“You don’t wake up one day and find that you have ransomware.” “In many cases it starts with a simple Microsoft Office file that has an embedded macro that then loads a web page that then loads a dropper, and then the dropper starts reaching out to command-and-control servers, and eventually starts infecting the LAN using an exploit like ‘Eternal Blue’ [which was allegedly stolen from the National Security Agency in 2017]. If you can capture it at any one of those first few steps, you can avoid a ton of damage. Unfortunately, most companies don’t start to catch it until after it starts to encrypt corporate resources and the ransom has been demanded. These days the ransom has a time on it, so it’ll say things like pay me two bitcoins now or pay me three bitcoins in four hours or five bitcoins in 24 hours. It puts a sense of urgency on the user to act quickly rather than take the time to make rational decisions.”

A few years ago, the conventional wisdom was to decline to pay the ransom and to restore the locked data from backups. These days, the cybercriminals can often reach those backups as well, rendering them useless. In addition, some data lockups can also be life threatening – particularly in the areas of healthcare and also municipal governments when 9-1-1 services are affected. If you do pay the ransom, there is no guarantee that the criminals won’t try to retain access to the network so they can repeat the exploit at a later date. Furthermore, news of the payoff will likely be posted to the Dark Web, which will attract other attackers who will now be aware of your willingness to pay.

“Companies need to discuss their response in advance based on circumstances,” added Masergy’s Ray Watson. “Many people will neglect to call law enforcement, thinking there’s nothing they can do. But sometimes the FBI can have the keys from other cases involving the same perpetrators, so it’s definitely worth a call.
In addition to phishing and ransomware, a wide variety of other threat vectors exist, including malware, man-in-the-middle attacks [intercepted data-in-motion], denial-of-service attacks, SQL injections, zero-day exploits and more. According to the 2019 Verizon Data Breach Investigations Report (DBIR):

• 43% of breaches involved small business victims
• 10% were breaches of the Financial industry
• 15% were breaches involving Healthcare organizations
• 16% were breaches of Public sector entities
• 52% of the breaches featured hacking
• 33% included social attacks
• 28% involved malware
• 21% were caused by errors
• 15% were the result of insider misuse

Copyright © 2020 AVANT Communications, Inc.
Managed Security Trends and Insights