Last Updated on November 14, 2019
A game changer is “a newly introduced element or factor that changes an existing situation or activity in a significant way.” The IT field has a rich history of game changers, from the integrated circuit to the first IBM PC to cloud computing.
Of course, like everything else, game changers happen on “the dark side” of IT as well; malware being one of them. While malware has been a threat since the late 1990s, enterprises have primarily treated these attacks as a part of doing business. They were considered merely irritants until the release of ransomware, especially the WannaCry variant. Since WannaCry’s distribution, enterprises are looking at ransomware—and malware in general—with a new level of concern about the potential impact of these threats.
WannaCry is described as a “ransomware crypto worm.” A worm is a type of malware that replicates itself so that it can automatically spread to other systems. Ransomware is a type of malware that encrypts critical files on a victim’s computer; the only method of decryption being for the attacker to send the decryption key to the victim, provided the victim pays a specified ransom.
WannaCry began infecting systems in 2017 and spread to over 200,000 systems globally, encrypting every file within its reach. Although now somewhat contained, WannaCry continues to be a threat today. Even if WannaCry can be completely eliminated, variants will be around for a long time.
Ransomware is a preferred choice among criminals because it’s relatively easy to create and propagate, especially with uninformed users. Most importantly, it is very profitable; some examples include:
- The city of Baltimore was hit in May 2019, which resulted in the largest financial impact—over $18 million in damages, including roughly $5 million in consulting firm expenses to remove the malware.
- FedEx reported a net loss of approximately $300 million from its 2017 quarterly profit as a result of ransomware that hit one of its subsidiaries.
- The city of Riviera Beach, Florida paid $600,000 to criminals who infiltrated the city’s network with ransomware.
- Non-profit medical clinics that provide services to low-income patients paid their attackers roughly $70,000 to unlock patients’ medical records.
- Hospitals in Australia had to cancel non-critical medical procedures as a result of a ransomware attack.
- Dental record management cloud provider PerCSoft was hit. The company did not publicly state that it decided to pay the ransom, but sources say that an undisclosed ransom was paid.
U.S. law enforcement, including the FBI, recommend that businesses do not pay any ransom because:
- The attacker is not guaranteed to provide the decryption key or the decryption key may be incorrect.
- Even if the proper decryption key is provided, the business must manually decrypt all of the related files, tying up time and manpower.
- Paying the ransom doesn’t preclude further attempts by the same or a different attacker. In addition, decrypting encrypted files may not remove the infecting malware, which may reside for some time, ready to strike again.
New tools are constantly under development to counteract these threats but tools alone are not sufficient. Any business that seriously wants to defend itself against ransomware or any other threat must start with a viable Business Continuity Plan (BCP), which is a plan to restore a business from a failed state to a running state.
One of the most critical processes for a BCP is an effective backup/restoration plan. Restoring from a backup costs money and resources, so restoring from a ransomware attack may not be better than paying the ransom if the BCP has not been evaluated carefully. In addition, many businesses back up their data without evaluating whether the backup was successful, and learn too late that their BCP did not work as expected.
When creating a BCP, the most important consideration is that the business can survive during the downtime and restoration process. There are two key values that must be identified:
- The Recovery Point Objective—the maximum acceptable time for data loss.
- The Recovery Time Objective—the maximum amount of downtime from a disruption that can be tolerated before the business is impacted.
For example, let’s say that a business continuously processes new transactions and that data cannot be older than 4 hours before business revenue is impacted. The Recovery Point Objective in this example would be 4 hours, meaning that a backup must be completed every 4 hours. If the business required 2.5 hours to fully recover from a disrupted state in order to survive the impact, then the Recovery Time Objective would be 2.5 hours. By determining both values, businesses will be able to establish restoration priorities.
It’s important to understand that both values include senior management’s reaction to a disruptive event. For example, if it takes a day for management to implement a restore from a ransomware attack, then 24 hours must be included in the Recovery Time Objective. Because time is money (according to the old saying), an effective Incident Response Plan is also critical. The clock is ticking once a company’s files have been encrypted, so even a topnotch backup plan will be useless if the company takes too much time to decide whether to implement their restoration process.
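As an added illustration (not part of the original article), the following Python sketch audits a backup history against the 4-hour Recovery Point Objective and 2.5-hour Recovery Time Objective from the example above. It counts only backups whose restore test passed, which is the check the backup/restoration paragraph says many businesses skip, and it includes management's decision time in the recovery total. The log entries, the 2-hour restore measurement, and all function names are constructed for illustration.

```python
from datetime import datetime, timedelta

RPO = timedelta(hours=4)      # article's example: data may be at most 4 hours old
RTO = timedelta(hours=2.5)    # article's example: 2.5 hours of tolerable downtime

# Constructed backup history: (finished_at, job_succeeded, restore_test_passed)
BACKUP_LOG = [
    (datetime(2019, 11, 14, 0, 0), True, True),
    (datetime(2019, 11, 14, 4, 0), True, True),
    (datetime(2019, 11, 14, 8, 0), True, False),    # job "succeeded", restore test failed
    (datetime(2019, 11, 14, 12, 0), False, False),  # job failed outright
    (datetime(2019, 11, 14, 16, 0), True, True),
]
WINDOW_START = datetime(2019, 11, 14, 0, 0)   # constructed review window
WINDOW_END = datetime(2019, 11, 14, 18, 0)


def usable_backups(log):
    """Only backups that completed AND passed a restore test count as recovery points."""
    return sorted(ts for ts, ok, verified in log if ok and verified)


def rpo_violations(log, rpo, window_start, window_end):
    """Return (from, to, gap) for every stretch without a usable backup longer than the RPO.

    The window start is treated as the last known-good point, so an empty or
    entirely unverified history is reported as one long violation.
    """
    points = [window_start] + usable_backups(log) + [window_end]
    return [(a, b, b - a) for a, b in zip(points, points[1:]) if b - a > rpo]


def rto_check(decision_delay, restore_duration, rto):
    """Total recovery time includes management's decision time, not just the restore."""
    total = decision_delay + restore_duration
    return total, total <= rto


if __name__ == "__main__":
    for start, end, gap in rpo_violations(BACKUP_LOG, RPO, WINDOW_START, WINDOW_END):
        print(f"RPO breach: no usable backup between {start} and {end} ({gap})")
    # The 2-hour restore duration is a constructed drill measurement.
    for delay in (timedelta(hours=24), timedelta(minutes=15)):
        total, ok = rto_check(delay, timedelta(hours=2), RTO)
        print(f"decision delay {delay}: total {total} -> {'within' if ok else 'exceeds'} RTO")
```

On this constructed history the schedule looks compliant on paper, yet the unverified 08:00 backup and the failed 12:00 job leave a 12-hour gap in usable recovery points, and a one-day decision delay turns a 2-hour restore into a 26-hour recovery.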
Finally, both the Incident Response Plan and Business Continuity Plan must be tested, because what looks good on paper may not work in reality. The most common type of test is called a Tabletop Exercise, during which stakeholders simulate a situation and review their plans step by step. Tabletop Exercises are very effective at finding flaws, which is much better than identifying them during an actual event.
A good Business Continuity Plan and Incident Response Plan are critical for businesses in today’s Internet culture. These plans are not only the most effective against ransomware, but also against other man-made and natural threats to businesses. If we have learned anything from WannaCry, it’s that attacks will become more threatening over time, attackers will continuously look for new opportunities to make illicit gains, and that the best mitigators are knowledgeable people and processes.