How To Avoid Becoming a Ransomware Target


Cox Media Group is dealing with the aftermath of a ransomware attack that still has some of its websites unable to stream. Greg Scasny is Co-Founder and Chief Technology Officer at Cigent, a defensive cybersecurity company that specializes in products and services for the protection of sensitive data. Here’s what Greg has to say about what happened and what you need to do to stay secure.

Radio Ink: What would you speculate happened to Cox Media Group?
Greg Scasny: From all reports, Cox Media suffered from a ransomware attack, similar to what Colonial Pipeline, JBS, Scripps Health, CNA and many other companies have fallen victim to recently. Ransomware attacks basically encrypt all the data and systems a company needs to operate (including backups) and the attackers will sell the recovery “key” for a ransom payment so that the company can get their data back. Most ransomware utilizes very strong encryption, so getting the data back without the recovery key is usually not possible.

Radio Ink: What are the top three ways companies get snagged in a Ransomware situation?
Greg Scasny: There is a saying in cybersecurity that an attacker only has to be right one time. They can try a million things and be wrong a million times, but as a defender, you have to be right 100% of the time. If a defender is wrong one time, then the attackers can take advantage of that mistake. Mathematically, it is not a fair game for the defenders to stop the initial intrusion into corporate networks and resources.

Social engineering (phishing) is still the top way that threat actors obtain initial access to a company’s network. Phishing can be used to deliver malware, obtain credentials (usernames and passwords) and to gather intelligence from a company to mount further attacks.

But, because of the onset of the pandemic, companies rushed to get employees working from home via remote access. One thing that does not go hand in hand with security is rushing to get something done. Security usually falls by the wayside when speed is of the essence. Many companies were not ready for the cybersecurity implications of allowing all their employees remote access to their network, and the attackers know this. The Colonial Pipeline attack was successful due to poor security practices around remote access, as was the attack on the Oldsmar, Florida water plant.

The third way attackers gain access is from misconfigurations and/or not patching vulnerabilities. Companies are notorious for not keeping systems up to date, and in turn can leave the door open to attackers via an unpatched vulnerability. The reason behind this is that some systems are very difficult to patch – think about production systems that need to be online 100% of the time, or legacy systems that are very expensive to upgrade. There are literally thousands of new vulnerabilities reported every day. Imagine how many vulnerabilities are out there that have not been reported. We have a term for those: they are called “0-day vulnerabilities,” and that is what was used in the recent Microsoft Exchange hack by the hacking group Hafnium.

Radio Ink: Have the hackers become smarter than the defenders or are companies just not protecting themselves enough?
Greg Scasny: We have a saying in our company that we took from the Netflix series Stranger Things… “Sometimes, the bad guys are smart too.” The hackers have always been smart; the issue now is that they are organized too. Companies need to realize that they are not up against a lone wolf or rogue attacker (even though these types of people can be a threat, it’s not what is happening for the most part today). They are up against very organized groups of attackers that operate like companies. They have recruitment departments, HR departments, support departments, etc., and it’s not always the same group from start to finish of an attack.

There are adversary groups that just focus on the initial intrusion into a company (actually groups of companies). When they have persistent access into a group of companies, they will offer that access for sale on the dark web.

Another group will buy that access to do whatever “actions on objectives” they have planned for the company (steal sensitive information, ransom systems, etc.). But they have to get control over almost all of the network assets before they can accomplish their goals. Once they have control, they can then buy “tools” from yet another group to assist in carrying out the attack. This is what happened in the Colonial Pipeline attack: the hacker group bought “Ransomware as a Service” from another group called Dark Side.

Just like our company sells Security Operations as a service, companies like Dark Side sell Ransomware as a service. They provide the software, support and funds exchange for a piece of the ransomware payment. When companies are paying millions of dollars (in the case of CNA insurance, they paid $40 million to get their systems back), all these groups are making a lot of money.

Radio Ink: How can companies avoid being a victim (other than hiring companies like yours)?
Greg Scasny: Hiring a company such as Cigent to provide monitored and managed detection and response is a good step. The issue is that companies don’t know what they don’t know, and there is a huge gap in the skilled cybersecurity workers and available positions (3.1 million person deficit).

Many companies feel that since they have a firewall and antivirus, they are protected. Nothing could be further from the truth. Every data breach/intrusion has had two things in common: they all had firewalls and they all had antivirus software.

Companies need to continuously monitor their entire infrastructure for anomalies and respond to those anomalies. Remember when I said that defenders have to be right 100% of the time and attackers only have to be right once? While that is true, once that initial intrusion happens, the tables turn. The attackers have to be very quiet, because if they trip one indicator of compromise (IOC), they can be detected, caught and removed from the network before they cause any damage or steal any information.

What companies need to realize is that these successful ransomware attacks do not happen instantaneously, or even overnight. It takes time for the attackers to get all the access to all the systems to ensure an unrecoverable ransom attack. Industry data show that the time from initial compromise to the detection of that compromise (called “Dwell Time”) is 7 months. That is an extremely long time, but this gives a properly monitored company an edge, as that is a lot of opportunity to detect and respond to that intrusion, and keep the attackers from executing their actions on objectives.

Radio Ink: In your opinion do you think this is happening more than people know and do you believe most people are or are not paying the ransom?
Greg Scasny: These attacks have been happening for a long time and they happen much more than what is reported on the news. Companies do not want to be on the news as a victim of a cyber attack of any kind, as that kind of publicity is not good for anyone’s brand, so if they are not required to report it, many do not.

It is always our position that companies do not pay the ransom, as paying the ransom obviously exacerbates the problem. But that is the security side talking. Paying the ransom comes down to a business decision. If the cost to recover a company’s data is many times more than the ransom, executives opt to pay the ransom. Many companies have no recourse because the attackers also encrypt and/or delete their backups, making paying the ransom the only reasonable course of action to stay in business.

Companies need to realize that paying the ransom doesn’t always mean that they will get their data back, or that their confidential data won’t be released on the Internet. They are dealing with criminals, and there is no honor amongst thieves.

Radio Ink: Why is Bitcoin the choice of payment?
Greg Scasny: Cryptocurrency in general is the choice of payment because it is secure and anonymous. This is what has fueled the explosion of ransomware attacks. Having an anonymous and secure way to get illicit funds is always an issue for a remote adversary. Cryptocurrency facilitates this transfer of funds with little to no risk, because while all the transactions are public, the identities are just a cryptographic “key” that is generated with no individual identifying information.

Bitcoin’s historic rise in value makes it the current crypto of choice for ransomware attacks, but it really doesn’t make a difference to them. The attacker really wants cash, and that is where we are seeing them make mistakes, and why the FBI was able to recover part of the bitcoin payment from Colonial.

Radio Ink: Where do you believe these ransomware attacks are coming from, individuals or states?
Greg Scasny: As previously stated – these attacks are from organized cybercrime groups. Most of these are in countries that have no extradition to the US. It’s difficult to determine if these attacks are state sponsored or not. Nation-states usually have larger goals than stealing relatively small amounts of money from private American companies.

With that being said, cyber-warfare is a real thing, and attacks from nation-states against the United States’ critical infrastructure and even the private sector are a constant threat. But realize that the goal of such an attack from a nation-state would most likely not be collecting ransom (even though they may use ransomware as part of the attack) but the societal and economic damage that can be inflicted through a successful cyber-attack. One of the most difficult things to do in cyber is attribution of attacks, as there are so many ways to deceive and cloak the origins and motives of an attack.

Gregory Scasny is the Co-Founder and Chief Technology Officer at Cigent and can be reached by e-mail at [email protected] or by telephone at 305-767-3853

2 COMMENTS

  1. It’s a fallacy to suggest that cryptocurrency is to blame for this. Bitcoin payments can be and are traced through the blockchain. It would be the equivalent of blaming radio if cyber attackers used radio broadcasts to carry out their goals.

    • BTC does not cause ransomware; companies thinking they are invincible cause ransomware. However, the fact is that BTC is pseudonymous and it is used in a community of malicious actors who know how to hide from being identified. BTC requires no banking system that’s tied to governments and traceability.
