Panel: Understanding the Extensive Ransomware Threat

By Paul South

Spencer Wilcox remembers the first time he heard a respected security expert talk of “it’s not if, it’s when” in terms of ransomware attacks.

“I remember thinking at the time, ‘Well, that seems defeatist,’” Wilcox, chief security officer and executive director of technology at PNIM Resources, said. “Of course, like everybody else in the industry, I matured to finally get to a point where I can accept disaster. This [though] is a level of disaster I don’t think any of us are prepared to accept. So, as a result, we’ve got to figure out better ways to prevent ransomware. And more importantly, we have to have great ways to recover.”

Wilcox was part of a panel for a highly rated ISC2 webinar called “Your Data Held Hostage –Understanding the Extensive Ransomware Threat.”

Joining Wilcox were Tarik Saleh, senior security engineer and malware researcher at DomainTools, and Jeramie Brown, information security officer for the Nevada Department of Transportation.

Cybersecurity professionals are well aware of the damage ransomware can, and has, wrought since it gained popularity among malware developers. In addition to locking down corporate and government devices, these online extortions have been blamed on actual deaths, as evidenced by the fallout from a September 2020 attack at Düsseldorf University Hospital.

The average ransomware payment in the first quarter of 2020 was more than $175,000, and that didn’t include costs related to downtime—believed to be five to 10 times the actual ransom amount.

This begs the question: Should a company, hospital or municipality pay to regain control of its machines and networks?

“From a business perspective, we want to go ahead and pay the ransom so we can quickly get back to operation,” Saleh said. “And then there’s the other perspective of, no, we’re not going to pay, we’re not going to give in to demands. We’re going to go ahead and try to recover on our own independently. Really, I don’t think any answer is necessarily right or wrong. It’s really a business decision for what’s best for your company or your organization. It really also depends on the resources you have available.”

Brown noted that for many in the public sector, the decision on payment has already been made—and included in the budget.

Along similar lines, it’s wise to maintain a line of communication with the department that handles insurance policies and claims, Wilcox advised.

“They are looking to you as the CISO to help reduce the overall cyber insurance cost. If you’ve got your controls listed out, and you’re able to present those in a cohesive, coordinated fashion, it will help you a lot in reducing costs. That’s going to make your insurance team your best friend, because you’re managing their costs for them.”

He also suggests getting to know your insurance broker. And beware that most insurance policies contain a clause that there is a duty to disclose, Wilcox said.

Of course, the best way to fight ransomware is to prevent it from infiltrating a network or system. That takes user education and applying security controls that minimize an attack.

“Just because our particular data may not be life-altering, that doesn’t mean that it’s not important,” Brown said. “If you’re not talking about what you’re going to do when or if you get infected with ransomware, you need to start having those conversations now. The prevention phase; the detection phase; what you’re going to do to recover; how quickly you need to recover—all of that needs to be discussed and planned during the preparation phase. So, the more you talk about it, and the earlier you talk about it, the better off you’re going to be.”

That also means having discussions around other potential damage, like customer privacy, operational downtime, loss of resources and damage to customer confidence.

“You’re going to have to employ multiple techniques that these ransomware authors are doing,” Saleh said. “A lot of this is automated. Once the ransomware has a foothold on a victim’s box, there are different techniques that ransomware authors will use such as like your basic sleep, where the ransomware sits idle on a box for a certain amount of time depending on the time zone that they’re in.”

But as bad actors—whether individuals or state cyberterrorists—grow more sophisticated in their playbook, the fundamentals of defense for organizations remain the same: strong cybersecurity hygiene, enforced enterprisewide. This means boosting antimalware detection systems, employing sandboxes as needed, remaining vigilant on user education and awareness and, don’t forget, testing backups…just in case they are needed.

Paul South is a freelance writer based in Alabama.