What you don’t see
The devastating aspect of ransomware is that the majority of firms discover that hackers have been present in their network after it’s too late. Also, many firms who fall victim to ransomware state that “no evidence any data was infiltrated can be found” whenever a breach gets disclosed to the public. The reality, especially after just a week of finding out they’ve been breached, is that most firms haven’t got a clue if they lost any data or not. For the firm to get an accurate estimate of the scope of the breach, a costly cyber-forensic inspection is needed.
In most cases, I have seen that the attackers have been hiding in the network for 90 days or more. You can expect that the attackers have spent those three months mapping out the entire network architecture and grabbing all the credentials they need for the most disruptive take-down of the victim they can muster. They want to inflict maximum pain so they can get a maximum ransom from the victim. Unfortunately, I am seeing more cases of hackers not only stealing information and then encrypting everything, but they are also deleting the backups. Just because the victim has been persistently doing backups, it does not mean they are completely safe. In many instances, when the attack is triggered the client has zero backups to recover from. This forces the victim to pay a ransom that can be upwards of a million dollars.
These hackers are constantly expanding their criminal industry and it’s not expected to slow down. We can all expect that this year will have the worst cyber breaches and ransomware that we’ve seen so far.
The truth about ransomware
When firms think about ransomware, they think it only involves encrypting information and then demanding a ransom. However, that is just scratching the surface of what these criminals are really doing. During the three months these hackers are in your network, they are taking advantage of all the information they can capitalize on. Information such as credit card numbers, SSNs, protected health information, intellectual property, financial records and more. Once they have exhausted all of your valuable information they then flip the switch and demand a ransom for the encrypted data.
Cyber-breaches aren’t slowing down
Dark Reading has an article, Attackers Increasingly Focus on Business Disruption, that validates what I have been discussing. In that article, Robert Lemos states, “The number of days attackers went undetected increased to 95, up from 85 days in 2018.” He then goes on to say that, “Not all of these threat actors are deploying ransomware, but they were really focused on disrupting the business’ ability to perform business,” and that, “disruption was behind higher ransom amounts and the decision to often pay the ransom.”
Additionally, Lemos brings to light another concerning truth about ransomware that, “While successful attacks have decreased in number by some accounts, attackers are focusing on larger targets and threatening to do greater damage. Called “big-game hunting” by many firms, the revised strategy is about minimizing effort and maximizing the profit from criminal activity.” As the success rate of large ransoms being paid increases, criminals are putting more effort into personalizing their attacks instead of using heavily automated scripts. His story continues with, “That type of access that the attacker has, it really gives them the flexibility to understand where the critical data assets are, what approach they are going to take to encrypt those assets, where the backups are stored — and that really puts the customer at a disadvantage.”
Healthcare and manufacturing firms are the most common sector attacked by hackers according to the Crowdstrike report cited in the article.
Lastly, Lemos states, “Companies that deploy a handful of defenses could fend off many of the attacks…. Multifactor authentication on all public-facing portals, for example, will prevent attackers from gaining easy access through stolen credentials. Network segmentation helps prevent attackers from easily moving around a network following a compromise.” One extremely import defense measure, installation of security software updates every month, was left out of Lemo’s discussion. It is crucial that firms stay consistent with these patches or they could have a situation similar to Experian’s breach.
How you can be safer
Antivirus software and firewalls are ineffective table stakes in this new age of cyber-theft. Here’s some guidelines to ensure your safety:
- MFA (Multi-factor authentication)
- Segmentation of your network
- 24/7 monitoring of your network. Click on the link to read more on why this is critical for network security.
- Daily backups on a disconnected system
- Keep track of admin credentials
Smoke testing is a term used to describe the testing process for servers after patches are applied. 
Estimating an average time for patching servers and PCs can be a bit tricky. It can vary from one month to the next, depending upon the number and complexity of the patches released by your software vendors. You must consider all versions of operating systems and have a complete inventory of all your application software to do this job correctly. Our experience has shown that manual patching of systems takes on average of about 1.5 hours each.
This is a basic cost calculator for you to compute your typical monthly cost for patching your servers, PCs, laptops, tablets and associated application software. It also forms the basis for you to begin calculating your Return on Investment for software patching, or for comparison with alternatives to the manual process of patching operating systems and application software—such as Patch Management as a Service, also known as Vulnerability Management as a Service.