An Enduring Threat Greatly Impacting Public and Private Sector Organizations
Ransomware: A type of malware that attempts to extort money from victims by restricting access to a computer system or files. This is accomplished by encrypting files that can only be decrypted with a key held by the malicious actor.
In this week’s bulletin, we are focusing on the growing number of ransomware attacks that are impacting public and private sector organizations nationwide, crippling operations, and resulting in devastating financial losses. Despite all the warnings and awareness campaigns that prescribe risk mitigation strategies and tactics to help ward off ransomware attacks, they continue to be a highly successful and profitable endeavor for those actors who carry them out. On August 16th, 22 public sector organizations in Texas fell victim to a coordinated ransomware attack. One week later, their recovery efforts continue with major systems still offline. In July, Louisiana Governor Edwards declared a State of Emergency to deal with a spate of ransomware attacks. The Georgia Department of Public Safety was also victimized along with a growing list of victim organizations nationwide. Closer to home, the Stevens Institute of Technology was hit by ransomware on August 8th and their IT team is racing to restore their systems in time for the start of the fall semester.
Over the past two years, over 100 ransomware incidents affecting NJ organizations and individuals have been reported to the NJCCIC and, during that time, we have seen an increase in the sophistication of attack methods and the ransoms demanded. Early on, an individual or organization was targeted with only a handful of systems infected, and relatively low ransoms demanded. More recently, threat actors have focused their efforts on public and private sector organizations. Once compromised, the actors install additional hacking tools that capture the passwords of all user and system accounts. The ransomware can then spread throughout the organization for maximum coverage, encrypting online backup systems and deleting system restore points, leaving the victim organization with no other option for restoring operations than to pay the ransom. As many victims have found, paying the ransom does not guarantee you will get your data back, and it does nothing to prevent your organization from being victimized again. It does, however, incentivize the threat actors to continue to target other victims.
Over time, organizations’ IT networks have grown very complex and include a potent mix of legacy systems and new technologies that sometimes make effective security an increasingly unattainable goal without sufficient resources and capabilities. And, while we in the security profession can prescribe very effective risk mitigation and defense-in-depth strategies, the best defenses will never fully eliminate risk. Without delving into a treatise on risk management, no matter what path you take - mitigating, transferring, or accepting risk - you always have some risk. What level you’re willing to take on is up to each individual organization. Unfortunately, for many organizations, fully understanding their risk posture is as unattainable as fully securing their systems.
In today’s world, just about all organizations rely on computers to carry out their work. That may be word processing, it may be conducting financial transactions, it may be monitoring and/or controlling critical infrastructure systems, or it may be dispatching first responders to emergencies. The possibilities are endless. Regardless, the loss of access to critical systems and information can have devastating impacts to operations, revenue, and public health and safety.
Assuming that you cannot block all attacks, some of the questions you need to be asking of your IT departments include the following: Can we recover from an attack? Are our systems and data backed up? How frequently are they backed up, and how quickly can all critical systems be restored to a known good state from those backups? In IT parlance we refer to those as the Recovery Point Objective (RPO) and Recovery Time Objective (RTO). In the case of Baltimore, they are still restoring systems and data from the ransomware attack they suffered in May. Is a four-month RTO acceptable for your organization? Or more devastatingly, what if your data was never able to be restored? Oftentimes, organizations assume they are backing up their data only to find at the time of restoration that the backups are corrupt and, therefore, unusable. So, more questions you should ask include, how often are backups tested and how are the backups themselves protected? Keep in mind, there is a cost attendant with shorter RPOs and RTOs, and those costs become part of the risk formula that your organization will need to consider.
RTOs and RPOs should be planned and prioritized based on the criticality of the systems and data. Similarly, contingency and disaster recovery plans should prioritize critical systems and data. Criticality, along with the RTO and RPO, should be defined by the business unit. Too often, we abdicate that responsibility and foist it upon the IT department, only to deem it unacceptable when recovery from an incident doesn’t meet our expectations. Everyone has a role to play in cybersecurity.
Information security and IT teams often focus their efforts and resources on the prevention aspect of security - security awareness training, endpoint protection software, email content filtering, firewalls, and other protective technologies - and rightfully so. Attacks happen all day, every day. At the NJCCIC, we detect and block over 10 million attacks against the Garden State Network each month. However, an information security program that focuses only on prevention or protective technologies is going to be ineffective. Similarly, an information security program that doesn’t account for the realities of the business objectives of the organization is going to be ignored. Information security programs need to span across people, processes, and technology, and they need to take a holistic approach to security, while also understanding that risk resides beyond just the cybersecurity sphere.
A core tenet of cybersecurity awareness training is to warn about the perils of opening email attachments or clicking links from unknown individuals, but the reality is that opening email attachments or clicking links from unknown individuals is oftentimes part and parcel of the organization’s responsibility. Human Resources personnel open attached resumes as part of their job. Customer service representatives receive and open unsolicited emails from customers every day. Send a subpoena in the form of an attachment to a law department or an invoice to an accounts payable department, and you can be sure the recipients will open them. That’s their job. This is especially true of public service personnel who interact with the public, including through email, as part of their jobs. So, while the “don’t open” and “don’t click” warnings are still valid, they are not universally practical and need to be combined with defense-in-depth approaches to security. Email is a very common means of communication, and including attachments and links is often a part of effective communications.
As one of the primary attack vectors for ransomware includes unsolicited emails with malicious attachments or links, the recipient shouldn’t be the single point of failure. Organizations should apply a defense-in-depth approach to mitigating email risks including, but not limited to, filtering emails and websites for malicious content. IT departments should set group policy to disable macros by default in all office applications. Users should be trained to spot and report suspicious emails they receive and understand the dangers of macros as email filters are not 100 percent accurate. Endpoint protection software should be enabled and continuously updated, and all operating systems and software should be maintained at vendor-supported patch levels.
In naval architecture, watertight hatches between compartments have long been used to limit the damage and prevent the sinking of a vessel due to a breach of a ship’s hull. That same compartmentalization should be applied to networks to mitigate the risk of sinking an enterprise as a result of a ransomware infection in one business unit or department. An infection in the accounts payable department should not impact the police department, and vice versa. Properly designed networks should be segmented to deny the traversal of traffic between differing segments by default, and allow traffic only by exception based on explicit and documented business requirements. Unfortunately, as we have seen in some of the recent devastating ransomware incidents, network segmentation was not implemented and the ship sank.
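The default-deny, allow-by-documented-exception rule described above can be expressed as a small policy model that an IT department can audit before rules are pushed to firewalls. The following is an added example written for this bulletin, not NJCCIC code or any product’s configuration format; the segment names, ports and change tickets are constructed sample values. It answers two questions: is a given cross-segment flow permitted at all, and which allow rules lack the documented business requirement the text calls for.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class AllowRule:
    """One explicit exception to the default deny between segments."""
    src: str            # source network segment
    dst: str            # destination network segment
    port: int           # TCP/UDP port the exception opens
    justification: str  # documented business requirement
    ticket: str         # change record approving the exception


@dataclass
class SegmentPolicy:
    rules: List[AllowRule] = field(default_factory=list)

    def is_allowed(self, src: str, dst: str, port: int) -> bool:
        """Traffic within a segment is out of scope here; between segments it is
        denied unless an explicit rule matches source, destination and port."""
        if src == dst:
            return True
        return any(r.src == src and r.dst == dst and r.port == port for r in self.rules)


def undocumented_exceptions(policy: SegmentPolicy) -> List[AllowRule]:
    """Allow rules with no justification or no change record: these violate the
    'by exception, based on documented requirements' principle and should be
    rejected or reviewed before deployment."""
    return [r for r in policy.rules
            if not r.justification.strip() or not r.ticket.strip()]


def reachable_from(policy: SegmentPolicy, segment: str) -> List[str]:
    """Segments a compromise in `segment` could reach directly on some port:
    a quick blast-radius view for a single infected department."""
    return sorted({r.dst for r in policy.rules if r.src == segment})


# Constructed sample policy (hypothetical segments and tickets).
POLICY = SegmentPolicy(rules=[
    AllowRule("accounts_payable", "finance_erp", 443,
              "AP staff submit invoices to the ERP web front end", "CHG-1001"),
    AllowRule("police_cad", "records_mgmt", 443,
              "Dispatch consoles query the records system", "CHG-1002"),
    # Undocumented: an SMB path from accounts payable into the police segment
    # with no business reason recorded. The audit below flags it.
    AllowRule("accounts_payable", "police_cad", 445, "", ""),
])


if __name__ == "__main__":
    print("AP -> ERP 443:", POLICY.is_allowed("accounts_payable", "finance_erp", 443))
    print("AP -> police 3389:", POLICY.is_allowed("accounts_payable", "police_cad", 3389))
    for r in undocumented_exceptions(POLICY):
        print("undocumented exception:", r.src, "->", r.dst, r.port)
    print("reachable from accounts_payable:", reachable_from(POLICY, "accounts_payable"))
```

In practice the `undocumented_exceptions` check belongs in the change process itself: a rule that cannot cite a requirement and an approval should never reach the firewall, which is exactly what keeps the compartments watertight.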
Do You Know Your Risk Profile?
Whether we call it threat modeling or conducting risk assessments, business unit managers and organizational leaders that depend on technology to carry out their work should be asking questions to determine the likelihood and impacts of a ransomware or other attack on their operations. They may not be the ones responsible for implementing the security controls and backing up systems, but they should be informed of their risk profile and adjust accordingly.
Below is additional information on the current threat environment as well as links (yes, the NJCCIC also uses them to communicate effectively) to help your organization mitigate the risks of ransomware and other cybersecurity attacks.
Our job at the NJCCIC is to help make NJ more resilient to cyber threats. We stand ready to assist you in making your organization part of those resiliency efforts.
Director - New Jersey Cybersecurity and Communications Integration Cell
State Chief Information Security Officer
New Jersey Office of Homeland Security and Preparedness
The NJCCIC assesses with high confidence that ransomware extortion incidents will likely result in greater operational disruptions, permanent data loss, and higher financial payouts in 2019 and beyond, as profit-motivated cybercriminals increasingly seek higher profile targets—with more critical data and time-sensitive operations—raising the likelihood of larger ransom payments. While all organizations remain at risk of opportunistic attacks, we assess the following are at high risk of targeted extortion attacks with costly ransom demands: government, education, municipalities, police departments, healthcare providers, law firms, investment firms, and critical infrastructure operators, such as electric and water utilities, transportation systems, and manufacturing plants. Organizations can drastically reduce their risk by implementing cybersecurity best practices including backups, utilizing resources such as the New Jersey Statewide Information Security Manual (SISM), and conducting training and awareness briefings for all employees.
If you were impacted by ransomware today, are you prepared?
The NJCCIC recommends all organizations implement a robust data backup process that safeguards any data considered valuable or critical to the organization. A comprehensive data backup plan includes keeping multiple backups stored offline in a separate and secure location, and tested regularly to confirm their integrity.
Ask yourself the following:
Do you have data backups?
Have the backups been tested?
Are there multiple backups?
Are the backups consistent with the business or organization’s recovery point objective (RPO) and recovery time objective (RTO)?
RPO - The point in time to which data must be recovered after an outage.
RTO - The overall length of time an information system’s components can be in the recovery phase before negatively impacting the organization’s mission or mission/business processes.
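The backup questions above, and the RPO/RTO discussion earlier in the bulletin, reduce to checks that can be run against a backup inventory rather than assumed. The following is an added example written for this bulletin, not NJCCIC code or any backup product’s API; the systems, targets and backup records are constructed sample data. For each system it checks the age of the newest copy against the RPO, the number of offline copies, whether a restore has actually been tested recently, and whether the measured restore time meets the RTO. Untested backups are treated as unusable, which is the failure the text warns about.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Backup:
    system: str
    taken_at: datetime                             # when this copy was taken
    offline: bool                                  # stored offline, off the network
    restore_tested_at: Optional[datetime] = None   # last successful restore test
    restore_minutes: Optional[int] = None          # measured duration of that restore


@dataclass
class Target:
    system: str
    rpo: timedelta                                 # maximum tolerable data loss
    rto: timedelta                                 # maximum tolerable time to restore
    min_offline_copies: int = 1                    # copies ransomware on the network cannot reach
    max_test_age: timedelta = timedelta(days=90)   # how recent a restore test must be


def assess(target: Target, backups: List[Backup], now: datetime) -> List[str]:
    """Return findings for one system; an empty list means every check passed."""
    copies = [b for b in backups if b.system == target.system]
    if not copies:
        return [f"{target.system}: no backups exist"]
    findings = []

    # RPO: the newest copy bounds how much data would be lost.
    age = now - max(b.taken_at for b in copies)
    if age > target.rpo:
        findings.append(f"{target.system}: newest backup is {age} old, exceeds RPO of {target.rpo}")

    # Offline copies survive ransomware that encrypts network-attached backups.
    offline = sum(1 for b in copies if b.offline)
    if offline < target.min_offline_copies:
        findings.append(f"{target.system}: {offline} offline copies, need {target.min_offline_copies}")

    # A backup counts as usable only if a restore from it succeeded recently.
    tested = [b for b in copies if b.restore_tested_at is not None
              and now - b.restore_tested_at <= target.max_test_age]
    if not tested:
        findings.append(f"{target.system}: no successful restore test in the last "
                        f"{target.max_test_age.days} days")
    else:
        # RTO is judged on measured restore time, never on an estimate.
        measured = [b.restore_minutes for b in tested if b.restore_minutes is not None]
        if not measured:
            findings.append(f"{target.system}: restore tests recorded no duration, RTO unverified")
        elif timedelta(minutes=min(measured)) > target.rto:
            findings.append(f"{target.system}: fastest tested restore is {min(measured)} min, "
                            f"exceeds RTO of {target.rto}")
    return findings


def report(targets: List[Target], backups: List[Backup], now: datetime) -> Dict[str, List[str]]:
    return {t.system: assess(t, backups, now) for t in targets}


# Constructed sample inventory (hypothetical systems; not real data).
NOW = datetime(2019, 8, 23, 9, 0)
TARGETS = [
    Target("dispatch", rpo=timedelta(hours=1), rto=timedelta(hours=4)),
    Target("finance", rpo=timedelta(hours=24), rto=timedelta(hours=48)),
]
BACKUPS = [
    Backup("dispatch", NOW - timedelta(minutes=30), offline=False),
    Backup("dispatch", NOW - timedelta(hours=6), offline=True,
           restore_tested_at=NOW - timedelta(days=14), restore_minutes=150),
    # finance: a single online copy, three days old, last verified a year ago
    Backup("finance", NOW - timedelta(days=3), offline=False,
           restore_tested_at=NOW - timedelta(days=365), restore_minutes=600),
]


if __name__ == "__main__":
    for system, findings in report(TARGETS, BACKUPS, NOW).items():
        print(system, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

With the sample data, dispatch passes every check while finance fails three of them; the business unit that owns the finance system, not the IT department, is the one that should decide whether those findings are acceptable.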
What should I do if I suspect my network is targeted with ransomware?
Immediately unplug the Ethernet network cable or disable Wi-Fi on the system if a ransomware infection is suspected. This will prevent the ransomware from spreading to other devices on the network or infecting backups that are stored on the network or in a cloud environment.
Turn off the power or unplug the power cord from the system. Although doing so inhibits complete forensic analysis of the infected device, it stops the encryption process and may limit data loss.
Organizations should strongly consider procuring a reputable email gateway product to decrease the likelihood of phishing emails reaching end users. Enterprises should restrict or disable unnecessary remote access pathways such as RDP, and implement multi-factor authentication to prevent account takeover as the result of credential compromise. Lastly, ensure all device software and hardware are updated.
How do I reduce my risk of a ransomware infection?
Keep software and hardware updated with the latest security patches and updates.
Deploy anti-malware software on all endpoints capable of running anti-malware software including, but not limited to: laptops, desktops, servers, tablets, and smartphones.
Implement network segmentation to isolate critical systems on a network and reduce the impact of an incident.
Follow the Principle of Least Privilege for all user accounts and services, ensuring permissions are not granted beyond what is necessary for their work role, and enable User Access Controls (UACs) to prevent unauthorized changes to user privileges.
Implement a Defense-in-Depth cybersecurity strategy, establishing barriers across multiple layers of the organization.
Ensure any third-party vendors, particularly managed service providers, adhere to cybersecurity best practices, including the use of multi-factor authentication for remote access to client networks.
Disable all unnecessary ports and services as they may be used by malware to propagate to other systems within the organization’s network.
For a full list of recommendations, please view the NJCCIC product:
Ransomware: Risk Mitigation Strategies
The NJ Statewide Information Security Manual
The NJ Statewide Information Security Manual (SISM) is a resource for organizations to manage risk while protecting the confidentiality, integrity, availability, privacy, and safety of information and information systems. The following sections may be considered by businesses and organizations when developing processes and procedures to employ in order to reduce the risk of a ransomware infection.
The Third Party Management section of the SISM recommends organizations implement appropriate processes and security measures necessary to manage information security risks associated with third parties at acceptable levels. Third party management includes conducting risk assessments, maintaining written and executed agreements, establishing third-party interconnections, ensuring compliance, implementing processes and controls, and employing supply chain security safeguards.
The Contingency Planning section of the SISM recommends organizations develop, implement, test, and maintain contingency plans to ensure continuity of operations for all information systems that deliver or support essential or critical business functions. These contingency plans include conducting backups and establishing recovery point objectives, recovery time objectives, and recovery procedures to restore data. Once recovery and reconstitution are complete, agencies are advised to perform root-cause analysis for lessons learned and to review and implement contingency plan updates.
The Incident Response section of the SISM recommends organizations maintain an information security incident response capability that includes adequate preparation, detection, analysis, containment, recovery, and reporting for incidents that may compromise information and information systems. Incident response plans should include strategies, roles and responsibilities, training, and an Information Security Incident Response Team (ISIRT).