Ransomware response and recovery - How to be more resilient in the face of ransomware threats - Accenture
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Why ransomware? Today’s According to Christopher Krebs, former Director of the Cybersecurity and Infrastructure Security Agency (CISA), top three “You’ve got to start with what really matters the most and then you work out from there. So, from that perspective, ransomware is the biggest threat.” 1 challenges Impacts vary, but, in many cases, Security leaders must understand and ransomware disrupts businesses for counter new ransomware challenges, #1 significant periods—or even forces them strengthen defenses across people, to suspend operations or close. processes, and technology and demonstrate why security is critical to the A growing population of highly capable business strategy. cyber extortionists is developing a new means to counter defenses and increase In short, security leaders need to help #2 the level of disruption they can inflict, their organizations gain ransomware constantly. Threats are widespread; they resilience—fast. extend across industry and the public/ private sector, affecting large and small businesses alike. #3 2 Copyright © 2021 Accenture. All rights reserved.
What does ransomware look like? Ransomware can create a crisis of systemic business risk and consumer trust Typical business impacts involve: Hot topics • Disruption to production, delivery, or The top five ransomware variants based customer services on intrusion data derived from Accenture Security Cyber Investigations & Forensic • Loss of sensitive commercial data, or Response (CIFR) engagements: 2 protected information Top five 2020 Top five first quarter 2021 • Direct costs of remediation, recovery, or potential ransom payment 1. Maze 1. DoppelPaymer • Costs associated with litigation, often 2. Sodinokibi 2. Sodinokibi class-action lawsuits 3. Ryuk 3. Hades • Legal and regulatory sanctions 4. Netwalker 4. Ryuk • Reputational damage 5. DoppelPaymer 5. Conti Copyright © 2021 Accenture. All rights reserved. 3
Challenge #1 Successful ransomware extortionists are ramping up attacks Established ransomware operators are To plan for resilience, organizations should upping their game as they continue to focus on the business and operational focus on new monetization opportunities risks presented by the threat across and see no limits to the potential profits. their unique value chain—and prioritize planning and defense efforts accordingly. At the same time, the barrier to entry is low; ransomware tools and supporting The Accenture CIFR team observed a operations are readily available through 160% year-on-year increase in ransomware various markets and affiliate networks. events in 2020—with little signs of any slowdown in early 2021.3 Alongside the opportunities presented by the pandemic, the population of extortionists is growing as new cybercriminals are drawn to the low-risk, high-reward operations. 4 Copyright © 2021 Accenture. All rights reserved.
Challenge #2 Ransomware operators are constantly improving their ability to disrupt Cyber extortionists are incentivized to Commodification of the skills and develop ever-more disruptive ways of services required—ranging from working. The more disruption they can initial access brokers and intrusion inflict, the larger the ransom they specialists to ransomware-as-a-service can demand. models with partners and affiliates and specialist negotiator middle-men—is Operators keep innovating, first using enabling and rewarding the development ransomware in a targeted way, against of new, more disruptive techniques. key assets, then combining that with data leak extortion. Now, there are indications In December 2020, extortionists targeted that certain operators are increasing one of the world’s largest manufacturers, their ability to interfere with operational claimed encryption of 1,200 servers, technology (OT) processes and refining realized the theft of 100GB of data, other means to pressure payment, deleted 20 to 30TB of backups and including layering distributed denial-of- demanded a $34M ransom.4 service attacks with encryption and data leakage. One variant has stepped up its confrontational approach, delivering its ransomware notes through a retailer’s receipt printer. 5 Copyright © 2021 Accenture. All rights reserved.
Challenge #3 Business growth and service strategies lack resilience Downtime from ransomware is still Ransom demands are growing and growing. According to Coveware, firms becoming more customized—with threat experienced on average 23 days of actors assessing who is more likely to downtime in the first quarter of 2021, up pay. If ransoms are paid, it can open from 21 days in the fourth quarter of the door to further criminality. Also, 2020. Downtime ranged from standstill some ransomware operators have been to minor non-availability.5 sanctioned, potentially placing a ransom- paying victim in further legal jeopardy. Encryption can deny access and interrupt basic and vital resources, The Accenture CIFR team observed including internal and customer ransom demands ranging from communications and platforms, as well US$100,000 to US$50M in 2020.6 as operational or production systems. Long periods of downtime can affect In August 2020, a leading foreign tens of millions of people. The theft and exchange firm went into administration to publication of data give attackers new lose more than 1,300 jobs. Administrators extortion opportunities—such as the stated that a ransomware attack had risk of regulatory sanctions if protected caused a month of disruption and at times information is made available online. staff could not use computers to keep track of currency trading. The breach also disrupted online travel money services for leading global clients.7 6 Copyright © 2021 Accenture. All rights reserved.
Ransomware is evolving Established operators Ransomware operators New variants and enhanced Organizations feel the extend reach and profits often move fast tactics challenge defenses pressure of payment with new collaborations strategies and regulatory demands A ransomware-as-a-service model Often, operators have exfiltrated Threats are going beyond IT to new Aggressive operators are phoning has been transformative for sensitive data and encrypted key technologies and platforms—there victims directly, sometimes extortionists. Owners of highly assets within hours of an initial are at least seven known variants with combining denial-of-service attacks effective and widely disseminated infection. Also, some companies are features designed to target common with encryption and publication malware strains, formerly known as more commonly finding themselves industrial environment processes. tactics. The United States federal “banking trojans,” are working with targeted twice in quick succession by Criminals have the resources to government has released an intrusion specialists to infect and different actors. re-invest and innovate, regularly advisory8 reminding CISOs that by extort the maximum number of designing new, more effective tools financing terrorism or financing victims. and techniques to increase their banned organizations in the payment operations’ efficacy. of a ransom, they are committing an offense. While in Europe, GDPR requires any potential breach to be reported to the regulator within 72 hours—or face sanctions. Copyright © 2021 Accenture. All rights reserved. 7
What can you do now? Operate under the assumption that you are already breached and focus on resilience across the end-to-end value chain Focus on Prevent Know your Make it Prepare, prepare the basics and protect operations personal and prepare again Keep security hygiene up to Increase confidence through Model the threat against your CISOs cannot go it alone. Threats are agile and you standard; maintain controls continuous validation and operations and end-to-end Collaborate and prepare should be, too. Businesses and continue patching; ensure testing of your defenses. value chain. with Legal, Communications, don’t evaluate their profit and visibility into and protection of senior management and loss or liquidity levels once a crown jewel data. Train and test employees Understand how to backup external service providers, so year—security should be no frequently. and restore critical data at everyone knows how to work different. Implement a holistic backup speed and scale across the together during an event. and recovery strategy with Ensure adequate visibility and business—strive for continuity Use planning and validation as situational awareness of the coverage across the attack of operations. Conduct crisis management an opportunity to constantly current threat landscape. surface—use tooling, controls and table-top exercises to test measure and improve and telemetry to enhance Be clear on policies and relationships. resilience or adjust your Ensure you have a crisis your defense posture across procedures—the response course over time. management and incident layered prevention, detection, playbook is often the first Meet regularly with response plan that’s in line and agile response. thing regulators and litigants authorities, incident response Pressure-test for when things with the current pandemic- ask for after a breach. partners and outside legal go wrong. *Attributed to Sir Winston Churchill driven operating environment. counsel to bolster support. Copyright © 2021 Accenture. All rights reserved. 8
So, you’ve been hit—what’s next? “Never let a good crisis go to waste”9—after any ransomware attack, CISOs should reflect on improvements to ease the impact of future events 1 2 3 4 5 Trace Collaborate Learn from Update risk Strengthen the attack and report the experience mitigation plans defense posture Use incident response, Work with legal counsel to Quantify the financial and Evaluate current inherent and Get tactical: remediate identified forensic analysis and threat ensure statutory obligations reputational impacts and residual risk measurements vulnerabilities, update operating intelligence to identify how are fulfilled by reporting an identify metrics and resources and work with the business systems, deploy compensating the attack occurred and incident to the appropriate to meet the C-suite’s to identify any beyond controls, refine weak processes, build a comprehensive authorities. Collaborate expectations for cyber acceptable levels. Apply an harden the environment understanding of the intrusion with industry partners, resilience going forward. Talk appropriate risk mitigation (across network, endpoint, and measured impact. This is consortiums and law to the C-suite so that business strategy that includes aspects and identity), improve cyber critical during and after the enforcement for greater leaders can prioritize and such as controls deployment hygiene, enhance the efficacy of incident to inform defense threat awareness. oversee the measurement or security transfer threat detection and response posturing, comprehensive of cyber resilience, secure mechanisms. operations, address weaknesses take-back planning in a funding for improvements in recovery processes and domain compromise and and incorporate it into drive the necessary behavioral safe recovery of business business resilience plans. changes required to strengthen operations. cybersecurity defenses. *Attributed to Sir Winston Churchill Copyright © 2021 Accenture. All rights reserved. 9
Who’s doing what? An organization paid ransom twice A Norwegian aluminum manufacturer following a failure of its antivirus was forced to halt some production and protection measures. Once attackers switch other units to manual operations had gained entry to its systems, they set after hackers blocked its systems. Its post- about changing existing client security measures and controls to guarantee response analysis showed that attackers had been present in the network for three “The organization didn’t realize continued access. The organization didn’t realize how much of its network had been months when somebody clicked on the wrong e-mail. The forced shutdown cost much of its network had compromised and how sophisticated its attackers were. the company US$52M. been compromised and how A medium-sized manufacturer was An oil and gas company with a good recovery plan, validated backups, and sophisticated its attackers were.” preparing to replace all its virus detection a strong leadership team determined software. It was unaware that attackers not to pay a ransom. When it was hit, it had infiltrated its network months prior could get back up and running in less and it was monitoring the company e-mail than one week. On the other hand, for a Web portal through a poorly protected manufacturing customer who had not administrative account. When the been validating its backups and had a attackers discovered a planned upgrade, piecemeal recovery process, it took six hackers launched an attack the weekend weeks to recover from an attack. before countermeasures were planned to be deployed. 10 Copyright © 2021 Accenture. All rights reserved.
Ransomware incident response trends A look back at 2020 intrusion data10 Top industries impacted: Products11 (38%) Resources12 (33%), Healthcare and State and Local Government (17%) Initial ransom demands ranging from US$100K to US$50M Average operational downtime around 12 days Data extortion was incorporated in >60% of intrusions Dwell times range from 2.5 hours to around six months13 Primary attack vectors: 1. Phishing, 2. Remote access, 3. Software vulnerability Copyright © 2021 Accenture. All rights reserved. 11
Are you ready? Being resilient means robust processes, training and coordination across the business value chain Ask yourself: What How Who • What are the most critical • How often do you pressure- • Who are your decision- systems and data in your test and exercise your plans? makers during a crisis? operations? • How quickly could you • Who is responsible for • What plans do you have in respond to and recover from negotiating or reviewing place? (such as business a ransomware threat? your extortion policy? continuity, disaster recovery) • How would you handle a full • Who handles incident domain compromise? response? • What is your media strategy in the event of a crisis? Copyright © 2021 Accenture. All rights reserved. 12
Contacts References 1. Former US cyber chief calls for military to attack hackers, Financial Times, 2021, https://www.ft.com/content/27c09769-ceb5-46dd-824f-40b684d681ae 2. Looking back to see the future: CIFR DeLorean—2021 edition, Accenture, 2021, https://www.accenture.com/us-en/blogs/cyber-defense/cifr-delorean-2021-edition 3. Ibid 4. Foxconn electronics giant hit by ransomware, $34 million ransom, Bleeping Computer, 2020, https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware- 34-million-ransom/ 5. Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound, Coveware, 2021, https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability- exploits-abound 6. Looking back to see the future: CIFR DeLorean—2021 edition, Accenture, 2021, https://www.accenture.com/us-en/blogs/cyber-defense/cifr-delorean-2021-edition Mark Raeburn Jacky Fox Ryan Leininger 7. Travelex falls into administration, with loss of 1,300 jobs, The Guardian, 2020, https://www.theguardian.com/business/2020/aug/06/travelex-falls-into-administration- Managing Director Managing Director Senior Manager shedding-1300-jobs Cyber Defense United Kingdom & Ireland Cyber Defense Accenture Security Accenture Security Accenture Security 8. Department of the Treasury, 2020, https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf 9. Attributed to Sir Winston Churchill 10. CIFR observations 11. Products industries include: Automotive, Airline, Consumer Goods & Services, Hotels, Industrial Equipment, Life Sciences, Retail 12. Resources industries include: Energy (Oil & Gas), Chemicals, Metals/Mining, Utilities 13. Dwell time is the amount of time the threat actor is active in the victim organization’s network—from first evidence of compromise through detection (or impact) opyright © 2021 Accenture. All rights reserved. 13
Appendix Top ransomware variants observed by Accenture Security’s CIFR team: • Conti: First observed by cybersecurity teams in May 2020, it involves double extortion that that puts information and reputation at risk. It not only encrypts files on the infected host but also spreads to encrypt files on different hosts, potentially compromising the entire network. • DoppelPaymer: A newer variant associated with the well-established Dridex Gang, whose leader was sanctioned and linked to Russia’s Federal Security Service (FSB) by the United States Justice Department in December 2019. • Hades: A ransomware campaign that has been ongoing since at least December 2020, Hades ransom notes share portions with the one used by the REvil ransomware operators; there is no evidence to suggest the threat groups or operations have any overlap. • Maze: Maze operations changed the game by being the first cartel to pioneer the double extortion approach. It reportedly shut down in Q4 2020 (see https://techcrunch.com/2020/11/02/maze-ransomware-group-shutting-down/) • Netwalker: Made a name for itself with a string of healthcare compromises but was interrupted by law enforcement interdiction that occurred in January 2021. Its operations were recently disrupted by international law enforcement agencies (see https://www.zdnet.com/article/us-and-bulgarian-authorities-dirsupt-netwalker-ransomware-operation/) • Ryuk: Known for being prolific and aggressive. It benefits from strong working links with the effective and widely disseminated downloader malware, TrickBot and Emotet and conducted multiple high-impact compromises against United States hospitals in late 2020. For more, visit Looking back to see the future: CIFR DeLorean—2021 edition Copyright © 2021 Accenture. All rights reserved. 14
About Accenture About Accenture Security Accenture is a global professional services company with leading Accenture Security is a leading provider of end-to-end cybersecurity capabilities in digital, cloud and security. Combining unmatched services, including advanced cyber defense, applied cybersecurity experience and specialized skills across more than 40 industries, we solutions and managed security operations. We bring security offer Strategy and Consulting, Interactive, Technology and Operations innovation, coupled with global scale and a worldwide delivery services—all powered by the world’s largest network of Advanced capability through our network of Advanced Technology and Intelligent Technology and Intelligent Operations centers. Our 537,000 people Operations centers. Helped by our team of highly skilled professionals, deliver on the promise of technology and human ingenuity every day, we enable clients to innovate safely, build cyber resilience and grow with serving clients in more than 120 countries. We embrace the power of confidence. Follow us @AccentureSecure on Twitter or visit us at change to create value and shared success for our clients, people, www.accenture.com/security shareholders, partners, and communities. Visit us at www.accenture.com DISCLAIMER: This document is intended for general informational purposes only and does not take into account the reader’s specific circumstances and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such Copyright © 2021 Accenture All rights reserved. information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own Accenture, its logo, and New Applied Now are trademarks of Accenture. legal counsel or other licensed professionals. 15
You can also read