Solutions Research Analyst
Mark Arnold is a senior research analyst in the solutions research and development group within Optiv’s Office of the CISO. In this role he specializes in developing strategy deliverables and frameworks to help industry verticals mature and grow efficient security programs. Arnold’s current research focuses on endpoint and cloud security.
Ransomware Part 1: Is this an Epidemic?
The words ‘ransomware’ and ‘epidemic’ occur too frequently in the same sentence these days, prompting executives to prepare their organizations to survive this latest cyber threat. The Centers for Disease Control and Prevention (CDC) defines an epidemic as follows:
“Occasionally, the amount of disease in a community rises above the expected level. Epidemic refers to an increase, often sudden, in the number of cases of a disease above what is normally expected in that population in that area. Outbreak carries the same definition of epidemic, but is often used for a more limited geographic area.”
If pundits and researchers are correct in assessing ransomware as an epidemic (or worse), the keys to preventing widespread infection are the same as in public health: rapid mobilization, coordinated response plans, and dissemination of information.
- Organizations should mobilize teams internally to understand the prevalence of the threat and attacker intentions. Coordination between teams is mandatory for an organization’s response capability and survivability.
- Security operations, incident response and management should have a vetted, coordinated response plan in place, including the following measures:
  - Working backups (preferably offline or otherwise out-of-band, so that an attacker with access to production systems cannot reach them). Not all backup capabilities are equal, and we cannot stress this step enough: ransomware incidents keep revealing that backups in numerous organizations were never tested and do not restore at an effective level.
  - Detection and prevention controls in place.
  - Data classification and valuation of data, so the organization knows what it stands to lose.
  - Communication trees and rules of engagement (ROE) for dealing with ransomware dealers. In the case of a successful attack, organizations can:
    - Attempt to remove the compromise and restore affected systems.
    - Pay the ransom or attempt to negotiate (nothing is guaranteed, including receipt of a working decryption key).
    - Do nothing at all (the FBI has recently reaffirmed its position that victims should not pay ransomware dealers).
- Communicate widely about ransomware criminals and their tactics. Organizations should run strong security awareness programs, with particular focus on phishing, since attackers typically use unsuspecting users as their entry point into the organization.
- Learn from the experiences of others to shore up defenses. Many organizations targeted by ransomware campaigns have shared valuable insights from combatting this wave of attacks.
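The backup point above is the one most often found wanting after an incident, and the only way to know a backup works is to test a restore before you need it. The following is an added example (not Optiv's code or the code of any product the post mentions) of a minimal restore-test check: at backup time it records a SHA-256 manifest of the backup set, and at test time it verifies that every file is present, hash-matches, and that the set is not stale. The manifest filename, the freshness threshold and the sample files are assumptions constructed for the example; the demo scenario simulates what ransomware does to a reachable backup (one file overwritten, one deleted).

```python
"""Restore-test check for a backup set (added example, not Optiv's code).
Assumed: backups are plain directory trees; MANIFEST.json is our own manifest
format; a 24h freshness threshold. Sample files below are constructed."""
import hashlib
import json
import tempfile
import time
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # assumed manifest filename


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large backup members don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> dict:
    """At backup time: record a hash for every file in the set."""
    files = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            files[p.relative_to(backup_dir).as_posix()] = sha256_file(p)
    manifest = {"created": time.time(), "files": files}
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest))
    return manifest


def verify_backup(backup_dir: Path, max_age_seconds: float = 86400.0) -> dict:
    """Restore test: every manifest entry must exist and hash-match, and the
    manifest must be newer than max_age_seconds. Returns a report dict."""
    report = {"ok": True, "missing": [], "corrupt": [], "stale": False}
    mpath = backup_dir / MANIFEST_NAME
    if not mpath.exists():
        # No manifest means nothing can be verified; treat as failed.
        report["ok"] = False
        report["missing"].append(MANIFEST_NAME)
        return report
    manifest = json.loads(mpath.read_text())
    if time.time() - manifest["created"] > max_age_seconds:
        report["stale"] = True
        report["ok"] = False
    for rel, digest in manifest["files"].items():
        p = backup_dir / rel
        if not p.exists():
            report["missing"].append(rel)
            report["ok"] = False
        elif sha256_file(p) != digest:
            report["corrupt"].append(rel)
            report["ok"] = False
    return report


def demo() -> tuple:
    """Constructed scenario: a healthy set, the same set after ransomware-style
    damage (one file overwritten, one deleted), and a stale manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        b = Path(tmp)
        (b / "db").mkdir()
        (b / "db" / "customers.sql").write_bytes(b"INSERT INTO customers ...\n")
        (b / "config.yaml").write_bytes(b"retention_days: 30\n")
        write_manifest(b)
        good = verify_backup(b)

        (b / "db" / "customers.sql").write_bytes(b"\x00ENCRYPTED\x00")  # overwritten
        (b / "config.yaml").unlink()                                     # deleted
        damaged = verify_backup(b)

        m = json.loads((b / MANIFEST_NAME).read_text())
        m["created"] -= 30 * 86400  # pretend the last good backup is 30 days old
        (b / MANIFEST_NAME).write_text(json.dumps(m))
        stale = verify_backup(b)
    return good, damaged, stale


if __name__ == "__main__":
    for label, r in zip(("healthy", "damaged", "stale"), demo()):
        print(label, json.dumps(r))
```

Two caveats on the design. First, the check only proves the backup set is intact; a real restore test should also bring the data up in a scratch environment and confirm the application works against it. Second, an attacker who can overwrite the backup can overwrite its manifest, so the manifest (or at least its hash) should be kept on a separate, write-protected system; that is the practical meaning of "out-of-band" in the list above.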
If ransomware truly is the newest cyber epidemic, executives should waste little time investing in the preparedness needed to defeat it.
In our next post we will examine how different strains of ransomware can infect your environment.