by Asher de Metz
Baltimore estimates that its ongoing ransomware attack will cost $18.2 million in recovery costs and delayed and lost revenue. The city has already spent $4.6 million on recovery in the four weeks since hackers encrypted files and took down voicemail, email and other critical city systems.
The attack is drawing comparisons to other high-profile ransomware attacks on city governments. In 2018, Atlanta was shut down by ransomware that could end up costing the city $17 million. Greenville, North Carolina, is a more recent victim, and is still recovering from an April ransomware attack more than a month later.
There have been at least 169 ransomware attacks on state and local municipalities since 2013, a number that’s likely on the low side given that attacks aren’t always publicized. With new ransomware variants arising, including some that infect systems even when no one clicks on a link in a phishing email, it’s only a matter of time before there are more victims.
Even if you’re not a city government, this should be a wake up call: Organizations need to take steps now before they come to work one day to find their devices locked down and their data encrypted. Here are a few basic ideas on how to get ahead of ransomware:
- Back up. Regularly back up your critical data. The frequency depends on the nature of the data. For some businesses, you might need snapshots every hour. For others, once a day is more than enough. Separate those backups from the rest of your network so they won’t get locked down along with your other data and devices if you’re infected with ransomware.
- Segment. Segment your networks so that if one segment gets hit, it can be cut off from the rest of your network to prevent the ransomware from spreading. It is also important to segment Active Directory (AD) so that it is harder for ransomware to propagate from less critical AD networks to more critical AD networks.
- Patch and harden. Have a solid vulnerability management program, remove software such as PowerShell from workstations, remove local admin accounts, remove admin rights and install rights from users, and stop the caching of credentials.
- Keep your eyes open. You can spot known ransomware using file-integrity monitoring, security information and event management (SIEM) and other services.
- Test, test, test. Test your disaster recovery plan and processes regularly to make sure they will hold up under a real-world attack. You don’t want to discover that your backups are out of date or you can’t recover from them when you’re under attack.
- Educate. Perhaps most importantly, educate your employees on how to spot and report phishing emails before they click any suspicious links. While not every strain of ransomware works this way, having knowledgeable employees as a first line of defense eliminates certain threats.
How to recover from a ransomware attack
Organizations that have taken these steps need only to shut down the infected devices or segment, recover from the backups and go back to work.
For organizations that have already been hit and haven’t taken the necessary precautions, there are often just a few options, and none of them are great.
The first option is paying the hackers’ ransom request, usually in cryptocurrency. Most cities and municipalities have refused to do this — only 17% have admitted to paying the ransom. Paying is almost always a bad idea, as it tells the hackers you’re willing to pay and essentially puts a target on your back for future attacks.
The other option is to recover the infected systems and rebuild systems from scratch, a process that can take weeks in some cases. To gain the resources needed for that undertaking, some victims have declared a disaster. When the Colorado Department of Transportation had 2,000 computers encrypted by ransomware in early 2018, the Colorado Office of Information Technology issued a disaster declaration to elevate the attack to the level of a natural disaster, which gave the department access to the Colorado National Guard’s cybersecurity unit, logistics teams and other resources.
For businesses that don’t have those government resources, working with an experienced partner gives them the option gain access to expert resources and expedite a return to business as usual. But again, engaging with a partner is a step to take before you become the next victim of ransomware.
What are you doing to protect your data and your business?