Miss out on any of the six items on the ransomware-resilience checklist and risk facing a US$30m ransom plus disclosure extortion!

Quick current affairs quiz: What do AXA Asia, FujiFilm and the world’s largest meat packing company have in common?

If the firms SolarWinds and Colonial Pipeline come to mind, then your guess was probably correct. These are large companies that have been victimized by ransomware in the past half a year, with the threat group DarkSide being the Ransomware-as-a-Service for the attacks on Colonial Pipeline and JBS meat packing.

Other than the big money to be earned from launching such attacks, state-sponsored agenda and competitor espionage add to the reasons why such attacks have been surging in the past months. Add to that the increased attack surfaces arising from remote-working and over-stretched IT teams and budgets, and you can see how the perfect ransomware storm has brewed.

According to Forrester analyst Steve Turner: “Companies are rarely prepared because they may not have touched or tested their incident response plan since it was created. A lot of companies haven’t run tabletop exercises that include folks outside of their IT/Security teams simulating a ransomware attack. We need to increase our preparedness on both of these fronts.”

Especially where critical infrastructure is concerned, the merging of IT with operational technology in many sectors has been a magnet of attacks. “Critical infrastructure is an easy target because attackers feel like they’ve backed those companies into a corner and they don’t have any choice but to pay the ransom. Until there’s requirements or penalties for companies in these critical sectors, they’ll continue paying the ransom and ransomware operators will continue to target them,” added Turner.

With ransomware toolkits readily available nowadays, attacks will continue to accelerate. They cost virtually nothing to execute when compared to the huge payoff by victims that have reason to be afraid of double or triple extortion. “These threat actors have ephemeral infrastructure, which means that what they’re using can quickly be stood up and torn down; or are running RaaS, where they’ve got a lot of affiliates that are actually executing the attacks.”

With such a high level of motivated threat actors against organizations and critical infrastructure, a checklist of six key measures from Forrester may be a useful quick evaluation tool to gauge if your network is resilient to such attacks:

  1. Has your team identified where all the critical data sits and enforced a regular backup and recovery workflow involving multiple immutable storage pools disconnected from your corporate networks? Are your teams testing emergency disaster recovery and restoring of the data religiously and achieving perfect end-to-end outcomes? If not, please stop reading right now and come back to this list when you have that nailed down SOLID!
  2. Is your IT team patching systems and apps on at least a monthly basis if not more regularly? In particular, prioritize the patching of systems and apps that are connected directly to the Internet. Give your team top marks if you have already set up an additional safety net for testing the safety of any patch on a small air-gapped network.
  3. Multifactor authentication has been something Forrester still observes to be not so common. Yet it is one of the best security controls to stop attackers dead in their tracks. Despite the obstacles to painless implementation, it is paramount that companies try to centralize their identity systems and require multifactor wherever possible.
  4. So please secure your privileged accounts immediately and require MFA.  Make sure to include your admin accounts that are used to manage your cloud environments as well.
  5. Has your IT team ensured that endpoint protection is deployed to all computers and servers? Make sure that it is turned on, updated, and working. Most companies can get a health check from their endpoint protection vendor for free, so take advantage of that.
  6. If it is not already in place, consider a move towards Zero Trust Networking—this can be in bits in pieces by implementing least privilege, segmenting critical pieces of your network, or even by starting to implement multifactor authentication. All third-party vendors and entities that have access to your network MUST be included in the Zero Trust policies.

No matter what happens in the worst-case scenario, the accepted wisdom is to not pay any ransoms or need to worry about double- or triple- extortion—easy when you do not need the stolen data back, and any sensitive data would have been well-encrypted and not susceptible to attackers’ public disclosure.