Ransomware attacks are dominating headlines. Solar Winds, JBS, Colonial Pipeline, and Kaseya VSA are household names not because of the products or services these organizations offer, but because of notorious cyberattacks against these organizations. Publicity aside, the $20 billion sum the world spends recovering from ransomware every year should have your Third Party Risk Program on alert.
Shared Assessments’ recent webinar “Ransomware Attacks And Third Party Risk: Steps You Can Take Now” offered an overview of ransomware trends along with steps TPRM programs should implement to prevent ransomware attacks and to mitigate an attack should it occur.
Ransomware Trends and Statistics
Attacked organizations not only pay ransoms, they experience costly factors including downtime, communication, and forensic specialist expenses. On average, organizations pay $233,217 in ransom. But, organizations experience 19 days of downtime after ransomware attacks, resulting in an average cost of $761,106 in remediating an attack. Globally, the expenditure is enormous: $20 billion is spent on ransomware recovery every year.
Phishing is a common avenue cyber criminals take to conduct a ransomware attack. After a victim has clicked, malware installs on the user’s machine and begins to reach out to command and control centers identifying file shares, databases, and other inventory information. The command and control center provides appropriate next steps including encryption.
There are junctures where you do have an opportunity to identify and stop ransomware. Email services that scrub malicious links and attachments and endpoint detection and response systems are good tools against ransomware. Minimizing a ransomware attack as early as possible is best and being ready to rapidly deploy corrective actions is next best.
Handling Ransomware Threats
In order to be prepared to handle a ransomware attack with agility, your organization should conduct simulated attacks and include the executive team in these exercises. In these simulations:
- Prepare
- Detect
- Analyze
- Contain
- Respond
In the recovery period, incorporate any lessons learned. Require these same exercises for your vendors. Your organization and your vendors need to outline a solid cyber policy and acquire cyber insurance.
To strengthen your approach to a potential attack, consider building a response team that includes these roles:
- Legal / Privacy / Finance
- Procurement SME retainers
- Cyber Forensics Specialists
- Cyber Ransomware SME
- Ransomware negotiator
- Client / Public Relations
Establishing a cryptocurrency account before an attack will help to facilitate ransomware payment should business leaders decide this is the best course of action. Of course, ensure your CEO and business stakeholders are briefed in the event of an attack.
While there is friction between law enforcement and the business community on payment of ransoms (businesses sometimes prefer to pay ransoms rather than suffer extended business disruptions), still brief law enforcement (FBI) in the spirit of building a safer, more resilient world.
While global government focus and coordination on stymying attacks has improved and sharing of ransomware intelligence and reporting has increased, malware has become more sophisticated, ransomware as a service and extortion after payment have become more common. Your organization needs to remain in a position to respond.
What to Cover in Your Assessments
To ensure your vendors are addressing ransomware threats, you want to examine the weakest links in your organization. Examine joint ventures, mergers & acquisitions, partnerships, trials and studies in particular. Pay close attention to your Nth Parties, Supply Chains and distribution channels. Be mindful of operations in tension-laced locations. Create the right policies, standards and cybersecurity controls internally and carry these to your third and fourth parties. Ensure that you are aligned with federal, NIST, and ISO standards – and again, apply these expectations to your vendors.
Importance of Immutable Storage
Legacy file systems are inherently vulnerable to ransomware as they store data that needs to be editable to support your business needs. However, when attacked, the architecture of legacy file systems allows your files to be altered. Immutable storage (within an immutable data architecture) is data storage that will remain static and pristine for its entire existence. Think of it as an airlock – not even an administrator can touch this data.
As you consider the best mode of immutable storage for your organization, consider the pros and cons of each kind of storage:
1. Hard Drives
–Pros: Capable of holding large amounts of data; relatively inexpensive; easy data access
–Cons: prone to physical failure over time; requires secure temperature controlled physical storage space
2. Solid-State Storage Disks
–Pros: capable of holding large amounts of data; easy data access
–Cons: relatively expensive; prone to physical failure over time; requires secure temperature controlled physical storage space
3. Tapes
–Pros: relatively inexpensive; capable of holding large amounts of data
–Cons: media may degrade overtime; inconvenient data retrieval; requires secure temperature controlled physical storage space
4. Cloud
–Pros: Highly reliable; easy data access; requires no physical storage space
–Cons: storage costs can mount overtime
Resources for Ransomware in TPRM
As a TPRM program, being ransomware resilient means being ready to respond. Through awareness, assessments, and exercises, you can stay ahead of increasingly sophisticated attacks. Remember…it’s not a matter of if….but when.
A full recording of the Ransomware Webinar is available here. Additionally, these compiled resources are excellent guidelines for building a tenacious TPRM approach against ransomware:
- Cybersecurity Ventures: Cyberwarfare – 2021 Report
- Institute for Science + Technology (IST): Ransomware Task Force Final Report
- Identity Force: 2021 data breaches
- CoveWare: Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
- US Department of Justice: InfraGard Connect to Protect
- US Federal Bureau of Investigation: Ransomware
- Doug Peckover: Complimenting Zero Trust
- NIST: Contingency Planning Guide for Federal Information Systems
- NIST: NIST Risk Management Framework
- US Office of Comptroller of Currency: OCC Bulletins (by Year)
- European Banking Authority (EBA): Guidelines on outsourcing arrangements
- Palo Alto Networks: Complete Zero Trust Network Security
- Ponemon & Experian: Eighth Annual Study: Is Your Company Ready for A Big Data Breach?
