Running Away is Not a Good Cyber Strategy for Ransomware

There’s one common characteristic of folks who are in the cybersecurity world: we have an (admittedly dark) fascination with reading about hacks in the news. The intellectuals will try to understand what happened and what could have been avoided; the opportunists will jump on the phone to offer their latest solution; and some of the more cynical will partake in some schadenfreude at the sheer impossible scope of the problems and threats facing organizations today. Of many forms of cyberattack wreaking havoc lately, ransomware presents an interesting combination of human and technical failures that almost always leads to an intriguing story.

Pay up or lose it

Ransomware is a type of malware (malicious program) designed to map networks, identify files (and, increasingly, backups as well) and then encrypt them all, rendering them inaccessible to users and systems. The attacker then demands a ransom of hundreds to thousands of dollars (often in hard-to-trace cryptocurrency) in return for the decryption key that unlocks the files.

Ransomware often enters through phishing, where someone inside the network inadvertently clicks on a seemingly legitimate link in an email, social media post, etc. that silently downloads the malware in the background. Once the malware is installed and executed, there is usually very little recourse. There are only two ways to recover from a ransomware attack: one is to pay the ransom, the other is to restore the whole network from a clean backup.

Have you heard the news?

Most organizations do not report ransomware attacks, especially if no data has been lost or operations have not been affected in any meaningful way. They simply either restore from backup or pay the ransom and move on. No sense announcing you were hacked and dinging your reputation. However, when you’re a global leader in your industry and ransomware takes down your whole production system, or impacts drugs that save patients, everyone notices.

In healthcare, hospitals (in the US, anyway) are required to report ransomware attacks, so the news is filled with reports of ransomware at healthcare facilities (here’s a typical weekly update with five getting hit). There are also so many machines still vulnerable to ransomware attacks that we’re sure to keep hearing about ransomware, despite the availability of patches. Indeed, even two years after the initial attacks, 40% of health organizations suffered a WannaCry ransomware attack in the past 6 months.

Just run?

Granted, there is one other way that some organizations have dealt with ransomware.

By running away.

Some might be shocked to read of a two-doctor practice that decided to close up shop after getting slapped with a ransom of $6,500. After getting hit, the docs realized it was easier to accelerate their retirement than pay the ransom and preserve the data on all their patients.

Indeed, some cyberattacks can have devastating business-ending effects beyond the value of the data or ransom. For example, a large medical bill collection company, with ties to some of the largest US diagnostics companies, has decided to liquidate the company after a massive breach. One can imagine the knock-on effect of such a central “vendor’s vendor” vanishing after a cyberattack, but that’s best left for another post.

To be fair, the implications of the ransomware might have been more than the $6,500 ransom for the two doctors – perhaps the cost of lost business, remediation, and potential lawsuits – and there is really no guarantee in paying the ransom. Sometimes the attackers take the money, then turn around and ask for more in order to unlock the files.

What you can do

To address ransomware, companies need to train staff and have systems in place to counter phishing, keep machines up to date with security patches, have secure and clean backups or data vaults from which to restore network data, and have a properly tested remediation plan that includes continuity of business.

One other quite helpful network security policy is to properly segment your network. Often, ransomware hits one part of a network and is then able to move laterally across a flat network, taking over the whole system (including backups). A properly segmented network, especially one using hardware-enforced one-way data flow, can confine ransomware to a single network segment, reducing the overall impact on the business.

What are you doing to avoid the impact of ransomware?

Daniel Crum, Director, Product Marketing
