In 2020 came the SolarWinds hack. Its 2021 sequel is the Kaseya ransomware attack, which has so far hit more than 1,500 businesses from Sweden to New Zealand. Both attacks were sophisticated and expensive to build; they were well executed and extremely difficult to detect and filter out.
In both cases the malicious code arrived through the vendor's own software-update channel: a trojanized Orion build in the SolarWinds case, and a ransomware payload pushed out through exploited Kaseya VSA servers to the systems they managed, disguised as an agent update. That is what makes a supply-chain attack so effective. A key element of good cyber-hygiene is keeping software current, and the easiest way to do that is to turn on automatic updates, so the attacker gift-wraps the malware in the update the victim is already trusting and installing. These two attacks are examples of supply-chain attacks; only Kaseya was a ransomware attack. Note that this is not a reason to stop patching: unpatched systems remain a far more common way in than a poisoned update.
The hackers' goals differed, but the approach was the same even though the tooling was not: compromise a trusted vendor and ride its delivery channel to thousands of customers. In the SolarWinds attack the goal was espionage, among many things, mapping out national infrastructure. The Kaseya attack was a "standard" ransomware operation: steal and encrypt the victims' data and demand a ransom. Attacks like these require a significant investment of time, money, and effort, so the focus is on high-payoff targets: vendors with extensive distribution networks.
For the attacker, the first step is to identify a suitable target, a vendor that delivers software to thousands of customers. Once the target is identified, the next step is to get into that vendor's environment undetected, then to move within it to where the software is built or distributed; this can take months of effort or longer. The hard part is crafting the payload so that it hitches a ride on a routine update without tripping the vendor's own testing and review. That too may require months of effort, simulation, and extensive testing. By the time the attack is launched, millions of dollars may have been invested. Often the work is contracted out to specialized teams, each focused on one phase of the attack, each with skills and tools honed for that step. This specialization has grown into an industry of its own, commonly called "ransomware as a service," or RaaS: one group develops and maintains the ransomware and its payment and leak-site infrastructure, and leases it to affiliates who carry out the intrusions and share the proceeds.
Although not the largest category of cybercrime, RaaS is a booming business. Ransomware losses were estimated at $11.5 billion in 2019 and $20 billion in 2020. The estimated average cost of an incident in 2020, by type: a data breach, $3.86 million; a malicious breach, $4.27 million; a ransomware attack, $4.44 million.
In 2021, a ransomware attack is occurring roughly once every eleven seconds. Paying is no guarantee of getting your data back: an estimated 36 percent of victims pay the ransom, and 17 percent pay the ransom and recover none of their data.
And once you have been successfully attacked, the likelihood of being attacked again is much higher. This suggests that businesses hit once remain easy targets, usually because the weakness that let the first attacker in was never fixed.
The next question: What can you do? The FBI recommends several immediate response actions for any ransomware attack. At the first indication of an attack, disconnect the affected systems or networks from the Internet. Copy the details of the ransom note and record the extensions of the encrypted files; both help identify the ransomware family and tell investigators whether a decryptor exists. Protect your existing backups: disconnect them, and do not try to restore at this stage. Cut communications at the network level by shutting down the routers and switches. Power off devices only if you cannot disconnect them from the network, because powering off destroys the volatile memory evidence that investigators will want.
The above actions are only effective if the ransomware has not spread and you catch it before it has fully deployed. If it has spread throughout your systems, the best means of recovery is an offline or air-gapped backup, one that is not connected to your network and so could not be encrypted along with everything else. How much you lose depends on how often you archive: with monthly backups, the loss is up to a month of data. Verify that the backup actually restores before you depend on it.
Begin with the endpoints, the machines people use; most attacks start there. Work out how the ransomware got into your systems; there is no sense in recovering with the same vulnerability still present. Before you restore, wipe every infected or suspected device and rebuild it from the ground up. This can take considerable time and money, but it makes no sense to restore onto systems where the malware is still lurking in the virtual shadows.
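The steps above ask a victim to record two things before anything is restored: the text of the ransom note and the extensions of the files that were encrypted. The script below is an added example, not part of the original article or any FBI material, of a read-only triage walk that captures both and also flags files whose contents look encrypted (high byte entropy) regardless of their extension. The ransom-note keyword list, the set of "known" extensions, the entropy threshold and the sample directory it builds are all assumptions for the example; tune the lists for your own environment, and run it against a mounted disk image or an isolated host, never while the ransomware may still be writing.

```python
# Added example (not from the original article): read-only ransomware triage.
# Records ransom-note excerpts and the extensions of likely-encrypted files,
# which is what the FBI response steps ask a victim to capture.
# NOTE_KEYWORDS, KNOWN_EXTENSIONS and ENTROPY_THRESHOLD are assumptions for
# this example; adjust them for your environment.
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

NOTE_KEYWORDS = ("readme", "decrypt", "restore", "recover", "how_to", "help")
NOTE_SUFFIXES = {".txt", ".html", ".hta", ""}
KNOWN_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".py", ".log", ".bak"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or compressed data sits near 8.0
SAMPLE_BYTES = 65536      # read at most this much per file so triage stays fast


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: Path) -> bool:
    """Text-like file whose name carries the words ransom notes usually use."""
    name = path.name.lower()
    return path.suffix.lower() in NOTE_SUFFIXES and any(k in name for k in NOTE_KEYWORDS)


def triage(root) -> dict:
    """Walk `root` without writing anything and summarise what a responder needs."""
    root = Path(root)
    ext_counts = Counter()
    notes = []
    suspect_encrypted = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        ext = p.suffix.lower()
        ext_counts[ext] += 1
        if looks_like_ransom_note(p):
            # Keep an excerpt: the note text usually identifies the ransomware family.
            notes.append({"path": rel, "excerpt": p.read_text(errors="replace")[:200]})
            continue
        if ext not in KNOWN_EXTENSIONS:
            with p.open("rb") as fh:
                sample = fh.read(SAMPLE_BYTES)
            if shannon_entropy(sample) >= ENTROPY_THRESHOLD:
                suspect_encrypted.append(rel)
    unknown = {e: c for e, c in ext_counts.items() if e and e not in KNOWN_EXTENSIONS}
    return {
        "extension_counts": dict(ext_counts),
        "unknown_extensions": unknown,   # appended extensions such as ".locked"
        "ransom_notes": notes,
        "suspect_encrypted": suspect_encrypted,
    }


def build_sample_tree() -> str:
    """Constructed sample data for this example: two ordinary files, three
    high-entropy files with an appended extension, and one ransom note."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    docs = root / "docs"
    docs.mkdir()
    (docs / "budget.txt").write_text("quarterly budget figures\n" * 40)
    (docs / "tool.py").write_text("print('hello')\n")
    rng = random.Random(1)  # deterministic stand-in for ciphertext
    for name in ("report.docx.locked", "photo.jpg.locked", "db.bak.locked"):
        (docs / name).write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
    (docs / "README_TO_DECRYPT.txt").write_text(
        "Your files are encrypted. Visit the link below to buy the decryptor.\n")
    return str(root)


if __name__ == "__main__":
    report = triage(build_sample_tree())
    print("extensions:", report["extension_counts"])
    print("unknown extensions:", report["unknown_extensions"])
    print("ransom notes:", [n["path"] for n in report["ransom_notes"]])
    print("likely encrypted:", report["suspect_encrypted"])
```

The entropy check matters because some families do not rename files at all, and some rename files they never touched; the combination of an unfamiliar extension count and near-8.0 entropy is what a responder should hand to the FBI along with the note excerpt. Point `triage()` at the root of the affected share or image rather than at the constructed sample tree when using it for real.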
The FBI also recommends that you report the incident to them by email or by phone at (855) 292-3937.
With 30 years of experience in information technology, Mike Olivier brings his expertise to small-business System Security Planning with San Diego-based 171Comply. As a small business owner working in the federal space both as a prime contractor and as a subcontractor, he understands the realities of running a small business. Contact Mike at mikeo@171comply.com.