Ransomware and resilience

A few days into the new year and a ransomware attack has already canceled classes for the Swansea Public School district in Massachusetts.

While students were likely happy for an off day from school, the issue of ransomware continues to plague both public and private sector organizations. Ransomware remains a growing threat from schools and healthcare organizations to government agencies and everyone in between. We've reached the point where an attack is a foregone conclusion for any organization that hosts large amounts of data. 

Organizations will always want to take steps to prevent these types of attacks but they must equally value the capability to recover. A few months back we saw the Los Angeles Unified School District, which serves more than 450,000 students across 780 public schools, get hit with a ransomware attack that took systems offline, an attack that caught the attention of the White House. The Department of Education, the Federal Bureau of Investigation and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency were quickly brought in to provide immediate incident response support.

Thankfully, students were able return to school without missing a day of instruction. This case highlights two significant trends facing organizations in public and private sectors: Ransomware attacks continue at a high rate, and resilience remains incredibly important. 

Under constant attack

Along with the rise of remote workforces during the COVID-19 pandemic, the number of ransomware attacks has doubled year-over-year since 2019. In the first six months of 2021, there were 304.7 million ransomware attacks that cost an estimated $159.4 billion in payouts and downtime.

Federal agencies are not exempt from these types of attacks. The signing of the cybersecurity executive order in May of 2021 and the National Security Memorandum on cybersecurity in January 2022 brought additional attention to all agencies' challenges.

The cyber focus has long centered on a more "warfighting approach" focused on protecting network entry points. Modern attackers, though, continue to develop ways to circumvent these barriers. These attackers know how to enter a network without tripping alarms. They then use this access to move laterally through a network, searching for sensitive information and high-value data.

In a lateral movement breach, the attacker will impersonate a legitimate user and move through multiple systems until they find what they want. The growth of multi-cloud architectures, microservices, and container-based solutions only expands the battlefield for these attacks. While it is imperative to stop these attacks whenever possible, organizations must also be resilient regarding recovery.

Get back up – fast

Getting up quickly after an attack is almost as important as controlling the initial threat – and sometimes more difficult. When an attack happens, the data center turns into a crime scene but one where work still must be done. 

It is akin to a person being attacked in their kitchen and someone coming in to cook dinner while the police do their work. Let's look at some things enterprises can do to improve cyber resilience beyond the practice of good cyber hygiene:

• Stand up a separate space not tied to the production environment. The cyber clean-up crew will need an area to investigate what happened while other operations continue. Often, it can take days for organizations to recover from a cyber-attack, if not weeks, so create a system that provides an area to recover potentially lost or frozen data.
• Have a strong testing environment and a strategy for all recovery systems. The idea is that any person in the organization could essentially walk into a data center and start the recovery process. Create fool-proof systems and repeatable tested processes.
• A cyberattack changes data and even the most sophisticated recovery plans may need experts to understand when alternative methods need use. With that said, know when to deviate from your disaster recovery plan. Do not let a plan act as an out, allowing your team to avoid other potential malicious users.
• Since lateral movement has become so commonplace, isolate any tainted area as quickly as possible. Proactively close off the infected area. Have backups in place for all systems and aim to get impacted applications running on saved versions to ensure continuity of operations.

More than anything, resilience must be at the forefront of cyber planning. Yes, cyber defense will always get the most attention but the ability to get back up and work as fast as possible provides tremendous value.

Ransomware attacks only continue to get worse. They have proven an effective attack measure as many organizations pay the ransom, essentially rewarding the attackers for their actions. Federal agencies need to understand their recovery environment and build strong resiliency measures. In doing so, they will hopefully slow the number of attacks and change the dynamics of ransomware.