
Expectations vs. Reality: Are you ready for a ransomware attack?


When will Ransomware affect you?

Have you ever thought, "that couldn't happen to me?" There are events all around us every day that people assume are so far removed from them that they simply couldn't be affected. Most corporations think they have the right safeguards in place to protect themselves against ransomware attacks, and that it could never happen to them.

If that's the case, why have 72% of all companies been affected by ransomware in the past 5 years?

You might be thinking 'that's just the little mom and pop shops,' and you'd be completely wrong. Looking across organizational verticals, an average of 66% of companies in each professional area have been affected. The lowest percentage is in IT companies at only 50% (yes folks, half of IT companies!), and the highest is in education.


We've seen the headlines about certain companies like the Colonial Pipeline, MGM, and Kronos, but every day there are new articles with new stories about another company that has had to pay millions of dollars to get their data back after a successful data security breach.


Face it. It's no longer a matter of if you get attacked, but when that attack is going to happen. It's only a matter of time before someone clicks on a link they weren't supposed to, replies to an emailed request for a password and hands a social engineer access to your environment, or sets up a server without following all of your security protocols. When that happens, you're in for a long couple of weeks.


These days, security tools alone just aren't enough. Does that mean you shouldn't have them? If you're actually asking a question like that, let me suggest that you go find a different line of work. Of course you should have your security tools. They are focused on detecting threats and preventing them from becoming breaches. They just aren't perfect. Malware and ransomware attacks are getting so sophisticated and so forceful that they can slip in undetected, defend themselves once they're in, and bring a company to its knees in a matter of days.


What should you know about ransomware?

  1. Ransomware does not destroy your environment as soon as it gets in. There is almost always a "dwell-time" involved, and we've seen that time come down in recent years. There are still a few variants that will sit in your environment for 90 or 120 days, but the average in 2022 was 27 days, and I've seen some reports that newer, more aggressive variants detonate in as little as 5 days. You need to prepare for the longer variants and hope for the shorter ones.

  2. Detection always lags infection. This is a different way of saying point #1, and it points to the fact that front-end security tools like EDRs, XDRs, AV, SIEM, and firewalls don't always catch the bad guys. Your security tools won't see zero-day threats, so they can slip in under the radar and spread throughout your environment undetected for quite some time.

  3. Not all malware has the same objective. I see three common things that malware does to businesses.

    1. Ransomware will encrypt the environment, and the gangs will demand payment in exchange for a decryption key. This is all about the money.

    2. Other forms of ransomware have to do with extortion. They will exfiltrate the company's data and demand payment. If the payment is not received, they threaten to release that data in a variety of places. This is 21st Century digital blackmail if you ask me.

    3. Destruction, plain and simple. Proofpoint released an article in June 2022 highlighting the fact that hackers can steal your administrator credentials and change the version limit in your M365 environment from the default of 500 down to as little as 1. At that point they can simply encrypt the one remaining version, and unless you've got a reliable backup of that data, it's simply gone. Loss of data can cause many organizations to crumble, and the gangs doing this are trying to achieve just that.

  4. 42% of successful ransomware attacks happen because security patches are out of date. I survey my customers fairly regularly and I have found that a majority of companies are between 2 and 6 months out of date with their security patches. This is because it can be time consuming, and they want to verify that the patches aren't going to result in problems when they are implemented. However, the longer you wait, the more likely you are to suffer a successful attack.

  5. 93% of ransomware attacks go after your data backup environment, and over 50% of those attacks result in companies losing data. Still think the backup tool you're using that has 30-year-old code is good enough for today's threats? Think again. It's crucial that you think of your backup environment as an extension of your security suite, and get away from the old way of thinking.

  6. To pay or not to pay? Did you know that paying the ransom could earn you a free vacation to an iron-barred resort for the next few years? (That means prison, folks). If the ransomware attack you've been hit with comes from a state-sponsored ransomware gang in places like Russia, China, or North Korea (to name a few), it is considered a felony to pay the ransom. Just by trying to do the right thing you could wind up the one facing jail time.

  7. Insurance: Read the fine print. Most cybersecurity insurance policies now have fine print regarding ransomware attacks. If a cyber incident is the result of ransomware, some policies will either not pay, or they may pay a greatly reduced amount. They do this through clauses such as 'act of war/terrorism.' Because these kinds of attacks have been so prevalent in the past few years, we are now seeing rates rise and coverage fall. Be sure to read your policy very carefully.

  8. Incident Response Plans (IRPs) are outdated. Most IT and InfoSec professionals think of their IRP in terms of business continuity. This outlines what will happen if a building goes up in flames, or a region is impacted by a natural disaster. Most of these IRPs have as much dust on them as the phone book I keep on top of my refrigerator, and less than half (~42%) of organizations have updated them to include anything about ransomware attacks. Who is responsible for what? What tools will be used for forensics? When do we notify the FBI and/or our insurance agency? Tabletop exercises are great for helping answer some of these questions, but oftentimes they are the blind leading the blind. Find a company that specializes in recovering from ransomware attacks and pay for the training. It's worth it!
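The third point under item 3 describes an attacker lowering a document library's version-history limit before encrypting what is left. A defender can audit for that condition. The script below is an added example, not part of the original article or of Proofpoint's work; it assumes the PnP.PowerShell module is installed, that the caller has site admin rights, and that the site URL and the 500-version floor are placeholders for your own tenant's policy.

```powershell
# Added example (not from the original article): audit SharePoint Online document
# libraries for a lowered version-history limit and optionally restore a policy floor.
# Assumptions: PnP.PowerShell is installed; $SiteUrl is a placeholder; 500 is the
# default major-version limit the article cites, used here as the policy floor.
param(
    [string]$SiteUrl = "https://contoso.sharepoint.com/sites/Finance",  # placeholder
    [int]$MinimumMajorVersions = 500,
    [switch]$Remediate
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# BaseTemplate 101 = document library; skip hidden system lists.
$libraries = Get-PnPList -Includes EnableVersioning, MajorVersionLimit |
    Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }

$findings = foreach ($lib in $libraries) {
    # Either versioning switched off or the retained count pushed below policy
    # is the precondition for the "encrypt the last remaining version" scenario.
    $belowPolicy = (-not $lib.EnableVersioning) -or
                   ($lib.MajorVersionLimit -lt $MinimumMajorVersions)
    [pscustomobject]@{
        Library           = $lib.Title
        VersioningEnabled = $lib.EnableVersioning
        MajorVersionLimit = $lib.MajorVersionLimit
        BelowPolicy       = $belowPolicy
    }
}

$findings | Format-Table -AutoSize

$weakLibraries = $findings | Where-Object BelowPolicy
if ($weakLibraries -and $Remediate) {
    foreach ($finding in $weakLibraries) {
        # Re-enable versioning and raise the retained-version count back to the floor.
        Set-PnPList -Identity $finding.Library -EnableVersioning $true `
                    -MajorVersions $MinimumMajorVersions
        Write-Output "Restored '$($finding.Library)' to $MinimumMajorVersions versions"
    }
}
```

Because the article's scenario starts with stolen administrator credentials, an attacker holding the same rights can lower the limit again; run this audit on a schedule and treat any drop in MajorVersionLimit as an alert, not just a setting to fix.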

Now that you know a new nugget or two about ransomware, what should you do? I admit that I don't know all the answers, but I do have one. I mentioned thinking about your data backup tool as an extension of your security suite. This is what I do in my day job. I help people change from thinking about data recovery to thinking about cyber recovery.


What is cyber recovery?


Great question. Email me and I'll be happy to discuss it with you.


In the meantime, stay alert and be proactive. Watch and listen for the technologies and training that will keep you one step ahead of the threats that you face every day.



About the Author:


JP Bachmann began his professional career in electrical automation, and transitioned into professional sales in the IT industry in 2016. He is now a national sales leader specializing in account success and company growth. JP was awarded a Business Coaching certification in 2019, and has helped to lead the Toastmasters International volunteer organization by serving as a District Director in Colorado and Wyoming from 2022 to 2023, serving 140 independent clubs and 2000 members. In 2023, JP founded TheDashLegacy.net, which is devoted to enriching the personal and professional lives of those around him through continuous growth, humor, and thought leadership. JP is a professional speaker focused on Career Health, and leads workshops helping people develop career and personal goals using his own unique goal-setting method. Connect with JP by emailing him at jp@thedashlegacy.net




© 2024 by TheDashLegacy. Proudly created with Wix.com
