Something I like to say is that it isn’t if you’re ransomware, it’s when. Recently there have been many many ransomware stories in the news, something we’ve been saying for well, a while now. The shocking part is that people are beginning to pay ransoms, which makes many of us IT practitioners scratch our heads.
It really isn’t that perplexing though, if you’ve been following the news.
The Evolution of Ransomware
In the early days, ransomware was pretty simple. It encrypted your files, you paid your ransom, and they were unlocked. These attacks were wildly successful in the beginning because let’s be honest, people just we’re planning to have to recover their entire organization. As someone who has spent a ton of time in the disaster recovery space, I’ve seen it time and time again. People don’t bother putting a plan in place until they’re been bitten.
As the attacks grew and grew, people started taking their recovery processes a bit more seriously. There isn’t a day that goes by where I don’t hear or say the word ransomware.
As recovery plans became more sophisticated, so did the attackers. I have to admit, the Colonial Pipeline ransomwareattack really fascinated me, and sent me down an Internet hole of research.
You see, it isn’t enough to be able to simple recover anymore, especially in the era of Ransomware-as-a-Service.
Here’s a gross overview of how the Colonial Pipeline attack when down:
- Someone got into the Colonial Pipeline network
- They contacted DarkSide, and obtained their Ransomware, as a Service.
- They deployed the Ransomware inside the Colonial Pipeline network.
- Not only was ransomware deployed, but data was also taken.
- This someone received part of the ransom paid to Colonial Pipeline.
This is actually a pretty sophisticated business model by DarkSide (who I don’t believe is disbanding for a second). This is also a much more dangerous model, since a potential malicious actor could be just about anyone, if all they need to do is get inside.
It also doesn’t matter if you can recover your data, if the attackers have something that will ruin the reputation of your business, or put you out of business.
The Hidden Cost of Ransomware
Someone somewhere did an analysis and decided it would literally be cheaper to pay the attackers than to risk their data being leaked. What data did the attackers get? Who knows. Sometimes they are nice enough to share samples with their victims, sometimes they aren’t.
This is a lesson in risk analysis of course, and an expensive one, and one more and more organizations are probably making when they see the price tag for actually securing the environment they run.
Someone along the line decided it would be cheaper to pay a ransom than to actually put the proper controls into place to prevent someone from getting access in the first place. Seems to be this wasn’t a winning strategy.
Just like the no DR plan until a disaster crew, these organizations are in for a rude awakening.
In the current age, it has been a mad rush for each and every organization to put together a ransomware recovery plan. Many more companies that we know of may have been ransomed. Not everyone makes the news, and many will pay a pretty penny to their attackers to hopefully stay out of it.
The Only Way to Protect Against Ransomware
The only way to protect against ransomware is to have a multi pronged approach. You can’t focus on keeping the attackers out, and hope you’ll never need to recover. On the flip side, you can’t just rely on your ability to recover alone if the attackers get in.
Now is the time for organizations to do a true audit of their environment, and understand their strengths and weaknesses. In many cases, after an event in the news, many tend to over rotate on fixing on aspect of their environment when it comes to security.
The truth of the matter is that organizations need a holistic security strategy that will protect them on multiple fronts. An undertaking like this of course doesn’t come cheap, so of course our risk analysis comes back it to play.
Is it worth it? Ask anyone who has been in the news lately.
Melissa is an Independent Technology Analyst & Content Creator, focused on IT infrastructure and information security. She is a VMware Certified Design Expert (VCDX-236) and has spent her career focused on the full IT infrastructure stack.