Where did we start?
From time to time, I still reminisce about my first ransomware investigation. The attack affected a family business in Florida during the summer of 2015. Business was humming along until one fateful morning when an employee arrived for their day of work, only to find that files stored on their servers were encrypted. I will never forget how devastated the family was; they had spent a number of years and a significant amount of money developing a system that they used to run their business. In an instant, their systems were taken away from them, and they did not understand how or why. At the time, ransomware was just starting to make a buzz in the news. Ransom demands were relatively low, and the attacks were much less focused and strategic.
The attacks evolved…
Ransomware has become a favorite tool of attackers over the past five years and we have observed the evolution of these attacks.
At first, ransom demands were relatively low: small enough that if an individual was affected (say, their digital family photo album was encrypted), they would likely pay the demand in order to recover their data. Ransom demands today have skyrocketed, and demands in the six and seven figures are not unusual.
Over time, we have observed largely automated attacks, such as WannaCry, which exploited a Windows SMBv1 vulnerability (MS17-010, for which Microsoft had released a patch roughly two months earlier) in order to propagate itself across the world, infecting hundreds of thousands of victims in one fell swoop. We are also witnessing attacks, such as Ryuk, where the threat actors are known to manually move through a victim's network to perform reconnaissance in order to better understand the value of their target and inflict maximum damage, such as deleting and destroying backups, to pressure the victim to pay the ransom.
One of the disturbing new trends is ransomware as a service. For just a couple hundred dollars, criminals are buying ready-made ransomware builds that they can use to attack their own victims. These attacks make it very difficult to identify and profile the threat actors responsible for a given attack, because a completely different person or group could be launching each attack while using the same strain of ransomware.
What now…
In the weeks leading up to the 2019 holidays, we started hearing buzz that some of the ransomware groups had once again changed their tactics. They now claim that, before executing the ransomware, they stole data from the target's network, and they threaten that if the target does not pay the ransom, they will publicly release the stolen data to shame the target. Another concerning trend is threat actors publicly naming victims who do not pay the ransom, in an effort to pressure them into submission.
Days before Christmas, we were called upon to assist a client who learned that the threat actor claimed to have stolen a considerable volume of data from the client's network and threatened to release the data publicly. While we were working on our investigation, news broke that the threat actors behind the City of Pensacola, Florida ransomware attack had published data stolen from the City of Pensacola's network.
While performing our investigation, we discovered that the threat actors had changed administrative passwords within our client's network. This made it more difficult for our client to regain control of their systems and to perform a comprehensive recovery. Both of these tactics, stealing data before encryption and locking administrators out of their own accounts, were new trends for these threat actors, and they show that attackers are becoming more ruthless and brazen.
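As an added example (not code from the original post, and not RSM's own tooling), the following Python detector shows how a defender might surface the two hands-on-keyboard behaviours described above, destruction of backups and shadow copies as seen with Ryuk, and bursts of administrative password resets, over Windows Security event records. The event shape (JSON-like dicts with EventID 4688 for process creation and 4724 for password-reset attempts), the privileged-account list and every sample event are assumptions constructed for this example.

```python
"""
Added example, not code from the original post or from RSM: a small detector
for two pre-encryption behaviours ransomware operators are described as using
(destroying backups/shadow copies, resetting administrative passwords), run
over constructed Windows Security event records.

Assumptions: events are dicts shaped like a JSON export of Windows Security
events with EventID 4688 (process creation, with CommandLine) and 4724 (an
attempt was made to reset an account's password, with SubjectUser and
TargetUser). The privileged-account list and all sample events are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines attackers commonly run to destroy recovery options before
# encrypting. Illustrative patterns, not an exhaustive signature set.
BACKUP_DESTRUCTION_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
]

# Assumed list of accounts whose password reset should never be routine.
PRIVILEGED_ACCOUNTS = {"administrator", "backupsvc", "da_jsmith"}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Time": "2019-12-20T02:10:11", "Host": "FS01",
     "SubjectUser": "CORP\\jsmith",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 4688, "Time": "2019-12-20T02:10:40", "Host": "FS01",
     "SubjectUser": "CORP\\jsmith",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"EventID": 4688, "Time": "2019-12-20T08:55:02", "Host": "WS17",
     "SubjectUser": "CORP\\alee",
     "CommandLine": "C:\\Windows\\System32\\notepad.exe report.txt"},
    {"EventID": 4724, "Time": "2019-12-20T02:12:00", "Host": "DC01",
     "SubjectUser": "CORP\\jsmith", "TargetUser": "Administrator"},
    {"EventID": 4724, "Time": "2019-12-20T02:13:30", "Host": "DC01",
     "SubjectUser": "CORP\\jsmith", "TargetUser": "backupsvc"},
    {"EventID": 4724, "Time": "2019-12-20T09:00:15", "Host": "DC01",
     "SubjectUser": "CORP\\helpdesk1", "TargetUser": "bob"},
    {"EventID": 4724, "Time": "2019-12-20T09:05:44", "Host": "DC01",
     "SubjectUser": "CORP\\helpdesk1", "TargetUser": "Administrator"},
]


def detect_backup_destruction(events):
    """Return 4688 events whose command line matches a backup-destruction pattern."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        cmd = ev.get("CommandLine", "")
        if any(p.search(cmd) for p in BACKUP_DESTRUCTION_PATTERNS):
            hits.append({"time": ev["Time"], "host": ev["Host"],
                         "subject": ev["SubjectUser"], "cmd": cmd})
    return hits


def detect_admin_password_resets(events, window=timedelta(minutes=10), threshold=2):
    """Flag a subject that resets the passwords of >= threshold privileged
    accounts within a sliding time window. One reset may be legitimate
    help-desk work; a burst across several privileged accounts rarely is."""
    by_subject = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4724:
            continue
        if ev.get("TargetUser", "").lower() not in PRIVILEGED_ACCOUNTS:
            continue
        by_subject[ev["SubjectUser"]].append(
            (datetime.fromisoformat(ev["Time"]), ev["TargetUser"]))
    alerts = []
    for subject, resets in by_subject.items():
        resets.sort()
        for i, (start, _) in enumerate(resets):
            in_window = [r for r in resets[i:] if r[0] - start <= window]
            if len(in_window) >= threshold:
                alerts.append({"subject": subject, "start": start.isoformat(),
                               "targets": [r[1] for r in in_window]})
                break  # one alert per subject is enough for triage
    return alerts


def triage(events):
    """Combine both detections; a subject seen doing both is a high-confidence
    sign that a hands-on-keyboard ransomware operator is active."""
    backup = detect_backup_destruction(events)
    resets = detect_admin_password_resets(events)
    both = {h["subject"] for h in backup} & {a["subject"] for a in resets}
    return {"backup_destruction": backup, "admin_password_resets": resets,
            "high_confidence_subjects": sorted(both)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

On the sample data the benign help-desk reset of a single privileged account stays below the threshold, while the account that both wiped shadow copies and reset two privileged passwords within minutes is escalated; in a real deployment the same logic would run over EDR or SIEM telemetry rather than an inline list.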
Threat actors behind today’s ransomware attacks have definitely upped the ante, as this has proven to be a lucrative business model. Currently, we do not see any relief in the near future, unless organizations get much more serious about cybersecurity. From an attack perspective, I believe these attacks will only get nastier and more painful for the threat actor’s victims.
Who is at risk?
No organization, regardless of size or industry, can eliminate its risk of attacks such as ransomware; however, I believe that organizations can greatly reduce the risk, impact and severity of a future cyberattack by developing a mature security program. The earlier an organization detects an incident, the sooner it can react, which is critical to reducing response and recovery effort as well as cost.
How is RSM helping clients who are impacted by ransomware?
RSM provides a whole suite of services to help clients reduce their risk of being impacted by a ransomware event, as well as to respond to and recover from an incident. This includes everything from managing their network for them, to developing policies and procedures that outline how to react in the event of an incident, exercising those policies and procedures using interactive incident response tabletops, and even simulating ransomware attacks to test our clients' ability to detect, react and respond.
You might be saying: that's all great to know, but we are dealing with a ransomware attack TODAY, or I'm trying to help a friend figure out how to respond. What NOW?
With today's enterprise-wide ransomware attacks, we find that many clients don't have adequate resources available with the specialized knowledge and expertise to swiftly and securely recover from a cyber incident. To meet the needs of our clients, we have merged the skill, experience and agility of our cyber incident responders with the expertise and knowledge of hundreds of IT professionals spread across the country, so that we can respond quickly when clients need to recover from a cyber incident. Our team investigates the incident to understand root causes and impacts while simultaneously working to get the client back up and running with minimal business impact. As part of many of our responses, we deploy endpoint detection and response (EDR) tools to improve visibility into the client's network so that attacks can be contained and responded to.