Ransomware as a Service,

Immediate Action Recommendations

Not too long ago, there was the SolarWinds exploit, and this last week it is the Kaseya ransomware attack, which has so far infected over 1,500 businesses from Sweden to New Zealand. These attacks were very sophisticated and were difficult to construct; they were well-executed and extremely difficult to detect and filter out. The reason is the malware was hidden inside standard software updates. What is an element of good cyber hygiene? It is to ensure your software is current and updated to the latest manufacture standards, and the best way to do this is to turn on automatic updates. These two attacks are examples of supply chain ransomware attacks where the malware is gift-wrapped in the software manufacturer updates. 

The hackers’ goals were different in these two attacks, but the approach, tools, and techniques were the same. In the SolarWind attack, the goal was espionage; among many things, it was to map out national infrastructure. The Kaseya was a “standard” supply chain ransomware attack to steal and encrypt the victim’s data and demand a ransom.  These kinds of attacks require a significant investment in time, money, and effort.  The focus is on high payoff targets, victims with extensive distribution networks. For the hacker, the first step is to identify a suitable target, one that delivers software to thousands. Once the target is identified, the next step is to exploit the target to get into the system undetected. Next is to move within the system to where the software is developed; this can take months of effort or longer. The hard part is to craft the exploit so that it can hitch a ride on the standard update undetected. This, too, may require months of effort, simulation, and extensive testing. By the time the ransomware is launched, there may be millions invested in this effort. Often these attacks are developed through contracting with specialized teams, with each independent team focused on a specific phase of the attack, each with honed skills and tools dedicated to that step of the process. The use of these teams or specialists has morphed into a very specialized industry; some have coined the term Ransomware as a Service (RaaS).

Although not the leader in terms of cybercrime, RaaS is a booming business. In 2019 losses to ransomware attacks were estimated to be $11.5 Billion; in 2020, the estimate is $20 Billion.  The average cost by type of attack, in 2020, a data breach was $3,86 Million, malicious breach $4.27 Million, ransomware $4.44 Million.  In 2021 the estimated ransomware attack frequency is once every eleven seconds. The estimate is that 36% of the victims paid a ransom, with 17% paying the ransom and not recovering any data. This means the odds are against you recovering your data, even if you pay.  Another critical point is that once you have been successfully attacked, the likelihood of you being attacked again is much higher. This seems to indicate businesses attacked the first time continue to be easy targets.

The next question is, what can you do? Listed here are the immediate action steps recommended by the FBI. These immediate response actions would apply to all ransomware attacks. At the first indication of an attack, disconnect your system or networks from the global internet. Try to copy the details of the ransom note and the extensions of the encrypted files. Protect your existing backups, disconnect them, and do not try to recover at this stage. Shut down system communications at the network level, shut down the router and switches, power off all devices. The above actions are only effective if the virus has not spread and if you can catch it before it has fully deployed. However, if it has spread throughout your system, the best means of recovery will be an offline or air-gapped backup, one that is not connected to your network. This may be the best way to recover your data; if you archive monthly, then the loss will be a month. Begin to look at the endpoints where the users are; most attacks begin on the endpoints used by people. You need to figure how it got into your system; there is no sense in recovery with the same vulnerability present. Before you recover, you will need to wipe all the infected and suspected devices and rebuild them from the ground up. This could take considerable time and cost.  Again, it is no sense to restore if the virus is still lurking about. The FBI also recommends that you contact them, CyWatch, 855.292.3937, cywatch.fbi.gov.