Running Away is Not a Good Cyber Strategy for Ransomware

Running Away is Not a Good Cyber Strategy for Ransomware


There’s one common characteristic of folks who are in the cybersecurity world: we have an (admittedly dark) fascination with reading about hacks in the news. The intellectuals will try to understand what happened and what could have been avoided; the opportunists will jump on the phone to offer their latest solution; and some of the more cynical will partake in some schadenfreude at the sheer impossible scope of the problems and threats facing organizations today. Of many forms of cyberattack wreaking havoc lately, ransomware presents an interesting combination of human and technical failures that almost always leads to an intriguing story.

Pay up or lose it

Ransomware is a type of malware (malicious program) that’s designed to map networks, identify files (and recently, also backups) and then encrypt them all, rendering them inaccessible to users and systems. The attacker then demands a ransom of hundreds to thousands of dollars (often in untraceable cryptocurrency) in return for a cypher key to unencrypt the files.

Often ransomware enters through phishing, where someone inside the network inadvertently clicks on a presumably legitimate link in an email, social media, etc. that invisibly downloads the malware in the background. Once installed and executed, there is usually very little recourse. There are only two ways to recover from a ransomware attack: One is to pay the ransom, the other is to restore the whole network from a clean backup.

Have you heard the news?

Most organizations do not report ransomware attacks, especially if no data has been lost or operations have not been affected in any meaningful way. They simply either restore from backup or pay the ransom and move on. No sense announcing you were hacked and dinging your reputation. However, when you’re a global leader in your industry and ransomware takes down your whole production system, or impacts drugs that save patients, everyone notices.

In healthcare, hospitals (in the US, anyway) are required report ransomware attacks, so the news is filled with reports of ransomware at healthcare facilities (here’s a typical weekly update with five getting hit). There are also so many machines still vulnerable to ransomware attacks, that we’re sure to keep hearing about ransomware, despite the availability of patches. Indeed, even two years after the initial attacks, 40% of health organizations suffered a WannaCry ransomware attack in the past 6 months.

Just run?

Granted, there is one other way that some organizations have dealt with ransomware.

By running away.

Some might be shocked to read of a two-doctor practice that decided to close up shop after getting slapped with a ransom of $6,500. After getting hit, the docs realized it was easier to accelerate their retirement than pay the ransom and preserve the data on all their patients.

Indeed, some cyberattacks can have devastating business-ending effects beyond the value of the data or ransom. For example, a large medical bill collection company, with ties to some of the largest US diagnostics companies, has decided to liquidate the company after a massive breach. One can imagine the knock-on effect of such a central “vendor’s vendor” vanishing after a cyberattack, but that’s best left for another post.

To be fair, the implications of the ransomware might have been more than the $6,500 ransom for the two doctors – perhaps the cost of lost business, remediation, and potential lawsuits – and there is really no guarantee in paying the ransom. Sometimes the attackers take the money, then turn around and ask for more in order to unlock the files.

What you can do

To address ransomware, companies need to train staff and have systems in place to counter phishing, keep machines up to date with security patches, have secure and clean backups or data vaults from which to restore network data, and have a properly tested remediation plan that includes continuity of business.

One other quite helpful network security policy is to properly segment your network. Often, ransomware hits one part of a network and is able to laterally move across a flat network taking over the whole system (including backups). A properly segmented network, especially using hardware-enforced one-way data flow, can isolate ransomware to a network segment, reducing the overall impact to the business.

What are you doing to avoid the impact of ransomware?

How IIoT and the Cloud are Upending the Purdue Model in Manufacturing

The Purdue Model of Control Hierarchy is a framework commonly used by manufacturers in pharmaceuticals, oil and gas, food and beverage, and other verticals to group enterprise and industr...
September 11, 2019
Gary McGibbon Business Development Manager - Financial Services

Capital One as a Canary in the Cloud Coal Mine: Part 3 – Conclusions

If the Capital One sysadmin had just changed the WAF password... In the final part of our blog series on the Capital One breach, I want to discuss the conclusions reached based on the vu...
August 15, 2019
Gary McGibbon Business Development Manager - Financial Services

Capital One as a Canary in the Cloud Coal Mine: Part 2 – Findings

"That is a pretty egregious oversight." In the second part of our three part series on the Capital One breach, I want to discuss the vulnerabilities and other elements that went into the...
August 13, 2019