Create a ransomware playbook

Johannesburg, 14 Sep 2021
Read time 5min 50sec
Lee Jenkins, CTO, ETS Group.

There’s a tendency for businesses to believe that ransomware attacks will never happen to them, and that if they have backup and disaster recovery in place, they’ll be fine. In fact, according to Gartner, ransomware is one of the most dangerous threats faced by business, but the nature and scope of ransomware attacks are often misunderstood, resulting in inadequate precautions.

Lee Jenkins, CTO of ETS Innovations, says businesses need to take the ransomware threat seriously and implement ongoing steps to defend against this type of cyber attack as the nature of these threats keeps evolving.

“For instance, there’s a new and worrying trend in ransomware where cyber criminals bribe a staff member of the target organisation to install ransomware on their behalf.”

The individual is offered up to 40% of the ransom (sometimes up to $1 million in bitcoins) to deploy the ransomware on a company server. The employee is given instructions on how to deploy the malicious software, which can be as simple as inserting a USB stick into a device on the network or sharing their login details.

“This could be a tempting offer for someone who’s struggling financially,” says Jenkins. “All of the measures that have been taken to secure the network are worthless if an insider bypasses all of the security.”

Check Point’s April 2021 report found phishing e-mails to be the single biggest ransomware entry method. “Phishing e-mails often use branding of a well-known business, and try to lure the user with fake payment notifications and invoices. A more recent trend is sending e-mails purporting to contain COVID-19 related information, as people are more likely to want to consume such information.”

All it takes is for one person to click on a link: the ransomware downloads to that person’s device and from there it spreads to the rest of the network. It is that simple because, all too often, people haven’t updated their security software, since updating means downtime, and this practice leaves their systems vulnerable to cyber threats.

“Businesses may not realise that ransomware attacks entail far more than just losing some online applications, and that the recovery process isn’t as simple as just restoring from backup. While the majority of companies have backups, both local and in the cloud, it’s likely that they’ve never tested their disaster recovery (DR) or backup systems, so they have no idea how long it’s going to potentially take. For instance, a cloud backup could mean restoring hundreds of terabytes over the internet. IT teams often make a ‘back of the napkin’ calculation and realise that a restore could take months. They only discover how critical (and untested) their DR and backup are when they need them – ie, in the event of a ransomware attack.

“Some businesses may test a point restore to a particular system, but they rarely test their entire system at the same time. The dependency chain between systems is often not known – or it’s just known by a few key people. If those people leave the business, that knowledge is lost.”

If organisations don’t know the intricate coupling and dependencies between their various applications, they don’t know in what order to restore systems. This can affect core customer-facing systems coming back online quickly.

Another potential complication pointed out by Jenkins is that while backups may be stored offsite or in a different data centre and therefore be unaffected by the initial ransomware attack, the software that’s used to do the restore may itself have been infected. “If the business doesn’t realise this in time, it’ll need to go back to the vendor to get a clean version or a patch, further delaying the restore.”

Organisations may instead resort to having off-site backups copied onto external drives and physically transported, which further complicates and slows the restore process.

An issue that is potentially overlooked is that businesses often encrypt their backups for security and data privacy reasons, but store the digital key needed to decrypt the backups on the very same network file share that was encrypted by ransomware. “If you don’t think clearly about where to store the keys, it could potentially affect recovery of your data,” says Jenkins.

Adding to all of this, the pandemic resulted in organisations sidestepping security processes and not consulting cyber security teams in the rush to get people working remotely. An EY Global Information Security Survey 2021 reports that more than 77% of CISOs saw an increase in the number of disruptive attacks, such as ransomware, in the past 12 months. By contrast, just 59% saw an increase in the prior 12 months.

Despite all of this, current IT budgets for cyber security are out of sync with the need to protect the business. By 2021, the global cost of cyber security breaches is expected to reach US$6 trillion, according to EY, yet companies often spend less than 0.05% (half of 1%) of their IT budget on preventing cyber attacks. In fact, the average IT budget is 3.5% of revenue, according to an EY study.

“Cyber security is almost an afterthought, but should really start to come to the forefront. A cyber attack could destroy your business as the cost to recover might be more than you can afford. Over and above that, there’s the possibility of being sued for a data breach. Cyber security is becoming essential to business survival.”

Larger organisations overcome some of these challenges by keeping their keys in a hardware security module that cannot be reached by an attacker because it is air-gapped, i.e. not connected to the network. But what else can the CIO or CTO do to safeguard the business? “Testing full environment restores – as mentioned earlier – and creating a playbook are two big first steps,” says Jenkins.

All too often, companies pay the ransom because they just don’t know whether they’ll be able to restore their data – or how to do it. A playbook lays out the full process that must be followed to restore the business’s data and must include the details of who owns which application. “Having a playbook means that the business knows exactly what to do in the event of a ransomware attack, and can avoid possibly having to negotiate with cyber criminals to get access to its own data,” concludes Jenkins.
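As an added illustration of two points made above (restoring systems in dependency order, and a playbook recording who owns each application), the following script is not from the article or ETS; it takes a constructed playbook that lists each system’s owner and dependencies, computes a restore order that brings dependencies up first, refuses to proceed on a circular or unknown dependency, and flags systems with no recorded owner.

```python
from collections import defaultdict, deque

# Constructed sample playbook (assumption, not a real environment):
# system name -> owner and the systems it must wait for before being restored.
PLAYBOOK = {
    "active-directory": {"owner": "identity team", "depends_on": []},
    "database": {"owner": "dba team", "depends_on": ["active-directory"]},
    "erp": {"owner": "finance systems", "depends_on": ["database", "active-directory"]},
    "web-portal": {"owner": None, "depends_on": ["erp", "database"]},
}


def restore_order(playbook):
    """Return systems in the order they should be restored (dependencies first).

    Uses Kahn's topological sort; raises ValueError if a dependency is missing
    from the playbook or the dependencies form a cycle, since either means the
    playbook cannot be executed as written.
    """
    indegree = {name: 0 for name in playbook}
    dependents = defaultdict(list)  # dep -> systems waiting on it
    for name, entry in playbook.items():
        for dep in entry["depends_on"]:
            if dep not in playbook:
                raise ValueError(f"{name} depends on {dep}, which is not in the playbook")
            indegree[name] += 1
            dependents[dep].append(name)

    # Sorted queues make the output deterministic for a given playbook.
    ready = deque(sorted(n for n, d in indegree.items() if d == 0))
    order = []
    while ready:
        current = ready.popleft()
        order.append(current)
        for waiting in sorted(dependents[current]):
            indegree[waiting] -= 1
            if indegree[waiting] == 0:
                ready.append(waiting)

    if len(order) != len(playbook):
        stuck = sorted(n for n, d in indegree.items() if d > 0)
        raise ValueError(f"circular dependency among: {stuck}")
    return order


def unowned_systems(playbook):
    """Systems with no named owner: a gap the playbook must close before an incident."""
    return sorted(name for name, entry in playbook.items() if not entry["owner"])


if __name__ == "__main__":
    print("restore order:", " -> ".join(restore_order(PLAYBOOK)))
    print("systems with no owner:", unowned_systems(PLAYBOOK))
```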