We left 2015 talking about exponential increases in ransomware attempts on a quarter over quarter basis. No surprise that we begin 2016 talking ransomware and its many variants, as this threat vector has been a financial bonanza for cyber criminals and cyber attackers having extorted tens of millions of dollars over the past 18 months from victims.
Though originally founded upon a version of ransomware called CyptoLocker 3.0, other variants have surfaced and have been nearly as successful – a spin-off called CryptoWall generated over $300 million for one criminal gang.
What is ransomware? In general, it is a scam by which a very clever attacker sends you a very crafty socially engineered spearphishing email (with information gained from your social media accounts) that when the attachment is opened scrambles your computer files until you pay the attacker a “ransom,” which is very likely a relatively small amount of untraceable bitcoin.
It is somewhat ironic that not unlike various known computer operating systems, ransomware has now become available in different versions. CyptoLocker 3.0 has now given way to CryptoLocker 4.0, which has “added features.” “Ransomware as a Service” is also available on the DarkWeb for Sale, as are ransomware “joint ventures” for a price. Ugh!
Now I am not the most technical savvy cyber lawyer in the universe, and I don’t have the secret decryption key to help those affected/infected by ransomware. I am a cyber corporate governance lawyer trying to help large and small corporations, private equity, and hedge funds deal with an increasing complex cyber threat and cyber regulatory environment. (I leave the “black box” stuff to others!)
Rather, I try and use common sense processes and procedures to help provide our clients with information about current threat actors and threat vectors, so that they (1) can stay safe, and (2) if they have a cyber problem be able to deal with it proactively to protect their businesses, clients and customers.
One of the solutions to the ongoing problem of ransomware is using the NIST cybersecurity framework proactively. What do I mean by that?
The NIST Cybersecurity Framework (“the Framework”) came out in February 2014 as a common sense method for allowing critical infrastructure to proactively assess their current cybersecurity posture and through continuous monitoring improve their posture accordingly.
The Framework’s elegant simplicity is what makes it such a great defense against ransomware. Three of its core elements are right on point:
1. Identify Your Most Critical Assets, Where They Reside, and How You Value Them
Do you know how many organizations don’t know where all their stuff is? When I mean “stuff,” I mean critical, super important stuff, like customer information, critical intellectual property, investment-related information, merger and acquisition-related information, critical manufacturing plans, and other personally identifiable or miscellaneous information (e.g. maybe data regarding their core sales drivers).
Once that task is complete, companies then need to map that data to a location, i.e. is it stored locally in the network server room, or is it in a cloud environment? You have to start somewhere with information management governance. Finding out where your stuff is a good start.
2. Protect Which Matters Most
Ok then, your business is that of a regulated investment advisor. Your business sells the most delicious French toast ever made (using a recipe thought up by your wife), and it’s made and distributed through a plant in New Jersey that is run by both your IT network and by various industrial control devices or SCADA systems contained throughout your factory. The factory is your lifeblood.
If it isn’t running, you can’t make the French toast, and trucks can’t deliver it to food stores around the NY tristate area. And if it can’t get to food stores, your business is toast. So clearly you have three separate sources of critical information (“your crown jewels”) that need protecting – your basic IT network, your industrial control systems in your plant, and your client lists of the various food stores where you sell your French toast.
How are you protecting this data? Really think about the question in detail:
- Do you have next generation firewalls to catch bad code before it enters your network and ICS devices and encrypts your files?
- Do you patch your AV software as required to stay fully up to date on variants of ransomware? How quickly to patch “critical updates?” ASAP or whenever?
- Do you conduct quarterly anti-spearphishing training for your employees so they don’t feel compelled to “click on every link”?
- Do you have a DMARC or other email hardware/filter that will catch or sandbox suspicious socially-engineered or spoofed email before it encrypts your files?
- Have you recently tested or “red-teamed” your ICS or SCADA systems to see if they can be (1) hacked, or (2) need to be patched, or (3) are otherwise subject to encryption coded commands that will shut your factory down
3. Test Your Recovery and Back-Up Systems Constantly – and Segment Your Back Up from Your Network
So your employee clicks on a link from the King of Arabia looking for his King’s Ransom, and your business gets “ransomwared” instead. The Recovery element of the NIST recommends the following: have processes and procedures in place to have your files backed up on a regular basis, stored off-site, tested periodically, and ready to employ on little to no notice if your files get encrypted, and you need to restore your network from the last available moment before the ransomware went live.
In enterprise risk management language, this is called “business continuity planning” or resiliency. In reality, this is called common sense. Understand that you will be hacked. And be ready to react at a moment’s notice.
There are so many variants of ransomware to which neither the NIST framework nor this article can do adequate justice. But using the Framework as a basis to re-evaluate your ransomware defenses is a perfect solution to a moving-target problem that calls not just for one solution or many solutions.
As we enter 2016, and as the Framework approaches its second birthday, we are again urging client’s to use its core precepts to re-evaluate their defenses against all threat vectors. There is ghostware, stealthware, and other silent vectors to strike. Use the Framework as your “Seal Team Six” to fight back.
About the Author: Paul Ferrillo is counsel in Weil’s Litigation Department, where he focuses on complex securities and business litigation, and internal investigations. He also is part of Weil’s Cybersecurity, Data Privacy & Information Management practice, where he focuses primarily on cybersecurity corporate governance issues, and assists clients with governance, disclosure, and regulatory matters relating to their cybersecurity postures and the regulatory requirements which govern them.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Title image courtesy of ShutterStock
 See “Ransomware rearing its ugly head, goes after business,” available at http://www.welivesecurity.com/2015/12/28/cybercriminals-targeting-banks-ransomware/.
 There are variants to the general scam. Sometimes data is exfiltrated during the particular attack to another location, and if the ransom is not paid, the attacker promises to post your confidential data on internet bulletin boards for all to see.
 See e.g. “The NIST Cybersecurity Framework – Encouraging NIST Adoption Via Cost/Benefit Analysis,” which is available at http://csrc.nist.gov/organizations/fissea/2015-conference/presentations/march-24/fissea-2015-ferrillo.pdf. This is a presentation I gave to NIST officials last year.
 See e.g. “Millions of children’s data hacked after ‘biggest ever cyber attack’ on toy firm,” available at http://www.telegraph.co.uk/news/uknews/law-and-order/12051439/Millions-of-childrens-data-hacked-after-biggest-ever-cyber-attack-on-toy-firm.html.
 See “Ransomware: Refusing to Negotiate with Attackers,” which is available at http://www.tripwire.com/state-of-security/security-awareness/ransomware-refusing-to-negotiate-with-attackers/.