roger_grimes
Columnist

Prepare yourself for high-stakes cyber ransom

Analysis
Jul 01, 2014 | 8 mins
Cybercrime, Data and Information Security, Hacking

A cloud startup was obliterated overnight by malicious hackers demanding ransom. Now everyone is a target. Here's your best defense

Criminals who hold your data hostage have been around for a while. But the threat is about to get a whole lot worse.

Why? Because success breeds imitators — and ransom has been paying off big lately. You either pay a large sum of money or suffer the consequences.


I’m not talking about some CryptoLocker variant holding an individual’s computer hostage unless money is sent via PayPal or Coinbase. I’m talking about scenarios in which a hacker gains complete control over a company’s valuable digital assets and demands major compensation to keep all that loot from landing in the bit bucket.

Suffering the consequences

Frankly, I’m still in shock. As you’ve probably heard, a couple of weeks ago, a company that didn’t pay up was put out of business in 12 hours. The company in question, Code Spaces, was using Amazon Web Services and had been under heavy DDoS attack for some time. Then Code Spaces was contacted by a criminal hacker who demanded ransom — or else he would destroy the company’s online assets.

The company tried to limit the hacker’s control of its Amazon control panel and resources. He detected it and went on a rampage, deleting data, configurations, storage, and backups. In less than a day, he deleted so much data that the company was unable to recover what was left and stay in business. Whatever resources remain will be used to recover customer data before Code Spaces closes its doors for good.

How was this a successful criminal act, since the hacker got nothing? Just like a small-time mobster who breaks the windows of stores that won’t pay protection money, the hacker created great publicity for himself: You don’t want to cooperate? Here’s what happens. You can bet other ransom hackers will claim the story, too.

Ransom-extorting hackers and malware have been around for decades. The first exploit I remember was the AIDS PC Cyborg Trojan horse program of 1989. Then in the 1990s, I began to hear whispers of gambling sites paying ransoms to stay online. I occasionally heard rumor of a reported cyber bad guy ending up cold and stiff because he extorted the wrong gang. Then came word that major corporations were starting to pay ransoms in the millions of dollars to be left alone.

My initial reaction: If I found myself in this situation, I would never pay ransom. It only encourages criminal extortionists. But in the real world, ransom is paid all the time to retrieve valued employees, ships, cargo, and now, data.

Prepare for the worst now

Ransom incidents will increase significantly in the next decade. I’m not taking a leap of faith here or predicting a new trend — in fact, I’m hopping on late. The trend is already in progress, and I’m sharing what I know. Any company can be a victim, including yours. Your company’s management needs to know how to think about this new threat:

  • Educate senior management about the threat of ransom-demanding cyber criminals (along with ransom-demanding malware, which they should already be familiar with). Let them know the threat is real, fairly easy to accomplish, and difficult to prevent. Do your research and put everything in a document, so they can’t say you didn’t warn them.
  • Ask management how you should respond if a ransom incident occurs and you believe it to be a viable threat. Should your company ever pay ransom? If your company thinks paying the ransom is the appropriate response (at least in some scenarios), get a sense of what the upper limit might be to save the company. Management won’t want to have this discussion, but it’s a good way to start a dead-serious dialogue about risk management.
  • If your management says no ransom should be paid under any circumstances, then you have your marching orders. Before you accede, however, you might want to have management speak with former CEOs of companies who wish they had paid the ransom. Many companies have paid ransom without customers or other stakeholders being the wiser.
  • Ask management if your current business interruption insurance covers data ransom scenarios. If so, to what level? If not, it’s time to investigate insurance coverage for this type of event.

Next, delve into the logistics of incident response. If a ransom scenario occurs, who needs to be brought in? What items can you check safely, if any?

You might be able to stave off any direct, hacker-caused damage by cutting all remote access (assuming the attacker isn’t an insider). Is that a risk you’re willing to take, especially given what happened to Code Spaces? Also, how long can your company’s online presence go down without dire business repercussions?

Is an Internet kill switch possible, where you completely disable all remote access immediately in a single step? Could you implement procedures to accomplish it? It’s harder to accomplish today, particularly if your environment is a mixture of on-premises and cloud-based resources.

The key is to discuss the ransom scenario, ask questions, get answers, and document procedures and tasks. The worst time to have these hard discussions is during your first ransom event.

Ensure survival through backups

The No. 1 preventive measure you can take is to maintain good, protected backups of all mission-critical assets and data. In the Code Spaces case, the company said its “offsite” backups were destroyed, making recovery impossible. Those backups may have been offsite — but they were also online.

It’s vital to store recent copies of your backups both offsite and offline. I’m amazed how many companies think that resources without an IP address — but contactable using a virtual machine manager or KVM switch — are considered “offline.” They are not! If you can reach a resource over the network, it’s not offline. If you can reach a resource over a network, so can the attacker.

Backups shouldn’t be the only assets kept offline. I routinely work at companies that have their “offline” root CA (certification authority) servers turned off, located on a networked virtual server host. Again, this is not offline. I have been involved in two instances where attackers copied the “offline” root CA image to their remote offices, cracked the admin passwords, and issued themselves trusted digital certificates. In one of those instances, they issued themselves smart cards and work badges, then physically entered the site.

Just as important is how many companies don’t really have backups — or tested backups that can be restored. Almost every security audit I run contains the finding that backups are insufficient and/or untested. When I am involved with test restores, most of the time, they fail.
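One way to automate the test restores described above, added here as an example and not taken from the original column: record a hash manifest at backup time, restore the archive into a scratch directory, and report every file that is missing or altered. The function names, archive layout and sample files are all constructed for illustration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(source_dir):
    """SHA-256 per file at backup time; keep this apart from the backup."""
    root = Path(source_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(source_dir, archive_path):
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".")

def verify_restore(archive_path, manifest):
    """Restore into a scratch dir; return (missing, corrupt) file lists."""
    missing, corrupt = [], []
    # Use the safe "data" extraction filter where this Python provides it.
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            tar.extractall(scratch, **opts)
        for rel, digest in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                missing.append(rel)
            elif sha256_file(restored) != digest:
                corrupt.append(rel)
    return missing, corrupt

def demo():
    """Constructed sample: one good backup, one taken after data loss."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.sql").write_text("INSERT INTO c VALUES (1);\n")
        (src / "app.conf").write_text("listen=443\n")
        manifest = build_manifest(src)
        make_backup(src, Path(work) / "good.tar.gz")
        (src / "db" / "customers.sql").unlink()   # data deleted...
        (src / "app.conf").write_text("")         # ...and truncated
        make_backup(src, Path(work) / "bad.tar.gz")  # job still "succeeds"
        return (verify_restore(Path(work) / "good.tar.gz", manifest),
                verify_restore(Path(work) / "bad.tar.gz", manifest))
```

The second archive is written without error yet fails the restore test, which is the case a backup job's own exit status never reveals.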

It’s also critical to understand how your data is backed up in the cloud. Is it backed up, and if so, how? Is it possible for a cyber criminal to access your backups and delete them? How would you get the cloud vendor to initiate a restore? Have they tested a restore? If a cyber criminal deleted your current data, would those deletes be immediately replicated to the backups? Are server configurations backed up or merely the data?

Finally, if your cloud backup service loses your data permanently, find out the limit of the vendor’s liability. Hint: It’ll probably be less than the value of your company.

Improve end-user education

Most ransom events start with phishing attacks and malware. I’ve talked for years about how to prevent both: perfect patching, end-user education, and good old antimalware software.

Most companies’ end-user education programs are horrible, both cursory and antiquated. Today’s phishing attacks are not your parents’ phishing attacks, full of typos and language problems. Just read The Onion’s (actual, serious) account of the Syrian Electronic Army’s phishing attack last year.

The SEA group not only used multiple campaigns, each appearing more internal than the last, but it was prepared for the Onion’s IT group sending out an email saying all passwords would be reset — and issued its own password-reset email, allowing it to capture even more logon credentials.

After reading this account, I can tell you that the vast majority of end-user education programs are not sufficiently sophisticated to prevent havoc. They can be, but administrators have to step up their game.

Without doubt, ransom attacks will continue to grow. Is your company prepared?

This story, “Prepare yourself for high-stakes cyber ransom,” was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

roger_grimes
Columnist

Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
