claims, including ransomware, fines and penalties, and cyber terrorism.
- If you don’t have insurance, don’t pay the ransom. Paying ransom supports cyber criminals and perpetuates attacks.
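The two points above that a practitioner can act on directly are the entry vector (exposed RDP servers) and the requirement for early threat detection and monitoring. The following script is an added example, not code from King’s article or from this page: it scans Windows Security log events for RDP password guessing and flags a source that fails repeatedly and then logs in successfully, which is the pattern that precedes a hands-on ransomware deployment. The event IDs and logon type are real Windows values (4625 failed logon, 4624 successful logon, logon type 10 RemoteInteractive, i.e. RDP); the one-line key=value log format, the sample lines, the source addresses (documentation ranges) and the threshold and window are constructed assumptions for the example.

```python
"""Flag RDP brute-force activity in Windows Security log events.

Added example (not from the original article). Input format is assumed:
one event per line, an ISO timestamp followed by key=value fields copied
from the Security log (EventID, LogonType, TargetUserName, IpAddress).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = "4625"     # Windows: an account failed to log on
SUCCESS_LOGON = "4624"    # Windows: an account was successfully logged on
RDP_LOGON_TYPE = "10"     # Windows: RemoteInteractive (Terminal Services / RDP)

# Constructed sample log. 203.0.113.7 guesses several accounts and then gets
# in; 198.51.100.23 is a user mistyping once; 192.0.2.44 fails repeatedly but
# over the network (logon type 3), so it is not an RDP case.
SAMPLE_LOG = """\
2019-06-01T02:14:05Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2019-06-01T02:14:06Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2019-06-01T02:14:07Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2019-06-01T02:14:08Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2019-06-01T02:14:09Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2019-06-01T02:14:30Z EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2019-06-01T02:15:00Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.23
2019-06-01T02:15:20Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.23
2019-06-01T02:16:00Z EventID=4625 LogonType=3 TargetUserName=svc_sql IpAddress=192.0.2.44
2019-06-01T02:16:01Z EventID=4625 LogonType=3 TargetUserName=svc_sql IpAddress=192.0.2.44
2019-06-01T02:16:02Z EventID=4625 LogonType=3 TargetUserName=svc_sql IpAddress=192.0.2.44
2019-06-01T02:16:03Z EventID=4625 LogonType=3 TargetUserName=svc_sql IpAddress=192.0.2.44
2019-06-01T02:16:04Z EventID=4625 LogonType=3 TargetUserName=svc_sql IpAddress=192.0.2.44
"""


def parse_line(line):
    """Split 'timestamp k=v k=v ...' into a dict; 'ts' holds the parsed time."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for sources with >= threshold failed RDP
    logons inside a sliding time window. A finding also records whether the
    same source later logged in successfully over RDP, and as which user."""
    recent = defaultdict(deque)   # ip -> timestamps of failed RDP logons in window
    users = defaultdict(set)      # ip -> account names it tried
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("LogonType") != RDP_LOGON_TYPE:
            continue              # only RDP logons matter for this rule
        ip, ts = ev["IpAddress"], ev["ts"]
        if ev["EventID"] == FAILED_LOGON:
            q = recent[ip]
            q.append(ts)
            users[ip].add(ev["TargetUserName"])
            while q and ts - q[0] > window:
                q.popleft()       # drop failures older than the window
            if len(q) >= threshold:
                entry = flagged.setdefault(ip, {"failures": 0, "users": [],
                                                "success_after": False,
                                                "success_user": None})
                entry["failures"] = max(entry["failures"], len(q))
                entry["users"] = sorted(users[ip])
        elif ev["EventID"] == SUCCESS_LOGON and ip in flagged:
            # Success after a flagged burst: treat as probable compromise.
            flagged[ip]["success_after"] = True
            flagged[ip]["success_user"] = ev["TargetUserName"]
    return flagged


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, finding)
```

On the sample data only 203.0.113.7 is reported: five failed RDP logons against three accounts inside the window, followed by a successful logon as administrator. The detection is a complement to, not a substitute for, the first fix: an RDP server that is not reachable from the Internet does not generate this traffic at all, and a guess-and-succeed sequence should trigger an incident, not just an alert.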
Unless and until the federal government and/or the insurance industry insists on specific preventive and protective measures and criminalizes ransom payment, every organization must be prepared to defend itself against a ransomware attack.