Have you been ransomware’d yet?

If you don’t know what ransomware is, chances are you haven’t been victimized – yet. Let’s clear the fog. Ransomware is a type of virus designed to deny access to a computer system or data until a ransom is paid.

Some of the most vulnerable and critical agencies are being targeted – state, city and educational institutions. Recent state and local ransomware attacks include the cities of Baltimore and Albany, school districts in Louisiana and 23 cities in Texas. And this is only going to get worse.

With that doomsday prediction out of the way, it’s instructive to get an idea why this is happening.

1. The targets typically do not have adequate security technical expertise to keep up with software patches, ensure they have the appropriate security tools to keep their systems safe or even have a good ongoing data hygiene practice in place.
2. The attackers have good understanding of how critical functions like tax payment systems or tuition e-commerce sites are the lifeblood of these taxpayer funded entities and other smaller institutions. And the longer they are offline the greater the propensity for the victim to feel the pain and pay up.
3. Past success is a harbinger of future growth. This may sound outlandish, but it’s true. Once the miscreants see that these targets have been paying up, all local, state, educational institutions become sitting targets.
4. And with every passing attack, the chances of the next victim having cybersecurity insurance is greater which means a greater opportunity (and quicker too) of getting paid.

There are also lessons to be learned from how some of these affected entities decided to deal with the issue. There is no uniform or consistent response from these organizations. For instance:

• Mayor Bernard C. Jack Young of Baltimore took to Twitter to defend his decision not to pay the ransom of $80000 in cryptocurrency and instead is now paying the price as the costs of the ransomware attack have reached $18 million including remediation, new hardware, and lost or deferred revenue.
• West Haven, CT messaged that their police IT experts determined the best course of action, given all the available information, was to pay a one-time fee of $2,000to unlock servers. The money was paid in digital currency. The data restoration of a critical system occurred shortly after the completion of that transaction.
• Roseburg, OR public schools superintendent Gerry Washburn said that they exhausted all efforts to avoid paying the requested ransom out of concern that more damage could be caused; however, the experts ultimately determined that the solution was worth the risk

So that is where we stand today in terms of why this is happening and how inconsistent the responses are from these unfortunate victims.

But that’s only half the story. There needs to be an urgent and frankly existential need to shore up the defenses NOW.

Specifically, the following steps will make for better defenses, foolproof #NO, make you a tougher target compared to your sister city #YES.

Starting with the compute side:

Understand what the critical system functions are

First do an inventory of all the compute functions that the entity offers – email, e-commerce, chat functions …

Then rank order what the critical functions are – sometimes the only way to do this is to consciously turn off these systems and see the disruption they cause – aka in your home is turning off water, power or Internet going to cause you more angst

Assess the security protections you have in place for these critical assets

For these prioritized assets, are there strong security controls in place. For email systems, if it is hosted in the cloud, it is time to start asking some questions of your cloud providers. If it is hosted in your own data center, ditto. And maybe use this as a trigger to see if cloud options may be a better solution. Or not.

Assign an owner for these systems. Someone whose job is to think about this day and night. And that may very well mean ask for budget. But contextualize the risk by showing the impact of an attack rather than just fear mongering.

Very similarly, on the data side:

Understand what the critical data is

Do an inventory of ALL the data that you have and collect on an ongoing basis. Tax returns, utility bills, mid-term papers, in-process patent filings…

Rank order these assets in terms of criticality. What would cause the most damage if it were to be ransomware’d. City employees’ salaries, students term papers…

Assess the security protections you have in place for these critical assets

For these prioritized assets, are there strong security controls in place. For data it comes down to encryption, key management, data disposal.

Based on the above, it may also turn a light bulb on as to why you are collecting so much data in the first place. Yes, with new initiatives like Smart Cities or Digitized Education there is going to be more and more data. But don’t forget the adage More data = more risk.

Assign an owner for these systems. Someone whose job is to think about this day and night. And that may very well mean ask for budget. But contextualize the risk by showing the impact of an attack rather than just fear mongering.

One more aspect to stay ahead of for these organizations besides staying competitive, compliant and cash-flow positive. But in this #ransomware age, is there any other choice? The answer, a resounding #NO.