Ransomware is currently one of the most significant cybersecurity issues facing all business and government sectors, as cyber criminals hack into businesses, schools, hospitals, critical infrastructure and more so as to encrypt files and demand a ransom payment for the decryption key. Despite warnings, many victims pay these ransoms, under the impression that it is the quickest way to restore their network, particularly if the cyber criminals are also threatening to leak stolen data. But all this means is that the attack cycle continues, with ransomware groups using their ill-gotten gains to finance more ambitious attacks.
Many of ransomware incidents are simply kept private, so it is hard to get a good picture of what is really happening to many organizations. Even when companies do admit to a cyber-attack, they are very often vague about what has happened, and seem most reluctant to describe any incident as a ransomware attack.
A serious cyber-attack, a cyber incident that has caused some disruption and data being encrypted by a third-party are just some of the statements put out by victims of ransomware attacks to describe what happened, but never mentioning ransomware. Some victims eventually become more open about what happened, but only months or years after the incident and some never publicly acknowledge it was ransomware at all.
It is frustrating for investigators who are not able to get a comprehensive and clear picture about the current ransomware situation. Researchers are trying to read between the lines of the vague statements about a sophisticated cyber incident that has disrupted services, and they are determining that it was in fact, a ransomware attack. This lack of transparency about ransomware attacks and other cyber incidents may be damaging to everyone.
Some victims disclose that it is ransomware attack, through their CISO’s or senior management. The common thread among these cybersecurity leaders who choose to speak about their organizations being hit by ransomware, is that they want to help prevent others from becoming the next victim by detailing the lessons they learned about increasing their cyber threat notifications and cyber defenses to prevent future incidents. The best time to take action is always before the attack takes place.
Who do you call for help to support Transparency? In a recent talk by the FBI, they urge they be called even if the company does not want to prosecute. Why? Because the valuable information derived from that ransomware attack can be used to connect other tactics and criminal or state sponsored hacking organizations. This is very important. In the case of the Colonial Pipeline cyber-attack, the FBI was immediately called and they set-up a e-dye pack to follow the e-commerce ransom money and were able to identify the culprits and retrieve the ransom. The e-dye pack is no different than the dye packs used in banks, where the robbers grab the money packet and when they leave the bank, the money pack activate and spreads blue dye on the criminals so the responding police can identify them.
In some cases, it looks like this situation may already changing; recently, Los Angeles Unified (LAUSD), the second biggest school district in the US, was hit by a ransomware attack, immediately disclosing the incident to the authorities, as well as keeping the wider general public up to date about the situation. Red Sky Alliance reported on this last week. Their approach was praised by director of the Cybersecurity & Infrastructure Security Agency (CISA), who said LAUSD "clearly knows the value of transparency when responding to a cyber incident their speed, clarity and focus on partnership is commendable" and described them as a "Great example of how to keep stakeholders informed, including potential impacts & what to expect next."
Dealing with a ransomware attack is a challenge, but the way organizations frame the experience is just as important as the technical response. By detailing what has happened and how the incident is resolved, they can generate positive feedback and show that the ransomware gangs do not always have to be feared. It might prevent others from suffering the same fate. In the fight against ransomware, it is going to be better for everyone if there is more transparency around attacks.
It is up to all organizations to take steps and adopt procedures to protect themselves from ransomware attacks. No government can stop these attacks except for the counties that are sponsoring or benefitting from the ransom payments.
The following is what Red Sky Alliance recommends:
- All data in transmission and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Implement 2-Factor authentication-company wide.
- For USA readers, join and become active in your local Infragard chapter, there is no charge for membership. infragard.org
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily cyber threat notifications are directed at your domains. RedXray service is $500 a month and provides threat intelligence on ten (10) cyber threat categories including Keyloggers, with having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs. com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings