It’s Raining Ransomware

Did you bring your umbrella?

You’ve undoubtedly seen the recent news about ransomware. Who hasn’t? It’s a daily news topic whether you are on social media or mainstream news, and it’s a bigger problem than ever.

Cybercriminals use ransomware to encrypt the information on your computers and servers, eliminating your ability to access your system. In most cases, these criminals will leave a message and direction on how to pay them, for which they may give you a decryption code. In many cases, the ransomware is designed to spread laterally across other systems on your network, and that is where often we see its’ devastating effect.

Paying the ransom may sound like the best way to restore the data, but there is no guarantee that the decryption code will work or restore files in a timely manner. Take Colonial Pipeline as a ransomware example; it’s reported that the largest pipeline system for refined oil products in the US paid nearly $5M to attackers to restore its disabled computer network and that the decryption code was so slow that they continued using its own backups to help restore the system.

It may also be against U.S. law to make a payment to an attacker. On October 1, 2020, US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory to companies providing services to victims of ransomware attacks, informing them of the potential “sanctions risks” for facilitating ransomware payments to individuals or entities on the SDN List. U.S. companies are encouraged to implement a risk-based compliance program to mitigate exposure to sanctions-related violations.

Ransomware for all

The large enterprise organizations that you hear on the news aren’t the only ones impacted by ransomware. Smaller companies are impacted every day; it’s just not written in the news for all to see. In York, ME, a small veterinarian clinic was hit with a devastating ransomware attack with an $80,000 ransom. Since the average small business owner cannot pay such an amount the owner lost its’ patient records, and the time they would have spent caring for their patients.

Defendify sees these situations frequently. As another ransomware example, the Defendify team was recently contacted by a 250-person company that had experienced three months of downtime due to a ransomware attack. In this case, the only choice was for them to rebuild their network, which took a significant amount of time. Bottom-line: Ransomware is now a real threat to ALL organizations, not just the large enterprise.

IT Providers weather the storm

In a wicked turn of events, now Managed Service Providers (MSPs) are deliberately being targeted by bad actors as malicious actors see the cascading opportunity to use a one-to-many attack. MSPs have remote access to their client’s networks, and if there is a way for them to get into the MSPs network, they may find the key to get to all of their customers. We saw that with the recent Kaseya attack. The result? An estimation that over 1,500 companies were impacted in this massive ransomware attack and the MSP community monitored reports daily to keep up-to-date with the incident.

It’s not the first time we have seen MSPs being the target of a ransomware attack. The FBI sought out APT 10, a hacking group associated with the Chinese government, from 2006 to 2018. During that time, the nation-state criminal group conducted extensive hacking campaigns that targeted various industries, such as health care, biotechnology, finance, manufacturing, oil and gas, and MSPs. MSP breaches allowed APT 10 members to indirectly gain access to confidential data of numerous companies who were the clients of the MSPs.

Using a third party as a gateway to conduct a massive breach can be traced back many years ago. Remember the Target breach in 2013? It was reported that the HVAC company Target had contracted with had used a remote portal to support the companies’ systems – which became the conduit that allowed the cybercriminals to gain access into Target’s broader network.

Protecting yourself

Cyber-criminals and state actors have become more capable of, and interested in, targeting businesses of all sizes, including MSPs. While the thought of a ransomware attack happening can be daunting, you can take measures to have ransomware protection for your organization.

There’s no one single solution to the growing threat of ransomware. Still, a comprehensive cybersecurity solution that builds in assessments and testing, training and policies, and detection and response should be a key part of a successful cybersecurity program. You can’t stop all cyber incidents, but taking steps to improve your cybersecurity posture can put you in a better position to mitigate the threat or lessen its impact.

More Cybersecurity Resources:

Want to learn more about ransomware? Check out this webinar with Rob Knake, Defendify Senior Advisor and Former Director of Security for The White House.

Check an in-depth guide to achieving holistic cybersecurity: What’s the ‘F’ in Cybersecurity