Combatting Ransomware

Rex Johnson
Director, Cybersecurity Practice
CAI
rex.johnson@cai.io

Recently, ransomware attacks have received a great deal of national media attention. These attacks have
impacted many organizations, including Colonial Pipeline, JBS Foods, and even the National Basketball
Association, and they do not appear to be slowing down anytime soon.

Ransomware is malicious software that encrypts a computer systems files and blocks access to them
until a sum of money is paid. It has proven to be one of the most successful and profitable methods used
by hackers.

Hackmegeddon, an independent project launched in 2011 that studies breaches, tracks the incentives
behind cyber-attacks such as ransomware. According to their Q1 2021 report, 86.0% of all reported
breaches were motivated by cybercrime (such as fraud, identify theft, ransomware,
data theft, or violating privacy), with espionage (theft of intellectual property) at a
distant second at 8.3%. Hacktivism, which promotes an ideological, political, or
social agenda, trails at only 1.1% of total breaches in this study. In the past, these
threat actors were thought to attack only huge organizations, leaving small
businesses and charities safe from threat. But a recent study shows that 43% of
cyber-attacks target small businesses and non-profits3 .

The biggest challenge to stopping these threat actors is jurisdiction. Organizations
responsible for these attacks such as REvil, Evil Corp, and DarkSide operate
outside of the U.S., making it difficult for U.S. authorities to prosecute them.
However, it is not entirely a lost cause. Recently, the U.S. Department of Justice was
able to recover $2.3 million of the ransom paid to the attackers of the Colonial
Pipeline. Subsequently, the new U.S. Executive Order lays out directives to modernize security and
infrastructure, share information about cyber-threats, and improve detection and response to prevent and
mitigate the impact of a breach, and even fight back against these attackers.
Below are some best practices organizations of any size can adopt to prepare themselves and develop a
stronger defense against these threats:

• Establish a security awareness program: An effective program includes training events and
  meaningful messaging throughout the year, such as bulletins, newsletters, or other types of
  internal communications. Also include social engineering tests such as simulated phishing
  exercises. According to a recent report, 85% of breaches are caused by human error. This may be
  due to multi-tasking, fatigue, or lack of awareness. It is important that simulated phishing
  exercises encourage learning as opposed to shaming those who may fail the occasional test. This
  will heighten awareness of suspicious activities by internal employees so they can address threats
  before they happen.
• Conduct periodic risk assessments: A regular check-in by an independent party will help an
  organization understand its posture. Organizations should consider their business model and
  budget to right-size these assessments. For example, consider a rotating schedule for an
  annual risk analysis. This means you have a different type of assessment every year to cover a
  broader spectrum of security opportunities.
• Maintain an incident response (IR) plan: A well-developed plan that outlines how an
  organization will respond to a breach can save time and money. It should include roles and
  responsibilities, so stakeholders understand their part of the plan. Periodically testing this plan
  through tabletop exercises and reviews will improve the effectiveness and keep the plan
  current.

The increasingly interconnected nature of our world will continue to create opportunities for threat
actors. However, cybersecurity now has the attention of our nation at the highest levels. Exercising best
practices like those outlined above can help organizations prepare to mitigate, and potentially prevent,
the impacts of an attack.

We look forward to sharing additional Cybersecurity information and ideas
with you at the PCCYFS Conference on September 30th.