The Reality of Ransomware

As the ransomware landscape continues to quickly change and evolve, every CISO also needs to evolve their business continuity and disaster recovery plans to ensure the impacts of ransomware can be minimized.

If you haven’t updated your business continuity and disaster recovery plan in a while, you may want to make sure that the registering and funding of a bitcoin wallet is included in that plan. On average, it takes about a week, from the time you initiate the transaction to when it’s available to spend, to fund a bitcoin wallet. A week is a long time to be without your systems when the next ransomware attack hits.

If you’re one of those people or companies that say you don’t need a bitcoin wallet because you won’t be paying the ransom, you might want to re-evaluate that position. If the cost to your reputation or your business exceeds that of the ransom, you’re going to have to consider paying it or at least sitting down with the hackers to negotiate. It’s a smart business decision at that point in time, especially if you can pay it discreetly.

Ransomware and the criminals that deploy it have most of us right where they want us. Most IT organizations are awful at IT hygiene, often leaving systems unpatched, not updated, and data not appropriately backed up. Even if your IT organization is “good” at backing things up, you’re probably only backing up the critical servers in your environment and not end user systems, where a host of data lives and which ransomware typically targets. This is especially true if you run Macs (still a minority operating system that is often forgotten) in your organization alongside Microsoft Windows systems.

Even if your IT organization is the cream of the crop as it relates to backups and patching, you’re likely still struggling to manage identities and control access to data and systems, allowing ransomware or other malicious code to spread quickly across your environment (using legitimate accounts) after just one system is compromised. We saw this clearly with Petya/NotPetya.

Combine poor backup and patching practices with identity management issues, and this leaves us in a perpetually vulnerable state — virtual sitting ducks. Then consider the high level of connectivity to the internet: Most companies are easy targets for attackers because they only have to compromise one system to wreak havoc across an entire operation (as we saw with WannaCry only a few short months ago).

The ransomware landscape is also changing and evolving rapidly. We’re seeing nation-state threat actors using ransomware code to infect companies or other governments. We’ve seen an uptick in ransomware targeting mobile devices. We’ll likely see more cases of extortionware to go along with the mobile ransomware. We’ve even recently seen “wiper” malware, used to destroy systems, being confused with ransomware because of similarities in the code.

In other words, there is an increasing level of polymorphism and sophistication to ransomware that will advance more quickly than the operational speed of IT organizations — complicating what cybersecurity professionals can realistically defend against.

I think the call to action here is for every CISO to ensure they’ve considered a ransomware infection as a likely scenario for their incident response, business continuity, and disaster recovery plans. They should run actual tabletop exercises that simulate a ransomware attack and their company’s response as a part of disaster recovery.

Let’s face it, the likelihood that you’ll need to recover from your data center burning to the ground is far less than the likelihood you’ll need to recover from a ransomware attack.

Every CISO needs to get and fund a bitcoin wallet today. You don’t want to be caught flat-footed and faced with a week to get a funded bitcoin wallet. It could cost your company millions of dollars in lost revenue. And you should carefully consider tax implications when opening and funding a bitcoin wallet. Bitcoin is traded on a market, so there is a chance your company can gain or lose money on that market by simply owning bitcoin. You’ll need to take that into consideration and likely get some legal and financial advice first (if only cyber insurance companies would take care of this part for us).

I’d also recommend leveraging outside counsel in general. There are many legal and consulting firms that have experience responding to ransomware attacks, have the ability to pay ransoms on your behalf (they all have a corporate bitcoin wallet now, with funds in it), and provide some expert guidance through this process. It makes no sense to go through this alone if you’re not experienced. I also wouldn’t recommend letting legal fully drive this, as you have to remember that the hackers really don’t care about what is legally right or wrong; they’ve already broken whatever laws exist.

Lastly, I think CISOs need to use their capability and influence to drive IT hygiene. If your vulnerability management program isn’t impacting your IT hygiene (patching, updating, and maintaining systems, applications, and networks), then you are doing it wrong.