
Lessons Learned from the Colonial Pipeline Attack: Protect Your Organization Against Ransomware

Ransomware attacks are becoming more frequent and more sophisticated, with attackers deploying massive botnets to distribute infections and spam through spear-phishing campaigns. The attacks increased by a mind-boggling 485 percent in 2020 compared to 2019, according to Bitdefender telemetry as published in the 2020 Consumer Threat Landscape Report. Unlike in the past, when hackers targeted strangers indiscriminately, today’s ransomware attacks are executed with great attention to detail to net many victims without arousing suspicion.

Beyond targeting specific individuals and organizations, there are other emerging trends in the ransomware industry. Previous ransomware attacks aimed to compromise the availability component of the CIA triad, but all bets are off now as threat actors set new trends in organized cybercrime. They are augmenting ransomware attacks with additional extortion components that target confidentiality and integrity as well.

The Consumer Threat Landscape Report revealed that hackers now use a ‘big game hunting’ tactic: they threaten victims with publishing data stolen before the encryption, adding more pressure on companies to pay the ransom or risk reputational damage. A case in point is the latest interruption to the Colonial Pipeline that took place a few days ago. Reports indicate that the hackers behind the incident began to steal large amounts of data from the pipeline’s networks on Thursday before locking computers with ransomware on Friday, May 7. Threatening to go public with stolen information is an additional guarantee that even if an organization recovers from backups, it will still consider paying to avoid the reputational and financial damage of data breach costs and regulatory fines.

To Pay or Not to Pay the Ransom

Frustratingly, only 8 percent of businesses that pay a ransom get all their files and data back, according to the Sophos State of Ransomware 2021 report. Be that as it may, the share of victims paying the attackers to regain control of their information and systems increased from 26 percent in 2020 to 32 percent in 2021. For instance, the recent Colonial Pipeline ransomware incident saw the company’s CEO authorize a $4.4 million ransom to the hacker gang to restart the pipeline’s systems safely and quickly.

What cybercriminals fail to mention in ransom notes is that the likelihood of getting all files back is slim, and on average, those who pay the ransom get back only 65 percent of their data. In fact, 29 percent of victims who pay get back no more than half their data.

No matter what happens, there is nothing worse than paying attackers for a criminal act. Even if paying the ransom seems the most direct route to regaining access to your systems after an incident, it does not fix the root problem, and authorities strongly caution victims against negotiating with criminals. As Stelios Valavanis writes on Law.com, the entire ecosystem should cooperate in starving the ransomware industry and the criminals behind it so that it is no longer a profitable scam. Achieving this goal, however, requires all businesses to bring their cybersecurity up to a level where they are difficult to penetrate.

The National Cyber Security Centre (NCSC) also warns victims against ransom payments, since there is no guarantee that they will regain access to their data and systems. Besides, the computers may still be infected, and criminals are likely to target the payer again.

Decrease the Attack Surfaces to Mitigate Attacks

Negotiating with cybercriminals is not an option. Cybersecurity experts agree that the situation should never reach that point in the first place. After the Colonial Pipeline incident, the Cybersecurity and Infrastructure Security Agency (CISA) cautioned that ransomware poses a threat to all organizations, regardless of size or sector. Every business should strengthen its cybersecurity posture to reduce exposure to such threats.

How then can you prevent attackers from gaining access to information and systems?

  1. Multilayered Security Strategy

It is worth noting that ransomware is often the visible symptom of a network intrusion that may have persisted in an organization for a long time. Hackers leverage several ways to gain access to an environment before launching the attack. For instance, they target unpatched vulnerabilities in systems and applications, exploit exposed network services, and send phishing emails to employees.

Organizations can effectively reduce their attack surfaces by establishing robust security measures against prevalent and emerging vulnerabilities. Enterprises can layer multiple components, such as firewalls, unified threat management (UTM), endpoint and end-user protection tools, email and web filtering, data encryption, and mobile device management, to protect operations at different levels.

  2. Maintaining Backups

Businesses can make regular backups, as part of an incident response plan, an effective way of recovering from an attack. Organizations should keep an updated backup of critical files and test that they can actually restore data from the independent data stores. The devices containing backup files should be separate from the company network to prevent hackers from targeting both the production and the backup data.
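The "test that they can restore" step is the one most often skipped. The script below is an added example (not code from the original article or from KeyData): it archives a set of critical files, records a SHA-256 manifest alongside the archive, performs a test restore into a separate directory, and verifies every restored file against the manifest, so a corrupted or incomplete restore is caught before a real incident. The sample files, the directory layout and the one-day freshness threshold are constructed assumptions for illustration.

```python
"""Added example: back up files with a hash manifest, then test-restore and verify.
The sample files and the MAX_BACKUP_AGE_DAYS policy are constructed assumptions."""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path

MAX_BACKUP_AGE_DAYS = 1  # assumption: anything older than this is reported as stale


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_path_for(archive: Path) -> Path:
    return Path(str(archive) + ".manifest.json")


def create_backup(source: Path, archive: Path) -> dict:
    """Archive every file under `source` into a .tar.gz and write a manifest of
    relative path -> SHA-256 next to it. Returns the file->hash mapping."""
    files = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(source.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source).as_posix()
                files[rel] = sha256_of(path)
                tar.add(path, arcname=rel)
    manifest_path_for(archive).write_text(
        json.dumps({"created": time.time(), "files": files})
    )
    return files


def check_manifest(archive: Path, restore_dir: Path) -> list:
    """Compare a restored tree against the manifest. Returns a list of problems;
    an empty list means the restore reproduced the backup exactly."""
    meta = json.loads(manifest_path_for(archive).read_text())
    problems = []
    age_days = (time.time() - meta["created"]) / 86400
    if age_days > MAX_BACKUP_AGE_DAYS:
        problems.append(f"backup is {age_days:.1f} days old")
    for rel, expected in meta["files"].items():
        restored = restore_dir / rel
        if not restored.is_file():
            problems.append(f"missing after restore: {rel}")
        elif sha256_of(restored) != expected:
            problems.append(f"hash mismatch after restore: {rel}")
    return problems


def verify_restore(archive: Path, restore_dir: Path) -> list:
    """Test-restore the archive into restore_dir, then verify it against the manifest."""
    with tarfile.open(archive, "r:gz") as tar:
        # Refuse member names that would write outside restore_dir.
        for m in tar.getmembers():
            if m.name.startswith("/") or ".." in Path(m.name).parts:
                return [f"unsafe member path in archive: {m.name}"]
        if hasattr(tarfile, "data_filter"):  # Python >= 3.12 (and backports)
            tar.extractall(restore_dir, filter="data")
        else:
            tar.extractall(restore_dir)
    return check_manifest(archive, restore_dir)


def demo(tamper: bool = False) -> list:
    """Create constructed sample files, back them up, test-restore, and report.
    With tamper=True the restored copy is damaged to show what a failed check looks like."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "critical"
        (src / "finance").mkdir(parents=True)
        (src / "config.yaml").write_text("poll_interval: 30\n")            # constructed
        (src / "finance" / "ledger.csv").write_text("date,amount\n2021-05-07,100\n")  # constructed
        archive = base / "backup.tar.gz"
        create_backup(src, archive)
        restore_dir = base / "restore_test"
        problems = verify_restore(archive, restore_dir)
        if tamper:
            (restore_dir / "config.yaml").write_text("corrupted\n")
            (restore_dir / "finance" / "ledger.csv").unlink()
            problems = check_manifest(archive, restore_dir)
        return problems


if __name__ == "__main__":
    print("clean restore:", demo() or "OK")
    print("damaged restore:", demo(tamper=True))
```

In practice the manifest should be stored with the offline copy of the archive, not only on the production host, so that an attacker who encrypts production cannot also tamper with the record used to validate the restore.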

  3. Privileged Access Management

Organizations typically run several privileged accounts that are often left unmanaged. Cybercriminals, rogue insiders, former employees, and state-sponsored actors are aware of this issue, and they target such accounts to access and extract confidential information without attracting attention. Once hackers obtain administrative or privileged access, they can use those rights to copy malware to other systems and devices.

Drawing on this observation, organizations should ensure privileged accounts are secured and that their credentials are rotated and protected continuously. Users are also responsible for safeguarding their credentials: they should not share privileged account credentials to cut corners and make things easy. IT admins should also use strong passwords to resist brute-force attacks. Such privileged account security measures limit an attacker’s ability to affect the organization broadly.
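The three conditions this section describes (unmanaged accounts, credentials that are never rotated, and credentials shared between people) can be checked mechanically against a privileged-account inventory. The script below is an added example, not code from the original article or from KeyData; the inventory records, account names and the 90-day rotation policy are constructed assumptions standing in for an export from a PAM vault or directory query.

```python
"""Added example: audit a privileged-account inventory for unmanaged, stale and
shared credentials. All records and the ROTATION_MAX_DAYS policy are constructed."""
from datetime import date

ROTATION_MAX_DAYS = 90  # assumption: maximum age of a privileged credential

# Constructed sample inventory (account, accountable owner, last credential
# rotation, and the people who currently know the credential).
INVENTORY = [
    {"account": "DOMAIN\\svc_backup", "owner": "it-ops",
     "last_rotated": "2021-04-20", "holders": ["alice"]},
    {"account": "DOMAIN\\Administrator", "owner": "",
     "last_rotated": "2020-11-02", "holders": ["alice", "bob", "contractor1"]},
    {"account": "hmi-server/root", "owner": "ot-team",
     "last_rotated": "2021-05-01", "holders": ["carol", "dave"]},
    {"account": "DOMAIN\\svc_sql", "owner": "dba",
     "last_rotated": "2021-02-01", "holders": ["erin"]},
]


def audit(inventory, today):
    """Return (account, finding) pairs for every policy violation in the inventory."""
    findings = []
    for acct in inventory:
        name = acct["account"]
        if not acct["owner"]:
            findings.append((name, "unmanaged: no owner assigned"))
        age = (today - date.fromisoformat(acct["last_rotated"])).days
        if age > ROTATION_MAX_DAYS:
            findings.append((name, f"stale credential: rotated {age} days ago"))
        if len(acct["holders"]) > 1:
            findings.append((name, f"shared credential: {len(acct['holders'])} holders"))
    return findings


def prioritize(findings):
    """Order accounts by number of findings so the worst-managed ones are fixed first."""
    counts = {}
    for name, _ in findings:
        counts[name] = counts.get(name, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    results = audit(INVENTORY, date(2021, 5, 10))  # constructed audit date
    for name, finding in results:
        print(f"{name}: {finding}")
    print("remediation order:", prioritize(results))
```

An export from a real vault will carry more fields (checkout history, session recording flags), but the same pass over the inventory is the starting point for finding accounts that nobody owns and credentials that have outlived their policy.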

  4. Maintain an Effective Incident Response Plan

Organizations can take every measure to protect their information assets, but an attacker will exploit the weakest link to access information. Beyond that, new vulnerabilities and attack tactics emerge daily, making it practically impossible to prevent attacks entirely.

Organizations can build resiliency and redundancy to limit damage and achieve rapid recovery after a successful attack. A cybersecurity incident response (IR) plan is an effective tool: a set of instructions that helps companies prepare for, detect, respond to, and recover from security incidents. An effective IR plan covers technology as well as other areas such as HR, customer service, employee communication, finance, legal, public relations, regulators, insurance, suppliers, shareholders, partners, and other outside parties.

How KeyData Can Help with PAM

Robust control of privileged and administrative accounts can limit hackers’ ability to launch ransomware attacks or steal confidential information. KeyData Privileged Access Management services help organizations control access to privileged accounts, enabling them to protect access to their mission-critical data.

Whether your organization is in the planning stage or is just completing its PAM implementation, KeyData provides end-to-end PAM services for comprehensive ransomware risk mitigation. 

How can we help you? Contact us to discuss your PAM requirements, inquire about our services, or request a free comprehensive workshop on PAM Best Practices.
