Ransomware. Oh, how we’d love to move on! Yet the gotchas of ransomware keep rolling in, imparting painful lessons about disaster readiness and how to evaluate the true costs of recovery. What are the key takeaways this week? First, the cost for each organization will be unique and depend upon the users hit by the ransomware. Second, prevention, backups and testing all need to be higher priority than they are.
In Defensive Security Podcast #219, hosts Jerry Bell and Andrew Kalat discuss three ransomware attacks. Wondering aloud whether the cited costs are accurate, they bring up two important questions: “What is the true cost of a Ransomware attack?” and “How many people know the true time it takes to restore from a backup and if their backup actually works?” These are great questions that EVERY organization needs not only to ask, but also to answer by critically evaluating its backup processes and determining whether it needs additional measures of protection. Meanwhile, let’s take a look at some painful ransomware lessons.
Lesson 1: True costs are more than direct costs.
The true cost of ransomware is not going to be a simple comparison against the ransom itself. As noted by Jaikumar Vijayan of CSO magazine, budgeting needs to include costs to clean infected systems and cover staff overtime. Recovery also needs to factor in costs related to lost revenue and other long-tail expenses. Last July, for example, the Erie County Medical Center in Buffalo, New York spent $10 million responding to an attack involving a $30,000 ransom, but only half of the costs were related to services, software and expenses directly related to the attack. And that $10 million doesn’t even cover future costs, such as employee awareness training and potential litigation expenses.
Lesson 2: Invest in advance, don’t spend in an emergency.
The City of Atlanta reportedly spent $2.6 million to recover from a ransomware attack in which the initial ransom was $52,000. Lily Hay Newman of Wired details how eight emergency contracts were signed with various IT companies, crisis communication vendors and consultants. While the numbers are staggering, it could have been worse. In an interview with Newman, Chris Duvall (senior director of The Chertoff Group) shares the story of a client with only $60 million in revenue that paid $3.1 million to recover from a ransomware attack! As pointed out by Jake Williams of Rendition Infosec, “emergency support and overtime costs phenomenally more…upgrades that might have cost $100k in normal budgeting might cost $300k-plus in emergency spending during an incident.” The need to save money never goes away, but IT managers need to make sure that those controlling the spending truly understand the real costs of recovery and the business risks that they accept.
Lesson 3: Back up the right data, correctly.
Backups can often mitigate the damage, but to be effective, backup procedures need to be tested. Also, it is probably a good idea to keep more than one backup and to make sure that they cover the critical data for the organization. Catalin Cimpanu of BleepingComputer.com notes that in the Atlanta case and previous incidents, dashcam footage and other investigation evidence have been lost. The police of Riverside, Ohio lost 10 months of evidence in one attack and the police of Cockrell Hill, Texas lost eight years of evidence! In the case of Cockrell Hill, the recovery effort was actually hampered by their backup procedure when the backup kicked in automatically after the ransomware attack and overwrote the unencrypted backup file with the encrypted, malware-infected files! How many companies have backup solutions that they have never tested? Bell and Kalat point out that in some cases, backup tests have shown that some backup solutions may take too much time to be a practical recovery solution for a ransomware attack. Companies of all sizes need to test their solutions and check that critical data is protected correctly.
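One way to guard against the Cockrell Hill failure mode described above, where an automatic backup overwrote the last good copy, is to compare the source against the previous backup's manifest before rotating. This is an added example, not code from the article or from any product it mentions; the thresholds, function names and sample files are assumptions constructed for illustration.

```python
import hashlib, math, os, tempfile
from collections import Counter
from pathlib import Path

CHANGE_LIMIT = 0.5   # assumed: hold the job if over half the known files changed or vanished
ENTROPY_LIMIT = 7.5  # assumed: bits per byte; encrypted data sits close to 8.0

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def snapshot(root: str) -> dict:
    """Map each relative file path to (sha256 hex digest, entropy of first 64 KiB)."""
    snap = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            data = path.read_bytes()
            snap[str(path.relative_to(root))] = (
                hashlib.sha256(data).hexdigest(), entropy(data[:65536]))
    return snap

def safe_to_rotate(previous: dict, current: dict):
    """Decide whether a new backup may replace the one described by `previous`."""
    if not previous:
        return True, "no earlier backup to protect"
    kept = [p for p in previous if p in current]
    missing = len(previous) - len(kept)  # files renamed during encryption show up here
    changed = [p for p in kept if previous[p][0] != current[p][0]]
    if (len(changed) + missing) / len(previous) > CHANGE_LIMIT:
        return False, f"{len(changed)} changed and {missing} missing of {len(previous)} files"
    jumped = [p for p in changed
              if current[p][1] > ENTROPY_LIMIT >= previous[p][1]]
    if jumped:
        return False, "high-entropy rewrite: " + ", ".join(sorted(jumped))
    return True, "ok"

def demo():
    """Constructed sample: four text files, one ordinary edit, then a bulk overwrite."""
    with tempfile.TemporaryDirectory() as root:
        files = [Path(root, f"report{i}.txt") for i in range(4)]
        for i, f in enumerate(files):
            f.write_text(f"case notes {i}\n" * 200)
        baseline = snapshot(root)
        files[0].write_text("case notes 0, amended\n" * 200)
        normal = safe_to_rotate(baseline, snapshot(root))
        for f in files:  # random bytes stand in for encrypted content
            f.write_bytes(os.urandom(4096))
        return normal, safe_to_rotate(baseline, snapshot(root))
```

A held job should keep the previous backup untouched and alert an operator. Already-compressed data such as video is high-entropy before and after, so for that kind of content the change-ratio check does the work, not the entropy check.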
Lesson 4: Recovery is never painless.
BankInfoSecurity.com covers the case of Associates in Psychiatry & Psychology. Although they paid the $55,000 ransom to recover the data of 6,500 patients, they still faced a regulatory requirement to report the incident to the Department of Health and Human Services as a potential HIPAA breach. In this case the financial costs of the ransomware attack were minimal, but the reputational cost may be much more significant. Additionally, David Holtzman of CynergisTek points out that “after paying the ransom… some organizations have found malware and other viruses implanted in their data.” Ransomware really is the gift that keeps on giving!
We already think of some security products (antivirus, firewalls) as we do insurance and safety equipment – required equipment for every business. Is it because we expect or intend for bad things to happen? No. It is because we know accidents happen and thus prepare so that small accidents don’t become big problems. Ransomware threats, however, strike fast and evolve at a frenetic pace, making security a demanding task for even the largest, most prepared entities. The usual security products mostly prevent known attacks, but what about the human factor? From paying ransoms themselves to hiding breaches, users remain a wild card when it comes to defending against new malware. Perhaps it is time to take additional steps to protect users, as preventative medicine.
Gartner and Forrester have both published articles detailing how Browser Isolation technologies can provide that extra layer of security against malware. Soliton’s SecureShield incorporates our SecureBrowser technology to provide browser isolation.
Bell, J. and Kalat, A. Defensive Security. Defensive Security Podcast #119
Vijayan, J. CSO Online. What does a ransomware attack cost? Beware the hidden expenses.
Newman, L.H. Wired. Atlanta Spent $2.6M to Recover From a $52,000 Ransomware Scare
Cimpanu, C. BleepingComputer. Years of Police Dashcam Video Lost in Atlanta Ransomware Incident
Cimpanu, C. BleepingComputer. Police Department Loses Years’ Worth of Evidence in Ransomware Incident
Kolbasuk McGee, M. BankInfoSecurity. Mental Health Provider Pays Ransom to Recover Data
MacDonald, N. Gartner. It’s Time to Isolate Your Users From the Internet Cesspool With Remote Browsing
Cunningham, C., Balaouras, S., Barringham, B., Dostie, P. Forrester. Protect Your Digital Workforce With Browser Isolation Technology (BIT)