The Ongoing Ransomware Crisis: A Cyber Expert's Perspective

August 5, 2021

In mid-May 2021, the CEO of Colonial Pipeline, a major gas pipeline that serves much of the East Coast of the U.S., admitted that his company paid hackers an estimated $4.5 million in ransom in return for releasing its computer systems from their hostage takeover. Shortly after, in late May, JBS, one of the world's largest meat processing companies, was targeted by a ransomware cyber-attack as well. This attack temporarily shut down some of its operations in Australia, Canada and the U.S. Both ransomware attacks reportedly originated from criminal groups based in Russia. Since then, Capitol has been part of an ongoing conversation on the rising threats of ransomware and other cyber attacks, with experts from the university weighing in with their unique perspectives.

This is an ongoing series. Be sure to check back on our website and social media for future updates on this story from other industry experts at Capitol.


This interview is courtesy of Dr. Bill Butler, Chair of Cyber Programs at Capitol, and Dr. Nikki Robinson, Security Architect and Adjunct Professor, Center for Cybersecurity Research and Analysis (CCRA).

1. Why do you think there is a sudden influx of cyber attacks? Could this relate to the increasing use of remote technology due to Covid?

Ransomware attacks increased by over 300% last year as companies switched to remote work. Today, ransomware gangs are becoming more aggressive: stealing and/or leaking data or locking your systems or files in exchange for ransom payments.

The facts are that $20 billion in damage from attacks on small businesses occur every 14 seconds. While there is an increasing threat of ransomware, it may not necessarily be related to solely remote work. There have been several ransomware attacks that targeted hospitals and local or state governments pre-Covid. Unfortunately, the rise of “Ransomware as a Service” has made it far easier for malicious actors of any variety to conduct ransomware attacks. Ransomware packages are now sold and distributed as means of income for malicious actors.

 

2. From a cybersecurity standpoint, are ransomware attacks more difficult to combat than other types of network attacks/hacks? Why/why not?

One can unknowingly download ransomware onto a computer by opening an email attachment, clicking an ad, following a link, or even visiting a website that's embedded with malware. The countermeasures include implementing multi-factor authentication (MFA), backups, continuity of operations plans, and other measures as recommended by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and Cybersecurity and Infrastructure Security Agency (CISA).

The good news is several suggestions from MS-ISAC and CISA to protect against ransomware can also protect against a variety of other attacks. And working on an Incident Response program can also help if a ransomware attack does happen. CISA also has comprehensive resources for creating an Incident Response (IR) plan and other organizations to assist with IR planning.

 

3. Have you ever seen a ransomware attack happen in any of the places you have worked? What happened?

Fortunately, not to my knowledge.

 

4. In a cybersecurity department, is there a specific protocol in place for if a hack or ransomware attack takes place? Does it depend on the company or is there a generally standardized course of action?

Enterprises should have a response plan and an incident response team or contractor ready for such an occurrence. The plan should specify what actions should be taken and by whom once the breach has been detected. Businesses should consult the NIST SP 800-61, NISTIR 8374, and the CISA site which addresses incident response and specifically how to prevent and respond to ransomware attacks.

 

5. What new measures are companies putting in place to ramp up cybersecurity and prevent ransomware attacks?

Companies are recommended to take the following actions by the FBI: keep software up to date, back up data regularly, secure the backups separate from your network, and create and test your continuity plan. Both CISA and FBI have put together open-source documentation to work towards a more secure environment against ransomware and other types of attacks, as well.
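The FBI checklist in the answer above ends with backing up data, keeping the backups separate from the network, and testing. One concrete way to make "test the backup" more than a checkbox is to keep a hash manifest of the backup set and re-verify it before relying on it: a backup that an intruder could reach and encrypt in place will fail the digest check, and a dropped note will show up as an unexpected file. The script below is an added example and is not code from the interview, Capitol, CISA or the FBI. It assumes the backup is a directory tree that an operator copies to detached media and that the manifest is stored separately from the tree; all file names and contents in it are constructed.

```python
"""Added example (not from the interview): build and verify a SHA-256 manifest
for an offline backup set, so a restore test can prove the copy is intact.

Assumptions (not from the page): the backup is a directory tree copied to
detached media, and the manifest is kept in a second location. The file and
directory names below are constructed for the demonstration.
"""

import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Record the digest and size of every file under backup_root, keyed by relative path."""
    manifest = {}
    for p in sorted(backup_root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(backup_root).as_posix()
            manifest[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the current tree with a previously stored manifest.

    Returns the paths that are missing, altered (digest mismatch, which is also
    what a file encrypted in place looks like) or unexpected (present on disk
    but absent from the manifest), plus an overall ok flag.
    """
    current = build_manifest(backup_root)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    altered = sorted(
        rel for rel in set(manifest) & set(current)
        if current[rel]["sha256"] != manifest[rel]["sha256"]
    )
    return {
        "missing": missing,
        "altered": altered,
        "unexpected": unexpected,
        "ok": not (missing or altered or unexpected),
    }


def demo() -> dict:
    """Create a constructed backup set, take its manifest, then simulate damage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "db").mkdir(parents=True)
        (root / "db" / "customers.sql").write_text("CREATE TABLE customers (id INT);\n")
        (root / "config.yaml").write_text("retention_days: 30\n")

        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)  # fresh copy: everything matches

        # Simulate what an intrusion leaves behind on a backup that was still
        # reachable from the network: one file overwritten with opaque bytes
        # and one unexpected file added (both constructed for the example).
        (root / "db" / "customers.sql").write_bytes(os.urandom(64))
        (root / "README_RESTORE.txt").write_text("constructed sample note\n")
        damaged = verify_backup(root, manifest)

    return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest is generated when the backup is written and copied off with it (or signed), and `verify_backup` is run as part of the periodic restore test the answer calls for; a non-empty `altered` or `unexpected` list is a signal that the backup copy was reachable by something that should not have reached it.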

 

6. What would you personally do if you worked at a company that was hit with a huge ransom demand? What steps would you take to resolve the issue?

The CISA “stop ransomware” website outlines seven steps to take immediately once an attack has been detected. For example, the first step is to determine which systems were impacted, and immediately isolate them. Once the incident is contained, step seven is to consult federal law enforcement regarding possible decryptor availability, as security researchers have already broken the encryption algorithms for some ransomware variants.

 

7. In some situations, does it make more sense to just pay the ransom, or should companies always try their best to fight the attack?

This is a very controversial issue today. The FBI recommends not to pay because it finances more cybercrime, and one is never sure if their data was exfiltrated and/or they will not return in the future. Recently there was some success recovering ransom paid in Bitcoin. United States law enforcement has clawed back approximately $2.3 million of the ransom allegedly paid to DarkSide by Colonial Pipeline last month, the Department of Justice (DOJ) and the FBI announced in a recent joint press conference, according to threatpost.com.

 

8. Anything else you would like to share about ransomware attacks, hacking and cybersecurity?

The U.S. response to ransomware attacks is taking on a higher priority within the current administration. President Biden has warned Russia and China that our critical infrastructure is off limits to state-sponsored or state-supported cyber-attacks, and that nations that support or harbor these cybercrime organizations within their borders will be held responsible. Several recent high-level cyber policy appointments within the administration show promise that a whole-of-government approach is being crafted to respond to what is clearly a national security issue. With the Emergency Directive given by President Biden in May of this year, cybersecurity is a much higher priority for all governmental agencies. Stay tuned.


References:

https://news.youexec.com/briefs/us-government-launches-ransomware-task-force?r=news.&pt=wsd8syh3v2

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

Multi-State Information Sharing and Analysis Center (MS-ISAC) Ransomware guide: https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C_.pdf

https://csrc.nist.gov/CSRC/media/Publications/nistir/draft/documents/NIST.IR.8374-preliminary-draft.pdf

https://www.cisa.gov/stopransomware

https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/ransomware

https://threatpost.com/fbi-claws-back-millions-darksides-ransom/166705/

https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-as-a-service-raas/

https://www.cisa.gov/cyber-incident-response

https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
