How to Rescue Your Data Before it is Held Hostage

Accurate, accessible, and accelerated data and systems are the lifeblood of any successful organization.  Businesses build the perfect harmony between their people, processes and technology to ensure sales, service and support communicate at the speed of customer need.

At the same time, cyber criminals make it their business to disrupt that harmony and capitalize on the risk that discord creates. The problem is that the vulnerabilities in the way businesses manage their systems and data create quite the playbook for cyber criminals to execute.

A trending topic, ransomware, has gained emerging momentum in business security conversations due to several widely publicized breaches.

In effect, ransomware is a commonly used technique with history dating back to 1989. In the first documented ransomware attack, medial research data in 20,000 floppy disks was distributed to researchers across 90 countries. These floppy disks contained a questionnaire that could assess a person’s risk of contracting AIDS at the time. The disks were also infected with malicious software (also known as malware), and in what would later become known as the AIDS trojan, the disks were designed to hide directories and encrypt files on every computer that loaded it.

The unique technical detail of the incident is that the disks ran regularly but counted how many times the computer booted up. When it reached 90, the malware rendered computer files unusable, prompting the user to send payment to a post office box in Panama. The unique social detail of the incident is that the author of the ransomware code was a Harvard-trained anthropologist and prominent AIDS researcher who had purposefully sent the disks in the first place.

That’s in 1989; before social media, online banking and crypto wallets. Now, the trending topic “#ransomware” sees more than 2,500 tweets per day and an hourly average of 111 tweets with a peak sometimes over 300. LinkedIn shows 18,716 active followers under the same hashtag, and 32,802 active followers under the “#cybercrime” hashtag, with “#ransomware” as the most commonly tag-teamed topic.

What is it exactly, though? The Cybersecurity and Infrastructure Security Agency (CISA) defines ransomware as “an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable.”

Simply put, it’s a cyber-attack method where someone who doesn’t have permission to a device gets access. They use this access to lock out everyone else, and then leverage it to charge for the key to the lock. Until the owner or user pays for the key, they will not have access to any of the information on the device.

There are several steps in how ransomware enters, engages and then ravages an organization. Unfortunately, the technicality of it all, from jargon to analysis to solution, is quite overwhelming and complex to even the most practiced experts.

The executive summary of it all is that there are three primary functions information technology and information security teams must perform – prevention, preparation and protection.

Prevention comprises of the policies, procedures and workflows an organization develops to harden their systems and data, while creating a layer of detection that gives the organization early warning to maneuver a potential cyber threat.

Preparation encompasses the awareness, training and application of people and resources used to identify, maneuver and resolve cyber risks. Protection entails the preemptive, proactive and active responses to an impending or occurring cyber-attack.

Most organizations are strong in one area but considerably weak in the other two; cyber criminals bank on that, exploiting weaknesses in one area to gain access to systems and data they do not have permission to engage. Once they are able to engage, they deliver malicious software to ransom a business’ most critical business assets – whether it be data, systems or access to that data and those systems.

Research from a vast cross-section of cyber events, incidents, risks and threats whittle down to a common core of organizational weaknesses and gaps that facilitate ransomware attacks.  Below are the analytics and intelligence body of work I’ve gathered compressed into the acronym “BACKUP.”

Executive leaders and organizational decisionmakers can easily and should immediately assess if their organizations are taking these steps in the prevention, preparation and protection of their most critical business assets.

These steps provide a comprehensive, high-level checklist to assess an organization’s ability to mitigate, if not repel, a ransomware attack.

  1. BACKUP YOUR DATA REGULARLY
  2. AUDIT YOUR TECHNOLOGY, CONTINUALLY
  3. CHECK YOUR ALERTS, ALWAYS
  4. KEEP UP YOUR AWARENESS
  5. UPDATE YOUR SYSTEM RIGHT AWAY
  6. PROTECT YOUR INVENTORY STRATEGICALLY
  1. Backup your data regularly. The silver bullet to a ransomware attack is to sync your network, systems and data to a backup environment REALTIME. The challenge with silver bullets is that they’re expensive. Ransomware attacks rely heavily on the premise that users and organizations do not sync or back their data up to a separate environment. Most organizations do not typically have a separate backup environment, and if they do, they do not regularly update their production data – more simply described as their day-to-day, ongoing, active business work environment and technology.

Additionally, 60% of data backups are incomplete and 50% of restores are unsuccessful. Cyber criminals using malicious software bank on this fact. If someone loses physically their house key, they can still access their home with a spare key. If someone gets locked out of their phone, they can go to the store to get an unlock with the appropriate identification, or they can buy a new phone.

In the case of ransomware, there’s no spare key or support store, and buying a new phone is only as good if you can connect with the data you need from the old phone. Additionally, having a backup is only as good as the most recent point of backup you can restore it to – and if that’s a long time ago, you lose all the work and data produced since then.

That’s why ransoms get paid. That’s why cyber criminals leverage ransomware to carry out more than 4,000 attacks daily since 2016 and against businesses every 11 seconds in 2021.

If a backup point is as recent as last minute, then if a company gets locked out, they can disable all systems affected, restore new ones to the last backup point and go on about their business.  Silver bullets can also misfire; the backup has to be complete and must restore all production data as can be verified by the user.

Backup programs can become very costly overall, however, as expensive as silver bullets may be, test firing them is necessary to make sure they work. The solution is to consider the probability of the threat, adjust data retention and restore processes accordingly.

  1. Audit your technology, continually. Determine which technologies are your critical go-to business solutions. Prioritize them from common to critical and continually assess if the people and processes protecting them are mature.

It’s important to note that 1 in 36 devices have high-risk applications installed, which create a pathway for cyber criminals to deliver malicious software. Additionally, 1 in 4 mobile applications include at least one high risk security flaw.

If audited, these applications and flaws can be identified before the malicious code starts to lock out or affect your critical go-to business devices. Inventory your data and systems, identifying which business assets have the highest probability to become targets. Determine which assets, if targeted, would have the worst impact to your organization if ransomed and implement the appropriate stopgap measures.

Adjust your internal and external audit and assessment schedule to test your most critical assets more frequently than others. By prioritizing your focus areas, you can conduct precision vulnerability scans (quarterly at least, monthly at best) and penetration tests regularly (annually at least, semi-annually at best) on targeted network assets, instead of all-encompassing, super-expensive security assessments across the entire organization once every so often. I know that 37% of organizations admit they do not even scan for vulnerabilities, which is a significant cross-section of immediately mitigatable risk.

  1. Check your alerts, always. 20% of all vulnerabilities from unpatched software are classified as high risk or critical, yet several alerts stemming from these identified issues go unresolved.

I’ve quite often assessed and worked with organizations that have incredible, robust information technology and cybersecurity solutions that do not have the personnel resources to process the issues identified in the systems they have implemented.

I liken it to ignoring a call from a relative; most likely, the call is not an emergency, but continually ignoring the call increases the probability that you won’t be aware of an emergency when it is happening.

Security technologies are designed to see the machine data signature of the cyber-attack.  Whether in email logs or network metadata, security tools identify the baseline symptom of a cyber threat and provide clues in alerts to organizational staff to triage.

  1. Keep up awareness. Ensure cyber awareness training are recurring and communicate the most pertinent threats to your organization, its people, and the specific systems in your inventory. There are a lot of ransomware techniques and variants out there, but identify which ones are specific to your business assets.

Further, scan your network and devices regularly. The Common Vulnerabilities and Exposures (CVE) database lists more than 11,000 exploitable vulnerabilities in commonly used systems and software. Scan against this list. If vulnerabilities and exposures are identified, PATCH THEM RIGHT AWAY; 80% of companies who had a data breach or failed audit could have prevented it by patching on time or doing configuration updates.

  1. Update systems right away. The average company takes 12 days to coordinate patches and updates across the enterprise. Organizations have extensive inventories. In the peak and wake of COVID, several of those assets are severely dispersed across a satellite, remote business office landscape. This responsibility is dual; both the organization and individual need to install updates to devices within their accountability sphere right away. Most delays to updates happen because users are reluctant to lose work in progress on an open application or program.

Companies need to update servers, network switches, storage devices and access platforms. Individuals need to update their laptops, mobile devices, applications and security settings. The average user has 11 connected devices and each mobile device connects to an average of 160- unique IP addresses or servers daily.

If they do not have the latest update, there are critical flaws in the device’s operating system that create an open door for cyber-criminal exploits. A best practice is to execute the update within 24 hours of the notification of the new update. A better practice is to save work, power down, and execute the update as soon as notification is received.

  1. Protect your inventory strategically. All too often I work with organizations that have previously implemented new technologies without a business use case or input from ACROSS the organization. It’s typically a shiny new technology a colleague, conference, or checklist tells them is needed.

Instead of taking a strategic breath to evaluate how that technology can optimize the business across departments and organizational units, they launch a tactical project to demo, procure, and onboard for the sake of progress and benefit of a small group of users. Stop; evaluate how your organization creates, stores, uses, and transmits data.  Map your data to identify what is most critical to the business, and in turn identify the community of individuals that should have specific rights, or permissions, to it (create, edit, send, save).

Subsequently, ensure the systems that your critical data reside in are only accessible by those individuals who have permission and authorization, and the data is stored and protected in them. 63% of companies compromised in the last 12 months were due to a new device or hardware issue. Shiny new toys attract shiny new bugs and bugs carry infections.

Ransomware is successful when a gap exists between prevention, preparation and protection functions for information technology and cybersecurity resources within an organization.

As it trends now, because of publicized breaches, focused legislative initiatives and increased cyber knowledge of the average user, it is both the most, and least, talked about issue in business data compromise today.

Start the conversation within your organization, run the above checklist and continually increase your awareness of emerging cyber-attack methods. By adjusting your cyber risk strategy, you’ll manufacture better armor and cheaper silver bullets.

Written by: Alexander White

Alexander White is a military veteran, cybersecurity professional and owner of The White Group & Company.